CVE-2026-10735
Status: Received - Intake
Malicious Code Distributed via Compromised Update Server in ShapedPlugin Pro WordPress Plugins

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: WPScan

Description
Multiple ShapedPlugin Pro WordPress plugins (Smart Post Show Pro before 4.0.2, Real Testimonials Pro before 3.2.5, and Product Slider for WooCommerce Pro before 3.5.3) were distributed with malicious code through the vendor's compromised update server, allowing unauthenticated attackers to deploy a second-stage payload that exfiltrates credentials and other sensitive data and grants full control of affected sites.
CVSS Scores: none listed
EPSS: not evaluated (N/A)
Affected Vendors & Products (3 associated CPEs)
Vendor        Product                  Version / Range
shapedplugin  smart_post_show_pro      < 4.0.2
shapedplugin  testimonial_pro          < 3.2.5
shapedplugin  woo_product_slider_pro   < 3.5.3
CWE ID: CWE-UNKNOWN (no CWE assigned)
AI Quick Actions (AI-generated analysis)
Executive Summary

Multiple ShapedPlugin Pro WordPress plugins were distributed with malicious code through the vendor's compromised update server.

This allowed unauthenticated attackers to deploy a second-stage payload on affected sites.

The payload exfiltrates credentials and other sensitive data and grants full control of the compromised sites to the attackers.

  • Affected plugins include Smart Post Show Pro before version 4.0.2, Real Testimonials Pro before version 3.2.5, and Product Slider for WooCommerce Pro before version 3.5.3.
Impact Analysis

If your site uses any of the affected plugins, attackers can gain full control over your site.

Attackers can exfiltrate credentials and other sensitive data from your site.

This can lead to unauthorized access, data breaches, and potential further exploitation of your site and its users.

Detection Guidance

Compromise by the trojanized update can be detected by looking for the indicators listed below, which relate to the malicious code distributed through the compromised update server.

  • Check for network connections to the command-and-control server at IP address 194.76.217.28 on port 2871.
  • Look for the presence of a persistent stage file named install-persistent.php in the plugin directories.
  • Monitor for beacon endpoint activity or unusual dropper URLs associated with the affected plugins.

Suitable tooling: ss or netstat (or a tcpdump capture) to spot connections to 194.76.217.28:2871, and a file system search such as find over wp-content/plugins for install-persistent.php. The advisory gives no file hashes and no beacon or dropper URLs, so treat any copy of that file, and any unexpected outbound connection from the web server process, as suspect until proven otherwise.

Mitigation Strategies

Immediate mitigation steps include updating the affected plugins to the fixed versions released by the vendor.

  • Update Smart Post Show Pro to version 4.0.2 or later.
  • Update Real Testimonials Pro to version 3.2.5 or later.
  • Update Product Slider for WooCommerce Pro to version 3.5.3 or later.

Additionally, remove any detected malicious files such as install-persistent.php and treat a site that ran a malicious version as fully compromised: investigate for unauthorized access and data exfiltration, and rotate any credentials the payload could have exfiltrated, since updating the plugin alone does not undo an exfiltration that has already happened.
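The indicator hunt from Detection Guidance and the version verification from Mitigation Strategies, as one runnable script. This is an added example, not code from this page or from the vendor. Only the C2 address and port, the stage file name and the three fixed versions come from the advisory; the plugin directory names in PLUGIN_FIXES, the location of the plugins under wp-content/plugins, the standard "Plugin Name:" / "Version:" header in each plugin's main file and the plain dotted version strings are all assumptions you may need to adjust for your site.

```shell
#!/bin/sh
# Added example (not page or vendor code): hunts for the indicators of
# compromise named in the advisory on a WordPress install and flags the
# affected Pro plugins that are still below their fixed versions.
# Assumptions (not stated on the page): plugins live under wp-content/plugins
# with the directory names listed in PLUGIN_FIXES, the main PHP file of each
# carries a "Plugin Name:" and a "Version:" header, and versions are dotted numbers.
set -u

C2_IP="194.76.217.28"
C2_PORT="2871"
STAGE_FILE="install-persistent.php"
# slug:fixed-version pairs; the slugs are assumed, the versions are from the advisory
PLUGIN_FIXES="smart-post-show-pro:4.0.2 testimonial-pro:3.2.5 woo-product-slider-pro:3.5.3"

# version_lt A B: exit 0 when dotted version A is strictly lower than B.
# An empty A (header missing) compares as 0, so it is flagged rather than skipped.
version_lt() {
    v1=$1 v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        x=${v1%%.*}; y=${v2%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $v1 in *.*) v1=${v1#*.} ;; *) v1= ;; esac
        case $v2 in *.*) v2=${v2#*.} ;; *) v2= ;; esac
    done
    return 1
}

# plugin_version FILE: print the value of the "Version:" header line.
plugin_version() {
    grep -m1 '^[[:space:]*]*Version:' "$1" | sed 's/.*Version:[[:space:]]*//' | tr -d '\r'
}

# check_plugin_versions PLUGINS_DIR: print one VULNERABLE line per affected
# plugin still below its fixed version; exit 0 if any was found, 1 otherwise.
check_plugin_versions() {
    hit=1
    for entry in $PLUGIN_FIXES; do
        slug=${entry%%:*}; fixed=${entry#*:}
        [ -d "$1/$slug" ] || continue
        main=$(grep -l 'Plugin Name:' "$1/$slug"/*.php 2>/dev/null | head -n 1)
        [ -n "$main" ] || continue
        installed=$(plugin_version "$main")
        if version_lt "$installed" "$fixed"; then
            echo "VULNERABLE $slug ${installed:-unknown} < $fixed"
            hit=0
        fi
    done
    return $hit
}

# find_stage_files DIR: list every copy of the persistent stage file under DIR.
find_stage_files() {
    find "$1" -type f -name "$STAGE_FILE" 2>/dev/null
}

# grep_c2_connections: filter "ss -ntp" / "netstat -ntp" output on stdin down to
# sockets whose peer is the C2 address and port; exit 0 only if there is one.
grep_c2_connections() {
    ip_re=$(printf '%s' "$C2_IP" | sed 's/\./\\./g')
    grep -E "[[:space:]]$ip_re:$C2_PORT([[:space:]]|\$)"
}

# hunt PLUGINS_DIR: run all three checks against a live install.
hunt() {
    echo "== plugins below fixed version"
    check_plugin_versions "$1" || echo "none"
    echo "== stage files under $1"
    find_stage_files "$1"
    echo "== live sockets to $C2_IP:$C2_PORT"
    { command -v ss >/dev/null && ss -ntp || netstat -ntp; } 2>/dev/null | grep_c2_connections || echo "none"
}

# Usage: sh hunt.sh --run /var/www/html/wp-content/plugins
if [ "${1:-}" = "--run" ]; then
    hunt "${2:-/var/www/html/wp-content/plugins}"
fi
```

The socket check only sees connections that are open at the moment it runs, so a beacon that connects briefly and disconnects will be missed; pair it with a tcpdump capture or firewall logs filtered on the same address and port. The version check deliberately flags a plugin whose header cannot be read rather than skipping it, because a tampered package is exactly the case where the header may be missing.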
