// #cms-security

2 articles

⚖️ Risk Mgmt

WordPress Plugin Security Is an Enterprise Problem That Keeps Getting Treated as a Web Developer Problem

Four CVSS 8.8 vulnerabilities in a 100,000-install WordPress plugin — discoverable by any registered member with a subscriber account — highlight the structural mismatch between how WordPress CMS security is governed in enterprise organisations and the actual risk it carries. Membership sites, intranet portals, and course platforms built on WordPress process regulated data and host privileged access, but rarely receive enterprise-grade security governance.

#wordpress
⚖️ Risk Mgmt

WordPress Redirect Plugin Carried Dormant Backdoor for Three Years Before Activation

Researchers have uncovered a dormant backdoor in a widely installed WordPress redirect management plugin that remained inactive for approximately three years before being activated by the attackers. The backdoor, present across an estimated 200,000+ active installations, highlights the long-game threat of supply chain compromise in the WordPress plugin ecosystem and the limits of periodic security scanning.

#wordpress

Commentary tagged #cms-security

Opinion

WordPress Plugin Vulnerabilities Keep Hitting Enterprise Sites That Don't Know They're Enterprise Sites

Four CVSS 8.8 flaws in a 100,000-install WordPress membership plugin. The subscriber-to-admin escalation is technically straightforward. The real problem is not the code — it is that these WordPress deployments exist outside the security governance perimeter of the organisations that run them.

CipherWatch Editorial

Security Intelligence Platform