Exposed Hacker Server Reveals WP-SHELLSTORM Backdooring Thousands of WordPress Sites

A cybercriminal group inadvertently exposed its own operations by leaving a server unprotected on the internet for three weeks. This oversight provided researchers with a rare glimpse into the group’s activities, including their hacking tools, logs, and a list of over 1.4 million targeted websites.

The operation, dubbed WP-SHELLSTORM, functions as a webshell access brokerage. In this scheme, attackers compromise websites en masse, implant hidden backdoors known as webshells, and then sell access to these infiltrated sites.

Unsecured Server Leads to Discovery

On June 11, 2026, SOCRadar’s threat intelligence team discovered an unprotected server at IP address 137.175.93[.]126. The server contained approximately 800MB of data across 434 files, including webshells, exploit scripts, scan results, command histories, and command-and-control configurations. This server had been left accessible without any authentication measures.

Another cybersecurity firm, Ctrl-Alt-Intel, had previously analyzed the same directory after finding it through Hunt.io’s open-directory platform. They published their findings on June 22, 2026. The exposure resulted from the attackers initiating a simple Python web server to transfer files and neglecting to secure it, leaving it open for 22 days.

Exploitation of Known Vulnerabilities

The WP-SHELLSTORM group leveraged publicly known vulnerabilities in website plugins, predominantly targeting WordPress sites. They developed automated scanners to exploit these vulnerabilities across extensive target lists sourced from FOFA, a Chinese search engine for internet-connected systems similar to Shodan.

Upon identifying a vulnerable site, the attackers deployed webshells—small scripts that allow remote command execution, file manipulation, password theft, and further network infiltration. The toolkit utilized by the group addressed 27 known vulnerabilities, with a few being particularly effective. Notably, a flaw in the Breeze caching plugin (CVE-2026-3844) was exploited against over 45,000 targets, resulting in more than 17,000 successful backdoors. However, this exploit was contingent on a non-default setting being enabled, limiting its effectiveness to certain configurations.

Scope of the Attack

While the attackers’ target lists encompassed over 1.4 million domains across various platforms, the actual number of compromised sites was significantly lower. Ctrl-Alt-Intel’s analysis identified 25,195 sites with confirmed evidence of compromise, whereas SOCRadar reported over 5,700 active webshells. For instance, an exploit targeting a Joomla vulnerability was attempted on more than 560,000 sites but succeeded in only 77 cases.

It’s crucial to understand that being listed as a target does not equate to a successful breach. This distinction underscores the importance of maintaining up-to-date software and robust security practices to mitigate potential threats.

The exposure of the WP-SHELLSTORM operation highlights the persistent risks associated with outdated plugins and misconfigured settings in widely used content management systems like WordPress and Joomla. Website administrators must prioritize regular updates and security audits to protect against such large-scale exploitation campaigns.