Australia warns of a global campaign exploiting CMS flaws to deploy webshells on WordPress, Joomla, and other websites.Australia’s Signals Directorate has issued an alert about a large-scale exploitation campaign actively targeting content management systems (CMS) worldwide, with many small and medium-sized Australian businesses already hit. Attackers are scanning websites for known vulnerabilities, deploying webshells to gain persistent remote access, and using compromised servers as a base for broader attacks.“A large-scale exploitation campaign is targeting various vulnerabilities in content management systems (CMS) globally, including in Australia, with many small to medium sized Australian businesses impacted.” reads the alert published by the Australia’s Signals Directorate.“As part of this campaign, malicious cyber actors are actively scanning websites for opportunities to deploy webshells, leveraging various vulnerabilities affecting CMS software and plugins. These vulnerabilities primarily allow unauthenticated file upload, remote code execution, server side request forgery or deserialisation.”The list of targeted software covers 17 CVEs across WordPress plugins including Ninja Forms, Gravity Forms, WPvivid Backup, Breeze Cache, and GutenKit, as well as standalone CMS platforms including Craft CMS, Joomla, and MaxSite CMS. All of the vulnerabilities are public and patched — which means every successful attack here is hitting someone who didn’t update.Below is the list of software, plugins and CVEs being exploited: Software/pluginCVESimple File List (WordPress)CVE-2025-34085/CVE-2020-36847WavePlayer (WordPress)CVE-2025-12057BerqWP (WordPress)CVE-2025-7443WPBookit (WordPress)CVE-2025-7852Ninja Forms (WordPress)CVE-2026-0740ThemeREX Addons (WordPress)CVE-2026-1969Breeze Cache (WordPress)CVE-2026-3844pay-uz (WordPress)CVE-2026-31843ACF Extended (WordPress)CVE-2025-13486Sneeit FrameworkCVE-2025-6389WPvivid Backup (WordPress)CVE-2026-1357Gravity Forms (WordPress)CVE-2025-12352GutenKit/Hunk Companion (WordPress)Likely CVE-2024-9234Craft CMSCVE-2025-32432MaxSite CMSCVE-2026-3395MetInfo CMSCVE-2026-29014Joomla JCECVE-2026-48907“Once deployed, webshells can allow malicious cyber actors to remotely access and control targeted web servers.” continues the alert. “Malicious cyber actors may leverage compromised web servers for several purposes, including:Website defacement or disruptionCapturing credentials entered by website users or other data stored on web serversUploading additional malware to target and scam legitimate website usersUsing web server access as a pathway for broader network compromise“The pivot-to-broader-network angle is the one that turns a compromised WordPress site into a corporate incident.The ACSC is connecting this campaign to a trend the Five Eyes agencies flagged recently: AI is shortening the window between vulnerability disclosure and active exploitation. “This highly scaled global exploitation campaign demonstrates the rapidly evolving cyber risk facing organisations.” continues the alert. “The heads of the Five Eyes cyber security agencies recently released a joint statement highlighting how advances in AI are accelerating the speed and scale of cyber operations, reducing the time between vulnerability disclosure and exploitation.”Faster scanning plus faster exploit development means the patch window is shrinking, and campaigns like this one are the evidence.For anyone running a CMS, the ACSC’s immediate advice is to check your web directories for unexpected files, especially in plugin folders, and review access logs for GET or POST requests to unusual paths. If a webshell is found, don’t just delete it and move on, trace back through logs to understand the initial exploitation, look for signs of lateral movement or additional accounts created, and restore from a known-good backup before bringing the server back online.Longer term, the advisory recommends configuring web directories as read-only where possible to block webshell deployment at the filesystem level, monitoring for unexpected child processes spawning off the web server process, and blocking unnecessary network connections between internet-facing servers and internal corporate systems. Auto-patching is worth enabling where a faulty patch can be rolled back easily. And if a third-party manages your website, the ACSC says point them at this alert and ask them directly what they’re doing about it.Follow me on Twitter: @securityaffairs and Facebook and MastodonPierluigi Paganini(SecurityAffairs – hacking, CMS)