Security

What a Real WordPress Site Attack Looks Like (And How We Stopped It)

By Your WordPress Guy / Jul 13, 2026

Most articles about WordPress security talk in generalities: keep your plugins updated, use strong passwords, install a firewall. This post is different. This is a real WordPress site attack that hit one of our client sites on July 13, 2026, told with the actual numbers, the actual IP addresses, and the actual fixes we deployed…

Yoast SEO – Advanced SEO with real-time guidance and built-in AI Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘jsonText’ Block Attribute – CVE-2026-3427 | WordPress Plugin Vulnerability Report

By Your WP Guy / Mar 21, 2026

Plugin Name: Yoast SEO – Advanced SEO with real-time guidance and built-in AI Key Information: Software Type: PluginSoftware Slug: wordpress-seoSoftware Status: ActiveSoftware Author: yoastSoftware Downloads: 930,902,675Active Installs: 10,000,000Last Updated: March 22, 2026Patched Versions: 27.2Affected Versions: <= 27.1.1 Vulnerability Details: Name: Yoast SEO <= 27.1.1Title: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘jsonText’ Block AttributeType: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NCVE: CVE-2026-3427CVSS…

The Events Calendar Vulnerability – Missing Authorization to Authenticated (Subscriber+) Data Migration Control – CVE-2025-15043 | WordPress Plugin Vulnerability Report

By Your WP Guy / Jan 20, 2026

Plugin Name: The Events Calendar Key Information Software Type: PluginSoftware Slug: the-events-calendarSoftware Status: ActiveSoftware Author: stellarwpSoftware Downloads: 78,686,265Active Installs: 700,000Last Updated: January 22, 2026Patched Versions: 6.15.13.1Affected Versions: ≤ 6.15.13 Vulnerability Details Name: The Events Calendar ≤ 6.15.13 – Missing Authorization to Authenticated Data Migration ControlTitle: Missing Authorization to Authenticated (Subscriber+) Data Migration ControlType: Missing Authorization…

Newsletter – Send awesome emails from WordPress Vulnerability – Cross-Site Request Forgery to Newsletter Unsubscription – CVE-2026-1051 | WordPress Plugin Vulnerability Report

By Your WP Guy / Jan 19, 2026

Plugin Name: Newsletter – Send awesome emails from WordPress Key Information Software Type: PluginSoftware Slug: newsletterSoftware Status: ActiveSoftware Author: satolloSoftware Downloads: 32,725,200 Active Installs: 300,000 Last Updated: January 20, 2026 Patched Versions: 9.1.1 Affected Versions: ≤ 9.1.0 Vulnerability Details Name: Newsletter – Send awesome emails from WordPress ≤ 9.1.0 Title: Cross-Site Request Forgery to Newsletter UnsubscriptionType:…

Custom Fonts – Host Your Fonts Locally Vulnerability – Missing Authorization to Unauthenticated Font Deletion – CVE-2025-14351 | WordPress Plugin Vulnerability Report

By Your WP Guy / Jan 19, 2026

Plugin Name: Custom Fonts – Host Your Fonts Locally Key Information Software Type: PluginSoftware Slug: custom-fontsSoftware Status: ActiveSoftware Author: brainstormforceSoftware Downloads: 6,158,177Active Installs: 300,000Last Updated: January 22, 2026Patched Versions: 2.1.17Affected Versions: ≤ 2.1.16 Vulnerability Details Name: Custom Fonts – Host Your Fonts Locally ≤ 2.1.16 Title: Missing Authorization to Unauthenticated Font DeletionType: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NCVE: CVE-2025-14351CVSS Score: 5.3Publicly…

Essential Addons for Elementor – Popular Elementor Templates & Widgets Vulnerability – Missing Authorization to Unauthenticated Sensitive Information Exposure – CVE-2026-1004 | WordPress Plugin Vulnerability Report

By Your WP Guy / Jan 15, 2026

Plugin Name: Essential Addons for Elementor – Popular Elementor Templates & Widgets Key Information Software Type: PluginSoftware Slug: essential-addons-for-elementor-liteSoftware Status: ActiveSoftware Author: wpdevteamSoftware Downloads: 117,159,772Active Installs: 2,000,000Last Updated: January 22, 2026Patched Versions: 6.5.6Affected Versions: ≤ 6.5.5 Vulnerability Details Name: Essential Addons for Elementor ≤ 6.5.5 – Missing Authorization to Unauthenticated Sensitive Information ExposureTitle: Missing Authorization…

All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic Vulnerability – Missing Authorization to Authenticated (Contributor+) AI Access Token and Credit Disclosure – CVE-2025-14384 | WordPress Plugin Vulnerability Report

By Your WP Guy / Jan 15, 2026

Plugin Name: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic Key Information: Software Type: PluginSoftware Slug: all-in-one-seo-packSoftware Status: PatchedSoftware Author: smubSoftware Downloads: 196,420,959Active Installs: 3,000,000Last Updated: January 16, 2026Patched Versions: 4.9.3Affected Versions: ≤ 4.9.2 Vulnerability Details: Name: All in One SEO – Powerful SEO Plugin to Boost SEO…

Starter Templates Vulnerability – Authenticated (Author+) Arbitrary File Upload via WXR Upload Bypass – CVE-2025-13065 | WordPress Plugin Vulnerability Report

By Your WP Guy / Dec 5, 2025

Plugin Name: Starter Templates – AI-Powered Templates for Elementor & Gutenberg Key Information: Software Type: PluginSoftware Slug: astra-sitesSoftware Status: ActiveSoftware Author: brainstormforceSoftware Downloads: 86,521,101Active Installs: 2,000,000Last Updated: December 6, 2025Patched Versions: 4.4.42Affected Versions: ≤ 4.4.41 Vulnerability Details: Name: Starter Templates ≤ 4.4.41 – Authenticated (Author+) Arbitrary File Upload via WXR Upload BypassTitle: Authenticated (Author+) Arbitrary…

SiteSEO – SEO Simplified Vulnerability – Missing Authorization to Authenticated (Author+) Plugin Settings Update – CVE-2025-12367 | WordPress Plugin Vulnerability Report

By Your WP Guy / Oct 31, 2025

Plugin Name: SiteSEO – SEO Simplified Key Information: Software Type: PluginSoftware Slug: siteseoSoftware Status: ActiveSoftware Author: softaculousSoftware Downloads: 976,564Active Installs: 400,000Last Updated: November 1, 2025Patched Versions: 1.3.2Affected Versions: ≤ 1.3.1 Vulnerability Details: Name: SiteSEO – SEO Simplified ≤ 1.3.1 – Missing Authorization to Authenticated (Author+) Plugin Settings UpdateType: Missing AuthorizationCVE: CVE-2025-12367CVSS Score: 4.3 (Medium)Publicly Published:…