YellowKey, WordPress Takeovers, and Cameras With No Locks: This Week's Threats UK SMBs Cannot Ignore
Three vulnerability stories landed in the last 24 hours, five CVEs between them. All of them are relevant to UK small businesses, and none of them requires a sophisticated attacker to exploit. Let us go through them in order of practical impact.
Story One: YellowKey Breaks BitLocker With a USB Stick
CVE-2026-45585, publicly named YellowKey, is a zero-day vulnerability affecting Windows BitLocker. A researcher published a working proof-of-concept exploit on GitHub on 12 May. Microsoft has issued a mitigation but, at the time of writing, no patch.
Here is what YellowKey actually does. An attacker with physical access to a Windows 11, Windows Server 2022, or Windows Server 2025 machine can bypass full-disk BitLocker encryption. The requirement: a USB stick loaded with the exploit, inserted at startup, followed by a key combination. The vulnerability, as the Dutch National Cyber Security Centre noted in their advisory, is not in the encryption itself. It is in the Windows Recovery Environment that surrounds BitLocker.
For UK small businesses, this matters immediately. If your staff carry laptops off-site, those devices are now at higher risk. If a laptop is lost or stolen, BitLocker is the control standing between your business data and whoever finds the device. YellowKey means that, until a patch arrives, that control can be bypassed by whoever holds the device.
The CVSS score is 6.8, which sounds moderate. Do not be misled by the number: it is moderate largely because the attack needs physical access, and a public exploit exists. Physical access limits remote opportunists, but it does not limit a disgruntled former employee, a bag thief, or anyone who finds a laptop left on a train.
Microsoft’s mitigation is available now. It should be applied today, not at the next scheduled maintenance window.
Story Two: Three WordPress Plugins, Three Ways to Lose Your Website
Three separate WordPress plugin vulnerabilities were published in the last 24 hours, each with a CVSS score of 9.8, which is critical severity. Together they illustrate a systemic risk to any UK small business running a WordPress site.
The first, CVE-2026-6555, affects the ProSolution WP Client plugin up to version 2.0.0. The flaw is in how the plugin validates file uploads. Only the first file in an upload array is checked for file type; every subsequent file is processed without validation. An unauthenticated attacker can send a legitimate first file followed by a malicious PHP file, which then sits in a web-accessible directory and can be executed remotely. This is a textbook unauthenticated arbitrary file upload leading to remote code execution.
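To make the "first file only" pattern concrete, here is an added illustration written for this article. It is not code from the ProSolution WP Client plugin (WordPress plugins are PHP); it reproduces the logic pattern the advisory describes, the first element checked and the rest accepted, next to a corrected version that checks every element and also verifies the file's leading bytes. The allow-list, file names and contents are constructed for the example.

```python
"""Model of the upload-array validation flaw described above.

Added illustration, not the plugin's code. `files` stands in for the upload
array a browser, or an attacker, submits in a single multipart request.
"""
import os

# Constructed allow-list for the example.
ALLOWED = {"jpg", "jpeg", "png", "gif", "pdf"}

# Leading bytes expected for each allowed type, so a ".jpg" that is really a
# PHP script is caught even when the extension passes.
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "pdf": b"%PDF",
}


def extension_of(filename):
    """Lower-cased final extension without the dot ('shell.php' -> 'php')."""
    return os.path.splitext(filename)[1].lower().lstrip(".")


def accept_vulnerable(files):
    """Flawed pattern: validate files[0], then treat the whole batch as safe.

    Returns the names that would be written to the upload directory.
    """
    if not files:
        return []
    first_name, _ = files[0]
    if extension_of(first_name) not in ALLOWED:
        return []
    # Every element after the first is never looked at.
    return [name for name, _ in files]


def accept_hardened(files):
    """Corrected pattern: every element must pass extension and content checks.

    Rejects the whole batch on the first failure rather than silently dropping
    one file, so a mixed legitimate/malicious upload fails loudly.
    """
    for name, content in files:
        ext = extension_of(name)
        if ext not in ALLOWED:
            return []
        if not content.startswith(MAGIC[ext]):
            return []  # the extension lies about the content
    return [name for name, _ in files]


# Constructed batch: a JPEG header followed by a PHP file. The PHP body is a
# harmless placeholder, not a real web shell.
JPEG_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF"
BATCH = [
    ("holiday.jpg", JPEG_HEADER),
    ("cmd.php", b"<?php /* placeholder */ ?>"),
]

if __name__ == "__main__":
    print("vulnerable accepts:", accept_vulnerable(BATCH))  # both files land on disk
    print("hardened accepts:  ", accept_hardened(BATCH))    # batch rejected
```

The structural fix is the loop: the check must run per element, not once per request. The extension allow-list and magic-byte check are a second line of defence; the third, independent of any plugin, is configuring the web server so that PHP is never executed from the uploads directory.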
The second, CVE-2026-7284, affects the Easy Elements for Elementor plugin up to version 1.4.4. Its user registration function accepts whatever role the registration request supplies instead of restricting new accounts to a fixed low-privilege role. An unauthenticated attacker can simply register an account and select the administrator role. Full administrative access, with no credentials required beyond the registration form.
The third, CVE-2026-7637, affects the Boost plugin up to version 2.0.3. This is a PHP Object Injection vulnerability: the plugin deserialises attacker-controlled data from a cookie. On its own, the injection needs a suitable gadget chain, usually supplied by another installed plugin or theme, to reach the most damaging outcomes, but the underlying deserialisation flaw is present and exploitable regardless of what else is installed.
If your website runs WordPress and any of these plugins are installed, you have a problem that needs resolving before Friday. The attack surface is your public-facing website, which means no VPN or firewall stands between the attacker and the vulnerability.
WordPress plugins are the most common attack vector against small business websites in the UK. This week’s disclosures are not exceptional. They are routine. The question is whether your website is maintained with the same attention as your email or your accounting software. For most small businesses, the honest answer is no.
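The audit in step 2 of the action list at the end of this piece can be scripted rather than clicked through for each site. The example below is added for this article and is not a tool from WordPress or from the plugin authors. It reads the JSON that WP-CLI prints for `wp plugin list --format=json` (fields: name, status, update, version) and flags the three plugins at or below the highest version the article reports as affected. The plugin slugs are assumptions: the article gives display names only, so confirm each slug against wp-content/plugins/ before trusting a clean result. The plugin list in the block is constructed sample input.

```python
"""Audit a WP-CLI plugin list against the three advisories above.

Added example for this article; slugs are assumed, not confirmed.
"""
import json
import re

# display name -> (assumed slug, highest affected version per the article, CVE)
AFFECTED = {
    "ProSolution WP Client": ("prosolution-wp-client", "2.0.0", "CVE-2026-6555"),
    "Easy Elements for Elementor": ("easy-elements", "1.4.4", "CVE-2026-7284"),
    "Boost": ("boost", "2.0.3", "CVE-2026-7637"),
}
BY_SLUG = {slug: (name, ceiling, cve) for name, (slug, ceiling, cve) in AFFECTED.items()}


def version_key(version):
    """Comparable tuple for dotted versions; pads so '2.0' equals '2.0.0'.

    Numeric prefixes only ('1.4.4-beta' compares as 1.4.4). Enough for plugin
    headers, not a full semver parser.
    """
    parts = []
    for piece in str(version).split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    parts += [0] * (4 - len(parts))
    return tuple(parts[:4])


def audit(plugin_list_json):
    """Return one finding per matching plugin.

    verdict 'affected': installed version is within the reported range.
    verdict 'verify':   installed version is above it. The article does not
                        give the fixed version, so check the vendor changelog
                        rather than assuming a newer build is safe.
    Inactive plugins are reported too: deactivation leaves the files in the
    web root; only deletion removes them.
    """
    findings = []
    for plugin in json.loads(plugin_list_json):
        slug = plugin.get("name")
        if slug not in BY_SLUG:
            continue
        display, ceiling, cve = BY_SLUG[slug]
        installed = plugin.get("version", "0")
        within = version_key(installed) <= version_key(ceiling)
        findings.append({
            "slug": slug,
            "plugin": display,
            "cve": cve,
            "installed": installed,
            "status": plugin.get("status", "unknown"),
            "verdict": "affected" if within else "verify",
            "action": ("update to a fixed release or delete the plugin"
                       if within else "confirm the fixed version with the vendor"),
        })
    return findings


# Constructed WP-CLI output. A real run would be:
#   wp plugin list --format=json > plugins.json
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": "easy-elements", "status": "active", "update": "available", "version": "1.4.4"},
    {"name": "boost", "status": "inactive", "update": "none", "version": "2.0.3"},
    {"name": "prosolution-wp-client", "status": "active", "update": "none", "version": "2.1.0"},
])

if __name__ == "__main__":
    for f in audit(SAMPLE_WP_PLUGIN_LIST):
        print(f"{f['verdict']:8} {f['slug']} {f['installed']} ({f['status']}) "
              f"{f['cve']}: {f['action']}")
```

Run it against each site's exported plugin list and you have a dated record of what was checked, which is exactly the evidence a client will ask for later. Note the 'verify' verdict: a version above the reported ceiling is not proof of a fix until the author's changelog says so.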
Story Three: ZKTeco Cameras Are Broadcasting Their Own Credentials
CVE-2026-8598 affects security cameras manufactured by ZKTeco. The vulnerability is an undocumented configuration export port that requires no authentication to access. When queried, it returns sensitive information about the camera, including account login credentials.
ZKTeco’s own advisory states that successful exploitation gives an attacker full administrative control over the device. The company is urging customers to apply a firmware update immediately. To obtain the patch, customers must contact ZKTeco or their regional partner directly.
For UK small businesses, ZKTeco cameras are common in retail environments, offices, and light commercial premises. They are frequently installed by facilities teams or low-cost integrators and then forgotten. They sit on the same network as business computers. They are rarely patched.
An attacker who gains administrative access to a network camera can, depending on network configuration, use that device as a foothold to probe the rest of the network. A camera on your office LAN is not an isolated device. It is a node. Putting cameras on their own network segment, with no route to workstations and servers, limits how far that foothold reaches; it does not remove the need for the firmware update.
This is the IoT (Internet of Things) security problem in miniature: devices installed for a specific purpose, connected to the business network, never updated, and carrying credentials that have not changed since the day they were installed.
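Step 3 of the action list asks for a network scan and an inventory. The block below is an added example for this article, not a ZKTeco or nmap tool: it parses the normal output of an nmap ping sweep (`nmap -sn 192.168.10.0/24 -oN scan.txt`) into a host inventory and picks out hosts whose MAC vendor string contains "ZKTeco". The scan text is constructed, with locally administered (02:...) MAC addresses that belong to no real vendor; nmap's vendor label comes from its own MAC-prefix database, and it is only shown when the scanner sits on the same network segment as the camera.

```python
"""Turn `nmap -sn` normal output into a host inventory and flag a vendor.

Added example for this article. Sample scan output is constructed.
"""
import re

# "Nmap scan report for host.name (10.0.0.5)" or "Nmap scan report for 10.0.0.5"
REPORT = re.compile(
    r"^Nmap scan report for (?:(?P<host>\S+) \((?P<ip>[\d.]+)\)|(?P<ip_only>[\d.]+))$"
)
# "MAC Address: AA:BB:CC:DD:EE:FF (Vendor Name)"; the vendor part may be absent.
MAC = re.compile(
    r"^MAC Address: (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})(?: \((?P<vendor>[^)]*)\))?$"
)


def parse_nmap_sn(text):
    """Return a list of {ip, hostname, mac, vendor} dicts, one per host up."""
    hosts = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = REPORT.match(line)
        if m:
            current = {
                "ip": m.group("ip") or m.group("ip_only"),
                "hostname": m.group("host"),
                "mac": None,     # stays None for the scanning host itself
                "vendor": None,  # or when nmap has no prefix match
            }
            hosts.append(current)
            continue
        m = MAC.match(line)
        if m and current is not None:
            current["mac"] = m.group("mac").upper()
            current["vendor"] = m.group("vendor")
    return hosts


def find_vendor(hosts, needle="zkteco"):
    """Hosts whose nmap vendor label contains `needle` (case-insensitive)."""
    return [h for h in hosts if h["vendor"] and needle.lower() in h["vendor"].lower()]


# Constructed output of: nmap -sn 192.168.10.0/24 -oN scan.txt
SAMPLE_SCAN = """
Starting Nmap 7.94 ( https://nmap.org ) at 2026-05-13 09:00 BST
Nmap scan report for 192.168.10.1
Host is up (0.0012s latency).
MAC Address: 02:00:00:00:00:01 (Unknown)
Nmap scan report for reception-pc.office.local (192.168.10.22)
Host is up (0.0031s latency).
MAC Address: 02:00:00:00:00:22 (Unknown)
Nmap scan report for 192.168.10.40
Host is up (0.0040s latency).
MAC Address: 02:00:00:00:00:40 (ZKTeco)
Nmap scan report for 192.168.10.41
Host is up (0.0044s latency).
MAC Address: 02:00:00:00:00:41 (ZKTeco)
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.50 seconds
"""

if __name__ == "__main__":
    inventory = parse_nmap_sn(SAMPLE_SCAN)
    print(f"{len(inventory)} hosts up")
    for cam in find_vendor(inventory):
        print("ZKTeco device:", cam["ip"], cam["mac"])
```

Treat the vendor match as a starting point, not the inventory. A camera sold under another brand, or one reached through a router, will not carry a ZKTeco label here; the full host list is what you walk through with the facilities team to account for every unnamed device.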
Why These Three Stories Belong Together
YellowKey, the WordPress plugin cluster, and the ZKTeco camera flaw look like unrelated incidents. They are not.
All three share a common characteristic: they exploit something the defender has stopped thinking about. BitLocker is assumed to work. WordPress plugins are assumed to be maintained by someone. Security cameras are assumed to be outside the IT threat model.
The attacker’s playbook is built on those assumptions. The defender’s job is to break them.
For a UK small business, the realistic threat is not a nation-state actor deploying novel zero-days. It is opportunistic criminals scanning the internet for known vulnerable plugin versions, or a former staff member who knows your laptops leave the building every evening. The vulnerability intelligence published in the last 24 hours serves that threat model directly.
How This Gives You an Advantage
Being able to respond to specific named vulnerabilities within days of disclosure is a credible differentiator when you are speaking to clients who care about data security. Most small businesses cannot do this because most small businesses do not have someone reading the intelligence.
If you run a WordPress site for a client, patching their plugins proactively and telling them you did it is a concrete demonstration of value. If you have staff who carry laptops, applying the BitLocker mitigation before a client asks whether you have is the difference between a managed risk and an embarrassing conversation.
This is not about marketing. It is about the practical reality that clients increasingly ask security questions during procurement. Being able to answer them specifically, with reference to what you actually did last week, is worth more than a certification badge on a website.
Making the Business Case
If you need to justify the time and cost of addressing these vulnerabilities to a director or budget holder, three points:
The BitLocker bypass has a public exploit. The attack code is on GitHub. The question is not whether this will be used by criminals; it is whether it will be used against your laptops. Applying Microsoft’s mitigation costs nothing except time.
WordPress plugin attacks are automated. Attackers do not manually search for vulnerable sites. They run scanners. If your site runs a vulnerable plugin version, it will be found. A compromised website that serves malware to your clients is a reputational incident, potentially a contractual incident, and a UK GDPR personal data breach if customer data on the site is exposed, all at once.
The ZKTeco patch requires a call to the vendor or reseller. That is the entire cost of fixing a vulnerability that could hand an attacker a foothold on your office network. The cost of not making that call is considerably higher.
What to Do This Week
1. Apply the Microsoft BitLocker mitigation for CVE-2026-45585 today. Do not wait for a patch. Microsoft’s mitigation guidance is available on their security advisory page. If you have an MSP, contact them this morning and ask specifically whether this has been applied to your Windows 11 and Windows Server machines.
2. Audit your WordPress plugins immediately. Log into the WordPress admin panel for every site you manage or have responsibility for. Check for ProSolution WP Client, Easy Elements for Elementor, and Boost. If any are installed, update to a fixed release where the author has published one; otherwise delete the plugin rather than merely deactivating it, because a deactivated plugin's files remain in the web root. If you do not know who manages your WordPress site, find out today.
3. Identify ZKTeco cameras on your network. If you have ZKTeco cameras, contact your supplier or ZKTeco directly to obtain the firmware update for CVE-2026-8598. If you do not know what cameras are on your network, that is a separate problem worth solving: ask your IT support to run a network scan and produce an inventory.
4. Review your laptop loss and theft procedure. Given the YellowKey disclosure, this week is a practical moment to verify that your mobile device policy is current. Confirm that BitLocker is enabled on all laptops and that protection is actually on (a suspended BitLocker volume still reports as encrypted but protects nothing), that the mitigation has been applied, and that you have a documented process for what happens when a laptop goes missing.
5. Brief your staff on physical security this week. YellowKey requires physical access. The simplest mitigation for a small business is staff awareness: laptops do not get left unattended in cars, in coffee shops, or in conference rooms. That briefing costs nothing and reduces the attack surface immediately.