The Hacker News ·EN News source Exploited in the wildWordPressJoomla
Exposed Hacker Server Reveals WP-SHELLSTORM Backdooring Thousands of WordPress Sites
CVE Tools coverage
A cybercriminal group accidentally left a server exposed online for three weeks, revealing internal operations including tools, logs, and a list of over 1.4 million targeted websites. Researchers identified the campaign as WP-SHELLSTORM, where attackers exploit outdated plugins to plant webshells on vulnerable WordPress and Joomla sites. The most impactful flaws were in the Breeze caching plugin (CVE-2026-3844) and the Joomla JCE editor (CVE-2026-48907). These vulnerabilities allowed attackers to gain unauthorized access and control over compromised systems. Website owners using these platforms should prioritize patching affected components immediately.