WordPress Takeovers, Windows Blind Spots, and the Patch You Skipped Two Years Ago: Your Weekly Threat Brief

Podcast


Two WordPress plugins scored 9.8 out of 10 on the severity scale this week. Both allow an unauthenticated attacker to take over an admin account. Separately, a Windows credential leak was published with no CVE number, no patch, and no fix date.

This is the week’s signal. Everything else is noise.

The WordPress Admin Takeover Problem (CVE-2026-8206 and CVE-2026-5076)

Let us be precise about what these vulnerabilities actually do, because the mechanics matter.

CVE-2026-8206 affects the Kirki page builder plugin for WordPress, versions 6.0.0 through 6.0.6. The flaw is in the password reset flow. When someone requests a password reset using a username rather than an email address, the plugin accepts an arbitrary email address from the attacker. The reset link goes to the attacker’s inbox. The attacker clicks it. They now control the account. No prior access required.

Kirki is a popular customisation and page builder plugin. If your website developer used it, and many do, you need to check your version today.

CVE-2026-5076 affects ARMember Premium, a WordPress membership and access control plugin, in all versions up to and including 7.3.1. This one is slightly more technical but equally serious. When a password reset is requested, the plugin stores a plaintext copy of the reset key in the WordPress database, in a field called arm_reset_password_key. WordPress core stores a hashed version. The plugin stores the actual key.

That plaintext key can be used with the plugin’s own reset function to set a new password for any account, including administrator accounts. Combined with a SQL injection vulnerability, this becomes a full site takeover chain.
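As an added illustration of the two reset-flow mistakes described above (this is not Kirki's, ARMember's or WordPress core's code), here is a minimal Python model of a password reset: one routine that makes both mistakes beside a hardened one. The in-memory user store, the outbox standing in for the mailer and the SHA-256 hashing of the stored key are my assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed in-memory stand-in for the WordPress user store (not plugin code).
@dataclass
class User:
    login: str
    email: str
    password: str = ""
    reset_key_hash: Optional[str] = None   # hardened path stores only a hash here

USERS = {"admin": User("admin", "owner@example.com")}
OUTBOX = []  # (recipient, key) pairs that the "mailer" would send

def _hash_key(key: str) -> str:
    return hashlib.sha256(key.encode()).hexdigest()

def vulnerable_request_reset(login: str, email_from_form: str) -> str:
    """Both flaws in one routine: the link goes to the address in the request
    (Kirki) and the raw key is written to the database (ARMember)."""
    user = USERS[login]
    key = secrets.token_urlsafe(24)
    user.reset_key_hash = key              # plaintext: anyone who reads the row has the key
    OUTBOX.append((email_from_form, key))  # destination chosen by whoever submitted the form
    return key

def hardened_request_reset(login: str, email_from_form: str) -> None:
    """Resolve the account first, send only to the address on record, store only a hash."""
    user = USERS.get(login)
    if user is None:
        return                             # same outcome for unknown users
    key = secrets.token_urlsafe(24)
    user.reset_key_hash = _hash_key(key)
    OUTBOX.append((user.email, key))       # email_from_form is deliberately ignored

def hardened_complete_reset(login: str, presented_key: str, new_password: str) -> bool:
    """Constant-time check against the stored hash; the key is single use."""
    user = USERS.get(login)
    if user is None or user.reset_key_hash is None:
        return False
    if not hmac.compare_digest(user.reset_key_hash, _hash_key(presented_key)):
        return False
    user.reset_key_hash = None
    user.password = new_password           # real code would hash the password too
    return True
```

The hardened path also gives the same response for unknown usernames, so the reset form cannot be used to enumerate accounts.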

Both vulnerabilities scored CVSS 9.8. The National Institute of Standards and Technology published both within 24 hours.

Why this matters to UK small businesses specifically: WordPress powers a significant proportion of UK small business websites. It is the default choice for accountants, solicitors, consultants, tradespeople, and anyone whose web developer defaulted to the most popular platform. Many of those sites handle client enquiries, booking forms, or payment integrations. An admin takeover gives an attacker access to all of it, including any stored customer data. That is a GDPR incident waiting to happen.

The Windows Vulnerability Nobody Has a CVE For

This one is more uncomfortable, because there is nothing to patch.

Researchers at Huntress published a detailed technical analysis of an NTLM credential leak in the Windows search: URI handler. NTLM is the Windows authentication protocol used across most business networks. The vulnerability allows an attacker to coerce a Windows machine into sending its NTLM credentials to an attacker-controlled server. Once captured, those credentials can be cracked offline or relayed to authenticate to other systems on the network.

The same class of vulnerability was previously identified and patched in the Windows Snipping Tool. This instance, in the search: URI handler, has no CVE number assigned. Microsoft has not issued a patch. There is no fix date.

Huntress made the implication explicit in their research: if your patching strategy relies entirely on CVE coverage, you have a structural blind spot. Vulnerabilities without CVE numbers do not show up in standard vulnerability scanners. They do not trigger alerts in most patch management tools. They exist, and they can be exploited, and your tooling will not tell you about them.

For small businesses, the relevant question is simple: does your IT provider or MSP monitor for threats that have not been assigned a CVE number? If they cannot answer that question clearly, you should be asking why.

The practical mitigation for the NTLM issue is to disable NTLM authentication where possible and enforce NTLMv2 at minimum, though the full details of the attack vector are technical enough to require specialist input.

The Pattern Worth Noting

Three of this week’s highest-priority items share a common thread: broken authentication logic.

The Kirki plugin trusts user-supplied email addresses in password reset flows. The ARMember Premium plugin stores credentials in a recoverable form. The Windows NTLM issue allows credential capture through a protocol the operating system trusts implicitly.

Attackers do not need to break encryption or find exotic zero-days when authentication logic is this forgiving. They walk in through the front door.

This pattern is not new. It is persistent. And it disproportionately affects smaller organisations that depend on third-party plugins, off-the-shelf software, and MSPs who may not be watching the right feeds.

How This Gives You an Edge

Most small business owners assume that staying secure requires keeping up with a firehose of technical alerts. It does not. It requires asking better questions of the people responsible for your systems.

This week’s threat brief gives you three specific questions you can put to your IT provider or MSP by end of day:

  1. Are Kirki and ARMember Premium installed on any of our WordPress sites, and if so, have they been updated or removed?
  2. Do your monitoring tools cover vulnerabilities that have not been assigned a CVE number?
  3. What is our current exposure to NTLM credential capture attacks?

If your provider cannot answer all three, that is intelligence. Use it.

Businesses that can demonstrate active, evidence-based security monitoring to clients and prospects have a genuine differentiator. Not the checkbox kind. The kind that comes from asking questions this week that most of your competitors will not ask until something goes wrong.

Making the Case to Whoever Controls the Budget

Three points that will land with a non-technical decision-maker:

The WordPress vulnerabilities are not theoretical. CVSS 9.8 is close to the maximum possible score. Both vulnerabilities allow a complete takeover of a business website with no prior access. A successful attack creates a GDPR notification obligation, potential ICO enforcement action, and reputational damage to clients. The cost of checking and updating plugins is measured in minutes. The cost of a breach is not.

The unpatched Windows issue illustrates a systemic gap. If your MSP only responds to CVE-listed vulnerabilities, they are working from an incomplete picture. This is not a criticism of any individual provider. It is a structural limitation of how most patch management tools work. Knowing the limitation exists is the first step to addressing it.

Patch debt compounds. This week’s KEV addition for Oracle WebLogic (CVE-2024-21182) is a two-year-old vulnerability now being actively exploited. Organisations that patched it when it was published are not affected. Organisations that did not are now on the wrong end of active attacks. The cost of patching does not decrease with delay. The risk does.

What to Do Before the End of This Week

  1. Check your WordPress plugins. Log in to your WordPress admin panel and navigate to Plugins. If Kirki (versions 6.0.0-6.0.6) or ARMember Premium (up to version 7.3.1) appear, update them immediately. If updates are not available, deactivate and remove them until a patched version is confirmed.

  2. Audit WordPress admin accounts. While you are in the admin panel, go to Users and review who has administrator-level access. Remove any accounts that should not be there. Ensure every admin account uses a strong, unique password and has multi-factor authentication enabled.

  3. Ask your MSP the three questions above. Write them down. Send them by email so you have a record of the response. The answer will tell you something useful about how your security monitoring actually works.

  4. Update your Android devices. Google released patches for 124 vulnerabilities in June 2026, including one actively exploited flaw (CVE-2025-48595). Update every Android phone and tablet used for business purposes. Settings, then System, then Software Update.

  5. Flag the NTLM issue for your next IT review. You cannot patch it today because no patch exists. But you can ensure it is on your IT provider’s radar and ask them to assess your current NTLM exposure and what compensating controls are in place.

Sources

  • NIST NVD: "CVE-2026-8206: Kirki Plugin Privilege Escalation via Account Takeover"
  • NIST NVD: "CVE-2026-5076: ARMember Premium Insecure Password Reset Mechanism"
  • Huntress: "Unpatched NTLM Coercion in Windows search: URI Handler, Same Bug, No CVE, No Fix"
  • The Hacker News: "Google June 2026 Android Update Patches 124 Flaws, One Actively Exploited"
  • Cyber Security News: "CISA Warns of Two-Year-Old Oracle WebLogic Server Vulnerability Exploited in Attacks"
  • Cyber Security News: "CISA Flags Palo Alto Networks PAN-OS Vulnerability as Exploited in Attacks"
  • The Hacker News: "Oracle WebLogic CVE-2024-21182 Added to KEV Catalog After Active Exploitation"
