WordPress Authentication Bypasses, a Linux Root Exploit, and a Nation-State Group Still Using Five-Year-Old Patches: Your Threat Brief for 6 May 2026

Cyber Security News

Three stories this week. Each one is actionable. Each one has a victim worth defending.

No padding. No vendor announcements dressed up as intelligence. Just the data, and what it means for a business running on a 20-person budget with a part-time IT arrangement.

Story One: WordPress Authentication Bypass and Privilege Escalation (CVE-2026-5722 and CVE-2025-13618)

Critical vulnerabilities in two separate WordPress plugins were published yesterday, both scored CVSS 9.8 out of a possible 10.0. That is the score typically given to a flaw that is reachable over the network, needs no authentication and no user interaction, and hands over full control of the affected system.

The first, CVE-2026-5722, affects the MoreConvert Pro plugin in all versions up to and including 1.9.14. The flaw sits in the guest waitlist verification flow. An attacker does not need the target's password: they request a verification token for their own email address, swap in the target's email when presenting that token, and are logged in as the target, administrator accounts included. The token is never invalidated when the email changes, so it is accepted for an account it was never issued to. This is a logic error in how the token is bound to an identity, not a cryptographic break.

The second, CVE-2025-13618, affects the Mentoring plugin in all versions up to and including 1.2.8. Its registration function does not restrict which user role a new account may be given at sign-up, so the role effectively comes from the request itself. An unauthenticated attacker can therefore register an account that is an administrator from the start. There is no barrier: the function is publicly accessible.
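As an added illustration (not code from either plugin, whose internals are not shown on this page), here are the two bug classes side by side with their fixes in Python: a waitlist verifier that accepts any valid token regardless of which email it was issued to, and a registration routine that stores whatever role the client asks for. The `Site` class, the `bind_to_email` and `restrict_roles` switches, the role allowlist and the example addresses are all assumptions made for the demonstration; the only thing taken from the advisories is the shape of the two flaws.

```python
"""Two WordPress-style authentication logic flaws beside their fixes.

Added example; not code from the MoreConvert Pro or Mentoring plugins.
Everything below (Site, the switches, the allowlist, the addresses) is a
hypothetical reconstruction of the bug classes the advisories describe.
"""
import secrets


class Site:
    """Constructed stand-in for a WordPress user table: email -> role."""

    ALLOWED_SIGNUP_ROLES = {"subscriber"}  # hypothetical allowlist for the fix

    def __init__(self):
        self.users = {"owner@example.com": "administrator"}  # constructed data
        self.tokens = {}  # verification token -> email it was issued for

    # Flaw 1: guest waitlist verification (the CVE-2026-5722 pattern)
    def request_waitlist_token(self, email: str) -> str:
        """Issue a single-use verification token for the given email."""
        token = secrets.token_urlsafe(16)
        self.tokens[token] = email
        return token

    def verify_waitlist(self, token: str, email: str, bind_to_email: bool):
        """Log in via a waitlist token. Returns (email, role) or None.

        bind_to_email=False reproduces the flaw: the token is only checked
        for existence, so a token issued to attacker@ logs in whichever
        email the request carries. bind_to_email=True is the fix: the token
        is valid solely for the email it was issued to.
        """
        issued_for = self.tokens.get(token)
        if issued_for is None:
            return None
        if bind_to_email and issued_for != email:
            return None
        if email not in self.users:
            return None
        del self.tokens[token]  # single use in both variants
        return email, self.users[email]

    # Flaw 2: self-registration role selection (the CVE-2025-13618 pattern)
    def register(self, email: str, requested_role: str, restrict_roles: bool) -> str:
        """Create an account and return the role it was stored with.

        restrict_roles=False reproduces the flaw: the client-chosen role is
        stored as-is, so an unauthenticated request can ask for
        'administrator'. restrict_roles=True is the fix: anything outside
        the allowlist collapses to the default role.
        """
        if email in self.users:
            raise ValueError(f"{email} is already registered")
        if restrict_roles and requested_role not in self.ALLOWED_SIGNUP_ROLES:
            role = "subscriber"
        else:
            role = requested_role
        self.users[email] = role
        return role


def demo() -> dict:
    """Run both attacks against the vulnerable and the fixed variants."""
    results = {}

    # Flaw 1: token requested for the attacker's own address, presented
    # with the administrator's address instead.
    site = Site()
    token = site.request_waitlist_token("attacker@example.com")
    results["waitlist_vulnerable"] = site.verify_waitlist(
        token, "owner@example.com", bind_to_email=False)

    site = Site()
    token = site.request_waitlist_token("attacker@example.com")
    results["waitlist_fixed"] = site.verify_waitlist(
        token, "owner@example.com", bind_to_email=True)

    # Flaw 2: unauthenticated sign-up asking for the administrator role.
    results["register_vulnerable"] = Site().register(
        "new@example.com", "administrator", restrict_roles=False)
    results["register_fixed"] = Site().register(
        "new@example.com", "administrator", restrict_roles=True)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The fix for the first flaw is the line comparing `issued_for` with the email presented; everything else in the verifier is the same in both variants. That is the point of calling it a logic error: there is no weak token, only a token that was never tied to the account it unlocks.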

What this means in plain terms: if your website runs either of these plugins and you have not patched, someone on the internet can, right now, create an administrator account on your WordPress site or take over an existing one. From there they can install malicious plugins, redirect visitors to phishing pages, exfiltrate customer data, or encrypt your site's content and hold it to ransom.

WordPress powers a significant proportion of UK small business websites. Many are maintained by web designers who set them up years ago and no longer monitor plugin security. This is the gap attackers target.

Check your plugin list today. Log into your WordPress admin panel, go to Plugins, and look for MoreConvert Pro and Mentoring. If either is present at a vulnerable version, update it to the fixed release immediately; if no fixed release is available, deactivate and delete it. Then open Users and look for administrator accounts you do not recognise: both flaws let an attacker create or take over an administrator account, and patching does not remove one that already exists. If your site is managed by an agency or IT provider, forward them this article with a read receipt.
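For anyone looking after several sites with WP-CLI rather than clicking through each admin panel, an added example that flags installed versions inside the two advisories' ranges. It is not from the source article. `wp plugin list --format=json` is a real WP-CLI command, but the JSON below is constructed to resemble its output, and the plugin slugs `moreconvert-pro` and `mentoring` are assumptions; confirm the real slug on the Plugins page before relying on them. The point it makes beyond the text: "up to and including 1.9.14" has to be compared numerically, because a string comparison ranks 1.9.9 above 1.9.14 (missing a vulnerable site) and 1.2.10 below 1.2.8 (flagging a patched one).

```python
"""Flag WordPress plugins whose installed version falls inside an advisory's
"up to and including" range.

Added example, not from the source article. The input is shaped like
`wp plugin list --format=json` (a real WP-CLI command), but the sample is
constructed and the plugin slugs are assumptions.
"""
import json
import re

# Hypothetical slugs -> last vulnerable version, per the two advisories.
VULNERABLE_THROUGH = {
    "moreconvert-pro": "1.9.14",  # CVE-2026-5722
    "mentoring": "1.2.8",         # CVE-2025-13618
}

# Constructed sample of `wp plugin list --format=json` output.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "moreconvert-pro", "status": "active", "update": "available", "version": "1.9.9"},
    {"name": "mentoring", "status": "inactive", "update": "none", "version": "1.2.10"},
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
])


def version_key(version: str) -> tuple:
    """Turn '1.9.14' into (1, 9, 14) so comparison is numeric, not lexical.

    Only the leading digits of each dotted component count, so a suffix such
    as '1.2.8-beta' does not break parsing, and trailing zeros are dropped
    so that '1.9' and '1.9.0' compare equal.
    """
    parts = []
    for component in version.split("."):
        match = re.match(r"\d+", component)
        parts.append(int(match.group()) if match else 0)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_vulnerable(installed: str, last_vulnerable: str) -> bool:
    """True when installed <= last_vulnerable, i.e. 'up to and including'."""
    return version_key(installed) <= version_key(last_vulnerable)


def flag_vulnerable_plugins(wp_plugin_list_json: str) -> list:
    """Return the entries of a `wp plugin list` JSON dump that need action."""
    findings = []
    for plugin in json.loads(wp_plugin_list_json):
        ceiling = VULNERABLE_THROUGH.get(plugin["name"])
        if ceiling is None or not is_vulnerable(plugin["version"], ceiling):
            continue
        findings.append({
            "name": plugin["name"],
            "installed": plugin["version"],
            "vulnerable_through": ceiling,
            # An inactive plugin's code is not loaded by WordPress, but it is
            # one click from active; report it rather than silently skip it.
            "status": plugin["status"],
            "update_available": plugin.get("update") == "available",
        })
    return findings


if __name__ == "__main__":
    for finding in flag_vulnerable_plugins(SAMPLE_WP_PLUGIN_LIST):
        print(finding)
```

On a real host you would feed the function the output of `wp plugin list --format=json --path=/var/www/site` for each site, and treat any finding with `update_available` false as a plugin to remove rather than wait on.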

Story Two: ‘CopyFail’ Linux Kernel Flaw Under Active Exploitation (CVE-2026-31431)

CISA confirmed on 5 May 2026 that CVE-2026-31431, nicknamed ‘CopyFail’, is being actively exploited in the wild. The vulnerability sits in the Linux kernel. A working root-level exploit was published by researchers, and according to The Register, it did not sit idle for long.

Root-level access means complete control of the system. Not limited access. Not read-only. Full control, including the ability to create hidden accounts, exfiltrate data silently, install ransomware, or pivot to other systems on the same network.

Linux is not just for large enterprises. It runs a substantial proportion of UK web hosting infrastructure, including shared hosting platforms used by small businesses. It runs network-attached storage devices. It runs the servers behind many SaaS tools. And it runs the infrastructure of MSPs serving small business clients.

The question to ask your IT provider or MSP this week: have you applied the kernel patch for CVE-2026-31431 across all managed Linux systems? Get that answer in writing. If they cannot tell you, that is itself important information about the quality of their patch management process.

If you manage your own Linux servers, check your distribution's security advisory for CVE-2026-31431 and apply the kernel update it names. On Debian or Ubuntu this is normally apt update && apt upgrade followed by a reboot. On RHEL and its derivatives it is dnf update kernel (yum on older releases) followed by a reboot. After the reboot, confirm that the running kernel version matches the newly installed package: a kernel package that is installed but not yet booted leaves the vulnerable kernel running.

Patching the kernel requires a reboot before the fix takes effect. Schedule it. Do not defer it indefinitely because reboots are inconvenient. Live-patching services such as Canonical Livepatch or Red Hat kpatch can apply some kernel fixes without a reboot, but do not assume this one is covered unless your vendor says so.

Story Three: SHADOW-EARTH-053 Is Still Walking Through Unpatched Exchange Servers

This one requires a different kind of response. Not urgency. Clarity.

A China-aligned threat group tracked as SHADOW-EARTH-053 has been actively exploiting Microsoft Exchange Server vulnerabilities to conduct cyberespionage. The CVEs being exploited include CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, the ProxyLogon chain. Those were disclosed and patched in March 2021. That was five years ago.

These are not zero-day attacks. These are not sophisticated novel techniques. These are known vulnerabilities with patches that have been available for five years, being successfully used against organisations that have not applied them.

The targeting reported focuses on government and defence-linked organisations. That does not mean small businesses are irrelevant to this threat. Supply chain access matters. A small business that holds contracts with a government body, a defence supplier, or a critical infrastructure organisation is a pathway. Attackers who cannot get in through the front door look for the supplier with the unpatched server.

The direct question: if your organisation runs Microsoft Exchange Server on-premises, when was it last patched? Not “recently”. Not “our IT team handles it”. The specific date of the most recent cumulative update. If you do not know, that is the problem.

Microsoft has released multiple cumulative updates for Exchange Server since 2021. Applying the 2021 ProxyLogon patches was the minimum. You need to be current, not merely patched against a five-year-old vulnerability.

If you are running Exchange Server on-premises and do not have dedicated IT resource to maintain it, the honest conversation is whether the risk of running it outweighs the cost of migrating to Microsoft 365. That is not a vendor recommendation. It is a risk calculation. An unpatched on-premises Exchange server is an active liability.

Why This Gives You an Edge

Most small businesses are passive about threat intelligence. They wait for their MSP to tell them about problems, or they read about a breach after the fact and wonder whether they were affected.

The businesses that act on intelligence before an incident have a measurable advantage in three areas: lower incident rates, faster recovery when incidents do occur, and stronger positioning in supplier due diligence.

If your competitors are running unpatched WordPress plugins and you are not, you are not just less likely to be breached. You are a more credible supplier to any client that asks about your security posture. The bar in UK SMB security is low enough that clearing it consistently is a genuine differentiator.

Making the Business Case

If you need to justify patching time and budget to a director or business owner, here are three arguments that land:

The liability argument. Under UK GDPR (Article 32, security of processing), failure to implement appropriate technical measures to protect personal data is a compliance failure. An unpatched plugin on a customer-facing WordPress site storing any personal data is a measurable exposure. The ICO has issued fines for exactly this category of failure.

The supply chain argument. Your clients’ procurement teams are increasingly asking about security posture. An incident caused by an unpatched vulnerability you knew about is harder to explain than one caused by a genuine zero-day. The documentation trail matters.

The cost argument. The cost of patching is measured in hours. The cost of a WordPress site compromise, an Exchange breach, or a ransomware incident affecting a Linux server is measured in days of downtime, customer notification obligations, legal costs, and reputational damage. The ratio is not close.

What to Do Before Friday

  1. Check your WordPress plugins. Log in to every WordPress site your business operates. Search for MoreConvert Pro (update or remove if present, versions up to 1.9.14 are vulnerable) and the Mentoring plugin (update or remove if present, versions up to 1.2.8 are vulnerable). While you are there, check when your other plugins were last updated. Anything with an update available should be applied.

  2. Ask your MSP or hosting provider about CVE-2026-31431. Send the question by email so there is a record. Ask specifically: have all managed Linux systems been patched for the CopyFail kernel vulnerability? If they cannot answer within 24 hours, escalate.

  3. Audit your Exchange Server patching status. If you run Exchange on-premises, find out the version and cumulative update level. Compare it against Microsoft’s published current update for your version. If there is a gap, raise it as a priority item.

  4. Review your patch management SLA with your IT provider. Critical patches should have a defined response time. If your current arrangement does not specify this, it needs to. NCSC's Cyber Essentials scheme requires patches for critical and high-severity vulnerabilities to be applied within 14 days of release. For vulnerabilities that are already being exploited, that window is shorter in practice.

  5. Log what you checked and when. If you face a compliance question or a supplier due diligence request, being able to demonstrate that you reviewed and responded to a specific threat on a specific date is evidence of appropriate security governance. A simple spreadsheet is sufficient.

Sources

  • NIST NVD: CVE-2026-5722, MoreConvert Pro WordPress Plugin Authentication Bypass
  • NIST NVD: CVE-2025-13618, Mentoring WordPress Plugin Privilege Escalation
  • The Register: Attackers are cashing in on fresh ‘CopyFail’ Linux flaw
  • Cyber Security News: China-Aligned SHADOW-EARTH-053 Exploits Exchange Servers to Deploy ShadowPad Malware
  • NCSC: Vulnerability management guidance
  • Microsoft: CVE-2021-26855, Microsoft Exchange Server Remote Code Execution Vulnerability
  • CISA: Known Exploited Vulnerabilities Catalog

Filed under

  • smb-security
  • uk-business
  • ransomware-groups
  • nation-state-attacks
  • supply-chain-risk
  • vendor-risk
  • incident-response