WordPress Backdoor in Popular Plugins Exposes E‑Commerce Credentials and 2FA Codes
Malicious code pushed through official update channels for several ShapedPlugin Pro WordPress add‑ons has opened a covert door into sites that installed them. The backdoor can steal admin logins, two‑factor authentication codes and WooCommerce order data, putting online stores, their customers, and wider supply chains of web developers on edge.
A cluster of commercial WordPress plugins used by thousands of websites has been quietly turned into an intrusion tool, after attackers managed to push backdoored updates through official channels and into live sites.
Security researchers report that several Pro‑tier plugins from the ShapedPlugin ecosystem were compromised, with malicious code added to versions delivered as standard updates. That code allows attackers to siphon off highly sensitive data from affected sites, including administrator credentials, two‑factor authentication (2FA) codes, configuration files and e‑commerce information handled by WooCommerce. Because the malicious payload arrived inside legitimate update packages, many site owners may have installed it automatically, unaware that they were opening a door for attackers.
The human impact is twofold. For site administrators and small businesses that rely on WordPress as their storefront or primary communications hub, the compromise turns a routine security practice—keeping plugins up to date—into the very vector of breach. Admins who believed they were hardening their sites by patching may now be facing unknown intrusions, stolen passwords and altered settings. For customers, particularly those who have purchased goods or entered billing details through WooCommerce‑powered stores using the affected plugins, the risk is that order data, and in some cases associated personal information, has been quietly exfiltrated.
Operationally, the malware’s ability to capture wp‑config.php data is especially serious. That file typically contains database credentials, authentication keys and other core secrets that underpin the integrity of a WordPress installation. With access to those, an attacker can clone or manipulate the site far beyond what a single stolen login would allow. The theft of 2FA codes weakens one of the main defenses that many administrators have added in recent years to protect high‑value accounts.
For hosting providers and managed security teams, the incident poses a scaling problem. Rather than a single site being hacked through an outdated or niche plugin, this case involves a supply‑chain style compromise: the official distribution of plugins that many customers trust. That forces defenders to review logs across large numbers of installations, hunt for suspicious connections and check file integrity on instances that may otherwise look fully up to date.
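One way to run the file-integrity check described above, as an added example that is not part of the original article: hash every file in a plugin directory against a baseline manifest taken from a known-good copy, so that files changed or added by a tampered update stand out even when the plugin version looks current. The plugin tree below is constructed inside a temporary directory, and the plugin slug is hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def compare_manifests(baseline, current):
    """Report files added, removed or modified relative to the trusted baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo():
    """Constructed sample: baseline a tiny fake plugin, then simulate a tampered update."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = Path(tmp) / "example-pro-plugin"  # hypothetical plugin slug
        (plugin / "includes").mkdir(parents=True)
        (plugin / "example-pro-plugin.php").write_text("<?php // plugin bootstrap\n")
        (plugin / "includes" / "admin.php").write_text("<?php // admin screens\n")
        # Baseline taken from the known-good copy before the "update" lands.
        baseline = hash_tree(plugin)
        # Tampered update: one shipped file changes and one unexpected file appears.
        (plugin / "includes" / "admin.php").write_text("<?php // admin screens\n// extra\n")
        (plugin / "includes" / "helper.php").write_text("<?php // unexpected new file\n")
        return compare_manifests(baseline, hash_tree(plugin))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline manifest would be generated from the vendor's clean release (or a pre-incident backup) and stored outside the web root, then compared against every managed installation.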
Strategically, the backdooring of popular plugins via legitimate update mechanisms is a reminder that web security has shifted from protecting individual sites to securing entire ecosystems. Attackers increasingly target upstream software suppliers, knowing that one successful compromise can cascade into access to thousands of downstream targets. For WordPress, which powers a vast share of the global web and underpins countless small and mid‑sized businesses, the reputational and practical stakes are high.
A key takeaway is that automatic updates—long promoted as the safest option for non‑expert users—can themselves become a liability when the update channel is abused. That does not mean abandoning patching, but it does mean that plugin developers, marketplaces and site operators will have to strengthen how code is signed, reviewed and monitored before and after it reaches production sites.
The next critical signals will be how quickly updated, clean versions of the affected ShapedPlugin Pro products are released, whether major hosting providers push out detection and remediation tools, and whether any stolen WooCommerce or credential data surfaces in underground markets. Regulators and data‑protection authorities may also step in if evidence emerges that significant volumes of personal data were exposed through this compromise.