This alert is relevant to all Australian website owners or website managers. This alert is intended for a technical audience.
Background
A large-scale exploitation campaign is targeting various vulnerabilities in content management systems (CMS) globally, including in Australia, with many small to medium sized Australian businesses impacted.
As part of this campaign, malicious cyber actors are actively scanning websites for opportunities to deploy webshells, leveraging various vulnerabilities affecting CMS software and plugins. These vulnerabilities primarily allow unauthenticated file upload, remote code execution, server side request forgery or deserialisation.
Once deployed, webshells can allow malicious cyber actors to remotely access and control targeted web servers. Malicious cyber actors may leverage compromised web servers for several purposes, including:
- Website defacement or disruption
- Capturing credentials entered by website users or other data stored on web servers
- Uploading additional malware to target and scam legitimate website users
- Using web server access as a pathway for broader network compromise
The software, plugins and CVEs being exploited include:
| Software/plugin | CVE |
|---|---|
| Simple File List (WordPress) | CVE-2025-34085/CVE-2020-36847 |
| WavePlayer (WordPress) | CVE-2025-12057 |
| BerqWP (WordPress) | CVE-2025-7443 |
| WPBookit (WordPress) | CVE-2025-7852 |
| Ninja Forms (WordPress) | CVE-2026-0740 |
| ThemeREX Addons (WordPress) | CVE-2026-1969 |
| Breeze Cache (WordPress) | CVE-2026-3844 |
| pay-uz (WordPress) | CVE-2026-31843 |
| ACF Extended (WordPress) | CVE-2025-13486 |
| Sneeit Framework | CVE-2025-6389 |
| WPvivid Backup (WordPress) | CVE-2026-1357 |
| Gravity Forms (WordPress) | CVE-2025-12352 |
| GutenKit/Hunk Companion (WordPress) | Likely CVE-2024-9234 |
| Craft CMS | CVE-2025-32432 |
| MaxSite CMS | CVE-2026-3395 |
| MetInfo CMS | CVE-2026-29014 |
| Joomla JCE | CVE-2026-48907 |
This highly scaled global exploitation campaign demonstrates the rapidly evolving cyber risk facing organisations. The heads of the Five Eyes cyber security agencies recently released a joint statement highlighting how advances in AI are accelerating the speed and scale of cyber operations, reducing the time between vulnerability disclosure and exploitation.
Immediate mitigation advice
ASD’s ACSC recommends that website owners confirm whether their servers have been impacted and remediate accordingly, by following the steps below:
- Inspect your CMS for webshells. Examine the web directory for abnormal changes to internet facing files. If you determine your webserver has a particular vulnerable plugin, also check for the creation of abnormal files in the plugin directory.
- Examine your web access logs for any IP addresses making GET or POST requests to any webshell paths.
- Treat servers with identified webshells as compromised, isolate them and perform an audit of authentication and network logging for malicious events and network connections.
- Look back in time to trace any suspicious web requests that may make up the initial exploitation and deployment of any webshells.
- Review network logs (such as on edge firewalls) for interactions with any of the identified IP addresses seen communicating with the webshells.
- Investigate logging and hosts for evidence of persistence, lateral movement or other malicious actions. This may include the creation of additional accounts, exfiltration attempts or the deployment of malware.
- Patch vulnerable systems to prevent re-infection. If webshells or other malware are identified, remove or quarantine them. Remove any persistence mechanisms, and ensure the device is safe before bringing it back online.
- If there are indications that websites are compromised, restore websites from a recent known-good backup.
Additional steps to protect your websites
ASD's ACSC encourages organisations to take the following steps to protect their websites:
- Ensure website software/plugins are up to date – The vulnerabilities exploited in this campaign are public and known vulnerabilities, with patches available. Organisations should limit their exposure to these vulnerabilities by ensuring that website software, as well as associated plugins, are rapidly patched and up to date.
- Consider applying all security patches automatically, if the risk of a faulty patch is acceptably low or can be rolled back easily.
- Consider disabling plugins that have an actively exploited vulnerability, until a patch or other mitigation is available and is applied.
- For internet-facing websites, consider using cloud services for which the cloud service provider is responsible for rapidly remediating vulnerabilities on the customer’s behalf.
- Monitor or block file creation – Where possible, web directories should be configured as read-only to prevent webshell deployment. If blocking file creation is not feasible, organisations should establish a formal change process and monitor for any file creation outside of approved activities. This can significantly reduce the time a malicious webshell remains active.
- Restrict file and path access – Website administrators should define which files and directories can be accessed, or explicitly identify those that are restricted. This helps prevent malicious files, including webshells, from being accessed or executed.
- Monitor for new processes – Webshells are typically used to run commands or run programs on a compromised system, and these processes (typically referred to as child processes) will spawn off the process running the webserver. Organisations should prevent or closely monitor unexpected child processes to detect and limit malicious activity. This can substantially reduce the effectiveness of a deployed web shell.
- Consider implementing application control on internet-facing websites, to restrict the execution of child processes and other software to an organisation-approved set.
- Limit broader network compromise – Block unnecessary network communication between internet-facing websites and other corporate computing devices.
If a service provider maintains your website, point them to this alert and review our guidance for small and medium businesses on defending against AI-enabled cyber attacks for additional questions to ask.
Where to get help
Organisations that have been impacted, suspect impact or require advice and assistance can notify us via www.cyber.gov.au/report.