WordPress Plugins, Microsoft Authenticator, and Your Email Server: The Threats That Landed Overnight

Three critical vulnerabilities landed in the last 24 hours. All three score 9.6 or above on the CVSS severity scale. All three affect technology that sits inside a significant proportion of UK small business environments. The data is below, without embellishment.

The WordPress Authentication Bypass You Need to Patch Today

CVE-2026-8181 carries a CVSS score of 9.8. It affects the Burst Statistics plugin for WordPress, specifically versions 3.4.0 through 3.4.1.1. The flaw sits in a function called is_mainwp_authenticated(), which validates application passwords from the authorisation header.

The validation logic is broken. An unauthenticated attacker who knows an administrator’s username can supply any random password and be treated as that administrator for the duration of the request. That is not a subtle bypass. That is the authentication check returning the wrong answer.

For UK small businesses running WordPress, the exposure is direct. A site using this plugin version is not protected by its login screen. Any attacker who can enumerate an admin username, which is often trivial, has a path to administrator-level access.

The fix is immediate: update the Burst Statistics plugin. If your site is managed by an MSP or web developer, contact them today and confirm the update has been applied. Do not accept “we’ll get to it next week” as an answer.

A second WordPress vulnerability published overnight compounds the picture. CVE-2026-6271, also CVSS 9.8, affects the Career Section plugin in all versions up to and including 1.7. The CV upload handler performs no file type validation. An unauthenticated attacker can upload executable files, which means remote code execution is possible on affected installations. If your business website has a job application or CV upload feature, verify which plugin is handling it and check its version immediately.

Microsoft Authenticator Is Leaking Information It Should Not

CVE-2026-41615 scores 9.6. The vulnerability is classified as exposure of sensitive information to an unauthorised actor. The affected product is Microsoft Authenticator, and the attack vector is network-based.

The NVD description states that an unauthorised attacker can disclose information over a network. Microsoft Authenticator is the multi-factor authentication application that a substantial number of UK businesses use daily. It is the second factor protecting email, file storage, and line-of-business applications.

The precise nature of what information is exposed is not fully detailed in the published CVE data. What is confirmed: this is a CVSS 9.6 flaw in an authentication application, published by NIST on 14 May 2026. The remediation pathway is to ensure Microsoft Authenticator is updated to the latest version on every device your staff use.

This matters because MFA is widely, and correctly, recommended as a foundational control. A vulnerability in the MFA application itself does not mean MFA is useless. It means an unpatched version of Microsoft Authenticator may be providing less protection than expected. The response is to patch, not to abandon the control.

Check that automatic updates are enabled for Microsoft Authenticator on all company and personal devices used for business authentication. If you manage devices through a mobile device management system, push the update now.

Outlook Web Access Is Being Actively Exploited Right Now

CVE-2026-42897 is a spoofing vulnerability in Outlook Web Access, the browser-based email interface for on-premises Microsoft Exchange. It is being actively exploited in the wild, according to reporting published 15 May 2026.

This is the highest-urgency item in today’s brief. A vulnerability being exploited in the wild means attackers are not waiting for businesses to patch. They are scanning for exposed systems and attempting exploitation now.

On-premises Exchange servers are a common fixture in UK businesses that have not yet migrated to cloud email. The operational reasons for staying on-premises are legitimate. The security reality is that on-premises infrastructure requires timely patching, and the patch window for actively exploited vulnerabilities is measured in hours, not weeks.

If your business runs on-premises Exchange and staff access email through a web browser interface, apply Microsoft’s patch for CVE-2026-42897 immediately. If you do not have an IT function capable of doing this today, escalate to your MSP and get written confirmation of when the patch will be applied.

The FamousSparrow attribution context from Article 5 is also relevant here. A Chinese state-linked threat actor was recently confirmed to have breached an energy sector organisation by exploiting an unpatched Microsoft Exchange server, using the ProxyNotShell vulnerabilities CVE-2022-41040 and CVE-2022-41082. The pattern is consistent: Exchange servers that are not patched attract sustained attention from capable threat actors. Unpatched Exchange is not a minor oversight. It is a standing invitation.

How Staying Ahead of This Gives You an Edge

Most UK small businesses do not have a process for monitoring vulnerability disclosures. Their patching cycle is either ad hoc or tied to monthly maintenance windows, which means a CVSS 9.8 flaw published on a Thursday may not be addressed until the following month.

Businesses that do have a process, even a simple one, can act within hours of a critical disclosure. That is a meaningful operational advantage. It reduces exposure time. It reduces the probability of a successful attack. And it produces a documented record of timely remediation that is directly relevant to Cyber Essentials certification, GDPR accountability obligations, and client due diligence questionnaires.

If you supply services to larger organisations, the ability to demonstrate that you responded to a CVSS 9.8 vulnerability within 24 hours of publication is the kind of evidence that wins procurement conversations.

Making the Business Case to Your Board or Owner

Three arguments that hold up under scrutiny:

The cost of patching is fixed; the cost of a breach is not. Updating a WordPress plugin takes minutes. Recovering from a site compromise, including ICO notification obligations under UK GDPR if personal data is affected, takes weeks and costs significantly more.

Active exploitation removes the luxury of a deliberate patching schedule. CVE-2026-42897 is being exploited in the wild today. The question is not whether to patch; it is whether you patch before or after an attacker finds your server.

Microsoft Authenticator is a trust anchor. If the tool your business relies on to verify identity has a known flaw, the appropriate response is to update it immediately. Leaving a known-vulnerable authentication application in production is a governance failure that an ICO investigator, a client’s procurement team, or a cyber insurance assessor will find difficult to explain away.

What to Do Before the End of the Week

  1. Audit your WordPress plugins. Log into every WordPress site your business operates. Navigate to Plugins and check for Burst Statistics and Career Section. If either is installed, update immediately. If your web developer manages this, email them today and request written confirmation that both plugins are on the latest version.

  2. Update Microsoft Authenticator on every device. Go to the App Store or Google Play, search for Microsoft Authenticator, and update. Do this on your own phone and ask staff to confirm they have done the same. If you manage devices centrally, push the update through your MDM system.

  3. Check whether you run on-premises Exchange. If you are unsure, ask your IT support provider. If you do run on-premises Exchange and staff access it via a web browser, contact your IT support and ask specifically about the patch status for CVE-2026-42897. Get a date.

  4. Set up a basic vulnerability alert process. The NCSC’s Early Warning service is free for UK organisations. Sign up at ncsc.gov.uk. It will not catch everything, but it will notify you of high-severity vulnerabilities relevant to your infrastructure without requiring you to monitor NVD manually.

  5. Document what you did. For each action above, note the date, what was done, and who did it. A one-line entry in a spreadsheet is sufficient. This documentation is the evidence you will need if a client, insurer, or regulator asks how you responded to a known critical vulnerability.
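As an added example of turning steps 1 and 5 into a repeatable check (this is not the page's, the plugin authors' or WP-CLI's own tooling): the script below reads the JSON that `wp plugin list --fields=title,version --format=json` produces, flags anything inside the two affected version ranges named in the brief, and emits one audit-log line per finding. The WP-CLI field names, the exact plugin titles and the site name are assumptions; the sample plugin data is constructed.

```python
import json
from datetime import date

# Added example, not the plugin authors' or WP-CLI's own code. Affected ranges are
# the ones in the brief: (lowest affected, highest affected), both inclusive;
# None as the lower bound means "all versions up to and including the upper bound".
AFFECTED = {
    "Burst Statistics": ("3.4.0", "3.4.1.1"),  # CVE-2026-8181, authentication bypass
    "Career Section": (None, "1.7"),           # CVE-2026-6271, unrestricted CV upload
}

def cmp_versions(a, b):
    """Compare dotted versions numerically, so 3.4.1 == 3.4.1.0 and 1.7 < 1.7.1.
    Non-numeric components (e.g. 'beta') sort below 0."""
    ta = [int(p) if p.isdigit() else -1 for p in a.strip().split(".")]
    tb = [int(p) if p.isdigit() else -1 for p in b.strip().split(".")]
    width = max(len(ta), len(tb))
    ta += [0] * (width - len(ta))
    tb += [0] * (width - len(tb))
    return (ta > tb) - (ta < tb)

def is_affected(title, version):
    """True when the plugin is in the table above and its version is inside the range."""
    if title not in AFFECTED:
        return False
    low, high = AFFECTED[title]
    if low is not None and cmp_versions(version, low) < 0:
        return False
    return cmp_versions(version, high) <= 0

def audit(plugin_json, site, today=None):
    """Take the JSON from `wp plugin list --fields=title,version --format=json`
    and return one audit-log line (step 5 of the brief) per affected plugin."""
    today = today or date.today().isoformat()
    return [
        f"{today} {site} {p['title']} {p['version']} AFFECTED - update required"
        for p in json.loads(plugin_json)
        if is_affected(p["title"], p["version"])
    ]

# Constructed sample in the shape WP-CLI produces; not output from a real site.
SAMPLE = json.dumps([
    {"title": "Burst Statistics", "version": "3.4.1.1"},
    {"title": "Career Section", "version": "1.6"},
    {"title": "Akismet Anti-spam", "version": "5.3"},
])

if __name__ == "__main__":
    for line in audit(SAMPLE, "www.example.co.uk"):
        print(line)
```

Append the returned lines to the spreadsheet or log you keep for step 5; a patched plugin simply stops appearing in the output on the next run.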

Sources

  • CVE-2026-8181: Burst Statistics WordPress Plugin Authentication Bypass (NIST NVD)
  • CVE-2026-41615: Microsoft Authenticator Information Disclosure (NIST NVD)
  • CVE-2026-6271: Career Section WordPress Plugin Arbitrary File Upload (NIST NVD)
  • Exploited in the Wild: Critical OWA Spoofing Flaw (CVE-2026-42897) Hits On-Premises Exchange Servers (Security Online)
  • Chinese APT Hackers Exploit Microsoft Exchange to Breach Energy Sector Network (Cyber Security News)
  • Cisco Catalyst SD-WAN Controller Auth Bypass Actively Exploited to Gain Admin Access (The Hacker News)
  • NCSC Early Warning Service (NCSC)
