Your WordPress Site Has a Backdoor. Your Shared Host Has a Symlink Problem. And Microsoft Just Patched Your Emails Being Stolen With One Click.
Three stories landed in the last 24 hours. Two involve active exploitation confirmed by CISA. One was patched before most people noticed it existed. All three are directly relevant to UK small businesses.
Let us go through them in order of immediate risk.
Story One: Your WordPress Plugins Were Used Against You
An attacker tampered with JavaScript files used by three widely-deployed WordPress plugins: PushEngage, OptinMonster, and TrustPulse. All three are products of Awesome Motive, a company whose tools are installed on millions of sites globally.
The mechanism is straightforward and worth understanding. The plugins loaded external JavaScript files from a shared CDN. An attacker compromised those files and modified them to execute code when a site administrator was logged in. The payload created rogue administrator accounts and planted hidden backdoors.
The key phrase there is “when a site administrator was logged in.” The attacker did not need to break your password or bypass your login page. They waited for you to authenticate, then used your authenticated session to do the damage.
If you run a WordPress site with any of these plugins installed, the immediate action is simple: log into WordPress, go to Users, and look for accounts you do not recognise. Then check your installed plugins against the versions currently listed in the WordPress plugin repository. If your version predates the tampered window, you may be clean. If it does not, assume compromise until you can confirm otherwise.
This is a supply chain attack. The software you trusted had its distribution infrastructure compromised. The lesson is not “stop using plugins.” The lesson is that plugins are third-party code running with full access to your site, and their integrity depends on the security of every organisation in their distribution chain. That chain is longer than most people realise.
Story Two: Shared Hosting Is Not a Sandbox (CISA-Confirmed Active Exploitation)
CISA added CVE-2026-54420 to its Known Exploited Vulnerabilities catalogue on 15 June. The affected product is the LiteSpeed cPanel plugin, which is deployed by hosting providers running CloudLinux with CageFS.
CageFS is the technology shared hosting providers use to isolate customers from each other. The idea is that your files stay in your cage and you cannot see what is in your neighbour’s. CVE-2026-54420 is a symlink-following vulnerability. In plain terms: an attacker with FTP access or a web shell on one account can use it to escape their isolated environment and traverse the filesystem of the host, potentially accessing data belonging to other customers on the same server.
This is not a theoretical risk. CISA only adds vulnerabilities to the KEV catalogue when there is reliable evidence of active exploitation in the wild.
For UK small businesses, the direct exposure here is twofold. First, if you are on shared hosting, your data sits on a server with other tenants. If any of those tenants has a compromised account, this vulnerability means that compromise is not contained to them. Second, if your hosting provider runs cPanel with LiteSpeed and has not patched, the cage around your account is not functioning as advertised.
The required action from CISA is patching in accordance with vendor instructions. That is the hosting provider’s responsibility, not yours. But you have a right to ask them whether they have applied it, and you have a right to consider the answer when evaluating whether your current hosting arrangement is adequate.
Story Three: One Click and Your Microsoft 365 Data Was Gone (Patched, But Read This Anyway)
Researchers at Varonis Threat Lab disclosed details of CVE-2026-42824 on 15 June. Microsoft patched it on 4 June.
The vulnerability was in Microsoft 365 Copilot Enterprise Search. The attack chain required the target to click once on a link from a legitimate Microsoft domain. That single click was sufficient for an attacker to exfiltrate emails, calendar entries, files indexed from SharePoint and OneDrive, and MFA codes.
Read that last item again. MFA codes. The very mechanism you are relying on to protect your account could have been harvested through this flaw.
The patch is live. If your Microsoft 365 environment updates automatically, you are likely protected. The reason this still matters after patching is what it tells you about the architecture.
Microsoft 365 Copilot, in its Enterprise Search configuration, indexes everything. Emails, documents, calendar data, all of it. That index is a concentrated target. One vulnerability in the system that exposes it means all of that data is potentially accessible in a single request. The Varonis researchers noted the flaw was “relatively simple in design” and that the only requirement was a single user interaction: clicking a link from a trusted Microsoft domain.
For small businesses that have adopted Microsoft 365 Copilot because it was bundled with their subscription or recommended by their IT provider, this is worth a conversation. What data is Copilot indexing? Who has access to Enterprise Search? Has your IT provider reviewed the Copilot configuration against Microsoft’s own hardening guidance?
If the answer to that last question is “I do not know,” that is the answer that needs to change first.
Why These Three Stories Belong Together
On the surface, these are three separate products with three separate vulnerabilities. The underlying pattern is the same.
In all three cases, the attack leveraged trust. Trust in a plugin’s distribution infrastructure. Trust that a shared hosting cage will keep a compromised account contained. Trust that a link from a legitimate Microsoft domain is safe to click.
Security controls that do not account for the abuse of legitimate trust are incomplete. Firewalls did not help here. Antivirus did not help here. The question in each case was: who has access to what, and how do we know if that access has been abused?
The answer to that question requires visibility, not just prevention. Log monitoring. User account audits. Regular review of third-party software and its update status. None of those things require a large budget. All of them require deliberate attention.
Why This Gives You an Edge
Most of your competitors are not reading CISA’s KEV catalogue. They are not auditing their WordPress user accounts after a supply chain event. They are not asking their hosting provider whether a specific CVE has been patched.
You now have the information. Acting on it puts you in a materially different position from businesses that discovered the same problems after a breach rather than before.
If you work with clients who ask about your security posture, the ability to say “we monitor active threat intelligence and respond to confirmed exploitation within 24 hours” is a verifiable, specific claim. It is the kind of claim that distinguishes a business that takes security seriously from one that has a certificate on the wall.
Making the Business Case
Three points worth raising with whoever controls budget and policy in your organisation.
The WordPress incident is a supply chain failure, not a user error. The plugins were legitimate. The distribution infrastructure was compromised. This is the argument for reviewing all third-party software dependencies, not just the obvious attack vectors.
The shared hosting flaw is your provider’s responsibility, but your risk. If they have not patched CVE-2026-54420, the isolation between your data and other tenants on the same server is compromised. The question of whether shared hosting is appropriate for your data is a business decision, and it requires accurate information about the environment.
The Microsoft 365 Copilot vulnerability demonstrates that AI feature adoption needs a security review. The flaw existed because Enterprise Search had broad access to indexed data. The patch addresses the specific vulnerability; it does not change the architecture. If Copilot is indexing sensitive business data, the question of who can query it and under what conditions is a governance question, not just a technical one.
What to Do Before the End of This Week
- If you run WordPress: Log in and audit your user accounts immediately. Remove any accounts you do not recognise. Check the versions of PushEngage, OptinMonster, and TrustPulse against the current versions in the WordPress plugin repository. Update everything.
- If you are on shared hosting: Contact your provider and ask specifically whether CVE-2026-54420 in the LiteSpeed cPanel plugin has been patched on your server. Document their response. If they cannot confirm patching, escalate the question to their support management or consider whether your hosting arrangement needs to change.
- If you use Microsoft 365 Copilot: Confirm that your environment is receiving automatic updates from Microsoft. Review which data sources Copilot Enterprise Search is permitted to index. If you do not know, ask your IT provider to walk you through the current configuration.
- Regardless of the above: Check whether your IT provider or MSP is monitoring CISA’s KEV catalogue and acting on confirmed exploitation events. If they are not, ask them why not, and what their equivalent process is.
- Audit your external-facing software inventory. All three of today’s stories involve software that interacts with the internet: a website, a hosting environment, a cloud productivity suite. Know what you are running, who is responsible for patching it, and how quickly that patching happens after a vulnerability is confirmed as actively exploited.
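The WordPress checks described in Story One and repeated in the first action item above (unexpected administrator accounts, and whether the three plugins are behind the repository version) can be scripted with WP-CLI. This is an added example, not code from the briefing or from Awesome Motive; it assumes WP-CLI is installed on the site, that the plugin slugs are pushengage, optinmonster and trustpulse-api, and that `wp plugin list` exposes the update and update_version fields.

```shell
#!/bin/sh
# Added example (not from the original briefing). Two WP-CLI based checks:
#  1. administrator accounts registered on or after a cutoff date
#  2. watched plugins for which the repository has a newer version
# Assumed plugin slugs; adjust if your site uses different ones.
WATCHED="pushengage optinmonster trustpulse-api"

# stdin: CSV from `wp user list --role=administrator --format=csv
#   --fields=ID,user_login,user_email,user_registered`
# $1: cutoff date (YYYY-MM-DD). Prints admins registered on or after it.
flag_new_admins() {
  awk -F, -v cutoff="$1" '
    NR > 1 && substr($4, 1, 10) >= cutoff {
      print $2 " (" $3 ") registered " $4
    }'
}

# stdin: CSV from `wp plugin list --format=csv
#   --fields=name,status,update,version,update_version`
# Prints watched plugins for which WP-CLI reports an available update.
flag_stale_plugins() {
  awk -F, -v watched="$WATCHED" '
    BEGIN { n = split(watched, w, " "); for (i = 1; i <= n; i++) keep[w[i]] = 1 }
    NR > 1 && ($1 in keep) && $3 == "available" {
      print $1 " installed " $4 ", repository has " $5
    }'
}

if [ "$1" = "--live" ]; then
  # Real run against the site: ./audit.sh --live 2026-06-01
  wp user list --role=administrator --format=csv \
     --fields=ID,user_login,user_email,user_registered | flag_new_admins "$2"
  wp plugin list --format=csv \
     --fields=name,status,update,version,update_version | flag_stale_plugins
else
  # Constructed sample WP-CLI output so the checks can be run offline
  printf '%s\n' 'ID,user_login,user_email,user_registered' \
    '1,owner,owner@example.test,2023-01-05 09:00:00' \
    '17,wp_support,svc@example.test,2026-06-15 03:14:07' | flag_new_admins 2026-06-01
  printf '%s\n' 'name,status,update,version,update_version' \
    'pushengage,active,none,4.0.0,' \
    'optinmonster,active,available,2.16.0,2.16.1' | flag_stale_plugins
fi
```

Any account the first check prints that you did not create yourself should be treated as a sign of compromise, not just removed; the second check tells you which of the three plugins still need updating.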
The data is in front of you. The question is whether you act on it before someone else does.
Before you go: follow the show wherever you listen, leave a rating or review, drop a comment with your thoughts, and share it with someone who would find it useful. If today’s briefing was useful to you, it will be useful to someone else in your network.