Published: Fri 10 July 2026
Prepared by: Brandon Sawyer, Vulnerability Analyst
On 9 July 2026, Australian Cyber Security Centre (ACSC) has issued a critical alert regarding a large scale global exploitation campaign targeting Content Management Systems (CMS) and associated plugins. The campaign is impacting organisations worldwide, including Australian businesses, and is particularly affecting small and medium sized enterprises.
This bulletin aims to raise awareness of the active exploitation activity, identify vulnerable software, outline potential impacts, and provide detection and mitigation guidance for website administrators and security teams.
Threat actors are actively scanning internet-facing websites and exploiting known vulnerabilities in CMS platforms and plugins. A CMS is a software platform used to create, manage, and publish website content. Popular CMS platforms include WordPress, Joomla, and Craft CMS. These platforms often rely on third-party plugins and extensions to provide additional functionality. Most commonly, threat actors are exploiting vulnerabilities to enable:
Unauthenticated file uploads
Remote Code Execution (RCE)
Server-Side Request Forgery (SSRF)
Insecure deserialisation attacks
Successful exploitation allows attackers to deploy webshells, providing persistent remote access and control over compromised web servers. The ACSC has noted that publicly disclosed vulnerabilities are being weaponised rapidly, with AI contributing to a reduced timeframe between vulnerability disclosure and exploitation.
Affected Vulnerabilities
The following CMS platforms and plugins have been identified as being actively exploited in this campaign:
| Software/Plugin | CVE |
| Simple File List (WordPress) | CVE-2025-34085/CVE-2020-36847 |
| WavePlayer (WordPress) | CVE-2025-12057 |
| BerqWP (WordPress) | CVE-2025-7443 |
| WPBookit (WordPress) | CVE-2025-7852 |
| Ninja Forms (WordPress) | CVE-2026-0740 |
| ThemeREX Addons (WordPress) | CVE-2026-1969 |
| Breeze Cache (WordPress) | CVE-2026-3844 |
| pay-uz (WordPress) | CVE-2026-31843 |
| ACF Extended (WordPress) | CVE-2025-13486 |
| Sneeit Framework | CVE-2025-6389 |
| WPvivid Backup (WordPress) | CVE-2026-1357 |
| Gravity Forms (WordPress) | CVE-2025-12352 |
| GutenKit/Hunk Companion (WordPress) | CVE-2024-9234* |
| Craft CMS | CVE-2025-32432 |
| MaxSite CMS | CVE-2026-3395 |
| MetInfo CMS | CVE-2026-29014 |
| Joomla JCE | CVE-2026-48907 |
* Reported by the ACSC as likely to be affected.
Once deployed, webshells can provide attackers with persistent access to a web server and may enable several malicious activities, including:
Website defacement or service disruption.
Theft of credentials entered by users or stored on the server.
Installation of additional malware.
Distribution of malicious content to website visitors.
Data theft and exfiltration.
Establishment of persistence mechanisms.
Use of the compromised web server as an initial foothold for broader network compromise and lateral movement.
The Five Eyes cyber security agencies have assessed that advances in AI are increasing the speed, scale and sophistication of cyber attacks, reducing the time organisations have to detect and remediate vulnerable systems.
The ACSC is recommending organisations should perform the following activities to identify potential compromise:
In line with the Five Eyes guidance, organisations should accelerate patch management processes, reduce their attack surface, strengthen identity and access controls, address legacy systems, and regularly test incident response plans to improve cyber resilience. The ACSC also recommends the following actions to reduce risk and prevent reinfection:
If a service provider maintains your website, it is recommended that you direct them to the information supplied in this bulletin or the official ACSC bulletin.
All customers with our Monitor service (24x7x365 Managed Detection and Response) are, as always, being monitored for IOCs and Lateral Movement, with heightened vigilance around CMS related alerts. Triskele Labs SOC customers with our Vulnerability Scanning service are currently being assessed for exposure to the vulnerabilities referenced in this bulletin.