Rankiteo Logo
Rankiteo
Leader in Cyber Underwriting
Loading...
NEWRankiteo Cyber Underwriting Desktop - Score, price, and bind from your desktop
WindowsmacOSLinux
Download
Joomla!

Joomla! Vendor Cyber Rating & Cyber Score

joomla.org

Joomla, The CMS Trusted By Millions for their Websites Joomla is an award-winning content management system (CMS), which enables you to build Web sites and powerful online applications. Joomla is the mobile-ready and user-friendly way to build your website. Choose from thousands of features and designs. Joomla is free and open source. Joomla is an open source project and is freely available to anyone. Our mission is to provide a flexible platform for digital publishing and collaboration.


Joomla! A.I CyberSecurity Scoring

Joomla!
Company Information
Website:https://www.joomla.org
Employees number:145
Number of followers:14,223
NAICS:513
Industry Type:Technology, Information and Internet
Homepage:joomla.org
Joomla! Risk Score (AI oriented)
Between 700 and 749
logo
Joomla!Technology, Information and Internet
Updated:
10/07/2026
748/1000
Moderate
Ba
AaaAaABaaBaBCaaCaC
Powered by our proprietary A.I cyber incident model
Insurance prefers TPRM score to calculate premium
Joomla! Global Score (TPRM)
xxxx
logo
Joomla!Technology, Information and Internet
•••
Score locked
Instant access to detailed risk factors
Vulnerabilities
Benchmark vs. industry & size peers
Findings

Joomla!
Joomla!Moderate
Current Score
748Ba (MODERATE)
01000
1 incidents
-19 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026
748Before Incident
JUNE 2026
767Before Incident
Vulnerability
11 Jun 2026Joomla!
ThemeREX, Joomla, Simple File List, WP File Manager, Oracle and DigitalOcean: Exposed Hacker Server Reveals WP-SHELLSTORM Backdooring Thousands of WordPress Sites

WP-SHELLSTORM Cybercrime Group's Exposed Server Reveals Mass Webshell Operation Targeting 1.4 Million Sites

748After Incident
CRITICAL-19
ORAJOOMANWPMDIGTHE1783693992
Cybercrime Crew’s Exposed Server Reveals Mass Webshell Operation Targeting 1.4 Million Sites A cybercrime group, tracked as WP-SHELLSTORM, inadvertently exposed its operations for three weeks after leaving an unsecured server online. The incident, discovered by researchers at SOCRadar and Ctrl-Alt-Intel, provided an unprecedented look into a webshell access brokerage a scheme where attackers compromise websites en masse, install backdoors, and sell access to other criminals. ### The Exposure On June 11, 2026, SOCRadar identified an unprotected server (IP: 137.175.93[.]126) hosting 800MB of data, including: - Hacking tools (exploit scripts, webshells) - Activity logs (command histories, scan results) - Target lists naming 1.4 million websites (WordPress, Joomla, and others) - Command-and-control (C2) configurations The server, rented in the U.S., was left open due to a Python web server left running for 22 days a simple but costly oversight. Ctrl-Alt-Intel independently analyzed the same directory, publishing findings on June 22, before SOCRadar’s July 9 report. ### The Attack Method The group exploited 27 known vulnerabilities, primarily in WordPress plugins, to deploy webshells small scripts granting remote control over compromised servers. Key flaws included: - Breeze caching plugin (CVE-2026-3844) – Exploited against 45,000+ sites, successfully backdooring 17,000+ (only effective with a non-default setting enabled). - Joomla JCE editor (CVE-2026-48907) – Targeted 560,000+ sites but only breached 77. - Other WordPress plugins (e.g., ThemeREX Addons, Simple File List, WP File Manager). The attackers used FOFA, a Chinese search engine for internet-connected systems, to build target lists. Their toolkit included: - down.php – A heavily obfuscated webshell derived from BestShell (open-source Chinese malware). - VShell – A stealthy backdoor disguised as a kernel process ([kworker/0:2]) to evade detection. ### Compromise Scale While the 1.4 million figure represents targets, not breaches, researchers confirmed: - Ctrl-Alt-Intel: 25,195 sites with evidence of compromise. - SOCRadar: 5,700+ active webshells. ### Earlier Corporate Espionage Campaign Before the WordPress spree, the same group ran a quieter operation in May 2026, targeting Java-based corporate systems via a Nacos configuration server flaw (CVE-2021-29441). They extracted: - 613 configuration files from 11 systems across nine companies (fintech, e-commerce, logistics, gaming, electronics). - Cloud credentials (AWS, Alibaba, Oracle, Tencent, DigitalOcean). - Database passwords and Alipay RSA private keys. SOCRadar suggests this was a "funding round" before scaling up the higher-volume webshell operation. ### Attribution & Sloppy Tradecraft Researchers assess with medium-to-high confidence that the group is Chinese or Chinese-speaking, citing: - Simplified Chinese in code and command logs. - Use of FOFA (requiring a Chinese phone number for registration). - Tools like Godzilla and VShell, common in Chinese-speaking cybercrime forums. Despite a sophisticated toolchain, the group made basic errors: - Left the server unprotected for weeks. - Exposed a FOFA config file, traceable via law enforcement. - Failed to sanitize command histories, revealing the full operation. When alerted, the group deleted log entries between July 2–4, but the damage was already done. ### Broader Implications WP-SHELLSTORM stands out not for its technical sophistication, but for its scale and opportunism. Using publicly known vulnerabilities and automated scanning, the group compromised thousands of sites without needing zero-days. The incident mirrors a March 2026 exposure of Russia’s APT28 (Fancy Bear), where an open directory revealed phishing tools and logs. In both cases, human error not advanced hacking led to the unraveling of major cybercrime operations.
INCIDENT DETAILS -
TYPE
Webshell AttackData BreachCybercrime Brokerage
MOTIVATION
Financial gainCybercrime brokerageCorporate espionage
IMPACT
Configuration filesCloud credentials (AWS, Alibaba, Oracle, Tencent, DigitalOcean)Database passwordsAlipay RSA private keysWebsite backdoor accessWordPress sites (45,000+ targeted, 17,000+ compromised)Joomla sites (560,000+ targeted, 77 compromised)Java-based corporate systems (11 systems across 9 companies)Operational Impact: Mass compromise of websites for resale of access; potential data exfiltration and further attacks by buyersBrand Reputation Impact: Potential reputational damage to affected entities due to compromise and data exposureIdentity Theft Risk: High (due to exposure of PII and credentials)Payment Information Risk: High (Alipay RSA private keys exposed)
DATA BREACH
Configuration filesCloud credentialsDatabase passwordsAlipay RSA private keysWebshell access logsNumber Of Records Exposed: 613 configuration files from 11 systems; 1.4 million websites targetedSensitivity Of Data: High (credentials, private keys, PII)Data Exfiltration: Yes (data sold on dark web implied)Configuration filesLogsWebshell scriptsPersonally Identifiable Information: Likely (credentials and private keys)
MAY 2026
767Before Incident
APRIL 2026
767Before Incident
MARCH 2026
767Before Incident
FEBRUARY 2026
767Before Incident
JANUARY 2026
767Before Incident
DECEMBER 2025
767Before Incident
NOVEMBER 2025
767Before Incident
OCTOBER 2025
767Before Incident
SEPTEMBER 2025
767Before Incident
AUGUST 2025
767Before Incident

Frequently Asked Questions

?
What is the current A.I Rankiteo Cyber Score for Joomla! ?
?
What was Joomla!'s A.I Rankiteo Cyber Score in June 2026 ?
?
What was Joomla!'s A.I Rankiteo Cyber Score in May 2026 ?
?
What was Joomla!'s A.I Rankiteo Cyber Score in April 2026 ?
?
What was Joomla!'s A.I Rankiteo Cyber Score in March 2026 ?
?
What was Joomla!'s A.I Rankiteo Cyber Score in February 2026 ?
?
What was Joomla!'s A.I Rankiteo Cyber Score in January 2026 ?
?
What was Joomla!'s A.I Rankiteo Cyber Score in December 2025 ?
?
What was Joomla!'s A.I Rankiteo Cyber Score in November 2025 ?
?
What was Joomla!'s A.I Rankiteo Cyber Score in October 2025 ?
?
What was Joomla!'s A.I Rankiteo Cyber Score in September 2025 ?
?
What was Joomla!'s A.I Rankiteo Cyber Score in August 2025 ?
?
What is the average per-incident point impact on Joomla!'s A.I Rankiteo Cyber Score over the past 12 months ?
?
Where can I access detailed records of all cyber incidents associated with Joomla! ?
?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology ?
?
Where can I view Joomla!'s profile page on Rankiteo ?
?
How accurate is the A.I Rankiteo Risk Scoring methodology ?
Joomla! Cyber Scoring History | Rankiteo