WPDigest.io

Digest 135: 150,000+ WordPress Sites at Risk? Plus WordPress 7.0 & AI Breakthroughs


WordCamp Europe closed in Kraków with 2,458 attendees, a live CERN keynote, and WordPress 7.0 as the throughline. Two actively exploited plugin flaws (Kirki page builder and Burst Statistics) need immediate patching; Patchstack’s 2026 report adds urgency with 11,334 new vulnerabilities in 2025 and a five-hour median exploit window. WooCommerce 10.8 ships review request emails, coupon auto-generation, and a built-in GraphQL API. Gutenberg 23.3 debuted an experimental drag-and-drop dashboard but quickly reverted a React 19 upgrade. WPForms v1.10.1 adds AI-powered Smart Edit and an Entry Importer; Fluent Forms 6.2.3 brings tabbed steps, a Ranking field, and PayPal Checkout v2.



Peak Performance WordPress Hosting, No Compromises

Leave single-server hosting in 2015. Choose autoscaling Managed WordPress Hosting built for traffic surges, complex sites & demanding PHP workloads, all without missing a beat.

20i Managed WordPress Hosting


Brought to you with support from these partners

🏷️ SureContact Early Bird Deal Closing Soon

Still paying monthly for your marketing CRM? Lock this in for life instead. SureContact is offering a rare Early Bird Lifetime Deal for businesses that want a powerful CRM built for serious marketing, automation, and conversions, without recurring fees.

This is a premium, performance-focused platform, and the window is closing fast. Only 144 of the 500 exclusive lifetime spots remain. When they’re gone, this offer is gone for good. If you’ve been waiting for the right moment to upgrade your marketing stack, this is it.

What You Get with SureContact Lifetime

• Manage up to 100,000 contacts
• Send unlimited emails
• Use your own sending infrastructure like Amazon SES to keep ongoing costs near zero

💡 WordPress Spotlight

Critical Kirki Flaw Exploited to Hijack WordPress Admin Accounts: Attackers are actively exploiting CVE-2026-8206, a critical (CVSS 9.8) privilege escalation flaw in the Kirki Freeform Page Builder plugin (500,000+ installs). The vulnerability lets unauthenticated attackers hijack any account, including admins, via a password reset redirect. Wordfence blocked 222+ attempts in 24 hours, with ~150,000 sites still unpatched. Update to version 6.0.7 immediately or disable the plugin. (Source)

WooCommerce in 2026: 37% Market Share, MCP Live, but SaaS Rivals Are Closing In: WooCommerce holds ~37% of the global eCommerce market with 6.5M+ active stores, but growth is plateauing as Shopify and Wix expand. Recent releases (10.3–10.8) brought MCP beta support, HPOS caching improvements, email template sync, and N+1 query reductions. Meanwhile, Shopify’s new Agentic Plan lets non-Shopify merchants surface products in ChatGPT and Gemini, positioning itself as the AI commerce middleware layer. (Source)

Patchstack’s State of WordPress Security in 2026: Patchstack recorded 11,334 new WordPress ecosystem vulnerabilities in 2025, a 42% YoY increase, with highly exploitable flaws up 113%. Plugins accounted for 91% of findings, and the median time from disclosure to first exploit attempt is just five hours. Premium components carried 3x more Known Exploited Vulnerabilities than free ones. Key 2026 risks include vibe-coded plugins, AI attack surfaces, and new EU Cyber Resilience Act requirements. (Source)

WooCommerce 10.8 Ships Review Requests, GraphQL, and Storefront Performance Gains: WooCommerce 10.8 (released May 26) raises the minimum WordPress requirement to 6.9 and adds an optional post-purchase review request email, coupon auto-generation per recipient, and a one-click email template reset. Under the hood, it introduces a built-in GraphQL API, new database indexes, and N+1 query reductions across cart, REST API, and HPOS order paths. (Source)

Jetpack Releases Latest Version with AI and MCP Improvements: The latest Jetpack release streamlines the MCP “Upgrade plan” flow for non-WordPress.com hosts and removes WordPress.com-specific upsell copy. It also retires the old newsletter UI in favor of the updated Jetpack → Newsletter screen and improves REST API performance via deferred loading in the Top Posts, Podcast Player, and Instagram Gallery endpoints. (Source)

WP Simple Pay 4.17.2 Ships Conditional Logic for Payment Forms: WP Simple Pay now supports conditional logic that shows or hides fields based on prior inputs, and hidden required fields won’t block checkout. Two new smart tags ({billing-country} and {billing-zip}) enable region-specific personalisation in confirmation pages and emails. The update also fixes overlay forms using Klarna, Afterpay/Clearpay, or Stripe automatic tax. (Source)

WordPress.com Details Its Response to the Essential Plugin Supply Chain Attack: In early April 2026, a backdoor hidden in 30+ acquired Essential Plugins activated and began delivering payloads to affected sites. WordPress.org patched and closed all 31 plugins on April 7; WordPress.com went further by deploying a DNS-level block, surgically removing malicious code across 2,200+ hosted sites, and coordinating with WPScan on vulnerability records. (Source)

🏷️ Exclusive LIFETIME Deals Digest

Stop paying monthly for your favorite tools. We’ve curated an elite collection of Lifetime Deals that allow you to invest once and profit forever. Grab these high-end, premium WordPress solutions at a massive discount today and enjoy professional-grade performance without the recurring fees.

✨ Fresh Features Rollout

WordPress Playground Gains Official MCP Support for AI Coding Agents: WordPress Playground now supports MCP server integration, letting AI agents (Claude Desktop, Cursor, etc.) create and manage local WordPress environments in the browser. Agents can install plugins, run WP-CLI commands, and iterate on code without touching production, providing a safe, disposable sandbox for development. (Source)

SureForms 2.10 Adds Global Style Presets and an HTML Form Importer: SureForms 2.10 introduces Global Style Presets for consistent branding across multiple forms in one click, plus a one-click HTML form importer that auto-converts raw HTML forms into native block-based SureForms. Live character counters with min/max enforcement on Textarea fields are also included. (Source)

WordPress 7.0 Upgrade Guide: PHP-Only Blocks, New Admin, and the Collaboration Delay: WordPress 7.0 brings an expanded Site Editor, refreshed admin UI, and PHP-only block registration without a JS build pipeline. Real-time collaborative editing was pulled from the release due to bugs and pushed to 7.1 (planned August). Complex sites should test on staging first, and watch for the iFramed Post Editor as a potential breaking change. (Source)

AI Engine Crosses 100,000 Active Installs with MCP, Chatbots, and 7.0 Support: AI Engine now connects 100,000+ WordPress sites to OpenAI, Anthropic, Google, and more via a single interface covering chatbots, content generation, AI Forms, and a full MCP server for managing posts, WooCommerce, and SQL queries. Version 3.4.6 adds print-to-PDF for conversations and updated context window support for Opus 4.6 and Sonnet 4.6. (Source)

POSIMYTH Launches SproutOS: A Full-Access MCP Server Built on the WordPress Abilities API: SproutOS turns a WordPress site into an MCP server, giving AI agents granular access to pages, themes, files, PHP execution, and the database. Built on the WordPress Abilities API (introduced in 7.0), it includes a sandboxed directory for AI-generated PHP with crash recovery and a Safe Mode. The plugin is open-source on GitHub. (Source)

WordPress.org Calls for Testers on New Career Functionality: WordPress.org is testing a redesigned jobs.wordpress.net and updated contributor profiles that now support job history, accomplishments, and a “looking for jobs” toggle. Enabling the toggle makes profiles discoverable from the jobs board and optionally adds an “Open to work” Gravatar frame. Testing is open until June 25, 2026. (Source)

🆕 Fresh Releases

WPForms v1.10.1 Introduces Smart Edit with AI and Entry Importer: Smart Edit (free for all users) lets anyone modify forms using plain conversational language (adding fields, writing conditional logic, configuring notifications, and more) with one-click undo. Entry Importer (paid) enables migrations from CSV, Gravity Forms, Ninja Forms, and Contact Form 7 with smart field mapping and a failed entries report. (Source)

Fluent Forms 6.2.3 Ships Tabbed Steps, Ranking Field, and PayPal Checkout v2: Fluent Forms 6.2.3 adds a tabbed step indicator for multi-step forms, a drag-to-rank preference field with scoring, and full PayPal migration to Orders API v2 with cryptographic webhook verification. Additional updates include image cropping on uploads, pretty slug URLs for shared links, and native HTML <optgroup> support. (Source)

AI Agent Hub: MCP Server and 80+ AI Abilities for WordPress: AI Agent Hub is a free plugin offering a built-in MCP server, 80+ abilities across 10 modules (including 24 WooCommerce tools), role-based access control, JWT auth, and a Gutenberg AI experiments block. It exposes tools as JSON-RPC 2.0 and includes an Error Debugger that auto-generates fix commands for PHP errors. Tested through WordPress 7.0. (Source)


Official WordPress Browser Extension in Development to Move the Admin Bar Out of the Front-End Viewport: A browser extension in active development (led by 10up’s Jake Goldman and Fabian Kägy) moves WordPress admin bar actions, like Edit Page and admin jumps, into the browser toolbar. This keeps the front-end viewport clean during design and testing without losing quick-access shortcuts. The icon auto-detects WordPress and turns blue when logged in. (Source)


🗓️ Mark Your Calendar 

If you’re looking for opportunities to network and learn, check out these upcoming WordPress events and meetups:

Flagship WordCamps

August 16 – 19, 2026: WordCamp US 2026, Phoenix, Arizona.

April 09 – 11, 2027: WordCamp Asia 2027, Penang, Malaysia.

Offline Events for WordPress

September 23, 2026: LoopConf 2026, event for WP developers & engineers.

October 16, 2026: WP Suomi 2026, for Nordic WP enthusiasts, Oulu, Finland.

Upcoming WordCamps

July 03, 2026: WordCamp Mannheim 2026, Mannheim, Germany.

July 04, 2026: WordCamp Masaka 2026, Masaka, Uganda.

September 11, 2026: WordCamp Switzerland 2026, Fribourg, Switzerland.

September 18, 2026: WordCamp Bretagne 2026, Rennes, Brittany, France.

October 03, 2026: WordCamp Rajasthan 2026, Jaipur, Rajasthan, India.

November 05, 2026: WordCamp Canada 2026, Vancouver, Canada.

November 12, 2026: WordCamp Netherlands 2026, Netherlands.

November 13, 2026: WordCamp Pisa 2026, Pisa, Italy. 

Wrap-Up

That’s a wrap for this week’s WPDigest! Stay tuned for more exciting WordPress updates next week.

Want to feature your WordPress product, service, or update news? Submit it for free using our form, helping spread the goodness of WordPress!

📩 Enjoyed this digest? Share it with your network!

Have a WordPress product that we haven’t listed yet?

Submit your Black Friday offer and deal now and reach thousands of potential users.