Tutor LMS Pro Auth Bypass: 30K+ Sites at Risk, Patch Urgently
Critical flaw in Tutor LMS Pro lets attackers bypass auth using their Google OAuth token with a swapped admin email—no verification.

Created by Jerome Pat
Actionable WordPress security alerts, patches, and hardening guides
Urgent alert for NEX-Forms users: The plugin is vulnerable to Insecure Direct Object Reference in all versions up to and including the latest.
WP plugin vuln trend alert: Recent info leaks via CVE-2026-1704 and CVE-2026-2373 highlight ongoing crisis in popular addons.
Essential tool for devs: Use WordPress.org's Plugin Check to test AI-generated plugins for security best practices, compatibility, performance, and...
WordPress 6.9.4 is a maintenance and security release addressing vulnerabilities and bugs in previous versions. Site managers and testers: Update core immediately to mitigate risks.
WP Security Ninja enables email alerts for vulnerabilities—ideal for proactive monitoring of high-impact plugin and core issues. Watch this 1:38 YouTube tutorial for a fast walkthrough.
Critical alert for WordPress users: A new security flaw in a popular plugin puts 250,000 websites at risk. Learn how to protect your site now.
Active threat targeting OpenClaw users: Attackers compromise WordPress-based OAuth callbacks (e.g., WooCommerce, WP OAuth Server) to steal...
Quick triage for WP site managers:
Scan your sites now.
Critical unauth SQLi in Ally plugin (<=4.0.3) enables time-based blind attacks to steal sensitive data like password hashes from DB.
Unusual rapid pace for WordPress: three updates in ~24 hours, starting with a security release against ClickFix malware campaigns using fake...
Massive scale: Over 250 sites compromised across 12 countries (Australia to US), including regional news, businesses, and a US Senate candidate's...
Low-urgency but risky: Subscribers in LearnPress ≤4.3.2.8 can trigger admin emails.
Immediate steps:
Urgent for site managers: Update to WordPress 6.9.4 now – 6.9.2 and 6.9.3 failed to fully address 10 security vulnerabilities.
WordPress 6.9.2 security release (March 10, 2026) fixes 10 vulnerabilities including XSS, SSRF, and auth bypasses – a must-patch now.