Wpmet A.I CyberSecurity Scoring
Wpmet
Company Information
Website:https://wpmet.com/agl2
Employees number:2
Number of followers:915
NAICS:5112
Industry Type:Software Development
Homepage:wpmet.com
Wpmet Risk Score (AI oriented)
Between 700 and 749
WpmetSoftware Development
Updated:
10/07/2026
10/07/2026
738/1000
Moderate
Ba
Wpmet Global Score (TPRM)
xxxx
WpmetSoftware Development
Score locked

WpmetModerate
Current Score
738Ba (MODERATE)
01000
2 incidents
-5.5 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026
743
Vulnerability
09 Jul 2026 • Wpmet
Ninja Forms and Simple File List: Hackers Scan CMS Websites Globally to Deploy Webshells and Steal Credentials
Global CMS Exploitation Campaign Targets Unpatched Websites
738
CRITICAL-5
CYBWPM1783600441
Global CMS Exploitation Campaign Targets Unpatched Websites
A large-scale cyberattack campaign is actively targeting Content Management System (CMS) websites worldwide, with threat actors scanning for unpatched software and vulnerable plugins. Once exploited, attackers deploy malicious webshells to gain remote control over compromised systems, enabling website defacement, credential theft, and malware distribution.
The campaign has impacted organizations globally, particularly small- to medium-sized businesses, and reflects a broader trend identified by the Five Eyes cybersecurity agencies the increasing use of artificial intelligence to accelerate cyber operations. This shift has drastically reduced the time between a vulnerability’s public disclosure and its exploitation in the wild.
Attackers primarily exploit flaws allowing unauthenticated file uploads, remote code execution, server-side request forgery, or unsafe deserialization. Known vulnerabilities in popular WordPress plugins including Simple File List (CVE-2025-34085), WavePlayer (CVE-2025-12057), and Ninja Forms (CVE-2026-0740) have been weaponized in this campaign.
Once a webshell is deployed, hackers use it to disrupt operations, steal sensitive data, and distribute additional malware to unsuspecting visitors. Compromised servers may also serve as a foothold for deeper network infiltration.
The Australian Signals Directorate’s Australian Cyber Security Center (ASD’s ACSC) has urged administrators to proactively inspect CMS environments, as the rapid automation of attacks is shrinking the window for manual remediation. Organizations are advised to adopt continuous monitoring, automated security updates, and strict access controls to mitigate risks.
INCIDENT DETAILS -
TYPE
MOTIVATION
IMPACT
DATA BREACH
REFERENCES
JUNE 2026
749
Vulnerability
11 Jun 2026 • Wpmet
ThemeREX, Joomla, Simple File List, WP File Manager, Oracle and DigitalOcean: Exposed Hacker Server Reveals WP-SHELLSTORM Backdooring Thousands of WordPress Sites
WP-SHELLSTORM Cybercrime Group's Exposed Server Reveals Mass Webshell Operation Targeting 1.4 Million Sites
743
CRITICAL-6
ORAJOOMANWPMDIGTHE1783693992
Cybercrime Crew’s Exposed Server Reveals Mass Webshell Operation Targeting 1.4 Million Sites
A cybercrime group, tracked as WP-SHELLSTORM, inadvertently exposed its operations for three weeks after leaving an unsecured server online. The incident, discovered by researchers at SOCRadar and Ctrl-Alt-Intel, provided an unprecedented look into a webshell access brokerage a scheme where attackers compromise websites en masse, install backdoors, and sell access to other criminals.
### The Exposure
On June 11, 2026, SOCRadar identified an unprotected server (IP: 137.175.93[.]126) hosting 800MB of data, including:
- Hacking tools (exploit scripts, webshells)
- Activity logs (command histories, scan results)
- Target lists naming 1.4 million websites (WordPress, Joomla, and others)
- Command-and-control (C2) configurations
The server, rented in the U.S., was left open due to a Python web server left running for 22 days a simple but costly oversight. Ctrl-Alt-Intel independently analyzed the same directory, publishing findings on June 22, before SOCRadar’s July 9 report.
### The Attack Method
The group exploited 27 known vulnerabilities, primarily in WordPress plugins, to deploy webshells small scripts granting remote control over compromised servers. Key flaws included:
- Breeze caching plugin (CVE-2026-3844) – Exploited against 45,000+ sites, successfully backdooring 17,000+ (only effective with a non-default setting enabled).
- Joomla JCE editor (CVE-2026-48907) – Targeted 560,000+ sites but only breached 77.
- Other WordPress plugins (e.g., ThemeREX Addons, Simple File List, WP File Manager).
The attackers used FOFA, a Chinese search engine for internet-connected systems, to build target lists. Their toolkit included:
- down.php – A heavily obfuscated webshell derived from BestShell (open-source Chinese malware).
- VShell – A stealthy backdoor disguised as a kernel process ([kworker/0:2]) to evade detection.
### Compromise Scale
While the 1.4 million figure represents targets, not breaches, researchers confirmed:
- Ctrl-Alt-Intel: 25,195 sites with evidence of compromise.
- SOCRadar: 5,700+ active webshells.
### Earlier Corporate Espionage Campaign
Before the WordPress spree, the same group ran a quieter operation in May 2026, targeting Java-based corporate systems via a Nacos configuration server flaw (CVE-2021-29441). They extracted:
- 613 configuration files from 11 systems across nine companies (fintech, e-commerce, logistics, gaming, electronics).
- Cloud credentials (AWS, Alibaba, Oracle, Tencent, DigitalOcean).
- Database passwords and Alipay RSA private keys.
SOCRadar suggests this was a "funding round" before scaling up the higher-volume webshell operation.
### Attribution & Sloppy Tradecraft
Researchers assess with medium-to-high confidence that the group is Chinese or Chinese-speaking, citing:
- Simplified Chinese in code and command logs.
- Use of FOFA (requiring a Chinese phone number for registration).
- Tools like Godzilla and VShell, common in Chinese-speaking cybercrime forums.
Despite a sophisticated toolchain, the group made basic errors:
- Left the server unprotected for weeks.
- Exposed a FOFA config file, traceable via law enforcement.
- Failed to sanitize command histories, revealing the full operation.
When alerted, the group deleted log entries between July 2–4, but the damage was already done.
### Broader Implications
WP-SHELLSTORM stands out not for its technical sophistication, but for its scale and opportunism. Using publicly known vulnerabilities and automated scanning, the group compromised thousands of sites without needing zero-days.
The incident mirrors a March 2026 exposure of Russia’s APT28 (Fancy Bear), where an open directory revealed phishing tools and logs. In both cases, human error not advanced hacking led to the unraveling of major cybercrime operations.
INCIDENT DETAILS -
TYPE
MOTIVATION
IMPACT
DATA BREACH
REFERENCES
MAY 2026
749
APRIL 2026
749
MARCH 2026
749
FEBRUARY 2026
749
JANUARY 2026
749
DECEMBER 2025
749
NOVEMBER 2025
749
OCTOBER 2025
749
SEPTEMBER 2025
749
AUGUST 2025
749
Frequently Asked Questions
?
What is the current A.I Rankiteo Cyber Score for Wpmet ??
What was Wpmet's A.I Rankiteo Cyber Score in June 2026 ??
What was Wpmet's A.I Rankiteo Cyber Score in May 2026 ??
What was Wpmet's A.I Rankiteo Cyber Score in April 2026 ??
What was Wpmet's A.I Rankiteo Cyber Score in March 2026 ??
What was Wpmet's A.I Rankiteo Cyber Score in February 2026 ??
What was Wpmet's A.I Rankiteo Cyber Score in January 2026 ??
What was Wpmet's A.I Rankiteo Cyber Score in December 2025 ??
What was Wpmet's A.I Rankiteo Cyber Score in November 2025 ??
What was Wpmet's A.I Rankiteo Cyber Score in October 2025 ??
What was Wpmet's A.I Rankiteo Cyber Score in September 2025 ??
What was Wpmet's A.I Rankiteo Cyber Score in August 2025 ??
What is the average per-incident point impact on Wpmet's A.I Rankiteo Cyber Score over the past 12 months ??
Where can I access detailed records of all cyber incidents associated with Wpmet ??
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology ??
Where can I view Wpmet's profile page on Rankiteo ??
How accurate is the A.I Rankiteo Risk Scoring methodology ?