Topic

2026 · 44 pieces

WordPress 7.0.2 Fixes a Critical Flaw That Let Attackers Run Code on Your Site

WordPress 7.0.2 fixes a critical flaw that let anonymous attackers run code on unpatched sites. Confirm you're updated. Attacks are already happening.

Issue 10: 7.1 beta lands, and Mullenweg draws a line on AI in core

WordPress 7.1 Beta 1 brings responsive styling and a media overhaul, with final release set for August 19. WooCommerce adds a free Reddit Ads extension.

Why WooCommerce's AI Support Assistant Gave a Wrong Answer, and How It's Fixing That

WooCommerce built an AI system to keep its support docs current, so its AI assistant stops giving outdated answers about renamed features.

WooCommerce Launches a Free Reddit Ads Extension for Store Owners

WooCommerce's free Reddit Ads extension automates pixel setup, catalog sync, and campaign launches to reach Reddit's 121 million daily users.

WordPress 7.1 Beta 1 Is Out, Final Release Lands August 19

WordPress 7.1 Beta 1 is out for testers only, do not install it on a live site. The final release ships on August 19, 2026.

WordPress 7.1 Fixes the Confusing Back Button in Your Editor

WordPress 7.1 swaps the confusing W-logo back button for a chevron and shows the toolbar by default in the editor. Distraction Free mode still hides it.

Issue 9: WordPress backs off, patches up, and counts the cost

WordPress 7.0.1 patches a registration spam hole and 31 other bugs. The Classic block stays after a reversed plan, and plugin sales data shows real strain.

WordPress 7.0.1 Is Out: 31 Bug Fixes, No Action Required

WordPress 7.0.1 fixes 31 bugs in the block editor, admin UI, and media handling. Sites with auto-updates enabled will update on their own.

WordPress's AI Plugin Now Encrypts Your Stored API Keys

WordPress's official AI plugin 1.1.0 encrypts stored API keys and adds inline writing suggestions in the block editor. Update if you use it.

WordPress Reverses Course: The Classic Block Isn't Going Away

WordPress reversed course, the Classic block stays in the inserter in version 7.1. No action needed, remove the workaround plugin if you installed it.

Issue 8: AI gets official access, a customs deadline, and Elementor's reset

The EU's customs exemption ended July 1, and shipments now get rejected for bad HS codes. Elementor just cut 30% of its staff to chase AI.

WordPress 7.1 Will Let You Style Blocks Differently on Mobile, No CSS Needed

WordPress 7.1 will let you style blocks differently per device, right in the editor, no custom CSS needed. Testers can try it now on WordPress Playground.

Gutenberg 23.5 Adds In-Editor Image Cropping and a Resizable Canvas

Gutenberg 23.5 lets you crop images directly in the Cover block, resize the editor to any width, and turn off real-time collaboration per post type.

WordPress 7.1 Will Let AI Agents Read Your Settings, Content, and Users

A new WordPress 7.1 proposal lets AI tools read site settings, posts, and user data through permission-checked APIs. Nothing is exposed without your existing access controls.

New Free Plugin Lets Claude or ChatGPT Run Your WordPress Site by Chat

SeedProd's free Vibe AI plugin lets Claude or ChatGPT edit posts and fix SEO on your WordPress site by chat. Destructive actions need your approval first.

EU Drops Its €150 Customs Exemption July 1: What UK Sellers Must Fix Now

The EU's low-value customs exemption ends July 1. UK WooCommerce sellers need clean HS codes, matching invoices, and an EORI number to avoid rejections.

WordPress's First AI Leaders Cohort Just Graduated

40 students earned a new AI literacy credential by building real WordPress projects. The program shows what skilled, AI-fluent contributors look like.

Om Malik, an Early WordPress Adopter Who Helped Build Automattic, Has Died

Om Malik, one of WordPress's first users and the person who connected Matt Mullenweg to Automattic's founding team, died Wednesday at 59.

Issue 7: Security patches, a classic exit, and a community loss

Update Ultimate Member now or attackers can reset admin passwords. Avada Builder also needs a patch. A 13-year backdoor hit 44 WordPress plugins.

WP Rocket 3.22 Adds a Built-In Free CDN for Your Most Important Pages

WP Rocket 3.22 adds a free built-in CDN covering up to three pages. Point it at high-traffic pages to serve them faster for visitors far from your server.

Update Ultimate Member Now: Attackers Can Hijack Admin Accounts

Ultimate Member 2.11.4 and earlier lets contributor-level attackers reset admin passwords. Update to version 2.12.0 now.

WooCommerce 10.9: Track Failed Order Emails and a Faster Checkout

WooCommerce 10.9 adds failed order email logs, reduces checkout database load, and cleans up the admin for store owners.

WordPress 7.1 Will Hide the Classic Block From the Inserter

From WordPress 7.1, the Classic block is hidden from the block inserter. Existing Classic blocks stay intact and fully editable. Adding new ones will require a developer filter.

WordPress 7.1 May Give Your Site a Built-In Content Standards Hub

A merge proposal would add a Knowledge post type and Guidelines feature to WordPress 7.1, giving site owners a built-in place to store editorial rules.

The Official WordPress Swag Store Has a New Look

Mercantile, the official WordPress swag store, has been rebuilt on blocks and WooCommerce running WordPress 7.0.

Avada Builder has a critical file deletion flaw

Avada Builder users should update now. A patched flaw can let attackers delete server files without logging in.

Issue 6: Bad week for trusted updates

Trusted plugin updates spread malware this week. OptinMonster, TrustPulse, and ShapedPlugin Pro were all compromised. Check your admin accounts now.

Update Gravity SMTP now, attackers are targeting unpatched sites

Attackers are hitting a Gravity SMTP flaw that can expose email service keys, secrets, and login tokens.

ShapedPlugin Pro updates carried a backdoor

Attackers slipped a backdoor into ShapedPlugin Pro plugin updates sent through the official licensed channel.

Check for rogue admins if you use OptinMonster, TrustPulse, or PushEngage

A supply chain attack tampered with scripts from three marketing plugins and created hidden WordPress admin accounts.

Issue 5: Security got stricter

WordPress added a 24-hour delay before plugin auto-updates. UpdraftPlus patched a site takeover bug. Update now if you ever connected it to UpdraftCentral.

UpdraftPlus fixed a critical site takeover bug

If you use UpdraftPlus and connected it to UpdraftCentral, update now to close a critical admin takeover risk.

Issue 04: Patch now, watch 7.1

Three plugins have critical flaws under active attack. Burst Statistics, Everest Forms Pro, and Kirki all need updating before anything else this week.

Update Everest Forms Pro now, attackers are exploiting a critical bug

Attackers are exploiting a critical Everest Forms Pro bug that can let them take over unpatched WordPress sites.

Update Burst Statistics now, attackers are already using a site takeover flaw

Burst Statistics users should update to 3.4.2 now. Attackers are already exploiting a critical flaw that can take over a site.

Update Kirki now to stop an account takeover flaw

A Kirki plugin flaw could let attackers take over WordPress accounts, including admins. Update the plugin now.

Update WP Maps Pro now, this bug can hand over your site

A WP Maps Pro flaw lets attackers create admin accounts. If you use the plugin, update to 6.1.1 now.

Issue 3: Update now, lock it down

WordPress 7.0 had a strong first week. Most sites can update with confidence. WP Maps Pro has a critical flaw that lets attackers create admin accounts.

Issue 2: Test 7.0, patch checkout now

WordPress 7.0 is out. A critical FunnelKit flaw is stealing payment data from checkout pages. Recurring malware usually means a server breach.

Malware that keeps coming back may be a server breach, not a WordPress bug

If redirect malware returns after cleanup, your server may be compromised outside WordPress.

WordPress 7.0 Adds AI Tools, a New Dashboard, and Better Editing Controls

WordPress 7.0 is a major release with AI tools, a refreshed dashboard, new blocks, and stronger design controls.

Critical FunnelKit flaw lets attackers steal WooCommerce payment data

Attackers actively exploit a FunnelKit flaw to inject payment skimmers into WooCommerce checkout pages.

Issue 1: 7.0 Gets Real

WordPress 7.0 is nearly out. Burst Statistics and Avada Builder both have critical flaws to patch now. The AI plugin for WordPress hits 1.0 this week.

Update Burst Statistics and Avada Builder Right Away

Burst Statistics has a critical admin bypass. Avada Builder can expose files and database data. Update both plugins now.