Leaked Server Exposes Mass WordPress Backdoor Operation

CSBadmin
2 Min Read

Inside the WP-SHELLSTORM Operation

A cybersecurity crew inadvertently left its own command server exposed on the internet for 22 days, revealing the inner mechanics of a large scale website hacking campaign now tracked as WP-SHELLSTORM. Researchers from SOCRadar and Ctrl Alt Intel independently discovered the unsecured server, which contained approximately 800 MB of data across 434 files. The exposed material included webshells, exploit scripts, target lists, and the operator’s typed command history. The server was left open due to a basic operational error: the attacker started a Python web server to transfer files and never shut it down. The campaign primarily targeted WordPress and Joomla sites running outdated plugins, with automated scanners exploiting 27 known vulnerabilities to plant persistent backdoors, or webshells, on compromised servers.

Scale and Impact

The exposed target lists contained more than 1.4 million domain names, though the actual number of successfully compromised sites was significantly lower. Ctrl Alt Intel found 25,195 sites with confirmed evidence of compromise, while SOCRadar identified over 5,700 active webshells still operational. The most exploited vulnerability was CVE-2026-3844 in the Breeze caching plugin, which allowed attackers to backdoor over 17,000 sites. Another critical flaw, CVE-2026-48907 in the Joomla JCE editor, is a maximum severity vulnerability already added to CISA’s Known Exploited Vulnerabilities list. Before shifting to the high volume WordPress campaign, the same group ran a quieter operation against corporate Java systems in May 2026, extracting cloud credentials and database passwords from nine companies using CVE-2021-29441 in Nacos. Researchers assess with medium to high confidence that the operator is Chinese speaking and financially motivated, citing the use of Simplified Chinese in code and command history, reliance on FOFA (a Chinese search engine), and tooling common in Chinese speaking criminal forums.

Source: The Hacker News

CSBadmin

The latest in cybersecurity news and updates.

Share This Article
Follow:
The latest in cybersecurity news and updates.