Published: Fri 10 July 2026
Prepared by: Brandon Sawyer, Vulnerability Analyst
Purpose
On 9 July 2026, Australian Cyber Security Centre (ACSC) has issued a critical alert regarding a large scale global exploitation campaign targeting Content Management Systems (CMS) and associated plugins. The campaign is impacting organisations worldwide, including Australian businesses, and is particularly affecting small and medium sized enterprises.
This bulletin aims to raise awareness of the active exploitation activity, identify vulnerable software, outline potential impacts, and provide detection and mitigation guidance for website administrators and security teams.
Vulnerability Information
Threat actors are actively scanning internet-facing websites and exploiting known vulnerabilities in CMS platforms and plugins. A CMS is a software platform used to create, manage, and publish website content. Popular CMS platforms include WordPress, Joomla, and Craft CMS. These platforms often rely on third-party plugins and extensions to provide additional functionality. Most commonly, threat actors are exploiting vulnerabilities to enable:
-
Unauthenticated file uploads
-
Remote Code Execution (RCE)
-
Server-Side Request Forgery (SSRF)
-
Insecure deserialisation attacks
Successful exploitation allows attackers to deploy webshells, providing persistent remote access and control over compromised web servers. The ACSC has noted that publicly disclosed vulnerabilities are being weaponised rapidly, with AI contributing to a reduced timeframe between vulnerability disclosure and exploitation.
Affected Vulnerabilities
The following CMS platforms and plugins have been identified as being actively exploited in this campaign:
| Software/Plugin | CVE |
| Simple File List (WordPress) | CVE-2025-34085/CVE-2020-36847 |
| WavePlayer (WordPress) | CVE-2025-12057 |
| BerqWP (WordPress) | CVE-2025-7443 |
| WPBookit (WordPress) | CVE-2025-7852 |
| Ninja Forms (WordPress) | CVE-2026-0740 |
| ThemeREX Addons (WordPress) | CVE-2026-1969 |
| Breeze Cache (WordPress) | CVE-2026-3844 |
| pay-uz (WordPress) | CVE-2026-31843 |
| ACF Extended (WordPress) | CVE-2025-13486 |
| Sneeit Framework | CVE-2025-6389 |
| WPvivid Backup (WordPress) | CVE-2026-1357 |
| Gravity Forms (WordPress) | CVE-2025-12352 |
| GutenKit/Hunk Companion (WordPress) | CVE-2024-9234* |
| Craft CMS | CVE-2025-32432 |
| MaxSite CMS | CVE-2026-3395 |
| MetInfo CMS | CVE-2026-29014 |
| Joomla JCE | CVE-2026-48907 |
* Reported by the ACSC as likely to be affected.
Impact
Once deployed, webshells can provide attackers with persistent access to a web server and may enable several malicious activities, including:
-
Website defacement or service disruption.
-
Theft of credentials entered by users or stored on the server.
-
Installation of additional malware.
-
Distribution of malicious content to website visitors.
-
Data theft and exfiltration.
-
Establishment of persistence mechanisms.
-
Use of the compromised web server as an initial foothold for broader network compromise and lateral movement.
The Five Eyes cyber security agencies have assessed that advances in AI are increasing the speed, scale and sophistication of cyber attacks, reducing the time organisations have to detect and remediate vulnerable systems.
Detection
The ACSC is recommending organisations should perform the following activities to identify potential compromise:
- Inspect CMS and plugin directories for suspicious, unauthorised, or recently created files that may indicate webshell deployment.
- Review web server access logs for unusual GET and POST requests, particularly to unknown files or directories.
- Analyse firewall and network logs for suspicious outbound connections.
- Investigate systems for signs of persistence, malware, lateral movement, unauthorised account creation, or data exfiltration.
- Monitor for unexpected child processes spawned from web server processes, as this is a common webshell behaviour.
Mitigation
In line with the Five Eyes guidance, organisations should accelerate patch management processes, reduce their attack surface, strengthen identity and access controls, address legacy systems, and regularly test incident response plans to improve cyber resilience. The ACSC also recommends the following actions to reduce risk and prevent reinfection:
- Immediately patch all affected CMS platforms and plugins.
- Enable automatic security updates where operationally appropriate.
- Disable vulnerable plugins until patches are available and applied.
- Treat any server containing a webshell as compromised and isolate it from the network.
- Remove or quarantine identified webshells and malware.
- Restore compromised websites from known-good backups.
- Configure web directories as read-only where possible to prevent unauthorised file creation.
- Implement monitoring and alerting for file creation and modification events.
- Restrict access to sensitive files and directories.
- Implement application control to prevent unauthorised process execution.
- Limit communication between internet-facing web servers and internal corporate networks.
If a service provider maintains your website, it is recommended that you direct them to the information supplied in this bulletin or the official ACSC bulletin.
All customers with our Monitor service (24x7x365 Managed Detection and Response) are, as always, being monitored for IOCs and Lateral Movement, with heightened vigilance around CMS related alerts. Triskele Labs SOC customers with our Vulnerability Scanning service are currently being assessed for exposure to the vulnerabilities referenced in this bulletin.
References
- https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/large-scale-exploitation-campaign-targeting-website-content-management-systems-cms
- https://www.cyber.gov.au/about-us/view-all-content/news/five-eyes-cyber-security-agencies-statement