Joomla and WordPress hack wave, summer 2026: what to do
Summer 2026 has become a season of mass hacks against Joomla and WordPress sites. Through June and July, CISA added several maximum-severity flaws in popular Joomla extensions to its Known Exploited Vulnerabilities catalog, while a WP-SHELLSTORM campaign backdoored thousands of WordPress sites. The attackers are automated bots, and they hit whoever failed to update: the window between a patch shipping and mass exploitation is measured in days. Below: exactly which extensions are under attack, how to tell if you are already in the blast radius, and what to do first.
What is happening this summer
This is not a single hack but a wave. The pattern is the same in every case:
- Researchers find a critical flaw in a popular extension, a patch ships.
- Within days a ready-made mass exploit appears, and bots start scanning the whole internet for the vulnerable extension.
- Whoever did not update gets hacked. No account is needed: the attacks run without authentication.
Several of these flaws were added by CISA to its Known Exploited Vulnerabilities (KEV) catalog, with a mandatory patch deadline for US federal agencies. For a small-site owner the takeaway is simple: if an extension from the list below is installed and not updated, you are in the queue.
Check your site right now
The tool opens your site from the outside the way a search engine and a mobile visitor see it. Defacement, a redirect, cloaking and an outdated CMS version show up at once. No access to the site is required.
Joomla: four critical flaws of summer 2026
All four are exploited in real attacks. If you have the extension installed, update it to the version below immediately:
- iCagenda (CVE-2026-48939, CVSS 10.0). Arbitrary file upload through attachments leads to PHP execution. Exploited as a zero-day since 15 June 2026. Fixed in versions 4.0.8 and 3.9.15.
- Balbooa Forms (CVE-2026-56291, CVSS 10.0). File upload through a form leads to remote code execution. Versions up to and including 2.4.0 are vulnerable. Fixed in 2.4.1.
- JCE, the Joomla Content Editor (CVE-2026-48907, CVSS 10.0). Creating an editor profile without authentication lets an attacker upload and run PHP. Versions 1.0.0 through 2.9.99.4 are vulnerable. Fixed in 2.9.99.6. A working exploit is already public.
- Helix3, the JoomShaper template framework (CVE-2026-49049, CVSS 7.5). Unauthenticated write into the template settings in the database. All versions up to 3.1.1 on Joomla 3, 4 and 5 are exposed. Fixed in 3.1.2.
The "Hacked by AntonKill" defacement on Helix3: why the hosting antivirus stays silent
Helix3 is behind a noticeable wave of defacements: since early July, bots have been tagging sites with a full-screen skull overlay reading "Hacked by AntonKill" or "Hacked by trenggalek6etar". The key detail: the malicious code is written not into files but into the template parameters in the database. Every page loads JavaScript straight from the template settings.
That is why the hosting antivirus reports "all clean" while the defacement is right there: the scanner checks files against signatures, and the code sits in the database. You have to clean the database, not just the files. More on removing this defacement on the hack recovery page.
WordPress: the WP-SHELLSTORM campaign
WordPress saw a separate campaign this summer. On an exposed attacker server, researchers found traces of mass backdooring: by the attackers' own count, more than 45,000 sites were targeted and over 17,000 backdoored, with access resold.
- The main entry point of the campaign was the Breeze caching plugin (CVE-2026-3844), fixed in version 2.4.5. Important: the flaw only fires when the non-default "Host Files Locally - Gravatars" setting is on, so not every install is exposed.
- The toolkit covered 27 known plugin flaws in total. These were not zero-days: they attacked things long since patched but left un-updated on sites.
The lesson is the same as with Joomla: mass hacks come not through secret flaws but through neglected, un-updated plugins.
How to tell if you are already under attack
The signs that a site is already hacked:
- A full-screen defacement with a skull and a "Hacked by..." message, or foreign content instead of your home page.
- The site redirects to casinos, pharmacies or spam, especially on mobile or from search.
- Users or editor profiles you never created have appeared in the admin area.
- Unknown .php files in the uploads, media or cache folders.
- The host suspended the account for malware, or Google flagged the site as hacked.
What to do right now
- Update the vulnerable extensions to the fixed versions: iCagenda 4.0.8 / 3.9.15, Balbooa Forms 2.4.1, JCE 2.9.99.6, Helix3 3.1.2, Breeze 2.4.5.
- Change every password and key: admin, FTP and SSH, database, hosting panel, CMS secret keys.
- Check the list of administrators and editor profiles, remove any you did not create.
- For Helix3, check the template parameters in the database (the
#__template_stylestable) for foreign JavaScript. - Find and delete web shells: unknown .php files, often via
eval(base64_decode(...)). Check cron jobs.
Important: updating closes the way in but does NOT remove a backdoor that was already uploaded. If the site is already hacked, an update alone is not enough, it needs cleaning.
When to call a specialist
It is worth not wasting time if:
- the site is already defaced, redirecting or flagged by Google;
- you updated the extension but the infection remains;
- the code is in the database (Helix3) and the hosting antivirus stays silent;
- the host suspended the account;
- there is no working clean backup.
I clean sites hit by this wave on any CMS: remove the defacement and backdoors (including database-side code on Helix3), close the entry point and update the vulnerable extensions so it does not happen again. Diagnostics are free. I work with site owners from Ukraine and Poland, and with Russian speakers across the EU. I do not work with legal entities registered in Russia: that is an EU sanctions restriction.
Details and requestFrequently asked questions
I updated the extension. Am I safe?
Updating closes the way in, but it does not remove what was already uploaded before the update. If the site was hacked before you updated, the backdoor remains and the infection returns. After updating, always check the site for defacement, redirects and web shells.
The hosting antivirus says all clean, but the defacement is there. How?
That is typical of the Helix3 defacement: the malicious code lives in the template parameters in the database, not in files. The hosting antivirus checks files against signatures and does not see the database. So it honestly reports clean while the defacement is right there. You have to clean the database.
I run Joomla 4 or 5, not 3. Does this not affect me?
It does. This summer's flaws are not in the Joomla core but in extensions: iCagenda, Balbooa Forms, JCE and Helix3 install and get hacked on Joomla 3, 4 and 5 alike. The core version does not protect you, what matters is whether the extensions themselves are updated.
Why is it mass exploitation, my site is small?
Because the attacks are not manual but run by bots: they scan the whole internet and hit any site with a vulnerable extension installed. The bot does not care whether your site is big or small, only that it is vulnerable. Small sites suffer more often because they update less.
Will I manage to update in time myself?
If the site is not hacked yet, update immediately: the window between a patch and mass exploitation is only a few days. But if the site already shows a defacement, a redirect or foreign profiles, an update no longer cures it, it only closes the way in for the future, while removing the infection and finding the backdoor is a separate job.