Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Hacker Server Leak Unveils Massive WordPress Breach

Hacker Server Leak Unveils Massive WordPress Breach

Posted on July 10, 2026 By CWS

An inadvertently exposed server revealed the inner workings of a widespread hacking operation, targeting over 1.4 million websites. The group, tracked under the name WP-SHELLSTORM, inadvertently left the server unprotected for three weeks, offering researchers a rare glimpse into their methods and tools.

WP-SHELLSTORM’s Modus Operandi

The WP-SHELLSTORM operation primarily focuses on exploiting vulnerabilities in outdated WordPress and Joomla plugins. By inserting hidden backdoors, known as webshells, the group gains unauthorized access to numerous sites. The most significant vulnerabilities were identified in the Breeze caching plugin and Joomla’s JCE editor.

The operation was uncovered by SOCRadar and Ctrl-Alt-Intel, with the latter discovering the exposed server on June 11, 2026. The server contained extensive data, including over 800MB of files, listing webshells, exploit scripts, and scanned results.

Exploiting Plugin Vulnerabilities

The hacking crew exploited publicly known bugs in WordPress plugins by using automated scanners. Their toolkit included 27 flaws, with a critical bug in the Breeze caching plugin (CVE-2026-3844) being the most exploited. This vulnerability allowed them to compromise over 17,000 sites from a list of 45,000 targets.

Despite the large number of targeted domains, the actual number of compromised sites was much lower. SOCRadar identified over 5,700 active webshells, while Ctrl-Alt-Intel confirmed 25,195 compromised sites.

Analysis of the Exposed Tools and Methods

The server leak also revealed the use of a backdoor file, down.php, and a toolchain involving SNOWLIGHT and VShell. These tools, while sophisticated, were left exposed due to the crew’s oversight. The exposure also hinted at a previous campaign targeting corporate Java systems, executed in May 2026.

Investigators believe the group is likely Chinese or Chinese-speaking, based on the Simplified Chinese in the code and reliance on the Chinese search engine FOFA. However, the exact identity of the operators remains uncertain.

In response to the exposure, security experts emphasize the importance of patching vulnerable systems. Key recommendations include updating the Breeze plugin to version 2.4.5 and addressing the Joomla JCE vulnerability (CVE-2026-48907). Additional security measures include scanning for known webshells and securing server configurations.

Protecting Against Future Threats

WP-SHELLSTORM’s activities highlight the risks posed by publicly known vulnerabilities. Despite the lack of zero-day exploits, the group managed to scale their operation due to the sheer volume of unpatched systems. The cybersecurity community is urged to remain vigilant and proactive in securing websites against such threats.

The incident serves as a stark reminder of the importance of maintaining up-to-date cybersecurity measures. As the investigation continues, updates from SOCRadar are expected to provide further insights into the operation’s impact and preventative strategies.

The Hacker News Tags:Ctrl-Alt-Intel, Cybercrime, Cybersecurity, Hacking, internet security, Joomla, mass hacking, plugin flaws, server breach, SOCRadar, Vulnerabilities, web security, Webshell, website security, WordPress

Post navigation

Previous Post: Critical Linux FUSE Flaw Allows Root Access
Next Post: AI Gateways: Emerging Targets for Cyber Attacks

Related Posts

Cyber Espionage Threatens Asian Infrastructure via Web Exploits Cyber Espionage Threatens Asian Infrastructure via Web Exploits The Hacker News
New Browser Security Report Reveals Emerging Threats for Enterprises New Browser Security Report Reveals Emerging Threats for Enterprises The Hacker News
Iranian Hacker Pleads Guilty in  Million Robbinhood Ransomware Attack on Baltimore Iranian Hacker Pleads Guilty in $19 Million Robbinhood Ransomware Attack on Baltimore The Hacker News
CountLoader Broadens Russian Ransomware Operations With Multi-Version Malware Loader CountLoader Broadens Russian Ransomware Operations With Multi-Version Malware Loader The Hacker News
Miasma Malware Targets npm and GitHub in New Attack Miasma Malware Targets npm and GitHub in New Attack The Hacker News
Vibe-Coded Malicious VS Code Extension Found with Built-In Ransomware Capabilities Vibe-Coded Malicious VS Code Extension Found with Built-In Ransomware Capabilities The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • AI Gateways: Emerging Targets for Cyber Attacks
  • Hacker Server Leak Unveils Massive WordPress Breach
  • Critical Linux FUSE Flaw Allows Root Access
  • Laser Pulse Vulnerability in Tangem Wallets Exposes Security Risks
  • Critical GNU Guix Vulnerabilities Permit Remote Attacks

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • AI Gateways: Emerging Targets for Cyber Attacks
  • Hacker Server Leak Unveils Massive WordPress Breach
  • Critical Linux FUSE Flaw Allows Root Access
  • Laser Pulse Vulnerability in Tangem Wallets Exposes Security Risks
  • Critical GNU Guix Vulnerabilities Permit Remote Attacks

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark