Global CMS Exploitation Campaign Targets Australian Businesses, Warns ACSC
The **Australian Cyber Security Centre (ACSC)** has issued a critical alert regarding an extensive global exploitation campaign. This campaign is actively targeting vulnerable Content Management Systems (CMS) and their associated plugins, with numerous Australian small to medium-sized businesses already compromised through the deployment of webshells.

The **ACSC** has uncovered a widespread, malicious campaign exploiting weaknesses in various **CMS** platforms and plugins worldwide. This activity has directly impacted Australian businesses, where attackers are deploying webshells to gain persistent access.
### The Threat of Webshells
Webshells are potent tools that grant threat actors continuous access to compromised websites. Once established, they enable a range of malicious activities, including service disruption, credential theft, further malware implantation, and lateral movement deeper into an organization's network.
"A large-scale exploitation campaign is targeting various vulnerabilities in content management systems (CMS) globally, including in Australia, with many small- to medium-sized Australian businesses impacted," the **ACSC** stated in its advisory.
"As part of this campaign, malicious cyber actors are actively scanning websites for opportunities to deploy webshells, leveraging various vulnerabilities affecting CMS software and plugins."
### Targeted Platforms and Vulnerabilities
The campaign leverages known flaws across several prominent **CMS** platforms and their plugins. Key targets include **WordPress**, **Craft CMS**, **MaxSite CMS**, **MetInfo CMS**, and **Joomla JCE**. The **ACSC** has provided a list of specific products and their associated Common Vulnerabilities and Exposures (**CVE**) identifiers being exploited:
* **Simple File List** (WordPress) β **CVE-2025-34085** / **CVE-2020-36847**
* **WavePlayer** (WordPress) β **CVE-2025-12057**
* **BerqWP** (WordPress) β **CVE-2025-7443**
* **WPBookit** (WordPress) β **CVE-2025-7852**
* **Ninja Forms** (WordPress) β **CVE-2026-0740**
* **ThemeREX Addons** (WordPress) β **CVE-2026-1969**
* **Breeze Cache** (WordPress) β **CVE-2026-3844**
* **pay-uz** (WordPress) β **CVE-2026-31843**
* **ACF Extended** (WordPress) β **CVE-2025-13486**
* **Sneeit Framework** β **CVE-2025-6389**
* **WPvivid Backup** (WordPress) β **CVE-2026-1357**
* **Gravity Forms** (WordPress) β **CVE-2025-12352**
* **GutenKit** / **Hunk Companion** (WordPress) β likely **CVE-2024-9234**
* **Craft CMS** β **CVE-2025-32432**
* **MaxSite CMS** β **CVE-2026-3395**
* **MetInfo CMS** β **CVE-2026-29014**
* **Joomla JCE** β **CVE-2026-48907**
### AI-Assisted Attacks
The **ACSC** suggests that Artificial Intelligence (AI) may be supporting this campaign. AI can significantly accelerate attack operations and enhance the scalability of exploiting newly discovered vulnerabilities, posing an even greater challenge for defenders.
### Recommendations for Website Administrators
To mitigate the risk, the **ACSC** urges website administrators to implement several key security measures:
* **Apply Updates Promptly**: Ensure all **CMS** core software, themes, and plugins are updated to the latest security versions.
* **Remove Unused Components**: Deactivate and remove any themes or plugins that are no longer in use.
* **Enable Automatic Updates**: Where feasible, configure automatic updates to ensure timely patching.
* **Restrict File System Permissions**: Make web directories read-only whenever possible.
* **Monitor for Anomalies**: Actively monitor for unauthorized file creation within web directories.
* **Control Access**: Restrict access to sensitive directories on the web server.
* **Prevent Unexpected Processes**: Implement measures to block the unexpected spawning of child processes on the web server.