Patch or disable high-risk WordPress plugins from the May 22 Patchstack disclosures: BookingPress Pro, Easy Elements, and WP ERP Pro.
Patch Really Simple Security CVE-2026-8293, a WordPress two-factor bypass fixed in 9.5.10.1. Update, review admins, and reset risky sessions.
Critical Easy Elements for Elementor CVE-2026-7284 patch guide: update to 1.4.5, remove if unavailable, review admins, and replace unsafe builder add-ons.
Patch Gravity SMTP CVE-2026-4020 and CVE-2026-4162, rotate WordPress mail-service credentials, and review sending logs after active attack reports.
Windows Secure Boot certificates from 2011 begin expiring in June 2026. Patch, reboot, verify, and stage server rollout safely.
Update AI Engine to 3.5.0 or newer for CVE-2026-8719, then review MCP/OAuth connections, administrator users, content changes, and logs.
A practical first-30-minutes checklist after installing a WordPress builder plugin: modules, blank theme, draft page, mobile checks, SEO, and cache.
Patch FunnelKit Funnel Builder to 3.15.0.3 or newer after active attacks placed malicious scripts on WooCommerce checkout pages.
Patch Burst Statistics CVE-2026-8181, a critical WordPress authentication bypass affecting versions 3.4.0 through 3.4.1.1.
Patch Form Notify CVE-2026-5229, Frontend Admin CVE-2026-6228, and Quick Playground CVE-2026-6403, then review WordPress users, files, logs, and connected credentials.
