The Australian Cyber Security Centre (ACSC) has issued an alert warning of a global exploitation campaign targeting vulnerable content management systems (CMS) and plugins, with numerous small- to medium-sized Australian businesses already compromised.
According to the agency, threat actors are actively scanning websites for opportunities to deploy webshells by leveraging a wide range of known vulnerabilities in CMS software and plugins. Once installed, webshells give attackers persistent access to compromised sites, allowing them to disrupt services, steal credentials, deploy additional malware, and pivot further into victim networks.
The campaign spans multiple platforms, including WordPress, Craft CMS, MaxSite CMS, MetInfo CMS, and Joomla JCE. ACSC published a list of the specific plugins and vulnerabilities being exploited:
- Simple File List (WordPress) – CVE-2025-34085 / CVE-2020-36847
- WavePlayer (WordPress) – CVE-2025-12057
- BerqWP (WordPress) – CVE-2025-7443
- WPBookit (WordPress) – CVE-2025-7852
- Ninja Forms (WordPress) – CVE-2026-0740
- ThemeREX Addons (WordPress) – CVE-2026-1969
- Breeze Cache (WordPress) – CVE-2026-3844
- pay-uz (WordPress) – CVE-2026-31843
- ACF Extended (WordPress) – CVE-2025-13486
- Sneeit Framework – CVE-2025-6389
- WPvivid Backup (WordPress) – CVE-2026-1357
- Gravity Forms (WordPress) – CVE-2025-12352
- GutenKit / Hunk Companion – likely CVE-2024-9234
- Craft CMS – CVE-2025-32432
- MaxSite CMS – CVE-2026-3395
- MetInfo CMS – CVE-2026-29014
- Joomla JCE – CVE-2026-48907
The ACSC noted that the scale and speed of the campaign suggest it may be assisted by AI tooling, which typically helps attackers accelerate scanning and scale exploitation of newly disclosed flaws across many targets simultaneously.
Recommended mitigations
The agency urges website administrators to apply the latest security updates for CMS cores, themes, and plugins, and to enable automatic updates where possible. Unused plugins and components should be removed entirely rather than left dormant.
Additional hardening steps include making web directories read-only where feasible, monitoring for unauthorized file creation, restricting access to sensitive directories, and blocking unexpected child process spawning on web servers, a common indicator of webshell activity.
Given the breadth of affected plugins and platforms, organizations running any of the listed software should treat patching as urgent and audit their sites for signs of existing compromise.
