Australia Alerts Organizations to Ongoing CMS Exploitation Attacks

Australia warns of a global campaign exploiting CMS flaws to deploy webshells on WordPress, Joomla, and other websites.
Australia’s Signals Directorate has issued an alert about a large-scale exploitation campaign actively targeting content management systems (CMS) worldwide, with many small and medium-sized Australian businesses already hit. Attackers are scanning websites for known vulnerabilities, deploying webshells to gain persistent remote access, and using compromised servers as a base for broader attacks.
“A large-scale exploitation campaign is targeting various vulnerabilities in content management systems (CMS) globally, including in Australia, with many small to medium sized Australian businesses impacted.” reads the alert published by the Australia’s Signals Directorate.
“As part of this campaign, malicious cyber actors are actively scanning websites for opportunities to deploy webshells, leveraging various vulnerabilities affecting CMS software and plugins. These vulnerabilities primarily allow unauthenticated file upload, remote code execution, server side request forgery or deserialisation.”
The list of targeted software covers 17 CVEs across WordPress plugins including Ninja Forms, Gravity Forms, WPvivid Backup, Breeze Cache, and GutenKit, as well as standalone CMS platforms including Craft CMS, Joomla, and MaxSite CMS. All of the vulnerabilities are public and patched — which means every successful attack here is hitting someone who didn’t update.
Below is the list of software, plugins and CVEs being exploited:
| Software/plugin | CVE |
|---|---|
| Simple File List (WordPress) | CVE-2025-34085/CVE-2020-36847 |
| WavePlayer (WordPress) | CVE-2025-12057 |
| BerqWP (WordPress) | CVE-2025-7443 |
| WPBookit (WordPress) | CVE-2025-7852 |
| Ninja Forms (WordPress) | CVE-2026-0740 |
| ThemeREX Addons (WordPress) | CVE-2026-1969 |
| Breeze Cache (WordPress) | CVE-2026-3844 |
| pay-uz (WordPress) | CVE-2026-31843 |
| ACF Extended (WordPress) | CVE-2025-13486 |
| Sneeit Framework | CVE-2025-6389 |
| WPvivid Backup (WordPress) | CVE-2026-1357 |
| Gravity Forms (WordPress) | CVE-2025-12352 |
| GutenKit/Hunk Companion (WordPress) | Likely CVE-2024-9234 |
| Craft CMS | CVE-2025-32432 |
| MaxSite CMS | CVE-2026-3395 |
| MetInfo CMS | CVE-2026-29014 |
| Joomla JCE | CVE-2026-48907 |
“Once deployed, webshells can allow malicious cyber actors to remotely access and control targeted web servers.” continues the alert. “Malicious cyber actors may leverage compromised web servers for several purposes, including:
- Website defacement or disruption
- Capturing credentials entered by website users or other data stored on web servers
- Uploading additional malware to target and scam legitimate website users
- Using web server access as a pathway for broader network compromise“
The pivot-to-broader-network angle is the one that turns a compromised WordPress site into a corporate incident.
The ACSC is connecting this campaign to a trend the Five Eyes agencies flagged recently: AI is shortening the window between vulnerability disclosure and active exploitation.
“This highly scaled global exploitation campaign demonstrates the rapidly evolving cyber risk facing organisations.” continues the alert. “The heads of the Five Eyes cyber security agencies recently released a joint statement highlighting how advances in AI are accelerating the speed and scale of cyber operations, reducing the time between vulnerability disclosure and exploitation.”
Faster scanning plus faster exploit development means the patch window is shrinking, and campaigns like this one are the evidence.
For anyone running a CMS, the ACSC’s immediate advice is to check your web directories for unexpected files, especially in plugin folders, and review access logs for GET or POST requests to unusual paths.
If a webshell is found, don’t just delete it and move on, trace back through logs to understand the initial exploitation, look for signs of lateral movement or additional accounts created, and restore from a known-good backup before bringing the server back online.
Longer term, the advisory recommends configuring web directories as read-only where possible to block webshell deployment at the filesystem level, monitoring for unexpected child processes spawning off the web server process, and blocking unnecessary network connections between internet-facing servers and internal corporate systems.
Auto-patching is worth enabling where a faulty patch can be rolled back easily. And if a third-party manages your website, the ACSC says point them at this alert and ask them directly what they’re doing about it.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, CMS)
