WordPress Shops, cPanel Hosts, and Ivanti Devices: This Week's Threats Your Business Cannot Ignore
Three vulnerability disclosures landed in the last 48 hours that UK small businesses cannot treat as background noise. One allows unauthenticated attackers to create administrator accounts on WordPress e-commerce sites. A second represents the latest in a pattern of critical cPanel flaws, one of which already compromised 44,000 installations. The third is CISA-confirmed active exploitation of enterprise mobile device management software.
The data is unambiguous. The attack surface here is not theoretical. It is operational, and it maps directly onto the tools that UK small businesses use to run their online presence.
The WordPress Threat: No Password Required
CVE-2021-47932 was formally published on 10 May 2026 with a CVSS score of 9.8: the highest severity band before you reach a perfect 10. The vulnerability exists in the TheCartPress plugin for WordPress, version 1.5.3.6.
The mechanism is straightforward to explain and devastating in practice. An unauthenticated attacker, meaning someone with no existing access to your site whatsoever, can send a crafted POST request to the plugin’s AJAX handler. By setting a specific parameter to “administrator”, they create a fully privileged admin account on your WordPress installation. No brute force required. No credential theft required. One request.
A second related critical flaw published simultaneously is CVE-2021-47933, affecting WordPress MStore API version 2.0.6. This one allows unauthenticated attackers to upload arbitrary files, including PHP shells, to the server. In plain terms: an attacker who finds your site running this plugin can upload and execute code on your server. That is remote code execution (RCE), the most serious category of web vulnerability.
A third CVE published the same day, CVE-2021-47940, affects the Download From Files plugin (version 1.48 and earlier), allowing unauthenticated arbitrary file upload via a crafted request to WordPress’s admin-ajax endpoint.
For any UK business running an online shop or customer-facing WordPress site, the question is not whether these plugins are popular. The question is whether your site is running them and whether your hosting provider or IT support has applied available patches.
WordPress powers an estimated 43% of all websites globally. The number of UK small business sites running outdated or unpatched plugins is not a number the vendor publishes, but the attack surface is self-evidently enormous.
The cPanel Pattern: A Second Wave After 44,000 Compromises
cPanel and WHM (Web Host Manager) are the control panel interfaces that the majority of shared web hosting providers use. If your business website sits on shared hosting, the probability that your hosting provider uses cPanel is high.
On 9 May 2026, cPanel released patches for three new vulnerabilities: CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203. Two of these carry CVSS scores of 8.8, placing them in the high-severity band. CVE-2026-29202 specifically allows an authenticated attacker to execute arbitrary Perl code on the underlying server.
The context matters here. A separate cPanel vulnerability, CVE-2026-41940, was recently exploited to compromise 44,000 cPanel installations. That attack wave happened before these new patches were released. The pattern is established: cPanel vulnerabilities are being actively targeted, and the infrastructure underpinning many UK small business websites is directly in scope.
Patches are available. The practical action for a small business is not to patch cPanel yourself; that is your hosting provider’s responsibility. The action is to ask your hosting provider explicitly whether these patches have been applied and to get a written confirmation. If they cannot tell you, that is a data point about the quality of your provider.
CISA’s Known Exploited Vulnerabilities: Ivanti EPMM
CISA, the US Cybersecurity and Infrastructure Security Agency, maintains a catalogue of vulnerabilities that have been confirmed as actively exploited in the wild. Addition to the Known Exploited Vulnerabilities (KEV) catalogue is not a prediction or a risk assessment. It means exploitation has been observed.
CVE-2026-6973, an authenticated remote code execution vulnerability in Ivanti Endpoint Manager Mobile (EPMM), was added to the KEV catalogue on 10 May 2026. EPMM is a mobile device management (MDM) platform used to manage and secure smartphones and tablets across a business.
For most micro-businesses, Ivanti EPMM is not a product they are running directly. However, managed service providers (MSPs) often use MDM platforms to manage client devices. If your MSP uses Ivanti EPMM and has not patched, the devices they manage for your business may be at risk.
The question to ask your MSP this week: “Is Ivanti EPMM in your stack, and have you applied the patch for CVE-2026-6973?” If they look blank, that is a problem.
Why This Pattern Matters for UK Small Businesses
Three things are visible in this week’s intelligence that deserve explicit statement.
First: the WordPress vulnerabilities cluster around e-commerce and file management plugins. The businesses most exposed are those running online shops, booking systems, or document portals. These are not hobbyist sites. They hold customer payment data, personal information, and order histories. A breach triggers ICO notification obligations under UK GDPR.
Second: the cPanel situation demonstrates that infrastructure you do not control can still be your liability. Your hosting provider’s patch cadence is part of your security posture whether you treat it that way or not. A compromise of shared hosting infrastructure can affect every site on that server, not just yours.
Third: the Ivanti KEV addition illustrates the supply chain risk that sits inside MSP relationships. UK small businesses frequently grant MSPs significant access to their environments. When tools in that MSP’s stack are being actively exploited, the risk propagates downstream.
How to Use This as a Competitive Differentiator
If your business handles client data or operates in a supply chain where larger organisations audit their suppliers’ security, this week’s intelligence is an opportunity, not just a threat briefing.
Demonstrating that you have a patching process, that you know which plugins are running on your website, and that you ask your hosting provider and MSP the right questions puts you ahead of the majority of UK small businesses. Most do not.
If you are working towards Cyber Essentials certification, patch management is a core technical control. Documenting your response to critical CVEs is evidence of a functioning process. That documentation has value in supplier questionnaires and procurement conversations.
Making the Business Case to Your Decision Maker
Three points that will land with whoever controls the budget or signs off on IT decisions.
Regulatory exposure is concrete. A WordPress breach that exposes customer data triggers a mandatory ICO notification under UK GDPR. Failure to notify within 72 hours carries its own penalties, separate from the underlying breach. The cost of a patch is measured in minutes. The cost of notification, investigation, and potential enforcement action is measured in thousands of pounds and management time.
The precedent is documented. The cPanel story is not speculative. Forty-four thousand installations were compromised via a previous flaw in the same software. That is a published, verifiable number. The new patches address different vulnerabilities in the same attack surface. The risk is not theoretical.
Your MSP’s security is your security. If your managed service provider is running unpatched software to manage your devices, you are exposed by their failure. Asking the question costs nothing. The answer tells you whether your MSP relationship is worth the contract value.
What to Do Before the End of This Week
- Audit your WordPress plugins today. Log in to your WordPress admin dashboard. Go to Plugins, then Installed Plugins. Look for TheCartPress, MStore API, and Download From Files. If any are present, check whether updates are available and apply them immediately. If you cannot do this yourself, contact whoever manages your website and make it an urgent request, not a scheduled task.
- Contact your hosting provider about cPanel patches. Send an email or raise a support ticket asking specifically whether CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203 have been patched on your hosting infrastructure. Keep the response. If they cannot confirm, escalate or consider whether your hosting arrangement meets your security requirements.
- Ask your MSP about Ivanti EPMM. If you have a managed service provider who handles your devices, ask them directly whether Ivanti EPMM is part of their toolset and whether CVE-2026-6973 has been patched. Document the response.
- Review your WordPress plugin inventory more broadly. This week’s disclosures are not isolated. Outdated or unmaintained plugins are a persistent and well-documented attack vector. Any plugin that has not received an update in twelve months should be evaluated: either replace it with a maintained alternative or remove it. Unused plugins should be deleted, not just deactivated.
- Check your ICO breach notification process. If a WordPress compromise did expose customer data, would you know what to do in the next 72 hours? If the answer is unclear, spend thirty minutes now reviewing the ICO’s guidance on personal data breach reporting. The process is straightforward. Not knowing it when you need it is the expensive version.
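One way to turn the plugin audit above into a repeatable check, as an added example that is not part of the original article: it reads the JSON that WP-CLI's `wp plugin list --format=json` prints (a constructed sample is embedded so it runs offline), flags the three plugins named this week, and compares installed versions against what the advisory text states. The plugin slugs are assumed, and because the article names only a single affected version for TheCartPress and MStore API, the script matches those exactly while still reporting any install of the plugin.

```python
"""Flag WordPress plugins named in this week's advisory from a WP-CLI inventory."""
import json

# Affected versions as stated in the advisory text. The slugs are assumed for
# this example and matched case-insensitively against the WP-CLI "name" field;
# adjust them if your installation reports different plugin names.
ADVISORY = {
    "thecartpress":        {"cve": "CVE-2021-47932", "affected": "== 1.5.3.6"},
    "mstore-api":          {"cve": "CVE-2021-47933", "affected": "== 2.0.6"},
    "download-from-files": {"cve": "CVE-2021-47940", "affected": "<= 1.48"},
}

def parse_version(v):
    """Turn '1.5.3.6' into (1, 5, 3, 6); non-numeric parts sort as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def version_matches(version, rule):
    """True if `version` falls inside the rule, e.g. '<= 1.48' or '== 2.0.6'."""
    op, target = rule.split()
    left, right = parse_version(version), parse_version(target)
    width = max(len(left), len(right))          # pad so 1.48 == 1.48.0
    left += (0,) * (width - len(left))
    right += (0,) * (width - len(right))
    return left == right if op == "==" else left <= right

def audit(inventory_json):
    """Return one finding per installed plugin that the advisory names."""
    findings = []
    for plugin in json.loads(inventory_json):
        name = plugin["name"].lower()
        for slug, info in ADVISORY.items():
            if slug not in name:
                continue
            findings.append({
                "plugin": plugin["name"],
                "cve": info["cve"],
                "version": plugin["version"],
                "in_affected_range": version_matches(plugin["version"], info["affected"]),
                "update_available": plugin.get("update") == "available",
                "active": plugin.get("status") == "active",   # inactive is still installed
            })
    return findings

# Constructed sample of `wp plugin list --format=json` output; not real site data.
SAMPLE_INVENTORY = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": "thecartpress", "status": "active", "update": "available", "version": "1.5.3.6"},
    {"name": "download-from-files", "status": "inactive", "update": "none", "version": "1.47"},
])

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(finding)
```

An inactive plugin still appears in the findings on purpose: the article's advice is to delete unused plugins, not merely deactivate them.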