TTP Advisory: WP-SHELLSTORM | No CVE | Operation Type: Webshell Access Brokerage | Targets: WordPress (Breeze caching plugin) + Joomla (JCE editor) | Sites Scanned: 1.4 million | Discovered by: SOCRadar
What Happened
A cybercrime crew left one of its own servers exposed on the internet for three weeks, revealing the inner workings of a mass site-hacking operation tracked as WP-SHELLSTORM. SOCRadar discovered the exposed server on June 11, 2026, containing hacking tools, activity logs, and target lists naming more than 1.4 million websites. The operation is a webshell access brokerage: the crew breaks into sites at scale, plants hidden backdoor webshells, and packages that access for resale to other cybercriminals. The two plugins most targeted were the Breeze caching plugin (WordPress) and the JCE editor (Joomla). Far fewer than 1.4 million sites were actually compromised, but the scale of targeting is significant.
Affected Products
- Breeze caching plugin for WordPress — out-of-date versions
- JCE editor for Joomla — out-of-date versions
Exploited?
Yes — active operation with confirmed compromise. The exposed server confirmed that the crew successfully breached a subset of the 1.4 million scanned sites. Australia’s Cyber Security Centre has separately reported large-scale coordinated attacks against CMS platforms, suggesting this may be part of a broader campaign ecosystem.
Mitigation
- Update plugins: Ensure Breeze caching plugin (WordPress) and JCE editor (Joomla) are on latest versions.
- Audit for webshells: Check WordPress/Joomla installations for unauthorised files. Review file integrity against known-good baselines.
- Web application firewall: Deploy WAF rules to detect webshell upload attempts.
Recommendations
- Update CMS plugins: Apply latest updates for Breeze caching plugin and JCE editor.
- Scan for webshells: Use security plugins or server-side scanners to detect hidden webshells.
- Review file permissions: Ensure WordPress/Joomla file upload directories are not executable.
References
- The Hacker News: WP-SHELLSTORM
- SOCRadar Research Report
Part of the Vulnerability Intelligence series on threat-modeling.com. July 10, 2026 Report.
