CRITICAL | CVE-2026-49777 | CNA: Patchstack

CVE-2026-49777: WordPress Product Slider Pro for WooCommerce plugin < 3.5.3 - Backdoor vulnerability

Improper Validation of Specified Quantity in Input vulnerability in ShapedPlugin, LLC Product Slider Pro for WooCommerce allows Malicious Software Implanted. This issue affects Product Slider Pro for WooCommerce: from n/a before 3.5.3. No patched version is available - the vendor has applied a fix to an existing release without publishing a new version. While the patch provided by the vendor is valid, releasing it under the existing version number leaves users unable to reliably determine whether they are running a patched or vulnerable installation. As a result, we treat this as an unpatched version.

Metrics

  • CVSS v3.1: 10.0
  • Severity: CRITICAL
  • Fixed in: 3.5.3
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A backdoor-class vulnerability (improper input quantity validation enabling malicious software implantation) affects ShapedPlugin LLC's Product Slider Pro for WooCommerce plugin in all versions before 3.5.3. The flaw is reachable over the network with no authentication required and no user interaction needed, making it trivially exploitable by any remote attacker. Successful exploitation allows an attacker to implant malicious code, giving full read, write, and denial-of-service capability over the affected environment. Note: the vendor applied a fix silently under the existing version number rather than publishing a new release, meaning version numbers alone cannot confirm whether a running installation is patched; HarborGuard tracks this advisory and will reflect patch availability as it becomes reliably verifiable.

HarborGuard Coverage

Detection (Available)

Detection for CVE-2026-49777 is available across every HarborGuard environment: the CVE is ingested from Patchstack and upstream feeds within minutes of publication and matched against container images in customer registries and CI/CD pipelines, including custom-built WordPress or WooCommerce images that bundle this plugin. Coverage extends to any image layer containing the affected plugin files, not just base images.

Triage (Available)

Triage is available with a CVSS v3.1 base score of 10.0 (Critical), surfaced alongside per-environment compliance policy weighting so high-risk findings route to the appropriate team inbox within each customer organization. Because the vendor patched silently under the same version number, HarborGuard flags affected version ranges explicitly rather than relying solely on version-string matching.

Patch (Available)

Because the vendor has not published a formally versioned patched release, HarborGuard re-checks the advisory on every ingest cycle and will make a verified patched-image rebuild available the moment a reliably distinguishable fixed release is confirmed upstream. For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads will trigger automatically once a trustworthy fix version is resolvable.

Exploit Conditions

  • Network reachability: Required

    The vulnerability is exposed over the network (AV:N), meaning an attacker must be able to reach the WordPress/WooCommerce HTTP endpoint to exploit it.

  • Authentication: Not required

    No credentials or account of any privilege level are needed (PR:N); the exploit is available to any unauthenticated remote party.

  • Victim interaction: Not required

    No user action such as clicking a link or opening a file is required (UI:N); the attacker triggers exploitation entirely on their own.

  • Attack complexity: Low

    Attack complexity is low (AC:L), meaning the exploit is reliable and repeatable without needing to meet special conditions, race timing, or specific memory layout.

Blast Radius

  • An attacker implants arbitrary malicious code (backdoor software) directly into the WordPress installation, gaining persistent execution capability on the host.
  • Full confidentiality impact (C:H with scope change S:C) means the attacker reads any data accessible to the web server process, including database credentials, session tokens, customer order records, and payment metadata stored or accessible by WooCommerce.
  • Full integrity impact (I:H with scope change) means the attacker modifies any data the web server process can write, including product listings, order records, user accounts, and plugin files across the WordPress installation.
  • Full availability impact (A:H with scope change) means the attacker disrupts or completely crashes the affected service, taking down the storefront and any co-hosted workloads reachable from the compromised process.

How HarborGuard Handles This

Available on HarborGuard: because the vendor silently patched this Critical (CVSS 10.0) backdoor vulnerability under the existing version number without publishing a new release, version-string comparison alone is not a reliable signal. HarborGuard continuously re-checks the Patchstack advisory and upstream plugin metadata on every ingest cycle, and a verified patched-image rebuild will become available the moment a distinguishable fixed release is confirmed. For customers who opt into auto-remediation, that rebuild will immediately trigger a regression test run and a PR opened against affected workloads. In the interim, compensating controls available to consider include network-policy rules that restrict inbound HTTP access to the WooCommerce endpoint to known IP ranges, egress filtering to limit lateral movement from a compromised container, and disabling the Product Slider Pro plugin at the feature-flag or plugin-management level until a verifiable clean version is available. Where compliance policy permits, HarborGuard can flag any image containing the affected plugin version range as a blocking finding in CI/CD pipelines, preventing promotion of vulnerable images to production.


Fix available: 3.5.3
Affected packages
  • ShapedPlugin, LLC / Product Slider Pro for WooCommerce: < 3.5.3 (from n/a)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H