Act
active
Exposed Server Reveals WP-SHELLSTORM Mass WordPress Backdoor Campaign
- Engineer — Act: If you host WordPress sites, audit them now for backdoors and unknown admin accounts; review your web server logs for indicators matching this campaign’s mass-exploitation pattern.
- SOC/IR — Act: Review logs for WordPress admin-panel anomalies and unexpected file writes since the campaign has been active; hunt for web shells or unusual PHP execution tied to mass-compromise tooling.
- Leader — Learn: Provides useful context on the scale of opportunistic WordPress compromise operations, but no immediate board-level action is required without confirmed organizational exposure.
This entry was curated and judged by AI (Claude) with automated enrichment
(CISA KEV / EPSS / public PoC). Verify against the original source before
acting. Found a bad verdict?
Report it —
confirmed errors go to the corrections log.