Global attack targets WordPress and Joomla websites
Could hackers already be inside your CMS?

Mystery man in silhouette red with binary code background. Kmatta/Getty.
- The ACSC warned hackers are globally targeting websites built with CMS platforms such as WordPress and Joomla.
- Attackers are using software and plugin flaws to install webshells that let them control web servers remotely.
- Small and medium-sized Australian businesses have been affected, while organizations worldwide have also been targeted.
- The ACSC urged organizations to update CMS tools, inspect logs, restrict access, and restore clean backups if compromised.
Key Takeaways by nexos.ai, reviewed by Cybernews staff.
The Australia Cyber Security Centre (ACSC) has issued a warning that hackers have launched a global exploitation campaign targeting websites that are built with content management systems like WordPress and Joomla.
“As part of this campaign, malicious cyber actors are actively scanning websites for opportunities to deploy webshells, leveraging various vulnerabilities affecting CMS software and plugins. These vulnerabilities primarily allow unauthenticated file upload, remote code execution, server-side request forgery, or deserialization,” the cybersecurity agency states in a press release.
Once deployed, webshells allow attackers to remotely access and control targeted web servers. Threat actors can take websites offline, deface them with political messages, steal sensitive or personal data that is stored on web servers, upload malware, or use the web server access for broader network compromise.
The software and plugins that are currently being exploited include WordPress and Joomla Content Editor (JCE). In addition, the attackers also exploit vulnerabilities in Craft CMS, MaxSite CMS, and MetInfo CMS, as well as a Common Vulnerability Exposure (CVE) in Sneeit Framework.
As of writing, many small and medium-sized Australian businesses have been impacted by the campaign. According to the ACSC, numerous organizations around the world have been targeted.
The ACSC stresses that the global exploitation campaign demonstrates the rapidly evolving cyber risk facing organizations, shortening the time window to act when vulnerabilities come to light.
The cybersecurity agency recommends inspecting access and network logs, checking existing accounts, and restoring a previous, clean backup in the event of indications of a hack.
Stay updated with our latest stories and follow us on social media
Be the first to discover new stories, ideas, and updates from our team.
It’s also recommended to verify that both the CMS itself and used extensions and plugins are up-to-date, to block or monitor file creation on the web server where possible, to restrict access to paths and files, to monitor for new processes, and to apply network segmentation.
Last month, intelligence agencies from Australia, Canada, New Zealand, the United Kingdom, and the United States warned that advanced AI technology will accelerate and speed up the scale of cyber operations.
“Cyber resilience is not an IT issue: it is central to operational continuity and market trust. Leaders who act now will reduce exposure, strengthen resilience, and build confidence with customers, partners, and investors. Those who delay will face growing and avoidable risk,” the agencies said.