Australian businesses are being warned about a large-scale cyberattack campaign targeting websites built on popular content management systems, including WordPress, Joomla and Craft CMS.
According to a critical security alert published by ASD’s Australian Cyber Security Centre, attackers are actively scanning websites for known vulnerabilities in CMS platforms and plugins.
A number of Australian small and medium-sized businesses have already been affected.
Read the full government advisory: Find Out More
How Are Websites Being Compromised?
The attackers are exploiting publicly known software vulnerabilities that may allow them to upload malicious files, remotely execute commands or gain unauthorised access to parts of a website.
Once access is obtained, attackers may install a webshell.
A webshell is a malicious file that gives an attacker ongoing remote access to the website’s server.
A compromised website could then be used to:
- Deface, redirect or disrupt the website
- Steal login credentials or customer information
- Upload malware or scam content
- Redirect visitors to malicious websites
- Gain access to other devices or systems connected to the server
Which CMS Platforms and Plugins Are Affected?
The campaign is targeting vulnerabilities across several content management systems. A significant number of the identified vulnerabilities affect WordPress plugins.
| Software or Plugin | Identified Vulnerability |
|---|---|
| Simple File List for WordPress | CVE-2025-34085 and CVE-2020-36847 |
| WavePlayer for WordPress | CVE-2025-12057 |
| BerqWP | CVE-2025-7443 |
| WPBookit | CVE-2025-7852 |
| Ninja Forms | CVE-2026-0740 |
| ThemeREX Addons | CVE-2026-1969 |
| Breeze Cache | CVE-2026-3844 |
| pay-uz | CVE-2026-31843 |
| ACF Extended | CVE-2025-13486 |
| Sneeit Framework | CVE-2025-6389 |
| WPvivid Backup | CVE-2026-1357 |
| Gravity Forms | CVE-2025-12352 |
| GutenKit or Hunk Companion | Likely CVE-2024-9234 |
| Craft CMS | CVE-2025-32432 |
| MaxSite CMS | CVE-2026-3395 |
| MetInfo CMS | CVE-2026-29014 |
| Joomla JCE | CVE-2026-48907 |
Website owners should check whether any of these products are installed.
However, the absence of these specific plugins does not mean a website is completely protected. All CMS software, themes and plugins should be reviewed and kept up to date.
What Should Website Owners Do?
Website owners and administrators should take the following actions as soon as possible:
- Update the CMS, themes and pluginsInstall all available security updates and remove software that is no longer maintained.
- Disable vulnerable pluginsIf a security update is unavailable, disable and remove the affected plugin until a fix is released.
- Look for unexpected filesCheck website and plugin directories for recently created or modified PHP files that were not added by an authorised administrator.
- Review website access logsInvestigate unusual GET or POST requests, unfamiliar IP addresses and repeated access to unknown file paths.
- Check administrator accountsRemove unexpected accounts and reset passwords for website administrators, hosting accounts, databases and related services.
- Enable multi-factor authenticationUse MFA for website administrators and hosting control panels wherever it is supported.
- Review server activityLook for unexpected processes, outbound network connections, malware or signs that an attacker has attempted to access other systems.
- Maintain reliable backupsKeep regular, tested backups that are stored separately from the website server.
What If a Webshell Is Found?
A server containing a webshell should be treated as fully compromised.
Simply deleting the suspicious file may not remove the attacker. Additional accounts, scheduled tasks, modified website files or other persistence methods may have been created.
The affected server should be isolated while the incident is investigated.
Website owners should review authentication logs, website activity, server processes and network connections to determine how the compromise occurred and what the attacker accessed.
Where the integrity of the website cannot be confirmed, the safest recovery method may be to rebuild or restore the website from a recent known-good backup before applying all available security updates.
Reducing the Risk of Future Website Attacks
Businesses can further reduce their exposure by:
- Enabling automatic security updates where appropriate
- Removing unused plugins, themes and administrator accounts
- Restricting write access within website directories
- Monitoring unexpected file changes
- Using a web application firewall
- Separating internet-facing web servers from internal business systems
- Monitoring for unusual processes launched by the web server
- Using a reputable managed hosting or website maintenance provider
Need Help Checking Your Website?
If your business uses WordPress or another content management system, now is a good time to confirm that your website, plugins, hosting environment and backups are properly secured.
Accel IT can assist with website security reviews, plugin and CMS updates, malware investigations, backups and recovery following a suspected website compromise.
Contact Accel IT if you are concerned that your website may be vulnerable or has already been compromised.
Reference
This article is based on security guidance published by ASD’s Australian Cyber Security Centre.
Large-scale exploitation campaign targeting website content management systems:
https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/large-scale-exploitation-campaign-targeting-website-content-management-systems-cms
