Powered by MOMENTUMMEDIA
For breaking news and daily updates, subscribe to our newsletter

Critical alert! ACSC warns of ‘large-scale exploitation’ of Aussie websites

Australia’s top cyber agency says “malicious cyber actors” are targeting a raft of vulnerable WordPress plug-ins and content management systems, with SMBs in the firing line.

Fri, 10 Jul 2026
Critical alert! ACSC warns of ‘large-scale exploitation’ of Aussie websites

The Australian Signals Directorate’s Australian Cyber Security Agency (ACSC) has circulated a critical alert warning Australian website owners and managers of a widespread hacking campaign targeting several vulnerabilities in WordPress-related content management systems.

“A large-scale exploitation campaign is targeting various vulnerabilities in content management systems (CMS) globally, including in Australia, with many small- to medium-sized Australian businesses impacted,” the ACSC said late on 9 July.

“As part of this campaign, malicious cyber actors are actively scanning websites for opportunities to deploy webshells, leveraging various vulnerabilities affecting CMS software and plugins. These vulnerabilities primarily allow unauthenticated file upload, remote code execution, server-side request forgery, or deserialisation.

 
 

“Once deployed, webshells can allow malicious cyber actors to remotely access and control targeted web servers.”

Once compromised, the ACSC said, the hackers engage in website defacement, credential theft, malware deployment, and exploitation of access to penetrate company networks further.

“This highly scaled global exploitation campaign demonstrates the rapidly evolving cyber risk facing organisations,” the ACSC said.

“The heads of the Five Eyes cyber security agencies recently released a joint statement highlighting how advances in AI are accelerating the speed and scale of cyber operations, reducing the time between vulnerability disclosure and exploitation.”

This is an incomplete list of the vulnerabilities currently being targeted:

For more information, including mitigation advice and steps to protect Australian websites, you can read the ACSC’s full critical alert here.

Cyber DailyWant to see more stories from trusted news sources?
Make Cyber Daily a preferred news source on Google.
Tags:

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.