WPDigest.io


Digest 111: New Plugin Threat Hits 20K+ Sites | Automattic Acquires Clay


From critical plugin vulnerabilities to major acquisitions and emerging tools, this biweekly roundup brings you the most important updates shaping the future of WordPress. Stay informed, secure, and ahead of the curve.



Kinsta – High-Performance Hosting for WordPress

Trusted by 120,000+ businesses, Kinsta delivers high-performance, secure hosting for WordPress sites of all sizes. Built on Google Cloud’s Premium Tier with the fastest C2 and C3D servers and 37+ global data centers, Kinsta ensures your site loads fast, anywhere in the world. Explore Kinsta Hosting.


SERP Forge – SEO That Gets You Found

Struggling to rank? SERP Forge helps WordPress brands skyrocket to the top with battle-tested SEO and content marketing strategies. More traffic, more conversions – without the guesswork. Know more.

Brought to you with support from these partners


💡 WordPress Spotlight

  • WordCamp Europe 2026: Call for Organizers is Open
    Want to shape the biggest WordPress event in Europe? WordCamp Europe 2026 is calling for organizers! If you’re passionate about community and logistics, now’s your chance to help build something amazing in the WordPress space. (Source)
  • WordPress & AI: A New Publishing Era Ahead?
    WordPress is exploring how AI can deeply enhance web publishing, from smarter workflows to AI-generated content blocks. A must-read for creators curious about the platform’s future direction. (Source)
  • Study: AI Assistants Often Cite Different Sources
    Ahrefs reveals that AI tools like ChatGPT, Gemini, and Claude rarely agree on which sources they cite most. If your content is missing from their radar, you might be missing out on visibility. (Source)
  • WordPress Has a New Events App
    Say hello to a smoother WordCamp experience! The new WC + WP Events app (iOS & Android) is here, helping attendees discover upcoming events, connect with others, and stay updated in real time. (Source)
  • WCEU 2025 Wrap-Up: Big Ideas, Bigger Community
    WordCamp Europe 2025 wrapped up in Torino, Switzerland, bringing thousands of WordPress contributors and enthusiasts together. The event focused on AI, accessibility, multilingual support, and the future of the open web, solidifying WordPress’s role in shaping tomorrow’s internet. (Source)
  • 17,000+ WordPress Sites Hacked & Used in Malware Attacks
    A major cybersecurity incident has compromised over 17,000 WordPress sites. Hackers are injecting malicious JavaScript into legitimate sites, redirecting visitors to fake browser update pages. If you’re a site owner, it’s crucial to scan your site and update plugins immediately. (Source)
  • WordPress Development Unpaused but Concerns Linger
    After a temporary pause, WordPress core development is officially back in motion. However, the break has sparked community discussions about speed, sustainability, and the challenges of modern web publishing. Is WordPress evolving fast enough to stay competitive? (Source)
  • WCEU 2025: Full Coverage by TechRadar
    From AI to the future of blocks, TechRadar’s live blog of WCEU 2025 captured every important session and keynote in real time. Great resource if you missed the event or want a quick summary of major announcements. (Source)
  • 42,000+ WordPress Sites at Risk Due to Critical Vulnerabilities
    Two new security disclosures have put a combined 42,000+ WordPress sites at high risk. (Source)
    • WP User Frontend Pro: Arbitrary file upload & deletion vulnerability affects ~9,000 sites.
    • RealHomes Theme: Privilege escalation flaw could impact 33,000+ sites.
    If you’re using either, update immediately and review security logs.
  • WordPress Sets New Rules for GitHub Repo Management
    The WordPress project has shared formal criteria for creating or migrating repositories under its GitHub organization. This move aims to improve structure, maintainability, and transparency across open-source contributions. (Source)
  • New Deputy Joins WordPress Training Team
    The Training Team has announced its second-ever Deputy Representative as part of its revamped leadership model. This role will help streamline educational content, contributor coordination, and onboarding efforts. A strong step for scaling the Learn.WordPress.org ecosystem. (Source)
  • From Figma to WordPress in Minutes?
    A bold claim, but Fueled’s latest blog shows how they’re experimenting with going from Figma design to a live WordPress site in just minutes. Powered by modern design systems, block themes, and automation tools, this might redefine how fast you can launch client sites. (Source)
  • WP Mayor x Coursera: Pro-Level WordPress Training Now Live
    Big news for career-focused WordPress users: WP Mayor has partnered with Coursera to launch expert-level training programs. These courses cover everything from mastering WordPress to integrating AI, and come with certificates to power up your resume. Ideal for freelancers, developers, and agencies looking to upskill. (Source)
  • SiteGround Customers Targeted in Phishing Scam
    SiteGround has issued a phishing alert after reports surfaced of fake emails asking users for payment under the guise of a renewal. The emails closely mimic official communication. If you’re a SiteGround customer, don’t click suspicious links and check directly through your dashboard. (Source)
  • WP Engine Celebrates 15 Years of WordPress Innovation
    From powering blogs to enterprise websites, WP Engine is marking its 15th anniversary as a major player in the WordPress hosting world. Their celebration reflects on community contributions, product evolution, and future plans, including AI and performance advancements. (Source)
  • Domain for Sale: Themexy.com
    Looking to launch a brand in the WordPress or theme space? Themexy.com, a short, brandable domain, is now up for grabs. It could be ideal for theme shops, agencies, or tools focused on design and customization. (Source)
  • Critical PayU Plugin Flaw Could Let Attackers Hijack WordPress Accounts
    A severe vulnerability in the WordPress PayU India plugin could allow attackers to take over user accounts, even admin ones, if left unpatched. The flaw impacts over 20,000 active installations. If you’re using this plugin, update immediately and review your site’s access logs. (Source)
  • Linux Foundation Unveils Decentralized Plugin Manager for WordPress
    The Linux Foundation has introduced a decentralized WordPress plugin manager, aiming to improve transparency, trust, and user control. This project builds on the FAIR Package Manager framework and could reshape how we install and manage plugins outside the .org repo. (Source)
  • Matt Mullenweg Responds to FAIR Project’s Ambitions
    WordPress co-founder Matt Mullenweg shared his thoughts on the FAIR Project and its implications for the WordPress ecosystem. While acknowledging the value of innovation, he highlighted the importance of open collaboration and maintaining ecosystem stability. (Source)
  • What is the FAIR Package Manager? Linux Foundation’s Big Bet
    Designed to work across platforms and reduce central dependency, the FAIR Package Manager allows decentralized distribution of plugins, themes, and software packages. WordPress users may soon see alternative plugin management workflows enabled by this tech. (Source)
  • Automattic Welcomes Clay – A New Chapter Begins
    Automattic has acquired Clay, a social relationship management tool. With this move, Automattic continues to expand beyond WordPress, adding features focused on contact management and digital presence. (Source)


🏷️ Exclusive Deals Digest

Unlock incredible lifetime deals on the best WordPress tools and services, saving you money while enhancing your website. Don’t miss out on exclusive offers that can transform your WordPress experience.

✨ Fresh Features Rollout

  • WooCommerce 9.9: Faster Than Ever with Smart New Features
    WooCommerce 9.9 is all about speed, delivering up to 95% faster load times in admin areas, even for stores with over a million orders. This release also brings a new Product Filters block, selective product exports, conditional checkout fields, and automatic database updates. It’s a major performance upgrade with plenty of practical enhancements. (Source)
  • Divi 5 Public Alpha 16: Packed with Power
    Divi 5 Alpha 16 is here, bringing 84+ fixes, performance boosts, and three new features: Extend Attributes, Attribute Management, and Settings Search & Filtering. Behind the scenes, seven teams are hard at work on major updates like Flexbox Layouts (90% done), Relative Colors, WooCommerce Modules, and the game-changing Loop Builder. (Source)
  • Schema Pro Adds 3 New Schema Types
    Schema Pro’s latest update introduces Vehicle Listing, Podcast, and Movie Carousel schema types, helping your content stand out in search results. Highlight car details, boost podcast visibility, or showcase movies in a rich carousel. No coding needed, just update Schema Pro and apply the new schema with a few clicks for better SEO and engagement. (Source)
  • SureForms 1.7.2: Smarter Tags, Better Controls, Stronger Security
    The latest SureForms update introduces a new {current_page_url} smart tag, giving you more dynamic form capabilities. You now have the option to disable input fields with default values for better control, plus improved compatibility with the Kadence theme. This version also patches a security issue (thanks to Dmitrii Ignatyev from CleanTalk), fixes an OttoKit settings save bug, and resolves UI overflow in conditional logic inputs. Update to SureForms 1.7.2 for smarter tagging, cleaner controls, and enhanced reliability. (Source)
  • Modern Cart 1.0.6: More Design Control and Better Compatibility
    Modern Cart 1.0.6 introduces new layout styles for cart slider items and color customization options for the header and quantity badge, making it easier to match your cart with your brand. It also includes a key fix for WooCommerce Product Bundles, ensuring product IDs are retrieved correctly. Update now to enjoy more flexibility in design and smoother compatibility with bundled products. (Source)
  • SureMail 1.7.0: Easier Setup and Improved Email Handling
    SureMail 1.7.0 introduces a new guided onboarding process to help users get up and running faster with a smoother setup experience. This update also improves reply-to handling in the Elastic Email connection, ensuring your emails land exactly where they should. Update now for a more intuitive and reliable email management experience. (Source)

🆕 Fresh Releases

  • Klasio: Beginner-Friendly LMS for Course Creators
    Klasio is an easy-to-use LMS for coaches and educators to create and sell online courses without technical skills. It features AI-powered course outlines, one-click templates, live class integration, and real-time student insights. Currently in free public beta with lifetime deals available. (Source)
  • ASD Passkey Login
    ASD Passkey replaces passwords with secure biometric and hardware key logins for WordPress. It offers easy integration, advanced encryption, and enhanced security without complex API setups, improving both safety and user experience. (Source)
  • Figmentor: Convert Figma Designs to Elementor
    Figmentor lets you instantly convert Figma designs into responsive Elementor templates with one-click import, real-time sync, and easy editing. Ideal for designers and developers working with Figma and WordPress. (Source)
  • Patchstack AI Code Review & Security Suite
    Patchstack’s new Security Suite includes AI-powered code reviews, team management, and a discussion board to speed up vulnerability fixes for WordPress plugins. It helps plugin developers stay secure and compliant with upcoming EU regulations. (Source)

🗓️ Mark Your Calendar 

That’s a wrap for this week’s WPDigest! Stay tuned for more exciting WordPress updates next week.

Want to feature your WordPress product, service, or update news? Submit it for free using our form and help spread the goodness of WordPress!

📩 Enjoyed this digest? Share it with your network!
