The Australian Signals Directorate's Australian Cyber Security Centre (ACSC) has issued a second alert on content management systems in two months, warning that attackers are running a large-scale campaign exploiting already-patched vulnerabilities.
The campaign involves 17 specific vulnerabilities affecting websites worldwide, including many operated by small- to medium-sized businesses in Australia.
Several WordPress plugins - Craft CMS, MaxSite CMS, MetInfo CMS and Joomla's JCE editor - are covered by the alert, with some of the underlying vulnerabilities dating back to 2024.
The latest alert follows an ACSC advisory issued in May about a ClickFix campaign in which compromised WordPress websites belonging to legitimate Australian businesses delivered the Vidar Stealer malware to visitors.
All 17 vulnerabilities listed by the ACSC have patches available, with some fixes having been released many months ago.
Among them is CVE-2025-32432 affecting Craft CMS, which was exploited as a zero-day for around two months before a patch was released in April 2025.
Other vulnerabilities mentioned in the alert affect the GutenKit and Hunk Companion WordPress plugins, both of which were patched in 2024 but continued to attract heavy exploitation attempts after fixes became available, security vendor Wordfence said.
ACSC advises administrators to look for indicators of compromise, including webshells that enable remote connections and other malicious scripts, to remove any attacker persistence, and then apply available security updates.
The agency also recommends disabling vulnerable components where patches cannot be applied immediately.
For organisations relying on managed hosting, the cybersecurity agency suggests they ask providers how monitoring for compromise and responding to active exploitation campaigns is done.

iTnews State of Data & AI Breakfast
Forrester's AI Forum Sydney
The 2026 iAwards
Integrate 2026
Security Exhibition & Conference



