Get Started

Australian Cyber Security Centre Issues Critical Warning as Attackers Deploy Web Shells Through Known WordPress and Joomla Vulnerabilities

The Australian Cyber Security Centre classified a global web shell campaign as "critical" on July 9, 2026, warning that attackers are exploiting known vulnerabilities in WordPress plugins, Craft CMS, Joomla, and other content management systems to install persistent backdoors on sites operated by small and medium businesses, according to a security bulletin published by Igor's Lab. The authority stated numerous organizations have already been compromised.

TL;DR: Automated scans target unpatched WordPress plugins including Ninja Forms, Gravity Forms, and Breeze Cache, allowing attackers to upload malicious scripts that grant server-level control even after initial vulnerabilities are patched.

Attackers Scan for Unauthenticated File Upload and Remote Code Execution Flaws

The campaign exploits known security issues that enable unauthenticated file uploads, remote code execution, server-side request forgery, and insecure deserialization, the Australian agency reported. Attackers scan publicly accessible sites for vulnerable installations, then upload web shells—small scripts that remain accessible through the web server and execute remote commands.

The authority named 11 specific vulnerabilities under active exploitation. WordPress targets include Simple File List (CVE-2025-34085, CVE-2020-36847), WavePlayer (CVE-2025-12057), BerqWP (CVE-2025-7443), WPBookit (CVE-2025-7852), Ninja Forms File Uploads (CVE-2026-0740), ThemeREX Addons (CVE-2026-1969), Breeze Cache (CVE-2026-3844), WPvivid Backup (CVE-2026-1357), and Gravity Forms (CVE-2025-12352). Craft CMS (CVE-2025-32432) and Joomla JCE (CVE-2026-48907) also appeared on the list.

The Australian Cyber Security Centre noted the campaign scales effectively because it targets many known, fundamentally remediable vulnerabilities rather than zero-day exploits. Sites running outdated plugin versions remain exposed even when patches exist.

Dashboard screenshot showing WordPress plugin update notifications with critical security warnings highlighted in red

Ninja Forms Vulnerability Allows Arbitrary File Upload Without Authentication

CVE-2026-0740 in the WordPress plugin Ninja Forms File Uploads permits unauthenticated attackers to upload arbitrary files to the server through insufficient validation of file types, enabling remote code execution, according to the National Vulnerability Database. The vulnerability received a CVSS 3.1 score of 9.8. Version 3.3.25 contained only a partial fix; version 3.3.27 is considered fully remediated, the database shows.

Craft CMS vulnerability CVE-2025-32432 enables remote code execution across several major versions and received a CVSS score of 10.0, the highest severity rating. The flaw was closed in Craft CMS versions 3.9.15, 4.14.15, and 5.6.17, and appears in the US Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities Catalog.

Agencies managing white-label WordPress development services for multiple clients face compounded exposure when a single vulnerable plugin version runs across dozens of installations. The attack surface scales with client count.

Patching Removes Future Exposure But Does Not Eliminate Existing Backdoors

The Australian authority emphasized that updating a vulnerable plugin prevents renewed exploitation but does not remove backdoors already installed on the server. Operators should examine web directories—particularly folders associated with vulnerable plugins—for unusual or newly created files, the bulletin stated. Access logs should be reviewed for suspicious GET and POST requests to known or unusual script paths.

A server with an identified web shell must be treated as fully compromised and initially isolated, according to the agency. Operators must then examine authentication and network logs for additional activity, including newly created accounts, additional persistence mechanisms, data exfiltration, malware downloads, and suspicious connections to other systems.

The authority recommends restoring from a demonstrably clean backup only if that backup was created before the original intrusion. A backup created after the web shell installation merely preserves the malicious script in an older directory structure, the bulletin warned.

Related plugin vulnerabilities discovered in recent months underscore the persistence of this attack vector. WordPress ecosystem researchers reported 250+ weekly plugin vulnerabilities through 2026, with 43% exploitable without authentication. Recent disclosures include stored XSS in Form Vibes, credential leaks in Gravity SMTP, and data access flaws in NEX-Forms.

Australian Agency Recommends Write-Protected Web Directories and Network Segmentation

The Australian Cyber Security Centre recommends operating web directories as write-protected wherever possible. Where dynamic file creation is required, new files should be monitored and permitted only through controlled change processes, the authority stated.

Web shells often use the compromised server to start shells, scripts, or additional programs, according to the bulletin. Application control and monitoring of unusual processes can detect such activities at early stages.

Network architecture determines damage scope, the agency noted. A publicly accessible web server should not have unrestricted access to databases, file servers, administration networks, or workstation systems. Without proper segmentation, a vulnerable WordPress plugin becomes an entry point into the entire organization, the authority warned.

Agencies hiring web developers for client site maintenance must verify that security update protocols include version-specific validation—not merely "install some reasonably current release"—given that partial fixes leave sites vulnerable, as the Ninja Forms case demonstrated.

What Happens Next

Agencies operating white-label WordPress services for multiple clients should audit plugin versions across their entire portfolio within the next 48 hours, prioritizing the 11 named packages if installed. The Australian warning explicitly targets small and medium businesses—the client segment most digital agencies serve—and the authority's use of "critical" classification indicates active exploitation rather than theoretical risk.

Incident response protocols must distinguish between patching (which prevents future attacks) and remediation (which removes backdoors already installed). Agencies lacking server-level forensic capabilities should document their white-label partners' incident response procedures before compromise occurs, including log retention policies, file integrity monitoring, and backup verification processes. Partner vetting scorecards that skip these technical controls create liability exposure when client sites are compromised.

The campaign's industrial scale—combining numerous known vulnerabilities with automated scanning—suggests attackers are targeting volume rather than individual high-value sites. Agencies managing 50+ client sites face multiplicative risk when a single vulnerable plugin version runs across the portfolio. Centralized update management that tracks version-specific CVE remediation becomes operationally critical above that client count threshold.