T
Threats
CMS Platforms and WordPress Plugins Critical Vulnerabilities

Overview
CVE: CVE-2025-32432, CVE-2024-9234, CVE-2025-34085, CVE-2020-36847, CVE-2025-12057, CVE-2025-7443, CVE-2025-7852, CVE-2026-0740, CVE-2026-1969, CVE-2026-3844, CVE-2026-31843, CVE-2025-13486, CVE-2025-6389, CVE-2026-1357, CVE-2025-12352, CVE-2026-3395, CVE-2026-29014, CVE-2026-48907
Severity: Critical
Date: 10 July 2026
ASD's ACSC has issued a Critical alert for a large-scale exploitation campaign targeting known vulnerabilities across 17 CMS software products and WordPress plugins. Many small to medium Australian businesses have already been impacted, with attackers deploying webshells to remotely access and control affected web servers. Patches are available for all affected products and should be applied immediately.
Affected Versions
Craft CMS: Versions 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, 5.0.0-RC1 to before 5.6.17. Fixed in 3.9.15, 4.14.15, 5.6.17.
Ninja Forms (File Uploads): Versions up to and including 3.3.26. Fixed in 3.3.27.
Breeze Cache (WordPress): Versions up to and including 2.4.4. Exploitable only if "Host Files Locally - Gravatars" is enabled.
ACF Extended (WordPress): Versions 0.9.0.5 through 0.9.1.1.
Gravity Forms (WordPress): Versions up to and including 2.9.20. Exploitable only if allow_url_fopen is On and post creation form with file upload field is enabled.
GutenKit/Hunk Companion (WordPress): Versions up to and including 2.1.0.
Simple File List (WordPress): Versions up to and including 4.2.2. Fixed in 4.2.3.
WavePlayer (WordPress): Versions before 3.8.0. Fixed in 3.8.0.
BerqWP (WordPress): Versions up to and including 2.2.42.
WPBookit (WordPress): Versions up to and including 1.0.6.
ThemeREX Addons / trx_addons (WordPress): Versions before 2.38.5. Fixed in 2.38.5.
pay-uz (goodoneuz/pay-uz Laravel package): Versions up to and including 2.2.24.
Sneeit Framework (WordPress): Versions up to and including 8.3. Fixed in 8.4.
WPvivid Backup & Migration (WordPress): Versions up to and including 0.9.123.
MaxSite CMS: Versions up to and including 109.1. Fixed in 109.2.
MetInfo CMS: Versions 7.9, 8.0 and 8.1.
Joomla Content Editor (JCE): All versions prior to 2.9.99.5. Fixed in 2.9.99.5.
Vulnerability Breakdown
CVE-2025-32432 - Craft CMS Remote Code Execution
Severity: Critical
CVSS: 10.0
Description: Unauthenticated remote code execution via unsafe deserialisation in the asset transform functionality. Attackers can exploit this without credentials to achieve complete server compromise.
Impact: Arbitrary code execution on the server, enabling full system compromise and webshell deployment.
Conditions: No authentication required. Affects Craft CMS versions 3.x through 5.x.
Notes: Was exploited as a zero-day for approximately two months before a patch was released in April 2025.
CVE-2026-0740 - Ninja Forms File Uploads Arbitrary File Upload
Severity: Critical
CVSS: 9.8
Description: Arbitrary file upload due to missing file type validation in the handle_upload function. Unauthenticated attackers can upload malicious files to the server.
Impact: Potential remote code execution through uploaded malicious files.
Conditions: No authentication required. Affects versions up to 3.3.26.
Notes: Partially patched in 3.3.25, fully patched in 3.3.27.
CVE-2026-3844 - Breeze Cache Arbitrary File Upload
Severity: Critical
CVSS: 9.8
Description: Arbitrary file upload due to missing file type validation in the fetch_gravatar_from_remote function. Unauthenticated attackers can upload arbitrary files.
Impact: Potential remote code execution through uploaded malicious files.
Conditions: No authentication required. Only exploitable if "Host Files Locally - Gravatars" is enabled, which is disabled by default.
CVE-2025-13486 - ACF Extended Remote Code Execution
Severity: Critical
Description: Remote code execution via the prepare_form function accepting user input passed through call_user_func_array. Unauthenticated attackers can execute arbitrary code.
Impact: Arbitrary code execution, backdoor injection, and creation of new administrative user accounts.
Conditions: No authentication required. Affects versions 0.9.0.5 through 0.9.1.1.
Notes: Over 100,000 WordPress sites affected.
CVE-2025-12352 - Gravity Forms Arbitrary File Upload
Severity: Critical
Description: Arbitrary file upload due to missing file type validation in the copy_post_image function. Unauthenticated attackers can upload arbitrary files.
Impact: Potential remote code execution through uploaded malicious files.
Conditions: Only impacts sites with allow_url_fopen set to On, post creation form enabled, and a file upload field for the post. Affects versions up to 2.9.20.
CVE-2024-9234 - GutenKit/Hunk Companion Arbitrary File Upload
Severity: High
Description: Arbitrary file upload due to missing capability check on the install_and_activate_plugin_from_external function. Unauthenticated attackers can install arbitrary plugins or upload files.
Impact: Attackers can upload arbitrary files disguised as plugins, potentially leading to remote code execution.
Conditions: No authentication required. Affects versions up to 2.1.0.
Notes: ASD's ACSC attributes the GutenKit/Hunk Companion exploitation to CVE-2024-9234 as the likely vulnerability.
CVE-2025-34085 / CVE-2020-36847 - Simple File List Unauthenticated File Upload to RCE
Severity: Critical
Description: Unauthenticated arbitrary file upload leading to remote code execution. An attacker uploads a PHP payload disguised as a .png file via the plugin's upload endpoint (ee-upload-engine.php), then uses the ee-file-engine.php rename function to change the extension to .php, bypassing the upload restriction so the payload executes on the server.
Impact: Remote code execution and webshell deployment, enabling full server compromise.
Conditions: No authentication required. Affects versions up to and including 4.2.2; fixed in 4.2.3.
Notes: CVE-2025-34085 was rejected by MITRE as a duplicate of CVE-2020-36847 - both IDs refer to the same flaw. Public exploits are available.
CVE-2025-12057 - WavePlayer Arbitrary File Upload
Severity: Critical
Description: Arbitrary file upload caused by a missing authorisation check in the 'create_local_copy' AJAX action, combined with no validation of the file being copied locally. Unauthenticated attackers can upload arbitrary files to the server.
Impact: Remote code execution through uploaded malicious files.
Conditions: No authentication required. Affects versions before 3.8.0; fixed in 3.8.0.
Notes: Public proof-of-concept exploits are available.
CVE-2025-7443 - BerqWP Arbitrary File Upload
Severity: High
Description: Arbitrary file upload via store_javascript_cache.php in the BerqWP page-speed optimisation plugin. Unauthenticated attackers can upload arbitrary files to the server.
Impact: Potential remote code execution through uploaded malicious files.
Conditions: No authentication required. Affects versions up to and including 2.2.42.
CVE-2025-7852 - WPBookit Arbitrary File Upload
Severity: Critical
CVSS: 9.8
Description: Arbitrary file upload due to missing file type validation in the image_upload_handle() function, reached via the 'add_new_customer' route. The handler calls move_uploaded_file() on client-supplied files without restricting extensions or MIME types, or sanitising the filename.
Impact: Potential remote code execution through uploaded malicious files.
Conditions: No authentication required. Affects versions up to and including 1.0.6.
CVE-2026-1969 - ThemeREX Addons (trx_addons) Arbitrary File Upload
Severity: Critical (Wordfence rates 9.8; WPScan rates 5.3)
Description: Incorrect file type validation in one of the plugin's AJAX actions - an incomplete fix of CVE-2024-13448 - allowing unauthenticated users to upload arbitrary files.
Impact: Potential remote code execution through uploaded malicious files.
Conditions: No authentication required. Affects versions before 2.38.5; fixed in 2.38.5.
CVE-2026-31843 - pay-uz (Laravel package) Remote Code Execution
Severity: Critical
CVSS: 9.8
Description: The /payment/api/editable/update endpoint of the goodoneuz/pay-uz package is exposed via Route::any() without authentication middleware. User-controlled input is written directly into executable PHP payment hook files using file_put_contents(), which are then executed via require() during normal payment processing.
Impact: Unauthenticated remote code execution under default application behaviour.
Conditions: No authentication required. Affects versions up to and including 2.2.24. The vendor's payment secret token does not mitigate this endpoint.
CVE-2025-6389 - Sneeit Framework Remote Code Execution
Severity: Critical
CVSS: 9.8
Description: Unauthenticated remote code execution via the sneeit_articles_pagination_callback() function, which accepts user input and passes it through call_user_func().
Impact: Arbitrary code execution, enabling backdoor injection and the creation of new administrative accounts.
Conditions: No authentication required. Affects versions up to and including 8.3; fixed in 8.4.
Notes: Confirmed actively exploited in the wild (reported by Wordfence, December 2025).
CVE-2026-1357 - WPvivid Backup & Migration Arbitrary File Upload
Severity: Critical
CVSS: 9.8
Description: Unauthenticated arbitrary file upload caused by improper error handling in the RSA decryption process combined with a lack of path sanitisation. When session-key decryption fails, execution continues with a predictable null-byte key, and unsanitised filenames allow directory traversal out of the protected backup directory.
Impact: Remote code execution and full site takeover.
Conditions: No authentication required. Affects versions up to and including 0.9.123. Only critically affects sites that have generated a key allowing another site to send backups - a feature disabled by default. Over 800,000 installations are affected.
Notes: Exploited via the wpvivid_action=send_to_site parameter; automated exploit tooling is public.
CVE-2026-3395 - MaxSite CMS Code Injection / RCE
Severity: Critical
Description: Code injection via the eval call in application/maxsite/admin/plugins/editor_markitup/preview-ajax.php (the MarkItUp preview AJAX endpoint), where user-controlled data reaches code execution. The attack can be launched remotely.
Impact: Remote code execution and full server compromise.
Conditions: Affects versions up to and including 109.1; fixed in 109.2.
Notes: A public exploit has been released.
CVE-2026-29014 - MetInfo CMS Unauthenticated PHP Code Injection
Severity: Critical
CVSS: 9.3
Description: Unauthenticated PHP code injection (CWE-94). Attackers send crafted requests containing malicious PHP code that is insufficiently neutralised in the execution path, achieving remote code execution.
Impact: Remote code execution and full control of the affected server.
Conditions: No authentication required. Affects MetInfo CMS versions 7.9, 8.0 and 8.1. On non-Windows servers, exploitation of the disclosed path (weixinreply.class.php) requires the /cache/weixin/ directory, which is created when the official WeChat plugin is installed.
CVE-2026-48907 - Joomla Content Editor (JCE) Unauthenticated RCE
Severity: Critical
CVSS: 10.0 (CVSS v4.0)
Description: Improper access control on the JCE profile import endpoint allows unauthenticated users to create editor profiles, ultimately enabling arbitrary PHP file upload and execution.
Impact: Unauthenticated remote code execution and complete compromise of the Joomla installation.
Conditions: No authentication required. Affects all JCE versions prior to 2.9.99.5; fixed in 2.9.99.5.
Notes: Added to the CISA Known Exploited Vulnerabilities catalogue on 16 June 2026; actively exploited with public automated tooling. Roughly 2.5 million Joomla sites are potentially in scope.
Mitigation
Inspect your CMS for webshells by examining the web directory for abnormal changes to internet-facing files.
Examine web access logs for IP addresses making GET or POST requests to suspicious paths.
Treat servers with identified webshells as compromised, isolate them, and audit authentication and network logging.
Trace suspicious web requests that may indicate initial exploitation and webshell deployment.
Review network logs on edge firewalls for interactions with identified malicious IP addresses.
Investigate logging and hosts for evidence of persistence, lateral movement, or other malicious actions.
Patch all vulnerable systems to prevent re-infection. Remove webshells and persistence mechanisms before bringing systems back online.
Restore compromised websites from a recent known-good backup.
Ensure all CMS software and plugins are up to date. Consider applying security patches automatically.
Disable plugins with actively exploited vulnerabilities until a patch is applied.
Configure web directories as read-only where possible to prevent webshell deployment.
Restrict file and path access to prevent execution of unauthorised files.
Monitor for unexpected child processes spawned by the webserver process.
Block unnecessary network communication between internet-facing websites and corporate computing devices.
Summary for IT Teams
Products: Multiple CMS platforms and WordPress plugins including Craft CMS, Ninja Forms, Breeze Cache, ACF Extended, Gravity Forms, GutenKit/Hunk Companion, Simple File List, WavePlayer, BerqWP, WPBookit, ThemeREX Addons, pay-uz, Sneeit Framework, WPvivid Backup, MaxSite CMS, MetInfo CMS, Joomla JCE
Threat Level: Critical, CVSS 10.0 (highest)
Action Required: Immediately patch all affected CMS software and plugins. Inspect for webshells and compromise indicators. Isolate and audit any compromised servers. Disable vulnerable plugins where patches cannot be applied immediately.
Reference
Need help?
Please get in touch on 1300 769 460 or email us. We are here to help you strengthen your cybersecurity posture.
