CVE-2026-10735
Deferred Deferred - Pending Action

Cross-Site Scripting in Shapedsmart-post-show-pro WordPress Plugin

Vulnerability report for CVE-2026-10735, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: WPScan

Description

Multiple Shapedsmart-post-show-pro WordPress plugin before 4.0.2, Real Testimonials Pro WordPress plugin before 3.2.5, Product Slider for WooCommerce Pro WordPress plugin before 3.5.3 Pro smart-post-show-pro WordPress plugin before 4.0.2, Real Testimonials Pro WordPress plugin before 3.2.5, Product Slider for WooCommerce Pro WordPress plugin before 3.5.3 were distributed with malicious code through the vendor's compromised update server, allowing unauthenticated attackers to deploy a second-stage payload that exfiltrates credentials and other sensitive data and grants full control of affected sites.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-07-14
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
shapedplugin smart_post_show_pro to 4.0.2 (exc)
shapedplugin testimonial_pro to 3.2.5 (exc)
shapedplugin woo_product_slider_pro to 3.5.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows unauthenticated attackers to deploy malicious payloads that exfiltrate credentials and other sensitive data from affected WordPress sites.

The unauthorized access and data exfiltration could lead to violations of data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information.

Organizations using the affected plugins may face compliance risks due to potential data breaches resulting from this vulnerability.

Executive Summary

Multiple ShapedPlugin Pro WordPress plugins were distributed with malicious code through the vendor's compromised update server.

This allowed unauthenticated attackers to deploy a second-stage payload on affected sites.

The payload exfiltrates credentials and other sensitive data and grants full control of the compromised sites to the attackers.

  • Affected plugins include Smart Post Show Pro before version 4.0.2, Real Testimonials Pro before version 3.2.5, and Product Slider for WooCommerce Pro before version 3.5.3.
Impact Analysis

If your site uses any of the affected plugins, attackers can gain full control over your site.

Attackers can exfiltrate credentials and other sensitive data from your site.

This can lead to unauthorized access, data breaches, and potential further exploitation of your site and its users.

Detection Guidance

This vulnerability can be detected by looking for indicators of compromise related to the malicious code distributed through the compromised update server.

  • Check for network connections to the command-and-control server at IP address 194.76.217.28 on port 2871.
  • Look for the presence of a persistent stage file named install-persistent.php in the plugin directories.
  • Monitor for beacon endpoint activity or unusual dropper URLs associated with the affected plugins.

Suggested commands might include network monitoring tools like netstat or tcpdump to detect connections to the suspicious IP and port, and file system searches to find the install-persistent.php file.

Mitigation Strategies

Immediate mitigation steps include updating the affected plugins to the fixed versions released by the vendor.

  • Update Smart Post Show Pro to version 4.0.2 or later.
  • Update Real Testimonials Pro to version 3.2.5 or later.
  • Update Product Slider for WooCommerce Pro to version 3.5.3 or later.

Additionally, remove any detected malicious files such as install-persistent.php and investigate any unauthorized access or data exfiltration.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10735. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart