PROBABLYPWNED
Threat IntelligenceJuly 12, 20264 min read

Exposed Server Reveals WP-SHELLSTORM Backdoored 25,000 WordPress Sites

A misconfigured hacker server exposed 22 days of logs revealing a webshell access-brokerage operation that compromised over 25,000 WordPress sites using 27 weaponized CVEs.

Alex Kowalski

A misconfigured hacker server sat exposed for 22 days, inadvertently documenting a large-scale webshell operation that compromised over 25,000 WordPress sites. SOCRadar's threat intelligence team discovered the unsecured directory on June 11, 2026, finding approximately 800MB of files including webshells, exploit scripts, scan results, and command logs.

The operation, now tracked as WP-SHELLSTORM, represents what researchers call a "webshell access brokerage"—a crew that systematically compromises websites, plants hidden backdoors, and packages that access for resale to other threat actors.

How the Operation Was Exposed

The threat actors left a Python web server running at 137.175.93[.]126 on a US-based VPS without authentication. The exposed files included their complete operational toolkit: 27 CVE exploits, target lists covering 1.4 million domains, successful compromise logs, and bash history revealing their commands.

After researchers began documenting the exposure, the operators noticed on July 2 and attempted to cover their tracks. Access logs showed line counts dropping sharply as entries covering July 2-4 were deleted. But by then, three weeks of operational data had already been captured.

Scale of Compromise

Analysis of the exposed data revealed conflicting figures depending on how compromises were counted:

  • Target lists contained approximately 1.4 million domains across WordPress, Joomla, and other CMS platforms
  • Ctrl-Alt-Intel's deduplicated analysis found 25,195 sites with confirmed compromise evidence
  • SOCRadar counted 5,700+ active webshells still functioning at discovery

The gap between targets scanned and actual compromises reflects typical conversion rates for automated exploitation. Most targets were either already patched, running unaffected configurations, or otherwise not vulnerable to the specific CVEs being exploited.

Primary Attack Vector: CVE-2026-3844

The Breeze caching plugin vulnerability proved the operation's most effective tool. According to the exposed logs, the crew fired at over 45,000 Breeze installations and successfully backdoored more than 17,000 of them.

The catch: CVE-2026-3844 only works when a non-default "Host Files Locally – Gravatars" setting is enabled. This explains the relatively modest conversion rate despite the large target list.

Other heavily exploited vulnerabilities included JCE Editor (CVE-2026-48907) targeting Joomla sites, Simple File List (CVE-2020-36847), and Nacos configuration server (CVE-2021-29441).

Webshell Deployment and Persistence

Successful exploits uploaded down.php, a heavily obfuscated webshell derived from the BestShell framework. The backdoor enables file management, command execution, and network reconnaissance—everything needed for an access broker to demonstrate control to potential buyers.

Researchers identified several indicators of compromise:

  • Webshell filenames matching patterns: .bd.php, .wp-log.php, .brq-*.php
  • Fake kernel processes: [kworker/X:Y] showing actual network activity
  • Additional infrastructure at 43.108.17[.]80 and xs.xxooonline[.]eu[.]cc

Attribution and Operational Profile

Code comments in fluent Simplified Chinese and usage of FOFA (a Chinese network reconnaissance platform) led researchers to assess the operators as Chinese or Chinese-speaking. The operation showed sophisticated tooling combined with careless operational security—a common pattern where technical skill outpaces tradecraft discipline.

This incident parallels the ACSC warning about global CMS exploitation campaigns issued on July 9. Australian authorities noted that similar automated scanning operations are targeting WordPress and Joomla installations worldwide, with webshell deployment as the primary objective.

Recommendations for WordPress Administrators

  1. Update all plugins immediately, particularly Breeze (to 2.2.5+), JCE Editor, and Simple File List
  2. Search for webshell indicators including the filename patterns listed above
  3. Check for unfamiliar admin users that may have been created during compromise
  4. Review server processes for suspicious kernel-named processes with network activity
  5. Enable automatic plugin updates where operationally feasible

For organizations managing multiple WordPress sites, consider implementing a centralized patch management system and regular webshell scanning. See our malware defense guide for additional hardening recommendations.

The WP-SHELLSTORM exposure offers a rare window into how automated access-brokerage operations function at scale. The same techniques being used against WordPress are equally applicable to any CMS platform with exploitable plugins.

Related Articles