What’s going on (spoiler: not good)
Australia’s cyber folks have flagged a worldwide campaign that’s been poking at websites built on popular content management systems. Attackers are scanning for weak spots in CMSs and plugins, then planting tiny digital squatters—webshells—to keep a backdoor open. Once inside, they can muck about: steal credentials, drop more malware, or wander deeper into a network like uninvited guests at a buffet.
The campaign touches multiple CMS families and a long list of plugins and components. The activity appears broad and opportunistic, and the defenders suspect attackers may be using automated tools (and maybe a sprinkle of AI) to speed things up and hit more targets.
Affected products called out include:
- Simple File List (WordPress) – CVE-2025-34085 / CVE-2020-36847
- WavePlayer (WordPress) – CVE-2025-12057
- BerqWP (WordPress) – CVE-2025-7443
- WPBookit (WordPress) – CVE-2025-7852
- Ninja Forms (WordPress) – CVE-2026-0740
- ThemeREX Addons (WordPress) – CVE-2026-1969
- Breeze Cache (WordPress) – CVE-2026-3844
- pay-uz (WordPress) – CVE-2026-31843
- ACF Extended (WordPress) – CVE-2025-13486
- Sneeit Framework – CVE-2025-6389
- WPvivid Backup (WordPress) – CVE-2026-1357
- Gravity Forms (WordPress) – CVE-2025-12352
- GutenKit / Hunk Companion (WordPress) – likely CVE-2024-9234
- Craft CMS – CVE-2025-32432
- MaxSite CMS – CVE-2026-3395
- MetInfo CMS – CVE-2026-29014
- Joomla JCE – CVE-2026-48907
How to stop the party crashers
If you manage a website, now’s not the time to be casual. These are straightforward, practical moves you can make to reduce the chance of waking up to a surprise webshell.
- Apply updates to your CMS core, themes, and plugins promptly. Many compromises happen because someone skipped an update that fixed a known flaw.
- Remove or disable plugins and themes you aren’t using. Less code = fewer attack surfaces. Yes, delete the dusty ones.
- Use automatic updates where it makes sense, especially for minor and security releases.
- Make web directories read-only when possible and monitor for unexpected file creation or modification.
- Harden access to sensitive directories (limit IPs, enforce strong passwords, and require multi-factor authentication for admin accounts).
- Block unexpected spawning of child processes from the web server and watch for unusual execution behavior.
- Keep offline backups, rotate credentials after a suspected compromise, and run file-integrity checks regularly.
- Consider a web application firewall (WAF) and routine scans for known indicators of compromise.
- Have an incident response plan so you know who does what if a webshell or other malware is found.
In short: tighten things up, update often, and watch the logs. If attackers are automating their scans and exploiting known CVEs, the best defense is removing easy targets and catching the weird stuff early.