CVE Catalog

CVE-2026-10735

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.39%

31th percentile - higher than 31% of all known CVEs

Summary

WordPress plugins such as Shapedsmart-post-show-pro, Real Testimonials Pro, and Product Slider for WooCommerce before specified versions contained malicious code. They were distributed through the vendor's compromised update server, allowing unauthenticated attackers to deploy a second-stage attack.

Risk Assessment

Organizations using these plugins are at risk of credential theft and other sensitive data, potentially leading to full control over compromised sites.

Recommendation

It is recommended to immediately update the plugins to the latest versions and conduct a security audit of the websites to identify and remove potential threats.

Original NVD description (English source)

Multiple Shapedsmart-post-show-pro WordPress plugin before 4.0.2, Real Testimonials Pro WordPress plugin before 3.2.5, Product Slider for WooCommerce Pro WordPress plugin before 3.5.3 Pro smart-post-show-pro WordPress plugin before 4.0.2, Real Testimonials Pro WordPress plugin before 3.2.5, Product Slider for WooCommerce Pro WordPress plugin before 3.5.3 were distributed with malicious code through the vendor's compromised update server, allowing unauthenticated attackers to deploy a second-stage payload that exfiltrates credentials and other sensitive data and grants full control of affected sites.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS