HackMyIP
← Back to News
2026-07-10 The Hacker News

Exposed WP-SHELLSTORM Server Reveals Mass WordPress Backdoor Operation

MalwareVulnerabilityThreat Intel

A cybercrime operation tracked as WP-SHELLSTORM inadvertently exposed its own infrastructure for 22 days, leaving a rented US-based server at 137.175.93[.]126 wide open with no authentication, according to SOCRadar's threat intelligence team. The roughly 800MB archive contained 434 files spanning webshells, exploit scripts, target lists, command-and-control settings, and the operator's typed command history. Researchers from Ctrl-Alt-Intel independently discovered the same directory via Hunt.io's open-directory platform and published their findings on June 22, preceding SOCRadar's July 9 writeup. The slip stemmed from the operator launching a simple Python web server to transfer files and forgetting to shut it down.

SOCRadar describes WP-SHELLSTORM as a webshell access brokerage: a crew that compromises websites at scale, plants persistent backdoors, and resells access to other attackers. The operators pulled target lists exceeding 1.4 million domains from FOFA, a Chinese internet-of-things search engine, and ran automated scanners against publicly known vulnerabilities across WordPress, Joomla, and other platforms. The single largest target file contained 587,034 Joomla domains. Their toolkit covered 27 known flaws, but a handful did the heavy lifting. The most prolific was CVE-2026-3844 in the Breeze WordPress caching plugin, which was fired at more than 45,000 targets and reportedly backdoored over 17,000 sites, though exploitation required the non-default "Host Files Locally – Gravatars" setting to be enabled. Flaws in Joomla's JCE editor accounted for the bulk of the remaining compromises, with Ctrl-Alt-Intel's deduplicated analysis confirming evidence of compromise on 25,195 sites.

The exposed logs make clear that out-of-date plugins were the primary entry vector, reinforcing long-standing guidance to patch CMS components promptly and audit non-default configuration options that expand attack surfaces. Website owners can begin triage by running a port scanner to verify unexpected services are not exposed, checking certificate health with an SSL/TLS checker, and reviewing domain ownership via a WHOIS lookup for any unfamiliar contacts tied to their hosting. Because planted webshells typically reuse harvested administrator credentials for lateral movement, operators of compromised WordPress and Joomla environments should also rotate every privileged password and validate it against known leaks using a password checker before reissuing accounts to staff.

Source: The Hacker News →

Related Tools

Check whether this kind of story affects you — free, no signup:

Email Breach Check →Privacy Checkup →

Related Guides

Learn the background behind this story:

What is my IP and why it matters →IP address security →How to stop being tracked online →