WP-SHELLSTORM: An Exposed Server Reveals a WordPress Backdoor Operation — What to Check This Week

A padlock icon cracked open beside code brackets, representing 25,195 WordPress and Joomla sites confirmed backdoored

Researchers at SOCRadar found a rented server sitting wide open on the internet — no password, no access controls — and inside it, roughly 800MB of someone else's hacking operation: webshells, exploit scripts, scan results, and the operator's own command history. The crew behind it, which researchers are calling WP-SHELLSTORM, had been running an automated campaign that breaks into websites at scale, plants a hidden backdoor on each one, and sells that access on to other criminals.

The target lists on the server named 1.4 million domains. Not all of those were successfully breached, but SOCRadar validated at least 25,195 sites that were actually backdoored. The toolkit covered 27 known vulnerabilities, and two did most of the damage: a flaw in the Breeze WordPress caching plugin (CVE-2026-3844), fired at over 45,000 sites and successfully backdooring more than 17,000 of them, and a maximum-severity bug in the Joomla JCE editor (CVE-2026-48907) that's also on the US government's list of vulnerabilities known to be under active attack.

What makes this worth your attention isn't sophistication — there's no zero-day here. Every one of the 27 bugs was already public and already had a patch available. The operators simply pointed automated scanners at a target list big enough that "already patched" versus "still vulnerable" did the sorting for them.

What this means for your business

If your site runs on WordPress or Joomla, this is a plugin-hygiene problem, not a "rebuild everything" problem:

  • If you use the Breeze caching plugin, update to version 2.4.5 or later. The bug is specifically tied to a "Host Files Locally — Gravatars" setting, so it's worth confirming that setting either way.
  • If you run Joomla with the JCE editor, update to 2.9.99.5 or later — this one is on the actively-exploited list, so treat it as urgent rather than routine.
  • More broadly: check that every plugin and theme on your site is current, and remove any you're not actively using. Old, forgotten plugins are exactly what campaigns like this one are built to find.
  • If you want to check for existing compromise, ask whoever manages your hosting to look for unfamiliar files with names like .bd.php or .wp-log.php — filenames the operators used to disguise their backdoors as system files.

None of this needs new tooling or a big budget — it's an update-and-audit pass most hosting providers or dev teams can do in under an hour. The risk isn't that this particular campaign is advanced; it's that it proves outdated plugins are still enough to lose control of a website with no skill required on the attacker's part.

Questions about your own setup? support@techleetsolutions.com
Sources: The Hacker News, SOCRadar