Latest posts
- The OTP Plugin Protecting Your Login Has a Flaw That Makes It Worthless
  A plugin called User Verification by PickPlugins adds a one-time password step to your WordPress login. The idea is good — a second check before anyone gets in. The implementation has a bug that cancels the whole thing. An attacker types “true” as their OTP code. PHP accepts it. They are logged in as any…
- The dangerous part is not the vulnerability headline. It is everything that stays exposed after it.
  A plugin vulnerability warning feels like a clear task. Update the plugin, move on, and get back to work. That is exactly where many WordPress admins get trapped. The warning gets attention, but the real risk often sits in what nobody checks after the patch: weak settings, missed signs of compromise, and backups that exist…
- 🚨 WordPress Security Brief — Week of April 14–20, 2026
  The Headlines This Week: This week was one of the most dangerous in WordPress history. A coordinated supply chain attack hit over 30 plugins simultaneously, active exploits targeted millions of sites through file upload flaws, and researchers disclosed 154 new vulnerabilities — including 10 rated Critical — across 118 plugins and 23 themes in just…
- 🚨 WordPress Weekly Threat Report: April 6–11, 2026 — A Critical Zero-Day, 17 New CVEs, and WordPress 7.0 Delayed
  Every week, hundreds of WordPress vulnerabilities are quietly published. Most site owners never see them. This week was not a quiet one. Between March 30 and April 9, 2026, the WordPress security ecosystem recorded over 70 new CVEs — spanning the Wordfence March 30–April 5 window and the April 8–9 digest. One has no patch.…
- WordPress Security Update — April 4, 2026: Quiet Day, But Vigilance Required
  A relatively quiet day across major WordPress threat intelligence sources, with no new vulnerabilities disclosed in the last 24 hours per Wordfence, WPScan, and Sucuri. Recent highlights from the April 1 roundup include 225 disclosures, such as Lobot Slider CSRF (CVE-2026-2941) and LearnPress Broken Access Control (CVE-2026-3533), alongside WordPress core 6.9.4 with 10 security fixes.…
- WordPress’s Unauthenticated Attack Surface Is Bigger Than You Think
  Three critical WordPress vulnerabilities disclosed today require zero authentication. A CVSS 8.5 SQL injection and an 8.1 file move bug show why unauthenticated attack vectors deserve more attention. Introduction: Patchstack disclosed four critical WordPress vulnerabilities today. Three of them share something that should alarm every site operator: they require no authentication whatsoever. An attacker…