WordPress security
Core and plugin vulnerabilities, backdoors, and account-takeover flaws across WordPress, the web's most-deployed CMS, plus the patches that actually matter.
Gravity SMTP's 'medium' bug leaks live email API keys to anyone. Patching alone will not save you.
Gravity SMTP's CVE-2026-4020 hands live Amazon SES, Google, and OAuth keys to unauthenticated visitors on 100,000 WordPress sites. Patching alone will not undo

Police scrubbed SocGholish from 15,000 WordPress sites. The way in is still wide open.
Operation Endgame seized 106 SocGholish servers and cleaned 14,971 WordPress sites. The takedown hit an access broker, not the entry vector. Here is what to

Branda fixed this WordPress account takeover in January. It is back, and a public exploit is circulating.
CVE-2026-11551 is a CVSS 9.8 unauthenticated account takeover in the Branda WordPress plugin (versions up to 3.4.29). A public exploit is out. Update to 3.4.31

A WordPress form plugin lets a stranger delete your site, the moment an admin looks
CVE-2026-9843 lets an unauthenticated visitor plant a form entry that deletes WordPress files when an admin opens it. Update the CRM Perks entries plugin to

Awesome Motive's WordPress CDN backdoor only fired for logged-in admins. Your scanner missed it.
OptinMonster, TrustPulse and PushEngage served a backdoor that ran only for logged-in WordPress admins, evading visitor scanners. How to scope and hunt it.