Australia's ACSC names 18 CMS bugs under exploitation
Australia's ACSC named 18 CVEs across WordPress plugins, Craft CMS, Joomla JCE, and more as active exploitation targets, with attackers dropping webshells.
On July 11, the Australian Cyber Security Centre issued an advisory warning of what it called a large-scale, global exploitation campaign against content management systems — WordPress plugins, Craft CMS, Joomla, MaxSite CMS, MetInfo, and the Sneeit Framework — with attackers dropping webshells for persistent access to compromised sites. The advisory names roughly eighteen CVEs by number, and the practical guidance in it is one line: apply the security updates that already exist, remove plugins you are not using, and turn on automatic updates where the CMS supports them.
Analysis, not incident reporting. The CVE list, the tactic descriptions, and the mitigation advice are all sourced to the ACSC advisory and to BleepingComputer’s coverage; the framing here is commentary on what a national cyber authority publishing a “please patch your plugins” list in the middle of 2026 says about where the CMS attack surface is.
The list
The WordPress plugin side is a catalogue of what plugin vulnerabilities have looked like for the last decade — file uploaders, form builders, backup tools, cache modules, page-builder addons. CVE-2024-9234, a CVSS 9.8 flaw in GutenKit and Hunk Companion, is on the ACSC’s list two years after disclosure. CVE-2026-0740 in Ninja Forms — a plugin that ships on hundreds of thousands of sites — is on there this week. Gravity Forms, WPvivid Backup, ACF Extended, Breeze Cache, ThemeREX Addons, WavePlayer, BerqWP, WPBookit, pay-uz, and Simple File List with two different CVE numbers because the same plugin has been broken more than once. None of it is exotic. It is the boring middle of the WordPress plugin ecosystem, the one nobody who runs a site can quite remember installing.
The non-WordPress side of the list is a useful reminder that this is a CMS story, not just a WordPress one. Craft CMS’s CVE-2025-32432 is on there at CVSS 10.0. Joomla’s JCE editor is on there again — CISA already added two more Joomla file-upload holes to KEV earlier today. MaxSite CMS and MetInfo — a Russian and a Chinese-market CMS respectively that most Western defenders will not have on any inventory — are on the list. The Sneeit Framework, a plugin framework rather than a plugin, is on the list. The common thread across all of it is the same: the code was published, someone found a bug, the maintainer shipped a fix, and installations kept running the old version.
What the ACSC is not saying
There is no attribution. The ACSC does not name a threat actor and does not tie the campaign to a single crew. The TTPs it does describe are generic — webshells for persistence, then credential theft, secondary payload deployment, lateral movement — because a mass CMS compromise campaign has looked more or less exactly like this since the mid-2000s. There is a straight line from the mass WordPress defacement operations of the early 2010s to WP-SHELLSTORM’s twenty-seven-CVE scanner, whose open directory a researcher pulled apart last week, to the ACSC’s list today. Different servers, different plugin names, largely overlapping CVE numbers, the same funnel: enormous target list, small stuck-conversion rate, cheap enough per attempted host that the operator makes money anyway.
What is worth noting is who is being told what. The ACSC issues advisories primarily for Australian government agencies and critical-infrastructure operators. It is telling those operators, in July 2026, that a large enough share of the sites they are responsible for is running unpatched CMS plugins that a global-scale automated exploitation campaign is worth flagging at the national level. That is a statement about the input side of the funnel, not the output.
The input side, again
The mitigation advice at the end of the advisory is unremarkable and correct: patch, remove plugins you are not using, enable auto-updates where possible, make web directories read-only where you can, monitor for unauthorized file creation, and block child-process spawns you do not expect. There is nothing in any of it that a WordPress admin in 2015 would not recognise. That is the point.
If you run a site of any consequence on any of the CMSes named — WordPress with plugins, Craft, Joomla, MaxSite, MetInfo, or the Sneeit Framework — the useful move this week is the same one it has been for a decade: reconcile the list of things you have installed against the list of things that have shipped updates, and remove the ones you never actually used. Whoever is running the campaign the ACSC just named will move on to a different set of CVEs when this one stops paying. The pattern will not.
Related coverage on 0dayNews:
- WP-SHELLSTORM ran 22 days with its door left open — the same funnel, seen from inside an exposed C2 server.
- CISA adds Balbooa Forms and iCagenda to KEV — two more Joomla file-upload holes catalogued today.
- CISA’s KEV Langflow and Joomla page-builder additions — a different Joomla component, same catalogue effect.
Found this useful? Share it.