If your website uses testimonial sliders, product sliders, or other tools from a company called ShapedPlugin, this is worth five minutes of your time today.
Early this month, ShapedPlugin’s own system for delivering updates to its Pro plugins was broken into. That means people who installed the plugin the normal way, straight from the company that made it, could have received a compromised version without doing anything wrong.
What Happened
ShapedPlugin sells a set of premium WordPress tools that thousands of small business sites use, including Product Slider Pro for WooCommerce and Real Testimonials Pro. Someone got into the system ShapedPlugin uses to distribute updates for these Pro tools and slipped in a hidden program disguised as a normal update.
Once installed, that hidden program quietly reported information back to whoever planted it, then deleted the evidence of its own tracks. The site owner would have no obvious sign anything was wrong.
One important detail: this only affects the Pro versions of these plugins, the ones purchased directly through ShapedPlugin’s own store. The free versions available on WordPress.org were not touched.
Why Updating Isn’t Enough
Here’s the part that catches people off guard. If your site had one of the compromised versions installed at any point, simply updating to the newest version does not remove the problem. The hidden program may have already run and left something behind, even after the plugin itself gets patched.
The real fix is having someone check what’s actually on the site, not just clicking update and moving on. This is exactly the kind of thing ongoing site monitoring is built to catch before it turns into a bigger problem.
Why This Matters This Week
This isn’t a one-time, isolated event. Security researchers are also tracking a broader wave of attacks happening right now, where people are actively going after WordPress plugins across many different sites to gain lasting access, not just poking around to see what they can find.
Once someone has that kind of access to your site, they can read information stored there, send emails that appear to come from you, or quietly use your site to attack other websites, all without you knowing anything is wrong.
What to Check on Your Site
If you or whoever manages your website installed any ShapedPlugin Pro product through ShapedPlugin’s own store, treat it as something that needs a closer look, not just an update. That includes:
- Product Slider Pro for WooCommerce
- Real Testimonials Pro
- Any other ShapedPlugin Pro tool purchased directly from their site
If you’re not sure whether your site runs any of these, that uncertainty alone is worth resolving. A quick look at your site’s installed plugins will answer it.
Not sure what’s running on your site? Every website support plan includes keeping an eye on the tools your site depends on, so problems like this get caught early instead of after something breaks.
What to Do This Week
- If you use one of these plugins, have it checked before doing anything else. Don’t just update it and assume the problem is gone.
- If you’re not sure what your site is running, take a few minutes to find out. It’s a small task now and a much bigger one later.
- Going forward, keep an eye on which tools your site updates through the company’s own store versus WordPress.org. This attack got in through exactly that kind of direct update channel, and it’s worth knowing which of your tools work that way.
None of this means every WordPress site is in danger, or that every plugin update is suspect. It means one specific, popular set of tools had a real problem, and if you’re using them, it’s worth confirming your site is clean rather than assuming it is.