Your WordPress Site Is Being Attacked Right Now. Your Magento Store Too.

Threats & Attacks


Two vulnerabilities were added to CISA’s Known Exploited Vulnerabilities catalogue yesterday. Both are being actively used against real targets. Both affect platforms that underpin the websites of hundreds of thousands of UK small businesses.

This is not a vendor warning dressed up as urgency. This is CISA’s KEV list, which only gets updated when exploitation is confirmed in the wild. The signal is as clean as it gets.

What Is Actually Being Exploited

The first is CVE-2026-45247, a critical remote code execution flaw in the Mirasvit Full Page Cache Warmer extension for Adobe Magento. If your e-commerce site runs on Magento and uses this extension, an unauthenticated attacker can execute arbitrary code on your server. No login. No credentials. Just a crafted HTTP request.

The second is CVE-2026-3300, a critical unauthenticated PHP code injection vulnerability in the Everest Forms Pro plugin for WordPress. Attackers are injecting and executing arbitrary PHP code on vulnerable sites. Again, no authentication required. The exploit is public. The barrier to entry is low enough that script kiddies are running it, not just organised threat actors.

Both were published as critical by NIST NVD and both are now confirmed exploited by CISA. That is the highest-confidence threat signal available to the public.

Why This Matters to UK Small Businesses Specifically

WordPress powers approximately 43% of all websites globally. Magento is the platform of choice for a significant portion of UK small e-commerce businesses. These are not niche enterprise products. They are the infrastructure your website almost certainly runs on.

The uncomfortable truth is that most small business websites are treated as a one-time project rather than an ongoing operational asset. A developer builds the site, launches it, and then the plugin update cadence quietly dies. Security researchers have a term for this: drift. Your site was secure on day one. It has been drifting toward compromise ever since.

For UK businesses, a compromised website is not just a technical problem. Under UK GDPR, if customer data is exposed through the breach, you have a 72-hour notification obligation to the ICO. Miss that window and you are looking at enforcement action on top of the incident itself.

The ICO’s published guidance is explicit: organisations must implement appropriate technical measures to protect personal data. Running an unpatched content management system with publicly disclosed critical vulnerabilities is not an appropriate technical measure. It is the opposite.

The Exploit Code Is Already Public

This is the detail that changes the risk calculation. When CISA adds a vulnerability to its KEV catalogue, it means real attackers are already using it. When exploit code is publicly available, as it is for both of these vulnerabilities, the population of potential attackers expands dramatically.

You are no longer only exposed to sophisticated threat actors with custom tooling. You are exposed to anyone who can run a script they downloaded from a public repository. Automated scanning tools are already probing the internet for vulnerable instances. Your site is being scanned whether or not anyone has specifically targeted your business.

The relevant question is not whether you are a target. The relevant question is whether your site will be caught by an automated sweep before you apply the patch.

A Note on the Broader Vulnerability Picture This Week

The KEV additions are the priority, but this week’s NVD data contains a pattern worth noting for businesses running any kind of managed device or IoT equipment. Several critical CVEs published in the last 24 hours relate to the FieldX MDM platform, covering command injection via unverified payloads, unauthenticated MQTT broker access allowing device enumeration, root command execution through a misconfigured utility, and hard-coded API keys exposed through error pages.

These are not individually CISA-confirmed exploitations today, but the cluster of vulnerabilities in a single product line is a meaningful signal. If your business uses FieldX MDM for device management, treat this as requiring immediate vendor contact and patch assessment. Hard-coded credentials and unauthenticated root access are not theoretical risks. They are architectural failures that attackers search for systematically.

How to Use This as a Competitive Advantage

If your business handles customer data through a website, demonstrating that you actively monitor and respond to confirmed threat intelligence is a genuine differentiator. Most of your competitors have not read this. Most of their websites are running unpatched plugins.

If you are a supplier in a supply chain that requires vendor security assurances, being able to document that you responded to a CISA KEV alert within 24 hours is the kind of evidence that satisfies procurement questionnaires and builds long-term client confidence. It is also exactly the kind of posture that supports Cyber Essentials certification, which requires that critical vulnerabilities are patched promptly.

This is not about marketing your security. It is about building a documented practice of responding to real intelligence, which creates defensible evidence if you ever face regulatory scrutiny.

Making the Business Case

If you need to justify the cost of immediate action to a decision-maker, here are three arguments that land:

The ICO clock is already ticking. If an attacker is already on your server because of an unpatched plugin, you may already be in breach of UK GDPR. The 72-hour notification window starts from when you become aware of the incident. Acting now reduces the probability of an incident you will have to disclose.

The cost of patching is hours. The cost of a breach is months. Updating a plugin takes minutes. Responding to a data breach, notifying customers, managing reputational damage, and engaging legal counsel takes months and costs significantly more than any patch ever will.

CISA confirmation removes the ‘maybe’ from the risk calculation. This is not a vendor claiming something might be exploited to sell a product. This is the US government’s own cyber security agency confirming active exploitation with evidence. The risk is not hypothetical.

What to Do Before the End of the Week

1. Audit your website plugins and extensions today. Log into your WordPress or Magento admin panel. List every active plugin or extension. Note the version number of each. This takes 15 minutes and you need the information regardless of what you do next.

2. Apply available patches immediately. If you run the Mirasvit Full Page Cache Warmer extension on Magento, update it now. If you run Everest Forms Pro on WordPress, update it now. If you run any other plugins with pending updates, apply those too. The update queue is not a to-do list for later.

3. If your website is managed by an MSP or web agency, contact them in writing today. Ask specifically: what action have you taken in response to CVE-2026-45247 and CVE-2026-3300? Ask for written confirmation of the patches applied and the dates. If they cannot tell you, that is a procurement conversation you need to have.

4. Check your backup. If you do not have a recent, tested backup of your website and its database, that gap is more urgent than the patch itself. You cannot restore from a backup that does not exist.

5. Review your ICO notification readiness. Know where your ICO report portal login is before you need it. Understand what constitutes a reportable breach under UK GDPR. The 72-hour clock does not pause while you locate your credentials.
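Steps 1 and 2 above, worked as a small triage script (an added example, not part of the original article): it reads the JSON that `wp plugin list --format=json` prints, puts any plugin on a CISA KEV watchlist first, anything with a pending update second, and emits the `wp plugin update` command for each. The sample JSON and the `everest-forms-pro` slug are constructed assumptions; Magento extensions are listed with `bin/magento module:status` instead and are not covered here.

```python
"""Triage a WordPress plugin inventory against a KEV watchlist.

Usage: wp plugin list --format=json | python3 triage.py
With no stdin, the constructed sample below is used instead.
"""
import json
import sys

# Assumed slug -> CVE mapping for the KEV-listed plugin named in the article.
# Check the real slug in your own `wp plugin list` output before relying on it.
KEV_WATCHLIST = {
    "everest-forms-pro": "CVE-2026-3300",  # slug is an assumption
}

# Constructed sample of `wp plugin list --format=json` output (not real data).
SAMPLE_WP_JSON = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": "everest-forms-pro", "status": "active", "update": "available", "version": "1.8.2"},
    {"name": "old-seo-tool", "status": "inactive", "update": "available", "version": "2.0"},
    {"name": "contact-form-7", "status": "active", "update": "none", "version": "5.9"},
])


def triage(plugin_json, watchlist=KEV_WATCHLIST):
    """Return (priority, slug, version, reason, action) tuples, most urgent first.

    Priority 0: on the KEV watchlist, patch regardless of update status.
    Priority 1: active plugin with a pending update.
    Priority 2: inactive plugin with a pending update; its files are still on
                disk and web-reachable, so delete it rather than leave it.
    """
    findings = []
    for p in json.loads(plugin_json):
        slug, version = p["name"], p.get("version", "?")
        active = p.get("status") == "active"
        if slug in watchlist:
            reason = f"{watchlist[slug]} is on CISA KEV; patch or remove now"
            findings.append((0, slug, version, reason, f"wp plugin update {slug}"))
        elif p.get("update") == "available":
            if active:
                findings.append((1, slug, version, "update pending", f"wp plugin update {slug}"))
            else:
                findings.append((2, slug, version, "inactive with update pending",
                                 f"wp plugin delete {slug}"))
    return sorted(findings)


if __name__ == "__main__":
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WP_JSON
    for pri, slug, ver, reason, action in triage(raw):
        print(f"P{pri} {slug:<20} {ver:<8} {reason:<45} -> {action}")
```

Keep the printed output with the date as the written record step 3 asks your MSP for; it shows which plugins were pending and what was run.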

Sources

  • CISA: Known Exploited Vulnerabilities Catalog
  • Cyber Security News: CISA Warns of critical Magento Cache Warmer RCE flaw Exploited in Attacks
  • Cyber Security News: Hackers Actively Exploiting WordPress Plugin Vulnerability to Inject Malicious PHP Code
  • TheCyberThrone: CISA adds Three Vulnerabilities to KEV Catalog
  • NIST NVD: CVE-2026-45247 Detail
  • NIST NVD: CVE-2026-3300 Detail
  • ICO: Security (UK GDPR guidance)
  • NCSC: Vulnerability management guidance

Filed under

  • smb-security
  • uk-business
  • vendor-risk
  • compliance-failure
  • business-risk
  • incident-response
  • supply-chain-risk