WordPress Sites Under Siege as 29,000 Attacks Target Unpatched Flaw, While Microsoft and Google Rush Out Critical Fixes
12.06.2026 - 01:03:21 | boerse-global.de
A massive wave of cyberattacks is hammering WordPress installations worldwide, exploiting a critical vulnerability in the Everest Forms Pro plugin that allows complete administrator account takeover. Security firms have logged more than 29,300 attack attempts since mid-April, even though a patch has been available since March—a stark reminder that many site operators still lag on updates. Separately, Oracle warned this week of a critical flaw in PeopleSoft Enterprise PeopleTools (CVE-2026-35273, CVSS 9.8) that lets unauthenticated attackers inject malicious code through crafted HTTP packets. No active exploitation has been reported, but the vulnerability's ease of exploitation makes immediate patching advisable.
On 9 June 2026, Microsoft released its largest-ever batch of security fixes, plugging 206 vulnerabilities—shattering the previous record of 170 patches from October 2025. More than 30 of the flaws are rated critical. Among the most urgent is CVE-2026-41091, an actively exploited privilege-escalation hole in Microsoft Defender. Three additional remote-code-execution vulnerabilities (each scoring CVSS 9.8) hit the Windows kernel, the HTTP service, and the DHCP client. Adding to the concern, security researchers published a proof-of-concept exploit called RoguePlanet that leverages a separate, still-unpatched Defender weakness. Alongside the security fixes, Microsoft delivered functional improvements for Windows 11, including a Low Latency Profile for faster app launches and support for parallel Bluetooth audio output.
Google issued an emergency Chrome update a day earlier, on 8 June, pushing version 149.0.7827.102/.103 to address CVE-2026-11645, a zero-day in the V8 JavaScript engine that is already being exploited in the wild. Attackers can execute arbitrary code within the browser sandbox by luring users to a malicious website. This marks the fifth Chrome zero-day patched in 2026. Because Microsoft Edge, Opera, and other browsers share Chromium's codebase, those vendors also released updates. Germany's BSI and the U.S. cybersecurity agency CISA are urging immediate installation, with a compliance deadline of 23 June for federal agencies in the United States.
Beyond browser and operating system patches, the supply-chain threat is escalating. Researchers uncovered a campaign dubbed Shai-Hulud, orchestrated by a group called TeamPCP, which planted 471 malicious packages in the NPM and PyPI repositories. The attackers employ geofencing and delayed code activation to evade detection, aiming to steal cloud credentials and GitHub tokens—with a particular focus on AI developers and cloud service providers. In response, Microsoft introduced a new safety feature in VS Code 1.123 that postpones automatic updates for third-party extensions by two hours, giving security communities a window to flag suspicious code before widespread installation.
Vulnerabilities are also lurking in older Linux installations. Researchers disclosed CVE-2026-23111, a flaw in the kernel's Nftables subsystem caused by a misplaced exclamation mark in the program code. The bug allows local privilege escalation to root level. While a patch has been available since February 2026, it may not yet be applied on Debian or Ubuntu systems running older updates. On the same day as the Microsoft patch dump, authorities warned about CVE-2026-49975, a denial-of-service vulnerability in HTTP/2 implementations that affects web servers such as Apache, NGINX, and Microsoft IIS. Operators are urged to check for vendor updates immediately.
