Stealthy Webshell Attacks Target Vulnerable CMS Platforms
As an automated, potentially AI-assisted campaign scans for flawed plugins, small businesses face a severe rise in stealthy webshell attacks.
For thousands of small and medium-sized businesses, a website is not just a digital storefront but the very lifeblood of daily operations. Yet, beneath the polished user interfaces of modern web design lies a complex, often fragile ecosystem of plugins, templates, and content management code. When these components fail, the consequences are immediate and devastating. Security defenses are quietly bypassed as automated scanners scour the internet, looking for the tiniest crack in a site's digital mortar. This silent intrusion transforms legitimate business platforms into launching pads for deeper network infiltration, proving that even minor software oversights can invite global security crises.
The vulnerability of Content Management Systems (CMS) is a historical soft spot in enterprise security. Platforms like WordPress and Joomla have democratized web development, allowing organizations of all sizes to build robust web presences without writing code from scratch. However, this accessibility has created a massive, highly fragmented attack surface. Because many of these sites rely heavily on third-party plugins developed by independent programmers, they frequently suffer from inconsistent patching schedules and security oversight. Threat actors have long recognized that compromising a single widely used plugin is far more efficient than target-by-target hacking, casting a wide net across the global internet.
This systemic risk has manifested in a coordinated global offensive. The Australian Cyber Security Centre (ACSC) recently issued an urgent warning detailing how malicious groups are actively exploiting these structural weaknesses. According to the government agency, numerous businesses have already seen their systems compromised. To establish persistent footholds, attackers are deploying webshells—malicious scripts that grant threat actors the ability to bypass authentication, harvest user credentials, install secondary malware payloads, and navigate laterally into deeper corporate networks.
In their official advisory, the ACSC warns: “A large-scale exploitation campaign is targeting various vulnerabilities in content management systems (CMS) globally, including in Australia, with many small- to medium-sized Australian businesses impacted,” and notes that, “As part of this campaign, malicious cyber actors are actively scanning websites for opportunities to deploy webshells, leveraging various vulnerabilities affecting CMS software and plugins.”
The scope of this campaign spans multiple prominent content management platforms and an array of specific plugins. The ACSC identified key targets including WordPress, Craft CMS, MaxSite CMS, MetInfo CMS, and Joomla JCE. The specific vulnerabilities being actively leveraged include:
- Simple File List (WordPress) – CVE-2025-34085/CVE-2020-36847
- WavePlayer (WordPress) – CVE-2025-12057
- BerqWP (WordPress) – CVE-2025-7443
- WPBookit (WordPress) – CVE-2025-7852
- Ninja Forms (WordPress) – CVE-2026-0740
- ThemeREX Addons (WordPress) – CVE-2026-1969
- Breeze Cache (WordPress) – CVE-2026-3844
- pay-uz (WordPress) – CVE-2026-31843
- ACF Extended (WordPress) – CVE-2025-13486
- Sneeit Framework – CVE-2025-6389
- WPvivid Backup (WordPress) – CVE-2026-1357
- Gravity Forms (WordPress) – CVE-2025-12352
- GutenKit/Hunk Companion (WordPress) – likely CVE-2024-9234
- Craft CMS – CVE-2025-32432
- MaxSite CMS – CVE-2026-3395
- MetInfo CMS – CVE-2026-29014
- Joomla JCE – CVE-2026-48907
An examination of the threat landscape reveals a highly systematic assault strategy targeting 5 major CMS platforms, focusing on a list of 17 distinct software packages containing security flaws. The dominance of WordPress-related items in this list—comprising 12 of the 17 vulnerable components—underscores the disproportionate threat faced by users of the world’s most popular site-building tool. Notably, the vulnerabilities span across multiple years, ranging from older exploits like CVE-2020-36847 up to modern 2025 and 2026 designations such as CVE-2026-48907. Furthermore, the agency pointed out that the campaign might be supported by AI, which typically helps threat actors accelerate attacks and scale the exploitation of emerging flaws.
For businesses operating online, this campaign serves as a stark reminder that security is only as strong as its weakest third-party integration. When a web server is hijacked via a webshell, the compromise rarely remains isolated to the website itself; it frequently serves as the initial entry point for devastating ransomware campaigns or corporate espionage. To mitigate these risks, organizations must adopt a more proactive defensive posture. Administrators are urged to implement immediate updates for all CMS engines, active themes, and plugins, while purging any unused software components from their systems. Additionally, configuring web directories as read-only, aggressively monitoring for unauthorized file creations, restricting access to sensitive administrative directories, and blocking unexpected child processes on web hosts can effectively disrupt the webshell lifecycle before attackers gain a permanent foothold.