A large-scale cyber campaign is actively exploiting known vulnerabilities in content management systems (CMS), with WordPress plugins being the primary target. Attackers are scanning the internet for vulnerable websites and quickly exploiting unpatched systems.
How the Attacks Work
Threat actors are abusing vulnerabilities such as:
- Unauthenticated file upload
- Remote Code Execution (RCE)
- Server-Side Request Forgery (SSRF)
- Deserialization flaws
These vulnerabilities allow attackers to upload webshells, giving them persistent remote access to compromised websites.
Impact on Organizations
Organizations worldwide, including small and medium-sized businesses, have already been affected. Once attackers gain access, they can:
- Execute commands remotely
- Install additional malware
- Steal sensitive data
- Harvest user credentials
- Move laterally within internal networks
- Use compromised websites for defacement or hosting scams
Incident Response Recommendations
If you suspect your website has been compromised, assume the system is affected until proven otherwise.
Security teams should:
- Inspect plugin directories for suspicious or unknown files.
- Review web server logs for unusual GET or POST requests.
- Isolate affected servers immediately.
- Preserve logs for forensic investigation.
- Audit user accounts, authentication logs, and network activity.
- Look for persistence mechanisms and signs of lateral movement or data exfiltration.
If a webshell is found, remove malicious files, eliminate persistence mechanisms, and restore the website from a recent trusted backup before bringing services back online.
Affected Software and Plugins
| Software / Plugin | CVE |
|---|---|
| Simple File List (WordPress) | CVE-2025-34085, CVE-2020-36847 |
| WavePlayer | CVE-2025-12057 |
| BerqWP | CVE-2025-7443 |
| WPBookit | CVE-2025-7852 |
| Ninja Forms | CVE-2026-0740 |
| ThemeREX Addons | CVE-2026-1969 |
| Breeze Cache | CVE-2026-3844 |
| pay-uz | CVE-2026-31843 |
| ACF Extended | CVE-2025-13486 |
| Sneeit Framework | CVE-2025-6389 |
| WPvivid Backup | CVE-2026-1357 |
| Gravity Forms | CVE-2025-12352 |
| GutenKit / Hunk Companion | Likely CVE-2024-9234 |
| Craft CMS | CVE-2025-32432 |
| MaxSite CMS | CVE-2026-3395 |
| MetInfo CMS | CVE-2026-29014 |
| Joomla JCE | CVE-2026-48907 |
Security Recommendations
Organizations should:
- Apply the latest security patches immediately.
- Enable automatic updates where practical.
- Identify vulnerable plugins and CMS components.
- Remove unused or unsupported plugins.
- Monitor websites for suspicious activity and unauthorized file changes.
- Investigate any unusual web traffic or unexpected server behavior promptly.
Keeping WordPress plugins and other CMS components fully updated remains the most effective way to reduce the risk of exploitation.