Unauthenticated attackers can upload executable PHP files to affected servers via a CVSS 9.8 flaw in the Ninja Forms File Upload add-on. Versions up to 3.3.17 are vulnerable; 3.3.18 is the fix.
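For operators who cannot patch the moment they read an advisory like this, the two questions that matter are "is my installed version in the affected range?" and "has anyone already dropped a PHP file into the uploads tree?". The script below is an added example, not code from the advisory or from the Ninja Forms project: the location of the add-on's main plugin file and of the uploads directory are assumptions to adjust per install; the `Version:` header line is the standard WordPress plugin-header format, and the 3.3.18 threshold comes from the advisory above.

```shell
#!/bin/sh
# Added example: post-advisory triage for the Ninja Forms File Upload flaw.
# Paths passed to these functions are assumptions for the reader's install,
# e.g. /var/www/html/wp-content/plugins/ninja-forms-uploads/ninja-forms-uploads.php
# and /var/www/html/wp-content/uploads.

# Extract the "Version:" value from a WordPress plugin's main file header.
# Plugin headers look like " * Version: 3.3.17" inside a leading /* ... */ comment.
plugin_version() {
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 (true) when the given version is below the fixed release 3.3.18,
# i.e. inside the "up to 3.3.17" range the advisory describes as vulnerable.
# Versions are compared as three numeric components; a missing component is 0.
ninja_upload_vulnerable() {
    echo "$1" | awk -F. '{
        v = $1 * 1000000 + $2 * 1000 + $3
        exit (v < 3003018 ? 0 : 1)
    }'
}

# List files under the uploads directory with extensions a typical Apache or
# PHP-FPM handler would execute. WordPress never writes .php files into
# wp-content/uploads, so every hit is worth a manual look.
find_php_in_uploads() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' \
        -o -iname '*.php[3457]' -o -iname '*.phar' \)
}
```

Typical use is `plugin_version "$PLUGIN_MAIN_FILE"` fed into `ninja_upload_vulnerable`, then `find_php_in_uploads "$UPLOADS_DIR"` regardless of the answer, since a site that was exposed before the update may still carry a dropped file. Removing a found file is not enough on its own: check web server access logs for the POST that created it and for later requests to it.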
PLUGINS
A critical authentication bypass vulnerability in the Burst Statistics plugin affects over 200,000 WordPress sites. Sites running version 1.5.7.2 or earlier need immediate updates.
Yoast AI Content Planner is now live for Premium users, generating site-specific post ideas and structured drafts directly inside the WordPress editor.
Gutenberg 23.1 ships a freeform image cropper, a no-code custom taxonomy manager, parallel thumbnail uploads, and two new @wordpress/ui primitives.