WordPress sites have a critical flaw exploited by hackers – skipping patches
Unpatched WordPress installations are under active exploitation, with Cybernews reporting a critical flaw being leveraged against sites that skip core, plugin, and theme updates. The operational failure is not exotic — it is deferred maintenance.

The patching gap
According to Cybernews (02 July 2026), attackers are chaining the absence of patches with known exploit paths to compromise WordPress sites. The reported vector is not a zero-day novelty; it is the predictable exploitation of disclosed vulnerabilities on deployments where administrators have not run updates. In operational terms, this means CVE-level risk is correlated directly with the time delta between patch release and wp-core, plugin, and theme version drift. We treat this delta as the primary metric.
Diagnostic step for any operator:
1. Run wp core version and compare against the current stable release.
2. Run wp plugin list --update=available to enumerate plugins with pending updates.
3. Run wp theme list --update=available for theme drift.
4. Cross-reference every outdated component against the WPScan vulnerability database.
Any component older than its latest stable release is a candidate entry point. If it has a published CVE and an exploit PoC, it is a confirmed exposure surface.
Botnet enrollment of WordPress endpoints
CCB Belgium's 30 June 2026 warning states that WordPress sites are being targeted by a botnet to distribute malware. The implication for operators is straightforward: a compromised WordPress instance becomes a distribution node rather than just a defacement target. Payload delivery, phishing landing pages, and drive-by malware hosting are the reported outcomes. This shifts the threat model — a single unpatched site on shared infrastructure can affect neighboring tenants, IP reputation, and upstream blacklist propagation.
Mitigation baseline we apply:
- Enforce auto-updates for wp-core minor releases.
- Maintain an allowlist of plugins; remove anything outside it.
- Disable file editing via wp-config.php (define('DISALLOW_FILE_EDIT', true);).
- Restrict wp-admin by IP where architecture permits.
- Rotate all administrator, database, and SFTP/SSH credentials on any site that has run outdated software for more than 30 days.
Expected baseline metrics after remediation
A clean post-patch state should report:
- wp core version equal to the current stable release.
- Zero entries in wp plugin list --update=available.
- Zero entries in wp theme list --update=available.
- No PHP process anomalies in access logs (no eval, base64_decode, or system chains in wp-includes traffic).
- Clean status against Sucuri or Wordfence malware scans.
If any metric deviates, the site is not remediated — it is only superficially patched. Roll forward until all four match.
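The diagnostic steps above and the post-patch baseline can be scripted together. The following is an added example, not code from the article: it drives wp-cli (assumed installed and on PATH) to collect the installed core version and the plugins/themes with pending updates, scans an access log for the flagged tokens in wp-includes requests, and reports the four locally checkable metrics as OK/FAIL. The stable core version is passed in by the operator, the WPScan cross-reference and the Sucuri/Wordfence scan stay manual, and the JSON field names `name`, `version` and `update_version` are assumed to match `wp plugin list --format=json` output.

```python
# Post-patch baseline check via wp-cli. Added example; assumes `wp` is on PATH.
import json
import re
import subprocess
import sys
from typing import Dict, List

# Tokens the article flags as anomalous when they appear in wp-includes traffic.
SUSPECT_RE = re.compile(r"wp-includes.*\b(eval|base64_decode|system)\b", re.I)


def wp_json(args: List[str], path: str) -> list:
    """Run `wp <args> --format=json` against the install at `path`."""
    proc = subprocess.run(["wp", *args, "--format=json", f"--path={path}"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout or "[]")


def drift(items: list) -> List[str]:
    """Describe each component with a pending update as 'name installed -> available'."""
    return [f"{i['name']} {i['version']} -> {i.get('update_version', '?')}" for i in items]


def suspect_log_lines(lines: List[str]) -> List[str]:
    """Access-log lines carrying eval/base64_decode/system in wp-includes requests."""
    return [ln for ln in lines if SUSPECT_RE.search(ln)]


def assess(core: str, stable: str, plugins: list, themes: list, log: List[str]) -> Dict[str, bool]:
    """The four scriptable metrics; every value must be True before the site counts as remediated."""
    return {
        "core_current": core.strip() == stable.strip(),
        "plugins_current": not plugins,
        "themes_current": not themes,
        "logs_clean": not suspect_log_lines(log),
    }


def main() -> int:
    if len(sys.argv) != 4:
        print("usage: wp_baseline.py <wp-path> <stable-core-version> <access.log>")
        return 2
    path, stable, logfile = sys.argv[1:]
    core = subprocess.run(["wp", "core", "version", f"--path={path}"],
                          check=True, capture_output=True, text=True).stdout
    plugins = wp_json(["plugin", "list", "--update=available"], path)
    themes = wp_json(["theme", "list", "--update=available"], path)
    with open(logfile, encoding="utf-8", errors="replace") as fh:
        result = assess(core, stable, plugins, themes, fh.readlines())
    for metric, ok in result.items():
        print(f"{metric}: {'OK' if ok else 'FAIL'}")
    for line in drift(plugins) + drift(themes):
        print("  outdated:", line)
    return 0 if all(result.values()) else 1


if __name__ == "__main__":
    sys.exit(main())
```

A non-zero exit code means at least one metric deviates, which matches the article's rule that the site is then only superficially patched.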