Back to Feed
Threat IntelligenceJul 11, 2026

Australia warns of global campaign targeting vulnerable CMS platforms

Australia warns of global campaign targeting vulnerable CMS platforms and plugins.

Summary

The Australian Cyber Security Centre (ACSC) has issued an alert regarding a widespread global campaign exploiting vulnerabilities in various Content Management Systems (CMS) and their plugins. Many Australian businesses have already been impacted, with threat actors deploying webshells to gain persistent access, disrupt services, and steal credentials. The ACSC suggests that AI may be supporting this campaign to accelerate attacks.

Full text

Australia warns of global campaign targeting vulnerable CMS platforms By Bill Toulas July 11, 2026 10:18 AM 0 The Australian Cyber Security Centre (ACSC) issued an alert about a global exploitation campaign targeting vulnerable content management systems (CMS) and plugins. The government agency says that many Australian businesses have already been affected by the malicious activity, with webshells being deployed on their sites. Webshells provide persistent access to the compromised sites and allow threat actors to disrupt services, steal credentials, plant additional malware, and move deeper into the network. “A large-scale exploitation campaign is targeting various vulnerabilities in content management systems (CMS) globally, including in Australia, with many small- to medium-sized Australian businesses impacted,” the ACSC warns. “As part of this campaign, malicious cyber actors are actively scanning websites for opportunities to deploy webshells, leveraging various vulnerabilities affecting CMS software and plugins.” According to the agency, the activity leverages flaws in several CMS platforms and plugins, including WordPress, Craft CMS, MaxSite CMS, MetInfo CMS, and Joomla JCE. ACSC lists the following products exploited in the campaign: Simple File List (WordPress) – CVE-2025-34085/CVE-2020-36847 WavePlayer (WordPress) – CVE-2025-12057 BerqWP (WordPress) – CVE-2025-7443 WPBookit (WordPress) – CVE-2025-7852 Ninja Forms (WordPress) – CVE-2026-0740 ThemeREX Addons (WordPress) – CVE-2026-1969 Breeze Cache (WordPress) – CVE-2026-3844 pay-uz (WordPress) – CVE-2026-31843 ACF Extended (WordPress) – CVE-2025-13486 Sneeit Framework – CVE-2025-6389 WPvivid Backup (WordPress) – CVE-2026-1357 Gravity Forms (WordPress) – CVE-2025-12352 GutenKit/Hunk Companion (WordPress) – likely CVE-2024-9234 Craft CMS – CVE-2025-32432 MaxSite CMS – CVE-2026-3395 MetInfo CMS – CVE-2026-29014 Joomla JCE – CVE-2026-48907 The ACSC noted that the campaign might be supported by AI, which typically helps threat actors accelerate attacks and scale the exploitation of emerging flaws. Website administrator are recommended to apply the latest security updates for their CMS, themes, and plugins, remove unused components, and enable automatic updates where possible. It is also recommended to make web directories read-only when possible, monitor for unauthorized file creation, restrict access to sensitive directories, and block unexpected spawning of child processes on the web server. Test every layer before attackers do Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection. Get the whitepaper Related Articles: WP Maps Pro bug exploited to create admin accounts on WordPress sitesShapedPlugin update flow hacked to infect WordPress sitesHackers exploit info disclosure bug in Gravity SMTP WordPress pluginCritical Everest Forms Pro flaw exploited to take over WordPress sitesCritical Kirki flaw exploited to hijack WordPress admin accounts

Indicators of Compromise

  • cve — CVE-2025-34085
  • cve — CVE-2020-36847
  • cve — CVE-2025-12057
  • cve — CVE-2025-7443
  • cve — CVE-2025-7852
  • cve — CVE-2026-0740
  • cve — CVE-2026-1969
  • cve — CVE-2026-3844
  • cve — CVE-2026-31843
  • cve — CVE-2025-13486
  • cve — CVE-2025-6389
  • cve — CVE-2026-1357
  • cve — CVE-2025-12352
  • cve — CVE-2024-9234
  • cve — CVE-2025-32432
  • cve — CVE-2026-3395
  • cve — CVE-2026-29014
  • cve — CVE-2026-48907

Entities

Australian Cyber Security Centre (vendor)WordPress (product)Craft CMS (product)MaxSite CMS (product)MetInfo CMS (product)Joomla (product)