Malicious Code Distribution in Shapedsmart-post-show-pro, Real Testimonials Pro, and Product Slider for WooCommerce Plugins
CVE-2026-10735

Currently unrated

Key Information:

Vendor: WordPress
Status: Smart-post-show-pro; Real Testimonials Pro; Product Slider For WooCommerce Pro
Vendor: CVE Published:; 24 June 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-10735?

The Shapedsmart-post-show-pro, Real Testimonials Pro, and Product Slider for WooCommerce Pro WordPress plugins have been compromised through a vendor's update server, allowing attackers to inject malicious code. This vulnerability enables unauthenticated users to execute a second-stage payload capable of exfiltrating sensitive data, including user credentials, and granting them full control over compromised WordPress sites.

Affected Version(s)

Product Slider for WooCommerce Pro 3.5.2 < 3.5.3

Real Testimonials Pro 3.2.4 < 3.2.5

smart-post-show-pro 4.0.1 < 4.0.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-10735 - Proof of Concept

References

https://wpscan.com/vulnerability/160ee7f7-91b6-4cce-9462-...

exploitvdb-entrytechnical-description

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Jun 24, 2026
👾
Exploit known to exist
Jun 24, 2026
Vulnerability published
Jun 24, 2026
Vulnerability Reserved
Jun 3, 2026

Credit

Mike Gozdiskowski

WPScan

CVE-2026-10735 Data

JSON