The Australian Cyber Security Centre (ACSC) issued a public alert this week warning of a large-scale, ongoing campaign that scans the internet for websites running outdated content management system software and plants webshells — hidden backdoors that give an attacker persistent remote access to the server. The agency said Australian small and medium businesses have already been compromised, and that the campaign is global, not limited to Australia.
What stands out is the breadth of the target list. The advisory names 18 separate CMS platforms and plugins under active exploitation, including widely used WordPress add-ons such as Ninja Forms, Gravity Forms, ACF Extended and WPvivid Backup, alongside Craft CMS, MaxSite CMS, MetInfo CMS and the Joomla JCE editor. None of the underlying bugs are new — every one is a previously disclosed vulnerability with a patch already available, ranging from unauthenticated file upload to remote code execution and server-side request forgery. The ACSC also pointed to a recent joint statement from the Five Eyes intelligence alliance noting that AI tooling is measurably shortening the gap between a vulnerability being disclosed and it being exploited at scale — consistent with how quickly this campaign appears to have spread across so many unrelated platforms at once.
What this means for your business
If your website runs on WordPress, Joomla, Craft CMS, MaxSite or MetInfo, this is worth thirty minutes this week rather than a "someday" task:
- Check whether your site uses any of the named plugins — Simple File List, WavePlayer, BerqWP, WPBookit, Ninja Forms, ThemeREX Addons, Breeze Cache, pay-uz, ACF Extended, Sneeit Framework, WPvivid Backup, Gravity Forms, GutenKit or Hunk Companion — or the Joomla JCE editor, and update every one to its latest version.
- Turn on automatic updates for CMS core, themes and plugins where your platform supports it, and remove any plugin you're not actively using — an inactive plugin is still a working front door if it's vulnerable.
- Ask whoever manages your hosting to check for unfamiliar files in your web root and to make upload directories read-only where the site doesn't need write access there — both are on the ACSC's own recommended-actions list.
The pattern behind this advisory is the same one behind most website breaches we see: not a novel attack, but old, unpatched software sitting exposed to the internet long enough for an automated scanner to find it. A website that's a year or two behind on plugin updates isn't a hypothetical risk — campaigns exactly like this one are built to find it.