
Description

Multiple Shaped Pro WordPress plugins, namely smart-post-show-pro before 4.0.2, Real Testimonials Pro before 3.2.5, and Product Slider for WooCommerce Pro before 3.5.3, were distributed with malicious code through the vendor's compromised update server, allowing unauthenticated attackers to deploy a second-stage payload that exfiltrates credentials and other sensitive data and grants full control of affected sites.

PUBLISHED Reserved 2026-06-03 | Published 2026-06-24 | Updated 2026-06-24 | Assigner WPScan

Problem types

CWE-912 Hidden Functionality

Product status

Default status
unaffected

4.0.1 (semver) before 4.0.2
affected

Default status
unaffected

3.2.4 (semver) before 3.2.5
affected

Default status
unaffected

3.5.2 (semver) before 3.5.3
affected

Credits

Mike Gozdiskowski finder

WPScan coordinator

References

wpscan.com/...rability/160ee7f7-91b6-4cce-9462-837130621402/ exploit vdb-entry technical-description

cve.org (CVE-2026-10735)

nvd.nist.gov (CVE-2026-10735)
