Global CMS Exploitation Campaign Targets Unpatched Websites
A large-scale cyberattack campaign is actively targeting Content Management System (CMS) websites worldwide, with threat actors scanning for unpatched software and vulnerable plugins. Once exploited, attackers deploy malicious webshells to gain remote control over compromised systems, enabling website defacement, credential theft, and malware distribution.
The campaign has impacted organizations globally, particularly small- to medium-sized businesses, and reflects a broader trend identified by the Five Eyes cybersecurity agencies the increasing use of artificial intelligence to accelerate cyber operations. This shift has drastically reduced the time between a vulnerability’s public disclosure and its exploitation in the wild.
Attackers primarily exploit flaws allowing unauthenticated file uploads, remote code execution, server-side request forgery, or unsafe deserialization. Known vulnerabilities in popular WordPress plugins including Simple File List (CVE-2025-34085), WavePlayer (CVE-2025-12057), and Ninja Forms (CVE-2026-0740) have been weaponized in this campaign.
Once a webshell is deployed, hackers use it to disrupt operations, steal sensitive data, and distribute additional malware to unsuspecting visitors. Compromised servers may also serve as a foothold for deeper network infiltration.
The Australian Signals Directorate’s Australian Cyber Security Center (ASD’s ACSC) has urged administrators to proactively inspect CMS environments, as the rapid automation of attacks is shrinking the window for manual remediation. Organizations are advised to adopt continuous monitoring, automated security updates, and strict access controls to mitigate risks.
Source: https://cyberpress.org/hackers-exploit-cms-websites/
Ninja Forms TPRM report: https://www.rankiteo.com/company/cyber-ninjas
Simple File List TPRM report: https://www.rankiteo.com/company/wpmet
"id": "cybwpm1783600441",
"linkid": "cyber-ninjas, wpmet",
"type": "Vulnerability",
"date": "7/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'location': 'Global',
'type': 'Small- to medium-sized businesses'}],
'attack_vector': ['Unauthenticated file uploads',
'Remote code execution',
'Server-side request forgery',
'Unsafe deserialization'],
'data_breach': {'type_of_data_compromised': 'Sensitive data, credentials'},
'description': 'A large-scale cyberattack campaign is actively targeting '
'Content Management System (CMS) websites worldwide, with '
'threat actors scanning for unpatched software and vulnerable '
'plugins. Once exploited, attackers deploy malicious webshells '
'to gain remote control over compromised systems, enabling '
'website defacement, credential theft, and malware '
'distribution.',
'impact': {'data_compromised': 'Sensitive data',
'operational_impact': 'Disrupted operations',
'systems_affected': 'CMS websites (WordPress and plugins)'},
'initial_access_broker': {'backdoors_established': 'Webshells'},
'lessons_learned': 'The rapid automation of attacks is shrinking the window '
'for manual remediation, necessitating proactive security '
'measures.',
'motivation': ['Disruption of operations',
'Data theft',
'Malware distribution',
'Network infiltration'],
'post_incident_analysis': {'corrective_actions': ['Proactive inspection of '
'CMS environments',
'Automated security updates',
'Strict access controls'],
'root_causes': ['Unpatched CMS software',
'Vulnerable plugins']},
'recommendations': ['Adopt continuous monitoring',
'Implement automated security updates',
'Enforce strict access controls',
'Proactively inspect CMS environments'],
'references': [{'source': 'Australian Signals Directorate’s Australian Cyber '
'Security Center (ASD’s ACSC)'},
{'source': 'Five Eyes cybersecurity agencies'}],
'response': {'enhanced_monitoring': 'Continuous monitoring',
'remediation_measures': ['Proactive inspection of CMS '
'environments',
'Automated security updates',
'Strict access controls']},
'title': 'Global CMS Exploitation Campaign Targets Unpatched Websites',
'type': 'Exploitation Campaign',
'vulnerability_exploited': ['CVE-2025-34085 (Simple File List)',
'CVE-2025-12057 (WavePlayer)',
'CVE-2026-0740 (Ninja Forms)']}