Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

Global Exploitation Campaign Targets Vulnerabilities in Joomla and WordPress Extensions


THN has obtained exclusive information on a global exploitation campaign targeting vulnerabilities in popular content management systems (CMS) and plugins, including Joomla and WordPress extensions. Two maximum-severity security flaws have been added to the KEV catalog by CISA following reports of zero-day exploitation in the wild.

  • The Threat Intelligence News Network (THN) has reported on a global exploitation campaign targeting vulnerabilities in content management systems (CMS) and plugins, including Joomla and WordPress.
  • Two maximum-severity security flaws have been added to the Known Exploited Vulnerabilities (KEV) catalog by CISA, following reports of zero-day exploitation in the wild.
  • The first vulnerability, CVE-2026-48939, affects the iCagenda extension for Joomla and allows arbitrary file uploads, leading to PHP code execution.
  • The second vulnerability, CVE-2026-56291, affects the Balbooa Forms extension for Joomla and allows arbitrary file uploads, leading to remote code execution.
  • Both vulnerabilities have been rated 10.0 on the CVSS scoring system, indicating extreme severity.
  • Australian Cyber Security Centre (ACSC) has issued an alert warning of a global exploitation campaign targeting various vulnerabilities in CMS software and plugins.
  • Other targeted security vulnerabilities include CVE-2025-6389, CVE-2025-7852, and more.
  • Federal Civilian Executive Branch (FCEB) agencies have until July 13, 2026, to implement fixes in their networks.
  • The discovery highlights the importance of keeping software up-to-date and patching known security flaws.



  • Threat Intelligence News Network (THN) has obtained exclusive information on a global exploitation campaign that is targeting vulnerabilities in content management systems (CMS) and plugins, including popular extensions for Joomla and WordPress. According to the latest reports, two maximum-severity security flaws have been added to the Known Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), following reports of zero-day exploitation in the wild.

    The first vulnerability, CVE-2026-48939, is a critical flaw in the iCagenda extension for Joomla that allows the upload of arbitrary files via the file attachment feature, leading to PHP code upload and execution. This vulnerability has been reported to have been exploited as a zero-day since June 15, 2026, in automated attacks aimed at Joomla sites on which iCagenda is installed.

    The second vulnerability, CVE-2026-56291, is a critical flaw in the Balbooa Forms extension for Joomla that allows the upload of arbitrary files, leading to remote code execution. This vulnerability has also been reported to have been exploited as a zero-day since June 15, 2026.

    Both vulnerabilities have been rated 10.0 on the CVSS scoring system, indicating that they are extremely severe and could be exploited by attackers to gain unauthorized access to vulnerable systems. The affected versions of iCagenda and Balbooa Forms extensions include 4.x up to and including 4.0.7, as well as Legacy 3.x versions from 3.2.1 up to and including 3.9.14.

    It's worth noting that the Australian Cyber Security Centre (ACSC) has issued an alert warning of a global exploitation campaign targeting various vulnerabilities in CMS software and plugins. According to the ACSC, malicious cyber actors are actively scanning websites for opportunities to deploy web shells, leveraging various vulnerabilities affecting CMS software and plugins.

    The ACSC also lists several other security vulnerabilities that are being targeted by attackers, including CVE-2025-6389, CVE-2025-7852, CVE-2025-12352, CVE-2025-32432, CVE-2026-0740, CVE-2026-3395, CVE-2026-3844, and CVE-2026-29014.

    In light of the active exploitation, Federal Civilian Executive Branch (FCEB) agencies have until July 13, 2026, to implement the fixes in their networks. Site owners are advised to check for suspicious PHP files in the "images/icagenda/frontend/attachments/" folder and remove them.

    The discovery of these vulnerabilities highlights the importance of keeping software up-to-date and patching known security flaws. It also underscores the need for organizations to have robust cybersecurity measures in place to protect against zero-day attacks.

    In addition to the Joomla and WordPress extensions, other CMS platforms such as Sneeit Framework, WPBookit (WordPress), Gravity Forms (WordPress), Craft CMS, Ninja Forms (WordPress), MaxSite CMS, Breeze Cache (WordPress), WavePlayer (WordPress), and MetInfo CMS are also being targeted by attackers.

    The ACSC noted that advances in AI are accelerating the speed and scale of cyber operations, reducing the time between vulnerability disclosure and exploitation. This highlights the importance of staying vigilant and up-to-date with the latest security patches and best practices to protect against these types of attacks.

    In conclusion, the global exploitation campaign targeting vulnerabilities in Joomla and WordPress extensions is a reminder that cybersecurity threats are constantly evolving and require proactive measures to prevent and mitigate. Organizations must prioritize software updates, patching, and robust cybersecurity protocols to stay ahead of these threats.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Global-Exploitation-Campaign-Targets-Vulnerabilities-in-Joomla-and-WordPress-Extensions-ehn.shtml

  • https://thehackernews.com/2026/07/icagenda-and-balbooa-forms-joomla-flaws.html

  • https://howtofix.guide/balbooa-icagenda-cves-cisa-kev-joomla-rce/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-6389

  • https://www.cvedetails.com/cve/CVE-2025-6389/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-7852

  • https://www.cvedetails.com/cve/CVE-2025-7852/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-12352

  • https://www.cvedetails.com/cve/CVE-2025-12352/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-32432

  • https://www.cvedetails.com/cve/CVE-2025-32432/

  • https://nvd.nist.gov/vuln/detail/CVE-2026-0740

  • https://www.cvedetails.com/cve/CVE-2026-0740/

  • https://nvd.nist.gov/vuln/detail/CVE-2026-3395

  • https://www.cvedetails.com/cve/CVE-2026-3395/

  • https://nvd.nist.gov/vuln/detail/CVE-2026-3844

  • https://www.cvedetails.com/cve/CVE-2026-3844/

  • https://nvd.nist.gov/vuln/detail/CVE-2026-29014

  • https://www.cvedetails.com/cve/CVE-2026-29014/


  • Published: Mon Jul 13 02:04:52 2026 by llama3.2 3B Q4_K_M













    © Ethical Hacking News . All rights reserved.

    Privacy | Terms of Use | Contact Us