At a glance
| Actor / group | Unattributed malicious cyber actors |
| Activity | Mass exploitation of CMS flaws to deploy webshells |
| Targets / victims | WordPress and other CMS sites; many Australian SMBs |
| Scale | Global and large-scale; exact victim count not disclosed |
| Status | Public alert; no arrests; no named actor |
| Source | ASD’s ACSC alert; Five Eyes joint statement |
TL;DR
Australia’s cyber agency has warned of a large-scale CMS exploitation campaign. Attackers scan websites and plant webshells through known plugin flaws. Many small and medium Australian businesses have felt the impact.
What happened
ASD’s ACSC issued an alert about global attacks on content management systems. The actors chase public, patchable bugs in CMS software and plugins. According to the ACSC, they are “actively scanning websites for opportunities to deploy webshells.”
Most of the flaws allow unauthenticated file upload, remote code execution, SSRF, or deserialisation. The alert names many WordPress plugins, including Simple File List, Gravity Forms, and Ninja Forms. It also lists Craft CMS, Joomla JCE, MetInfo, and others. Every listed bug is public and already has a patch. Once a webshell lands, the attacker gains remote control of the server.
| Software/plugin | CVE |
|---|---|
| Simple File List (WordPress) | CVE-2025-34085/CVE-2020-36847 |
| WavePlayer (WordPress) | CVE-2025-12057 |
| BerqWP (WordPress) | CVE-2025-7443 |
| WPBookit (WordPress) | CVE-2025-7852 |
| Ninja Forms (WordPress) | CVE-2026-0740 |
| ThemeREX Addons (WordPress) | CVE-2026-1969 |
| Breeze Cache (WordPress) | CVE-2026-3844 |
| pay-uz (WordPress) | CVE-2026-31843 |
| ACF Extended (WordPress) | CVE-2025-13486 |
| Sneeit Framework | CVE-2025-6389 |
| WPvivid Backup (WordPress) | CVE-2026-1357 |
| Gravity Forms (WordPress) | CVE-2025-12352 |
| GutenKit/Hunk Companion (WordPress) | Likely CVE-2024-9234 |
| Craft CMS | CVE-2025-32432 |
| MaxSite CMS | CVE-2026-3395 |
| MetInfo CMS | CVE-2026-29014 |
| Joomla JCE | CVE-2026-48907 |
Who is behind it
The ACSC does not name a group. It refers only to “malicious cyber actors.” So attribution stays low at this stage. The pattern points to broad, opportunistic exploitation rather than one targeted crew.
Impact and scale
This CMS exploitation campaign runs worldwide, the alert says. Compromised servers give attackers several options. They can deface sites, steal user credentials, or push malware to visitors. Web server access can also become a route into the wider network.
Five Eyes agencies link the surge to AI. Their joint statement warns that AI is “accelerating the speed and scale of cyber operations.” As a result, the gap between disclosure and attack keeps shrinking.
How to stay protected
First, patch CMS software and every plugin without delay. Next, check web directories and access logs for odd files or requests. Then, treat any server with a webshell as compromised, and isolate it. Where possible, set web directories to read-only to block new uploads. Also, watch for unexpected child processes spawned by the web server. Finally, restore clean sites from a known-good backup.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.