Skip to content

Security Bulletin 4min read

Large-scale exploitation campaign targeting website content management systems (CMS)

Last update: 10 July, 2026
Tags: Security Bulletin
 Brandon Sawyer
 Brandon Sawyer

Published: Fri 10 July 2026

Prepared by: Brandon Sawyer, Vulnerability Analyst

Purpose

On 9 July 2026, Australian Cyber Security Centre (ACSC) has issued a critical alert regarding a large scale global exploitation campaign targeting Content Management Systems (CMS) and associated plugins. The campaign is impacting organisations worldwide, including Australian businesses, and is particularly affecting small and medium sized enterprises.

This bulletin aims to raise awareness of the active exploitation activity, identify vulnerable software, outline potential impacts, and provide detection and mitigation guidance for website administrators and security teams.

Vulnerability Information

Threat actors are actively scanning internet-facing websites and exploiting known vulnerabilities in CMS platforms and plugins. A CMS is a software platform used to create, manage, and publish website content. Popular CMS platforms include WordPress, Joomla, and Craft CMS. These platforms often rely on third-party plugins and extensions to provide additional functionality. Most commonly, threat actors are exploiting vulnerabilities to enable:

  • Unauthenticated file uploads

  • Remote Code Execution (RCE) 

  • Server-Side Request Forgery (SSRF)

  • Insecure deserialisation attacks

Successful exploitation allows attackers to deploy webshells, providing persistent remote access and control over compromised web servers. The ACSC has noted that publicly disclosed vulnerabilities are being weaponised rapidly, with AI contributing to a reduced timeframe between vulnerability disclosure and exploitation.

Affected Vulnerabilities
The following CMS platforms and plugins have been identified as being actively exploited in this campaign:

Software/Plugin CVE
Simple File List (WordPress)  CVE-2025-34085/CVE-2020-36847
WavePlayer (WordPress) CVE-2025-12057
BerqWP (WordPress) CVE-2025-7443
WPBookit (WordPress) CVE-2025-7852
Ninja Forms (WordPress) CVE-2026-0740
ThemeREX Addons (WordPress) CVE-2026-1969
Breeze Cache (WordPress) CVE-2026-3844
pay-uz (WordPress) CVE-2026-31843
ACF Extended (WordPress) CVE-2025-13486
Sneeit Framework CVE-2025-6389
WPvivid Backup (WordPress) CVE-2026-1357
Gravity Forms (WordPress) CVE-2025-12352
GutenKit/Hunk Companion (WordPress) CVE-2024-9234* 
Craft CMS CVE-2025-32432
MaxSite CMS CVE-2026-3395
MetInfo CMS CVE-2026-29014
Joomla JCE CVE-2026-48907

* Reported by the ACSC as likely to be affected.

Impact

Once deployed, webshells can provide attackers with persistent access to a web server and may enable several malicious activities, including:

  • Website defacement or service disruption.

  • Theft of credentials entered by users or stored on the server.

  • Installation of additional malware.

  • Distribution of malicious content to website visitors.

  • Data theft and exfiltration.

  • Establishment of persistence mechanisms.

  • Use of the compromised web server as an initial foothold for broader network compromise and lateral movement.

     

The Five Eyes cyber security agencies have assessed that advances in AI are increasing the speed, scale and sophistication of cyber attacks, reducing the time organisations have to detect and remediate vulnerable systems.

Detection

The ACSC is recommending organisations should perform the following activities to identify potential compromise:

  • Inspect CMS and plugin directories for suspicious, unauthorised, or recently created files that may indicate webshell deployment.
  • Review web server access logs for unusual GET and POST requests, particularly to unknown files or directories.
  • Analyse firewall and network logs for suspicious outbound connections.
  • Investigate systems for signs of persistence, malware, lateral movement, unauthorised account creation, or data exfiltration.
  • Monitor for unexpected child processes spawned from web server processes, as this is a common webshell behaviour.

Mitigation

In line with the Five Eyes guidance, organisations should accelerate patch management processes, reduce their attack surface, strengthen identity and access controls, address legacy systems, and regularly test incident response plans to improve cyber resilience. The ACSC also recommends the following actions to reduce risk and prevent reinfection:

  • Immediately patch all affected CMS platforms and plugins.
  • Enable automatic security updates where operationally appropriate.
  • Disable vulnerable plugins until patches are available and applied.
  • Treat any server containing a webshell as compromised and isolate it from the network.
  • Remove or quarantine identified webshells and malware.
  • Restore compromised websites from known-good backups.
  • Configure web directories as read-only where possible to prevent unauthorised file creation.
  • Implement monitoring and alerting for file creation and modification events.
  • Restrict access to sensitive files and directories.
  • Implement application control to prevent unauthorised process execution.
  • Limit communication between internet-facing web servers and internal corporate networks.

If a service provider maintains your website, it is recommended that you direct them to the information supplied in this bulletin or the official ACSC bulletin.  

All customers with our Monitor service (24x7x365 Managed Detection and Response) are, as always, being monitored for IOCs and Lateral Movement, with heightened vigilance around CMS related alerts. Triskele Labs SOC customers with our Vulnerability Scanning service are currently being assessed for exposure to the vulnerabilities referenced in this bulletin. 

 


References