Australia’s Cyber Security Centre has issued a critical alert for a large-scale campaign that is exploiting known content management system and plugin vulnerabilities to plant webshells on websites worldwide.[1] The warning matters beyond Australia because the agency says the scanning and exploitation are global, with small and medium-sized businesses already affected.
The campaign is not built around one mystery zero-day. ACSC says attackers are leaning on public flaws in CMS software and plugins, especially bugs that enable unauthenticated file upload, remote code execution, server-side request forgery, or deserialization.[1] That makes the immediate response straightforward for site owners: identify whether the listed products are present, patch or disable exposed components, and check the server for files that should not exist.
ACSC’s list includes several WordPress plugins and CMS products: Simple File List, WavePlayer, BerqWP, WPBookit, Ninja Forms, ThemeREX Addons, Breeze Cache, pay-uz, ACF Extended, Sneeit Framework, WPvivid Backup, Gravity Forms, GutenKit/Hunk Companion, Craft CMS, MaxSite CMS, MetInfo CMS, and Joomla JCE.[1] BleepingComputer separately summarized the same campaign on July 11, noting that the compromised sites can be used for credential theft, disruption, additional malware delivery, or deeper network access.[2]
For howtofix.guide readers, the practical point is that a webshell is often the start of the incident, not the end. If a vulnerable plugin allowed a PHP file to land in a writable directory, the attacker may still have a route back in after the obvious file is removed. Recent CMS incidents on this site show the same pattern in narrower form, including Joomla JCE exploitation, the MetInfo CMS RCE case, and the KnowledgeDeliver Godzilla web shell incident.
What website owners should check first
Start with an inventory. Confirm whether any of the ACSC-listed CMS products, themes, or plugins are installed, including inactive copies, staging sites, old backups exposed under the web root, and forgotten subdomains. Patch supported components immediately. If a patch is unavailable or the plugin is no longer needed, disable it and remove the files rather than merely deactivating it in the admin panel.
Next, inspect for webshell behavior. ACSC recommends checking web directories for abnormal file changes, especially inside vulnerable plugin directories, then reviewing access logs for GET or POST requests to suspicious file paths.[1] On WordPress hosts, pay attention to recently modified PHP files under wp-content/uploads/, plugin upload folders, cache directories, and theme directories. On Joomla and other CMS platforms, look for unexpected PHP files in media, image, cache, temporary, and extension folders.
If a webshell is found, treat the server as compromised. Isolate the site, preserve logs, remove or quarantine malicious files, and review authentication logs, newly created accounts, outbound connections, scheduled tasks, and unexpected web server child processes. A clean backup may be faster and safer than trying to surgically delete every malicious file, but restoring a backup only helps if the vulnerable plugin is patched before the site returns online.
Site operators should also reduce the next compromise window. Make web directories read-only where practical, monitor file creation outside approved deployment paths, restrict direct access to sensitive directories, block unnecessary outbound connections from the web server, and keep a tested rollback path for automatic security updates. The campaign’s scale is the warning: once a CMS flaw becomes easy to scan for, attackers do not need to know your organization before they try your website.
References
- Australian Cyber Security Centre. “Large-scale exploitation campaign targeting website content management systems (CMS).” First published July 9, 2026. cyber.gov.au
- BleepingComputer. “Australia warns of global campaign targeting vulnerable CMS platforms.” Published July 11, 2026. bleepingcomputer.com
Leave a Comment