Active Exploitation Alert: WP-SHELLSTORM Campaign Mass-Compromises WordPress Sites via Plugin Vulnerabilities

Active Exploitation Alert: WP-SHELLSTORM Campaign Mass-Compromises WordPress Sites via Plugin Vulnerabilities

Executive Summary

A recently exposed hacker server has revealed the full scope of the WP-SHELLSTORM campaign, a mass exploitation operation targeting thousands of WordPress sites globally. The adversaries behind WP-SHELLSTORM leveraged a suite of automated tools to scan for and exploit known vulnerabilities in popular WordPress plugins, deploying persistent webshells and advanced backdoors. The exposed infrastructure, discovered by security researchers, provided unprecedented insight into the attackers’ tactics, techniques, and procedures (TTPs), as well as the breadth of their victimology. This report details the technical aspects of the campaign, the threat actor profile, exploitation methods, and actionable mitigation strategies for organizations at risk.

Threat Actor Profile

The operators of WP-SHELLSTORM are a financially motivated, Chinese-speaking cybercriminal group. Analysis of the exposed server, including command history, toolsets, and language artifacts, points to actors with significant experience in mass exploitation and access brokerage. The group is not believed to be state-sponsored, but their tradecraft overlaps with techniques previously observed in campaigns attributed to Chinese APTs, such as the use of the SNOWLIGHT dropper and VShell backdoor. Their operational security was notably poor, as evidenced by the accidental exposure of their own command-and-control infrastructure, which included unredacted logs, exploit scripts, and target lists.

Technical Analysis of Malware/TTPs

The WP-SHELLSTORM campaign utilized a highly automated attack chain. Initial reconnaissance was performed using FOFA, a Chinese internet-facing asset search engine, to identify vulnerable WordPress and Joomla installations. The attackers then launched automated exploitation scripts targeting at least 27 known plugin vulnerabilities, including but not limited to Breeze (CVE-2026-3844), Joomla JCE Editor (CVE-2026-48907), ThemeREX Addons (CVE-2026-1969), Simple File List (CVE-2020-36847), Custom CSS JS PHP (CVE-2026-6433), BerqWP (CVE-2025-7443), Ninja Forms (CVE-2026-0740), WavePlayer (CVE-2025-12057), WPBookit (CVE-2025-7852), and WP File Manager (CVE-2020-25213).

Upon successful exploitation, the attackers uploaded obfuscated PHP webshells, such as down.php, .bd.php, .wp-log.php, and .brq-*.php, many of which are variants of the Chinese BestShell project. These webshells provided persistent remote access, file management, command execution, and lateral movement capabilities. For advanced persistence, the SNOWLIGHT dropper was deployed to install the VShell backdoor, which masqueraded as a legitimate Linux kernel worker process ([kworker/0:2]). This process was designed to evade detection by blending in with normal system activity, lacking an executable path, command line, or network sockets.

The attackers’ toolkit also included credential theft modules, reverse shell utilities, and scripts for exfiltrating sensitive configuration files. The exposed server contained over 800MB of operational data, including logs of successful compromises, target lists exceeding 1.4 million domains, and evidence of resale or brokering of access to compromised sites.

Exploitation in the Wild

The WP-SHELLSTORM campaign has been active since at least early 2026, with a significant spike in activity observed in the spring and summer months. Security vendors such as Wordfence and SOCRadar have tracked tens of thousands of exploitation attempts, particularly against the Breeze and Joomla JCE Editor plugins. The attackers’ infrastructure was left exposed for 22 days, during which time researchers confirmed at least 25,195 successful compromises and over 5,700 active webshells. The largest single exploit vector was the Breeze plugin vulnerability (CVE-2026-3844), which accounted for more than 17,000 backdoored sites.

The campaign’s scale and automation enabled the threat actors to target a diverse range of sectors, including fintech, e-commerce, logistics, gaming, electronics, and general web hosting. While the majority of victims were running outdated or misconfigured WordPress installations, the attackers also targeted Joomla and, in earlier campaigns, Java-based systems via the Nacos platform (CVE-2021-29441).

Victimology and Targeting

The WP-SHELLSTORM operators cast a wide net, targeting over 1.4 million domains globally. Their victimology is opportunistic, focusing on any internet-facing WordPress or Joomla site with vulnerable plugins. Analysis of the exposed data indicates that compromised sites span North America, Europe, Asia, and the Middle East, with no specific industry or geography singled out. However, there is a notable concentration of victims in sectors with high rates of WordPress adoption, such as small-to-medium businesses, e-commerce platforms, and digital marketing agencies.

The attackers’ monetization strategy appears to center on access brokerage, selling or renting webshell access to other criminal groups for use in further attacks, phishing, or malware distribution. There is no evidence of targeted espionage or data theft beyond credential harvesting and opportunistic exploitation.

Mitigation and Countermeasures

Organizations running WordPress, Joomla, or Java-based web applications should take immediate action to mitigate the risk posed by WP-SHELLSTORM. The following measures are recommended:

Ensure all WordPress and Joomla installations, as well as associated plugins and themes, are updated to the latest versions. Pay particular attention to the Breeze, Joomla JCE Editor, ThemeREX Addons, Simple File List, Custom CSS JS PHP, BerqWP, Ninja Forms, WavePlayer, WPBookit, and WP File Manager plugins, as well as the Nacos Java platform. For Breeze, ensure the "Host Files Locally – Gravatars" feature is either disabled or patched to version 2.4.5 or higher. For Joomla JCE Editor, update to version 2.9.99.5 or higher.

Conduct a thorough search of web directories for suspicious PHP files, including down.php, .bd.php, .wp-log.php, and .brq-*.php. Remove any unauthorized or unfamiliar scripts immediately.

Inspect running processes for anomalies, particularly any process masquerading as [kworker/X:Y] without a legitimate executable path or command line. Such processes may indicate the presence of the VShell backdoor.

Block all network traffic to and from the following indicators of compromise: IP addresses 137.175.93[.]126 and 43.108.17[.]80, and the domain xs.xxooonline[.]eu[.]cc.

For organizations using Nacos, upgrade to version 2.2.1 or higher, enable authentication by setting nacos.core.auth.enabled=true, and rotate all credentials if compromise is suspected.

Implement web application firewalls (WAFs) with up-to-date rulesets to detect and block exploitation attempts against known plugin vulnerabilities.

Monitor logs for unusual authentication attempts, file uploads, or command execution activity, and enable alerting for suspicious behavior.

Educate web administrators and developers on the importance of timely patching and the risks associated with outdated plugins and themes.

References

The Hacker News: Exposed Hacker Server Reveals WP-SHELLSTORM Backdooring Thousands of WordPress Sites, SOCRadar Threat Intelligence, Ctrl-Alt-Intel Analysis, eSecurityPlanet: WP-SHELLSTORM Exposed, TechRepublic: Exposed Server Reveals 25,000 Compromised WordPress Websites, Reddit: r/pwnhub, NVD - National Vulnerability Database, CISA KEV Catalog, Wordfence: Everest Forms Pro Attacks

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to continuously monitor, assess, and mitigate cyber risks across their digital supply chain. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify vulnerabilities, respond to emerging threats, and ensure compliance with industry standards. For more information or to discuss how Rescana can help secure your organization, please contact us at info@rescana.com.