The Australian Signals Directorate’s Australian Cyber Security Agency (ACSC) has circulated a critical alert warning Australian website owners and managers of a widespread hacking campaign targeting several vulnerabilities in WordPress-related content management systems.
“A large-scale exploitation campaign is targeting various vulnerabilities in content management systems (CMS) globally, including in Australia, with many small- to medium-sized Australian businesses impacted,” the ACSC said late on 9 July.
“As part of this campaign, malicious cyber actors are actively scanning websites for opportunities to deploy webshells, leveraging various vulnerabilities affecting CMS software and plugins. These vulnerabilities primarily allow unauthenticated file upload, remote code execution, server-side request forgery, or deserialisation.
“Once deployed, webshells can allow malicious cyber actors to remotely access and control targeted web servers.”
Once compromised, the ACSC said, the hackers engage in website defacement, credential theft, malware deployment, and exploitation of access to penetrate company networks further.
“This highly scaled global exploitation campaign demonstrates the rapidly evolving cyber risk facing organisations,” the ACSC said.
“The heads of the Five Eyes cyber security agencies recently released a joint statement highlighting how advances in AI are accelerating the speed and scale of cyber operations, reducing the time between vulnerability disclosure and exploitation.”
This is an incomplete list of the vulnerabilities currently being targeted:
- CVE-2025-34085/CVE-2020-36847: Simple File List (WordPress plugin)
- CVE-2025-12057: WavePlayer (WordPress plugin)
- CVE-2025-7443: BerqWP (WordPress plugin)
- CVE-2025-7852: WPBookit (WordPress plugin)
- CVE-2026-0740: Ninja Forms (WordPress plugin)
- CVE-2026-1969: ThemeREX Addons (WordPress plugin)
- CVE-2026-3844: Breeze Cache (WordPress plugin)
- CVE-2026-31843: pay-uz (WordPress plugin)
- CVE-2025-13486: ACF Extended (WordPress plugin)
- CVE-2026-1357: WPvivid Backup (WordPress plugin)
- CVE-2025-12352: Gravity Forms (WordPress plugin)
- CVE-2025-6389: Sneeit Framework
- CVE-2025-32432: Craft CMS
- CVE-2026-3395: MaxSite CMS
- CVE-2026-29014: MetInfo CMS
- CVE-2026-48907: Joomla JCE
For more information, including mitigation advice and steps to protect Australian websites, you can read the ACSC’s full critical alert here.
Want to see more stories from trusted news sources?Make Cyber Daily a preferred news source on Google.
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.