The Australian Cyber Safety Heart (ACSC) has issued a warning a couple of world exploitation marketing campaign concentrating on susceptible content material administration programs (CMS) and plugins.
The federal government company says quite a lot of Australian companies have already been affected by this malicious exercise, with webshells being deployed on their websites.
Internet shells present persistent entry to compromised websites, permitting attackers to disrupt providers, steal credentials, plant further malware, and penetrate deep into networks.
“A big-scale exploitation marketing campaign concentrating on varied content material administration system (CMS) vulnerabilities throughout Australia and around the globe is affecting many Australian small and medium-sized companies,” the ACSC warned.
“As a part of this marketing campaign, malicious cyber attackers are actively scanning web sites for alternatives to deploy internet shells, leveraging varied vulnerabilities affecting CMS software program and plugins.”
The company stated the exercise exploited flaws in a number of CMS platforms and plugins, together with WordPress, Craft CMS, MaxSite CMS, MetInfo CMS, and Joomla JCE. ACSC lists the next merchandise exploited within the marketing campaign:
- Easy file listing (WordPress) – CVE-2025-34085/CVE-2020-36847
- WavePlayer (WordPress) – CVE-2025-12057
- BerqWP (WordPress) – CVE-2025-7443
- WPBookit (WordPress) – CVE-2025-7852
- Ninja Kind (WordPress) – CVE-2026-0740
- ThemeREX Addon (WordPress) – CVE-2026-1969
- Breeze cache (WordPress) – CVE-2026-3844
- pay-uz (WordPress) – CVE-2026-31843
- ACF Extension (WordPress) – CVE-2025-13486
- Sneeit Framework – CVE-2025-6389
- WPvivid Backup (WordPress) – CVE-2026-1357
- Gravity Types (WordPress) – CVE-2025-12352
- GutenKit/Hunk Companion (WordPress) – Probably CVE-2024-9234
- Craft CMS – CVE-2025-32432
- MaxSite CMS – CVE-2026-3395
- MetInfo CMS – CVE-2026-29014
- Joomla JCE – CVE-2026-48907
ACSC notes that this marketing campaign could also be supported by AI, which usually helps menace actors speed up assaults and increase exploitation of recent flaws.
We advocate that web site directors apply the newest safety updates to their CMS, themes, and plugins, take away unused elements, and allow computerized updates the place attainable.
It’s also a good suggestion to make internet directories read-only if attainable, monitor for unauthorized file creation, prohibit entry to delicate directories, and block the creation of sudden youngster processes on the internet server.

Safety groups doc 54% of profitable assaults and concern a warning on solely 14%. The remaining strikes invisibly by way of the surroundings.
Picus’ whitepaper exhibits the best way to take a look at your SIEM and EDR guidelines in breach and assault simulations to make sure threats go undetected.
Get the white paper
