Joomla! A.I CyberSecurity Scoring
Joomla!
Company Information
Website:https://www.joomla.org
Employees number:145
Number of followers:14,223
NAICS:513
Industry Type:Technology, Information and Internet
Homepage:joomla.org
Joomla! Risk Score (AI oriented)
Between 700 and 749
Joomla!Technology, Information and Internet
Updated:
10/07/2026
10/07/2026
748/1000
Moderate
Ba
Joomla! Global Score (TPRM)
xxxx
Joomla!Technology, Information and Internet
Score locked

Joomla!Moderate
Current Score
748Ba (MODERATE)
01000
1 incidents
-19 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026
748
JUNE 2026
767
Vulnerability
11 Jun 2026 • Joomla!
ThemeREX, Joomla, Simple File List, WP File Manager, Oracle and DigitalOcean: Exposed Hacker Server Reveals WP-SHELLSTORM Backdooring Thousands of WordPress Sites
WP-SHELLSTORM Cybercrime Group's Exposed Server Reveals Mass Webshell Operation Targeting 1.4 Million Sites
748
CRITICAL-19
ORAJOOMANWPMDIGTHE1783693992
Cybercrime Crew’s Exposed Server Reveals Mass Webshell Operation Targeting 1.4 Million Sites
A cybercrime group, tracked as WP-SHELLSTORM, inadvertently exposed its operations for three weeks after leaving an unsecured server online. The incident, discovered by researchers at SOCRadar and Ctrl-Alt-Intel, provided an unprecedented look into a webshell access brokerage a scheme where attackers compromise websites en masse, install backdoors, and sell access to other criminals.
### The Exposure
On June 11, 2026, SOCRadar identified an unprotected server (IP: 137.175.93[.]126) hosting 800MB of data, including:
- Hacking tools (exploit scripts, webshells)
- Activity logs (command histories, scan results)
- Target lists naming 1.4 million websites (WordPress, Joomla, and others)
- Command-and-control (C2) configurations
The server, rented in the U.S., was left open due to a Python web server left running for 22 days a simple but costly oversight. Ctrl-Alt-Intel independently analyzed the same directory, publishing findings on June 22, before SOCRadar’s July 9 report.
### The Attack Method
The group exploited 27 known vulnerabilities, primarily in WordPress plugins, to deploy webshells small scripts granting remote control over compromised servers. Key flaws included:
- Breeze caching plugin (CVE-2026-3844) – Exploited against 45,000+ sites, successfully backdooring 17,000+ (only effective with a non-default setting enabled).
- Joomla JCE editor (CVE-2026-48907) – Targeted 560,000+ sites but only breached 77.
- Other WordPress plugins (e.g., ThemeREX Addons, Simple File List, WP File Manager).
The attackers used FOFA, a Chinese search engine for internet-connected systems, to build target lists. Their toolkit included:
- down.php – A heavily obfuscated webshell derived from BestShell (open-source Chinese malware).
- VShell – A stealthy backdoor disguised as a kernel process ([kworker/0:2]) to evade detection.
### Compromise Scale
While the 1.4 million figure represents targets, not breaches, researchers confirmed:
- Ctrl-Alt-Intel: 25,195 sites with evidence of compromise.
- SOCRadar: 5,700+ active webshells.
### Earlier Corporate Espionage Campaign
Before the WordPress spree, the same group ran a quieter operation in May 2026, targeting Java-based corporate systems via a Nacos configuration server flaw (CVE-2021-29441). They extracted:
- 613 configuration files from 11 systems across nine companies (fintech, e-commerce, logistics, gaming, electronics).
- Cloud credentials (AWS, Alibaba, Oracle, Tencent, DigitalOcean).
- Database passwords and Alipay RSA private keys.
SOCRadar suggests this was a "funding round" before scaling up the higher-volume webshell operation.
### Attribution & Sloppy Tradecraft
Researchers assess with medium-to-high confidence that the group is Chinese or Chinese-speaking, citing:
- Simplified Chinese in code and command logs.
- Use of FOFA (requiring a Chinese phone number for registration).
- Tools like Godzilla and VShell, common in Chinese-speaking cybercrime forums.
Despite a sophisticated toolchain, the group made basic errors:
- Left the server unprotected for weeks.
- Exposed a FOFA config file, traceable via law enforcement.
- Failed to sanitize command histories, revealing the full operation.
When alerted, the group deleted log entries between July 2–4, but the damage was already done.
### Broader Implications
WP-SHELLSTORM stands out not for its technical sophistication, but for its scale and opportunism. Using publicly known vulnerabilities and automated scanning, the group compromised thousands of sites without needing zero-days.
The incident mirrors a March 2026 exposure of Russia’s APT28 (Fancy Bear), where an open directory revealed phishing tools and logs. In both cases, human error not advanced hacking led to the unraveling of major cybercrime operations.
INCIDENT DETAILS -
TYPE
MOTIVATION
IMPACT
DATA BREACH
REFERENCES
MAY 2026
767
APRIL 2026
767
MARCH 2026
767
FEBRUARY 2026
767
JANUARY 2026
767
DECEMBER 2025
767
NOVEMBER 2025
767
OCTOBER 2025
767
SEPTEMBER 2025
767
AUGUST 2025
767
Frequently Asked Questions
?
What is the current A.I Rankiteo Cyber Score for Joomla! ??
What was Joomla!'s A.I Rankiteo Cyber Score in June 2026 ??
What was Joomla!'s A.I Rankiteo Cyber Score in May 2026 ??
What was Joomla!'s A.I Rankiteo Cyber Score in April 2026 ??
What was Joomla!'s A.I Rankiteo Cyber Score in March 2026 ??
What was Joomla!'s A.I Rankiteo Cyber Score in February 2026 ??
What was Joomla!'s A.I Rankiteo Cyber Score in January 2026 ??
What was Joomla!'s A.I Rankiteo Cyber Score in December 2025 ??
What was Joomla!'s A.I Rankiteo Cyber Score in November 2025 ??
What was Joomla!'s A.I Rankiteo Cyber Score in October 2025 ??
What was Joomla!'s A.I Rankiteo Cyber Score in September 2025 ??
What was Joomla!'s A.I Rankiteo Cyber Score in August 2025 ??
What is the average per-incident point impact on Joomla!'s A.I Rankiteo Cyber Score over the past 12 months ??
Where can I access detailed records of all cyber incidents associated with Joomla! ??
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology ??
Where can I view Joomla!'s profile page on Rankiteo ??
How accurate is the A.I Rankiteo Risk Scoring methodology ?