GBHackers

Attackers Exploit WordPress Plugin Vulnerabilities for Remote Code Execution and Webshell Access


A large-scale exploitation campaign is actively weaponising known vulnerabilities across multiple content management systems, with WordPress plugins forming the primary attack surface.

Cyber actors are scanning the internet for vulnerable sites and chaining unauthenticated file upload, remote code execution (RCE), server-side request forgery (SSRF) and deserialization vulnerabilities to deploy webshells that grant persistent remote access.

Small and medium Australian businesses among organisations worldwide have already seen tangible impact as threat operators rapidly convert disclosures into operational compromise.

Once a webshell is established, adversaries can remotely execute commands, pivot to internal networks, deploy additional malware, exfiltrate data and harvest credentials entered by site users.

Immediate mitigation and incident response must assume compromise until proven otherwise. ASD’s ACSC guidance is clear: inspect web directories for anomalous files, particularly inside plugin folders.

Review web access logs for suspicious GET or POST requests targeting typical webshell paths; and treat any server with a discovered webshell as compromised isolate, preserve logs, and perform a full audit of authentication and network activity.

Operators have repurposed compromised sites for defacement, scam hosting, and as footholds for wider intrusion. The speed and scale of this campaign echo warnings from the heads of the Five Eyes cyber security agencies, who recently highlighted.ACSC said.

Investigators should trace initial access events, look for persistence mechanisms, and search for lateral movement and exfiltration indicators.

WordPress Plugin Vulnerabilities

Restore from recent known-good backups when possible, and remove or quarantine identified malware and persistence artifacts prior to returning services online.

Software/pluginCVE
Simple File List (WordPress)CVE-2025-34085/CVE-2020-36847
WavePlayer (WordPress)CVE-2025-12057
BerqWP (WordPress)CVE-2025-7443
WPBookit (WordPress)CVE-2025-7852
Ninja Forms (WordPress)CVE-2026-0740
ThemeREX Addons (WordPress)CVE-2026-1969
Breeze Cache (WordPress)CVE-2026-3844
pay-uz (WordPress)CVE-2026-31843
ACF Extended (WordPress)CVE-2025-13486
Sneeit FrameworkCVE-2025-6389
WPvivid Backup (WordPress)CVE-2026-1357
Gravity Forms (WordPress)CVE-2025-12352
GutenKit/Hunk Companion (WordPress)Likely CVE-2024-9234
Craft CMSCVE-2025-32432
MaxSite CMSCVE-2026-3395
MetInfo CMSCVE-2026-29014
Joomla JCECVE-2026-48907

Preventive measures remain straightforward and effective. Apply vendor patches promptly these are public CVEs with available fixes and consider automatic patching where rollback is manageable.

Organisations that host public-facing CMS instances should prioritise discovery of affected components, accelerate patching, and treat any unexplained web activity as potentially malicious.

Disable or remove plugins with active exploitation until patched. Harden web servers by making web directories read-only where feasible, restricting file and path access, and monitoring or blocking unapproved file creation.

Implement process monitoring to detect unexpected child processes spawned by webserver binaries and consider application control to limit executable processes on internet-facing hosts.

Finally, segment and restrict network communications between web servers and internal systems to reduce the blast radius of a compromised site.

Stop Accepting SLAs Written for 2019 SOCs – Here’s the 2026 AI SLA Vendor Checklist – Download Free AI SOC SLA Guide



Source link