WordPress OTP Bypass and the Windows Kernel Flaw Your Business Needs to Patch Today

Cyber Security News

Two vulnerabilities disclosed in the past 24 hours carry a CVSS score of 9.8. Both affect infrastructure that UK small businesses depend on daily. Neither requires a sophisticated attacker to exploit.

This is not a theoretical threat landscape briefing. These are specific, confirmed flaws with working technical details now public. The clock is running.

Story One: The WordPress Plugin That Hands Over the Keys

CVE-2026-8760 affects the “Login with OTP” plugin for WordPress, in all versions up to and including 1.6. The vulnerability is an authentication bypass.

Here is how it works. When a user attempts to log in, the plugin generates a 6-digit one-time password. A rate-limit check was added in a previous patch attempt, but it was placed in the wrong branch of the code. The check runs during OTP generation. It does not run during OTP validation. An attacker who triggers generation no more than once, and then submits guesses straight to the validation endpoint, faces no lockout, no throttle, and no expiry on the code.

The OTP space is 900,000 values. That sounds large, but without a throttle or an expiry it is a bounded brute force: a script submits guesses to the validation endpoint and simply works through the space until one is accepted.

The result: an unauthenticated attacker can gain a valid authenticated session for any account on the site, including administrator accounts. Full admin access. No credentials required.
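To make the "rate limit in the wrong branch" bug concrete, here is an added toy model (not the plugin's real code; class names, limits and the user account are assumptions). The vulnerable class throttles only the generation path; the hardened class moves the attempt counter, expiry and single-use rule onto the validation path, which is the branch an attacker actually hits.

```python
"""Toy model of an OTP login whose throttle sits on the wrong branch.

Added example, not the plugin's code. Names, limits and the "admin" user
are assumptions. VulnerableOtpLogin rate-limits OTP *generation* only;
HardenedOtpLogin enforces attempts, expiry and single use on *validation*.
"""
import hmac
import secrets
import time

OTP_MIN, OTP_MAX = 100_000, 999_999      # 900,000 six-digit codes, as in the article
OTP_SPACE = OTP_MAX - OTP_MIN + 1


class VulnerableOtpLogin:
    GEN_LIMIT = 3            # OTP requests allowed per user per window (assumed)
    WINDOW = 300             # seconds (assumed)

    def __init__(self, clock=time.time, rng=secrets.randbelow):
        self.clock = clock
        self.rng = rng           # injectable so the demo below is deterministic
        self._otp = {}           # user -> code; never expires, never cleared
        self._requests = {}      # user -> timestamps of recent OTP requests

    def request_otp(self, user):
        """Generation branch: the only place the throttle was added."""
        now = self.clock()
        recent = [t for t in self._requests.get(user, []) if now - t < self.WINDOW]
        if len(recent) >= self.GEN_LIMIT:
            raise PermissionError("too many OTP requests")
        self._requests[user] = recent + [now]
        code = f"{self.rng(OTP_SPACE) + OTP_MIN:06d}"
        self._otp[user] = code
        return code              # in reality sent to the user's phone or inbox

    def verify_otp(self, user, code):
        """Validation branch: no attempt counter, no expiry, no invalidation."""
        stored = self._otp.get(user)
        return stored is not None and hmac.compare_digest(stored, code)


class HardenedOtpLogin(VulnerableOtpLogin):
    MAX_ATTEMPTS = 5         # failed validations before the code is burned (assumed)
    OTP_TTL = 300            # seconds a code stays valid (assumed)

    def __init__(self, clock=time.time, rng=secrets.randbelow):
        super().__init__(clock, rng)
        self._issued_at = {}
        self._failures = {}

    def request_otp(self, user):
        code = super().request_otp(user)
        self._issued_at[user] = self.clock()
        self._failures[user] = 0
        return code

    def verify_otp(self, user, code):
        stored = self._otp.get(user)
        if stored is None:
            return False
        if self.clock() - self._issued_at[user] > self.OTP_TTL:
            self._otp.pop(user)                 # expired: burn it
            return False
        if hmac.compare_digest(stored, code):
            self._otp.pop(user)                 # correct: single use
            return True
        self._failures[user] += 1
        if self._failures[user] >= self.MAX_ATTEMPTS:
            self._otp.pop(user)                 # too many guesses: burn it, force a new request
        return False


def brute_force(login, user):
    """Attacker's loop: never calls request_otp(), only submits guesses.
    Returns the number of guesses until success, or None if none is accepted."""
    for n, guess in enumerate(range(OTP_MIN, OTP_MAX + 1), start=1):
        if login.verify_otp(user, f"{guess:06d}"):
            return n
    return None


if __name__ == "__main__":
    fixed = lambda n: 500_000     # deterministic "random" draw -> code 600000
    v = VulnerableOtpLogin(rng=fixed)
    v.request_otp("admin")        # a login is started once; the code goes to the victim
    print("vulnerable: accepted after", brute_force(v, "admin"), "guesses")
    h = HardenedOtpLogin(rng=fixed)
    h.request_otp("admin")
    print("hardened:   accepted after", brute_force(h, "admin"), "guesses")
```

Against the vulnerable class the loop is accepted on the 500,001st guess; against the hardened class the code is burned after five failures and the loop never succeeds, even when it later reaches the right value. The generation throttle is unchanged in both, which is exactly why it never helped.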

WordPress powers a significant proportion of UK small business websites. Many of those sites hold customer data, contact forms, booking systems, or e-commerce functionality. An attacker with admin access can install malicious plugins, exfiltrate customer data, redirect visitors to phishing pages, or use the server as infrastructure for further attacks.

The immediate question for any business running WordPress: is this plugin installed? Log into your WordPress dashboard, navigate to Plugins, and search for “Login with OTP.” If it is present and active, disable it until a confirmed patched version is available and verified.

If your website is managed by an agency or MSP, contact them today and ask for written confirmation that this has been checked and addressed.

Story Two: The Windows Kernel Flaw That Breaks Every Sandbox

CVE-2026-40369 is a Windows kernel vulnerability. It allows an attacker to achieve full SYSTEM-level privilege escalation, which is the highest privilege level on a Windows machine, from even the most restricted execution environments, including browser sandboxes.

This matters for a specific reason. Modern browsers run in sandboxed processes precisely to contain damage if a malicious website or script executes code. The sandbox is supposed to prevent that code from touching the rest of the system. CVE-2026-40369 breaks that containment. An attacker who gets code running inside a browser tab can use this flaw to escape the sandbox and take full control of the underlying machine.

For a small business, the practical attack chain is straightforward. An employee visits a compromised website or clicks a malicious link. The site delivers a payload that exploits a separate bug in the browser to get code running inside the sandboxed tab. The kernel flaw then escalates that foothold to SYSTEM. The attacker now owns the machine and, by extension, has access to everything that machine can reach on the network, including shared drives, email accounts, and any cloud services with saved credentials.

The fix is a Windows Update. That is it. The patch exists. The question is whether it has been applied.

Check Windows Update on every machine in your business. On Windows 10 and 11, go to Settings, then Windows Update, then Check for Updates. Confirm all pending updates are installed and the machine has been restarted if required.
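Clicking through Settings works for one machine; for an estate you want evidence you can keep. The following is an added example (not from the article) that checks exported hotfix lists from many hosts against one required update. It assumes each machine, or the MSP, supplied the output of `Get-HotFix | Select-Object CSName,HotFixID,InstalledOn | Export-Csv -NoTypeInformation`, that dates are in UK day/month order, and that the KB number to look for is taken from Microsoft's advisory for CVE-2026-40369; no KB number is assumed here. The sample export inside the script is constructed, not real data.

```python
"""Estate-wide check that a given Windows update is present on every host.

Added example, not from the article. Input is one or more concatenated
Export-Csv files of `Get-HotFix | Select-Object CSName,HotFixID,InstalledOn`.
The KB number is an input, not assumed; the sample export is constructed.
"""
import csv
import io
from datetime import date, datetime

# Constructed sample: three hosts, placeholder KB numbers, one blank date.
SAMPLE_EXPORT = """\
"CSName","HotFixID","InstalledOn"
"LAPTOP-01","KB0000001","12/03/2026 00:00:00"
"LAPTOP-01","KB0000002","05/05/2026 00:00:00"
"LAPTOP-02","KB0000001","12/03/2026 00:00:00"
"LAPTOP-02","KB0000003",""
"RECEPTION-PC","KB0000002","06/05/2026 00:00:00"
"""

DATE_FORMATS = ("%d/%m/%Y %H:%M:%S", "%d/%m/%Y")   # UK locale assumed


def parse_installed_on(value):
    """Export-Csv writes InstalledOn in the machine's locale; blank is common."""
    value = (value or "").strip()
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(value, fmt).date()
        except ValueError:
            continue
    return None


def load_export(text):
    """Return {host: {KB: installed_on date or None}}. A repeated header row
    (from concatenating several exports) is skipped."""
    hosts = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row["HotFixID"] == "HotFixID":
            continue
        host = hosts.setdefault(row["CSName"].upper(), {})
        host[row["HotFixID"].upper()] = parse_installed_on(row["InstalledOn"])
    return hosts


def check_estate(hosts, required_kb, expected_hosts=(), as_of=None, max_age_days=30):
    """One verdict per host. A host you expected to see but have no export
    for is reported as NO EVIDENCE, which is itself a finding."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    as_of = as_of or date.today()
    required_kb = required_kb.upper()
    results = {}
    for host in sorted(set(hosts) | {h.upper() for h in expected_hosts}):
        kbs = hosts.get(host)
        if kbs is None:
            results[host] = {"status": "NO EVIDENCE", "latest": None}
            continue
        dates = [d for d in kbs.values() if d]
        latest = max(dates) if dates else None
        if required_kb in kbs:
            status = "PATCHED"
        elif latest is None or (as_of - latest).days > max_age_days:
            status = "MISSING, NO RECENT UPDATES"   # probably not updating at all
        else:
            status = "MISSING"                      # updating, but this one not in yet
        results[host] = {"status": status, "latest": latest}
    return results


if __name__ == "__main__":
    report = check_estate(load_export(SAMPLE_EXPORT), "KB0000002",
                          expected_hosts=["WAREHOUSE-PC"], as_of="2026-05-10")
    for host, r in report.items():
        print(f"{host:<14} {r['status']:<28} last update: {r['latest']}")
```

Run it against real exports with the KB number from Microsoft's advisory and keep the output with the date: that is the written, verifiable record the rest of this article asks you to hold your provider to. Hosts flagged as not updating at all deserve a look before the next critical patch, not after.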

If your machines are managed by an MSP, ask them to confirm in writing that this patch has been deployed across your estate. A response of “we’ll get to it” is not acceptable for a CVSS 9.8 kernel vulnerability with public technical disclosure.

Also on the Radar: The LiteSpeed cPanel Flaw

CISA added CVE-2026-48172 to its Known Exploited Vulnerabilities catalogue this week. This affects the LiteSpeed cPanel plugin and enables root privilege escalation on web hosting servers.

If your business uses cPanel-managed web hosting, contact your hosting provider today and ask whether this has been patched on your server environment. This is not something you can patch yourself; it sits at the hosting infrastructure level. But it is something you can and should ask your provider about directly.

CISA’s KEV designation means this is actively being exploited in real attacks, not theoretical. Hosting providers who have not yet patched this are running infrastructure exposed to an exploit known to be in use.

How This Gives You an Edge

Most small businesses will not hear about any of these vulnerabilities this week. Their IT provider may not mention them. Their MSP may quietly deploy patches without explanation. Or nothing will happen at all.

The businesses that treat threat intelligence as actionable, rather than as background noise, are the ones that get ahead of incidents rather than responding to them.

Being able to say to a client or partner, “we identified and patched two critical vulnerabilities within 48 hours of disclosure” is a factual, verifiable differentiator. It is the kind of evidence that holds up in a procurement questionnaire, a cyber insurance renewal, or a Cyber Essentials assessment.

More practically: knowing what to ask your IT provider, and asking it in writing, creates accountability. Providers who know their clients are watching patch timelines are providers who prioritise patch timelines.

Making the Case Internally

If you need to justify urgent action to a director or decision-maker, three points will land:

First, both CVE-2026-8760 and CVE-2026-40369 score 9.8 out of 10 on the industry severity scale. That is not a rounding error. The scoring reflects the combination of ease of exploitation, no authentication required, and full system compromise as the outcome.

Second, the LiteSpeed flaw is confirmed as actively exploited by CISA, the US government’s cybersecurity agency. “Actively exploited” means attackers are using this right now, against real targets. Small businesses are included in that population.

Third, the cost of patching is a staff member spending time on Windows Update and a five-minute conversation with your hosting provider. The cost of not patching is a potential breach, ICO notification obligation, customer notification, and reputational damage. The risk calculus is not complicated.

What to Do Before the End of the Week

  1. Check every WordPress site your business operates. Log into the admin dashboard and confirm whether the “Login with OTP” plugin is installed. If it is, disable it immediately and contact the plugin vendor or your web developer for confirmation of a patched version before re-enabling.

  2. Run Windows Update on every machine. Do not assume it has already happened. Physically confirm it on each device, or obtain written confirmation from your IT provider that the CVE-2026-40369 patch has been deployed and verified.

  3. Contact your web hosting provider about the LiteSpeed cPanel flaw. Ask specifically whether CVE-2026-48172 has been patched on your hosting environment. Request a written response.

  4. Document your actions. A brief email thread or a note in your incident log showing that you identified these vulnerabilities and took specific action is evidence of due diligence. It matters for insurance claims, ICO investigations, and client assurance.

  5. Brief your staff on the Windows kernel flaw context. They do not need a technical briefing. They need to know: visiting a compromised website on an unpatched machine can result in full system compromise. Keep browsers updated. Do not dismiss update prompts.

Sources

  • NIST NVD: CVE-2026-8760, Login with OTP Plugin Authentication Bypass
  • NIST NVD: CVE-2026-40369, Windows Kernel Privilege Escalation
  • CISA: Known Exploited Vulnerabilities Catalog, CVE-2026-48172 LiteSpeed cPanel Plugin
  • Cyber Security News: CISA Warns of LiteSpeed cPanel Plugin Vulnerability Exploited in Attacks
  • Cyber Security News: Windows Kernel Vulnerability Allows Attackers to Modify Kernel Memory Counters
  • NCSC: Vulnerability and Patch Management Guidance
  • NCSC: Small Business Guide: Cyber Security

Filed under

  • smb-security
  • uk-business
  • credential-theft
  • compliance-failure
  • business-risk
  • remote-access