WordPress 7.0 Release Candidate 5 available ahead of May 20 final release

WordPress 7.0 Release Candidate 5 is now available for download and testing ahead of the scheduled final release on May 20, 2026. Testers can access RC5 via the WordPress Beta Tester plugin, direct zip download, WP-CLI command, or WordPress Playground. The core team urges contributors to test on non-production environments and report any bugs to the support forums or WordPress Trac.

Drupal issues highly critical security patch urging immediate installation

Drupal has issued a highly critical security patch for its core CMS, urging administrators to apply it immediately. The organization is withholding vulnerability details but the fixes extend back to the unsupported 8.9 branch, signaling the severity of the issue. Drupal site owners should prioritize patching without delay.

PHP Foundation launches Ecosystem Security Team to triage AI-generated vulnerability spam

Livewire CVE-2025-54068 actively exploited within 60 hours with credential-harvesting shell

Twig 3.25.0 adds sandbox detection option and deterministic compiled output

Twig 3.25.0 introduces three notable changes: a new `needs_is_sandboxed` option for filters, functions, and tests that allows callables to detect and adapt behavior when running inside a sandbox; deterministic compiled output for templates using `{% embed %}`, enabling reproducible pre-compiled builds; and the ability to override `EscaperRuntime` via any runtime loader. Symfony 8.1's TwigBundle also benefits from the EscaperRuntime change, registering it as a service and adding a `twig.safe_class` resource tag.

PHP RFC proposes OPcache Static Cache with volatile and persistent shared-memory backends

FunnelKit Funnel Builder flaw actively exploited to skim credit cards on WooCommerce sites

A critical unauthenticated vulnerability in the FunnelKit Funnel Builder WordPress plugin (versions before 3.15.0.3) is being actively exploited to inject malicious JavaScript into WooCommerce checkout pages. Attackers exploit an unprotected checkout endpoint to modify the plugin's global settings and insert a payment card skimmer disguised as a Google Analytics script. The skimmer steals credit card numbers, CVVs, billing addresses, and other customer data via a WebSocket connection to an attacker-controlled server. The plugin is active on over 40,000 websites. FunnelKit released a patch in version 3.15.0.3 and recommends updating immediately and reviewing checkout external scripts for rogue injections.

Avada Builder 3.15.3 patches file read and SQL injection flaws on 1 million sites

Two security vulnerabilities have been discovered in the Avada Builder WordPress plugin, which has approximately one million active installations. CVE-2026-4782 is an arbitrary file read flaw exploitable by authenticated users with subscriber-level access, allowing them to read sensitive files like wp-config.php containing database credentials. CVE-2026-4798 is an unauthenticated time-based blind SQL injection affecting sites that previously used WooCommerce, enabling extraction of password hashes from the database. Both were reported via the Wordfence Bug Bounty Program. A full patch is available in version 3.15.3, released May 12, and site owners are urged to update immediately.

StellarWP dissolves and reorganizes plugins under Kadence, LearnDash, Give and Events Calendar

StellarWP, the WordPress plugin portfolio brand owned by Liquid Web, is being dissolved. Its products are being reorganized under four core offerings: Kadence, LearnDash, Give (formerly GiveWP), and The Events Calendar. Products like SolidWP, IconicWP, Restrict Content Pro, and MemberDash are being absorbed into Kadence or other flagship products. Existing licenses remain valid as long as subscriptions stay active, but lapsed subscriptions lose legacy pricing permanently. Security patches for absorbed products continue through April 2027. The post recommends alternatives for each affected category: Charitable for donations, MemberPress for LMS/memberships, OptinMonster for popups, Duplicator for backups, Sugar Calendar for events, and Merchant/Sydney/Botiga for WooCommerce and themes.

Burst Statistics WordPress plugin auth bypass CVE-2026-8181 actively exploited on 115,000 sites

A critical authentication bypass vulnerability (CVE-2026-8181) in the Burst Statistics WordPress plugin is being actively exploited. The flaw, introduced in version 3.4.0 on April 23, allows unauthenticated attackers to impersonate admin users during REST API requests by supplying any arbitrary password in a Basic Authentication header. The root cause is incorrect handling of the 'wp_authenticate_application_password()' function results. Wordfence has already blocked over 7,400 attacks in 24 hours, and an estimated 115,000 sites remain unpatched. Users should upgrade to version 3.4.2, released May 12, 2026, immediately.