Introduction
A backdoor planted in ShapedPlugin LLC's Product Slider Pro for WooCommerce plugin has earned a CVSS score of 10.0, the maximum possible severity rating, allowing unauthenticated remote attackers to implant malicious software and achieve persistent access to any affected WordPress site. Making matters worse, the vendor's decision to patch the existing version in place without releasing a new version number means that site operators cannot reliably determine whether their installation is safe simply by checking the version string.
Product Slider Pro for WooCommerce is a commercial WordPress/WooCommerce plugin that enables store owners to display product carousels, sliders, and grid galleries on their sites. ShapedPlugin LLC, the developer, has been building WordPress plugins since 2015 and maintains a portfolio that includes WP Carousel, Logo Carousel, Smart Post, Easy Accordion, and several other plugins. The free version of Product Slider for WooCommerce has been listed on WordPress.org since April 2016, while the Pro version is sold through the vendor's own website at wooproductslider.io.
Technical Information
Root Cause and Vulnerability Classification
CVE-2026-49777 is classified under CWE-1284: Improper Validation of Specified Quantity in Input. CWE-1284 describes a weakness where a product receives input expected to specify a quantity (such as size, length, frequency, price, rate, number of operations, or time) but does not validate or incorrectly validates that the quantity has the required properties. CWE-1284 is a child of CWE-20 (Improper Input Validation) and can precede CWE-789 (Memory Allocation with Excessive Size Value). In the context of this CVE, the improper validation of a quantity related input parameter enabled malicious software to be implanted into the plugin, effectively creating a backdoor.
The Patchstack advisory describes the vulnerability as a backdoor that permits attackers to "gain access and exploit your website at any time they desire," including the ability to "execute a payload to inject advertisements." Patchstack explicitly warns that "any website that currently has or has had this compromised version of the plugin should be considered compromised."
CVSS Vector Breakdown
The CVSS 10.0 score reflects the worst case combination of all base metrics:
| CVSS Metric | Value | Rationale |
|---|---|---|
| Attack Vector | Network | Exploitable remotely over the internet |
| Attack Complexity | Low | Trivial exploitation, no special conditions required |
| Privileges Required | None | No authentication needed |
| User Interaction | None | No user action required for exploitation |
| Scope | Changed | Impacts beyond the vulnerable component |
| Confidentiality | High | Complete information disclosure |
| Integrity | High | Complete system integrity compromise |
| Availability | High | Complete system availability loss |
Attack Flow
Based on the Patchstack advisory and the characteristics of the vulnerability, the attack flow proceeds as follows:
-
Initial Access: An unauthenticated remote attacker sends a crafted request to the affected WordPress site running a vulnerable version of Product Slider Pro for WooCommerce. No credentials, session tokens, or user interaction are required.
-
Backdoor Activation: The planted malicious file within the plugin processes the attacker's request. The CWE-1284 classification indicates that a quantity related input parameter is improperly validated, enabling the malicious code path.
-
Payload Execution: The attacker can execute arbitrary payloads through the backdoor. Patchstack specifically mentions the ability to inject advertisements, but the backdoor's capabilities are not limited to this; full site takeover is possible given the CVSS impact ratings of High across confidentiality, integrity, and availability.
-
Persistence: The backdoor provides persistent access, meaning the attacker can return at any time without needing to re-exploit the vulnerability. This is consistent with the "Malicious Software Implanted" attack pattern described in the NVD entry.
Context from the WordPress Supply Chain Attack Landscape
While the exact malicious code in CVE-2026-49777 has not been publicly documented in detail, the April 2026 Essential Plugin supply chain attack provides a well documented reference for how WordPress plugin backdoors typically operate. In that incident, over 30 plugins were compromised after acquisition by a malicious actor through the Flippa marketplace. The backdoor methodology involved:
- A PHP deserialization backdoor using
unserialize()on data fetched from an attacker controlled server - An unauthenticated REST API endpoint configured with
permission_callback: __return_true - A phone home mechanism that downloaded additional payloads from command and control infrastructure
- Injection of malicious PHP into
wp-config.phpfor persistence - Command and control domain resolution through an Ethereum smart contract, making traditional domain takedowns ineffective
The Essential Plugin attack lay dormant for approximately 8 months (August 2025 to April 2026) before discovery, affecting hundreds of thousands of active installations across 31 plugins that were ultimately closed by WordPress.org.
Whether CVE-2026-49777 follows this exact pattern or represents a different technical approach is not yet publicly documented. The CWE-1284 classification suggests a different initial entry mechanism than the Essential Plugin's PHP deserialization approach, but the strategic outcome is identical: malicious software implanted in a trusted plugin enabling persistent unauthorized access.
The Version Verification Problem
A significant complicating factor is the vendor's patching approach. ShapedPlugin applied a fix to the existing version 3.5.3 release without publishing a new version number. This means that two installations both reporting "version 3.5.3" could be in entirely different security states: one running the compromised code and one running the patched code. Standard WordPress update mechanisms and version based vulnerability scanners cannot distinguish between the two. Patchstack treats this as an unpatched version for precisely this reason.
Affected Systems and Versions
The vulnerability affects Product Slider Pro for WooCommerce by ShapedPlugin LLC:
- Affected versions: All versions from the initial release through version 3.5.2
- Version 3.5.3 status: Ambiguous. The vendor applied a fix to the existing 3.5.3 release without issuing a new version number. Installations reporting version 3.5.3 may or may not contain the fix, depending on when the plugin files were downloaded.
- Plugin slug:
woo-product-slider-pro - Distribution channel: Commercial plugin sold through wooproductslider.io (not listed on the WordPress.org plugin directory)
The free version of Product Slider for WooCommerce (slug: woo-product-slider), which is distributed through WordPress.org, is a separate product. The CVE specifically references the Pro (commercial) version.
Vendor Security History
ShapedPlugin LLC has accumulated 5 published CVE records since 2024, with an average CVSS base score of 6.2. Prior to CVE-2026-49777, the vendor had zero entries in CISA's Known Exploited Vulnerabilities catalog and zero known public exploits.
| Metric | Value |
|---|---|
| Published CVEs (since 2024) | 5 |
| Average CVSS Score (prior CVEs) | 6.2 |
| CISA KEV Entries | 0 |
| Known Public Exploits (prior) | 0 |
| CVE-2026-49777 CVSS | 10.0 |
The jump from an average of 6.2 to a perfect 10.0 is notable. A backdoor vulnerability is qualitatively different from the types of issues (typically cross site scripting or access control flaws) that produce scores in the 6.x range. This suggests either a compromise of the vendor's development or distribution pipeline, or a deliberate insertion of malicious code, rather than an ordinary coding error.
The vendor's decision to patch version 3.5.3 in place without releasing a new version number also raises concerns about their release management practices. Standard security practice requires that patches be released under a new, distinguishable version number to enable both automated and manual version based vulnerability detection.
References
- Patchstack Advisory: Backdoor in WordPress Product Slider Pro for WooCommerce Plugin
- NVD (National Vulnerability Database)
- CWE-1284: Improper Validation of Specified Quantity in Input
- ShapedPlugin LLC Vulnerability History
- Product Slider for WooCommerce (Free Version) on WordPress.org
- ShapedPlugin LLC WordPress.org Profile
- ShapedPlugin About Us
- ShapedPlugin Plugin Portfolio
- Someone Bought 30 WordPress Plugins and Planted a Backdoor in All of Them
- CISA Known Exploited Vulnerabilities Catalog
- CWE-1284 on Mondoo
- Critical Supply Chain Attack on EssentialPlugin WordPress Suite



