Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Hacker Server Leak Unveils Massive WordPress Breach

Hacker Server Leak Unveils Massive WordPress Breach

Posted on July 10, 2026 By CWS

An inadvertently exposed server revealed the inner workings of a widespread hacking operation, targeting over 1.4 million websites. The group, tracked under the name WP-SHELLSTORM, inadvertently left the server unprotected for three weeks, offering researchers a rare glimpse into their methods and tools.

WP-SHELLSTORM’s Modus Operandi

The WP-SHELLSTORM operation primarily focuses on exploiting vulnerabilities in outdated WordPress and Joomla plugins. By inserting hidden backdoors, known as webshells, the group gains unauthorized access to numerous sites. The most significant vulnerabilities were identified in the Breeze caching plugin and Joomla’s JCE editor.

The operation was uncovered by SOCRadar and Ctrl-Alt-Intel, with the latter discovering the exposed server on June 11, 2026. The server contained extensive data, including over 800MB of files, listing webshells, exploit scripts, and scanned results.

Exploiting Plugin Vulnerabilities

The hacking crew exploited publicly known bugs in WordPress plugins by using automated scanners. Their toolkit included 27 flaws, with a critical bug in the Breeze caching plugin (CVE-2026-3844) being the most exploited. This vulnerability allowed them to compromise over 17,000 sites from a list of 45,000 targets.

Despite the large number of targeted domains, the actual number of compromised sites was much lower. SOCRadar identified over 5,700 active webshells, while Ctrl-Alt-Intel confirmed 25,195 compromised sites.

Analysis of the Exposed Tools and Methods

The server leak also revealed the use of a backdoor file, down.php, and a toolchain involving SNOWLIGHT and VShell. These tools, while sophisticated, were left exposed due to the crew’s oversight. The exposure also hinted at a previous campaign targeting corporate Java systems, executed in May 2026.

Investigators believe the group is likely Chinese or Chinese-speaking, based on the Simplified Chinese in the code and reliance on the Chinese search engine FOFA. However, the exact identity of the operators remains uncertain.

In response to the exposure, security experts emphasize the importance of patching vulnerable systems. Key recommendations include updating the Breeze plugin to version 2.4.5 and addressing the Joomla JCE vulnerability (CVE-2026-48907). Additional security measures include scanning for known webshells and securing server configurations.

Protecting Against Future Threats

WP-SHELLSTORM’s activities highlight the risks posed by publicly known vulnerabilities. Despite the lack of zero-day exploits, the group managed to scale their operation due to the sheer volume of unpatched systems. The cybersecurity community is urged to remain vigilant and proactive in securing websites against such threats.

The incident serves as a stark reminder of the importance of maintaining up-to-date cybersecurity measures. As the investigation continues, updates from SOCRadar are expected to provide further insights into the operation’s impact and preventative strategies.

The Hacker News Tags:Ctrl-Alt-Intel, Cybercrime, Cybersecurity, Hacking, internet security, Joomla, mass hacking, plugin flaws, server breach, SOCRadar, Vulnerabilities, web security, Webshell, website security, WordPress

Post navigation

Previous Post: Critical Linux FUSE Flaw Allows Root Access
Next Post: AI Gateways: Emerging Targets for Cyber Attacks

Related Posts

Popular Chrome Ad Blocker Raises Security Concerns Popular Chrome Ad Blocker Raises Security Concerns The Hacker News
Microsoft Patches 67 Vulnerabilities Including WEBDAV Zero-Day Exploited in the Wild Microsoft Patches 67 Vulnerabilities Including WEBDAV Zero-Day Exploited in the Wild The Hacker News
New ZuRu Malware Variant Targeting Developers via Trojanized Termius macOS App New ZuRu Malware Variant Targeting Developers via Trojanized Termius macOS App The Hacker News
Google Ordered to Pay 4M for Misusing Android Users’ Cellular Data Without Permission Google Ordered to Pay $314M for Misusing Android Users’ Cellular Data Without Permission The Hacker News
Malicious Ads Lead to EDR-Disabling Malware via Huawei Driver Malicious Ads Lead to EDR-Disabling Malware via Huawei Driver The Hacker News
Fortinet Addresses Critical FortiClient EMS Vulnerability Fortinet Addresses Critical FortiClient EMS Vulnerability The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • New Windows Attack Method Evades Leading Security Tools
  • Injective Labs GitHub Breach Exposes Crypto Wallets
  • AI Gateways: Emerging Targets for Cyber Attacks
  • Hacker Server Leak Unveils Massive WordPress Breach
  • Critical Linux FUSE Flaw Allows Root Access

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • New Windows Attack Method Evades Leading Security Tools
  • Injective Labs GitHub Breach Exposes Crypto Wallets
  • AI Gateways: Emerging Targets for Cyber Attacks
  • Hacker Server Leak Unveils Massive WordPress Breach
  • Critical Linux FUSE Flaw Allows Root Access

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark