Australia's Cyber Authority Just Warned the World About a CMS Webshell Campaign. We Named Its Headline CVE 64 Days Ago — With the Live Exploit Count Attached.
- Patrick Duggan
- 2 hours ago
- 3 min read
Today the Australian Cyber Security Centre — a national government cyber authority — warned the world about a large-scale global campaign exploiting content management systems: WordPress and a stack of its plugins, Craft CMS, MaxSite, MetInfo, Joomla JCE. The method is the oldest one in the book for this target class: exploit a file-upload or code-execution flaw, drop a webshell, and settle in for persistent access, credential theft, and lateral movement. It is a real, serious alert, and if you run any of these platforms you should read it and act on it.
We are not writing this to repeat the ACSC's warning. We are writing it because we have the receipt showing we named the headline vulnerability in it more than two months ago — and because the gap between those two dates is the entire argument for what we do.
The receipt
Among the vulnerabilities the ACSC lists as being actively exploited in this campaign is [CVE-2026-3844](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2026-3844), an unauthenticated remote-code-execution flaw in the Cloudways Breeze Cache plugin for WordPress — installed on more than 400,000 sites, CVSS 9.8.
We published a full write-up of CVE-2026-3844 on May 8, 2026. Not a mention in a roundup — a dedicated post: "Cloudways Just Shipped a 9.8 CVSS to 400,000 WordPress Sites. Wordfence Logged 170 Active Exploits Before the Patch Landed. Here's the Hunt." We documented the exact mechanism — the missing file-type validation in the fetch_gravatar_from_remote function that lets an unauthenticated attacker write executable content to disk — and we attached the live exploitation telemetry showing it was already being hit before the fix existed.
That is sixty-four days before today's national-authority warning. When the ACSC says CVE-2026-3844 is part of a campaign happening now, the honest translation is: the thing we told you to patch in early May is the thing being used against Australia and everyone else in July. The warning is correct. It is also two months downstream of the receipt.
This isn't one lucky call — it's the beat
CVE-2026-3844 is not a coincidence, because the shape of this campaign is a pattern we have been documenting all spring, one plugin at a time, each with its own timestamp:
[CVE-2026-3300](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2026-3300) — Everest Forms Pro fed visitor input straight into eval(); a 9.8 under active exploitation, minting an admin account. We wrote it up June 7.
[CVE-2026-7458](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2026-7458) — a WordPress plugin that authenticated you as anyone who submitted true for the OTP, PHP loose comparison striking again. May 12.
[CVE-2026-8732](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2026-8732) — WP Maps Pro, a 9.8 minting rogue administrators. Our exploit harvester had the detection rules on May 30, three days before the headline, and we published the receipt with timestamps.
[CVE-2026-37748](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2026-37748) — an unrestricted file upload in a Visitor Management System. Our harvester indexed the proof-of-concept thirty-seven minutes after it was pushed to GitHub.
And underneath all of it, the technique itself — a poisoned upload becomes a webshell becomes persistent access — is exactly what we described in "Your Security Team Probably Cloned a Webshell Last Week" and the Cisco-FMC-POC-with-a-webshell network analysis back in March. The ACSC's alert is a snapshot of a movie we have been narrating frame by frame since the winter.
Why the gap matters
Held to about ninety-five percent, and credit where it is due: the campaign warning is the ACSC's, and national CERTs issuing clear, actionable alerts is genuinely valuable work — it reaches audiences we never will. The Breeze Cache exploitation telemetry is Wordfence's. We are not claiming to have discovered these flaws.
What we are claiming — and can prove with dated posts — is that the useful moment for a defender is not when a government authority confirms a campaign is global. It is sixty-four days earlier, when the CVE first has a working exploit and live hits and nobody has said the word "campaign" yet. That window is where a patch still matters, where a detection rule still gets ahead of the webshell. Our exploit harvester lives in that window on a six-hour cycle; the national alert arrives after the window has closed for a lot of people.
So if you are reading the ACSC warning today and reaching for your patch list, good — do it. But notice the date on our post about the single worst item in it, and ask what it would be worth to have been reading that in May. That is the whole product. The alert tells you a campaign is here. We tell you which bug is about to become one, while there is still time to do something about it.
Every indicator in this post is in the feed. Free.
1.58M+ IOCs, STIX 2.1 / TAXII, 88% novel vs ThreatFox, exploited-CVE leads ahead of CISA. No credit card — a free API key in 30 seconds, and you can audit every claim above against the live endpoints.
