The start of 2026 marks a major transition for the WordPress ecosystem. Following the December 2, 2025 launch of WordPress 6.9 “Gene”, the focus has shifted toward the revolutionary WordPress 7.0. With the introduction of the Abilities API and deeper AI integration, the threat landscape is changing; attackers are now using automated AI tools to scan for vulnerabilities in these new interfaces faster than ever.
1. WordPress Core: The PHP 7.2 & 7.3 Sunset
On January 9, 2026, the Core team released a critical announcement regarding the upcoming WordPress 7.0 (scheduled for April 9, 2026). For a deep dive into what these changes mean for your site’s future architecture, read our full analysis here: [Link]
- End of Support for Legacy PHP: WordPress 7.0 will officially raise the minimum required version to PHP 7.4. Sites still running on PHP 7.2 or 7.3 will be unable to update to the 7.0 branch. You can track official core discussions at: [Link]
- WordPress 7.0 Beta 1: Expect the first public beta on February 19, 2026. This version will be the cornerstone of “Phase 3” of the Gutenberg project, focusing on real-time collaborative editing. More details can be found at: [Link]
2. Critical Plugin Vulnerabilities (Patch Immediately!)
The first two weeks of January 2026 have seen several high-priority (CVSS 7.5–9.8) vulnerabilities. You can monitor daily disclosures via the official Patchstack database: [Link]
High-Risk “Critical” Alerts:
- AS Password Field In Default Registration Form (<= 2.0.0)
  - CVE ID: CVE-2025-14996 (Published Jan 6, 2026).
  - Threat: Critical Privilege Escalation (9.8 CVSS).
  - Details: Allows unauthenticated attackers to reset administrator passwords.
- FS Registration Password (<= 1.0)
  - CVE ID: CVE-2025-15001 (Published Jan 9, 2026).
  - Threat: Authentication Bypass / Account Takeover.
  - Status: Reported via Wordfence Intelligence. Details: [Link]
- Shipping Rate By Cities (<= 2.0.0)
  - CVE ID: CVE-2025-14770 (Published Jan 14, 2026).
  - Threat: Unauthenticated SQL Injection (7.5 CVSS).
  - Details: Vulnerability in the ‘city’ parameter allows unauthorized data extraction.
3. Securing New Features in WP 6.9 “Gene”
WordPress 6.9 introduced features that require new security habits. Official documentation on these changes is available at: [Link]
- The “Notes” System: The block-level commenting system is great for collaboration but creates new metadata. Regularly audit who has “Editor” access to prevent sensitive internal notes from leaking.
- Hide Blocks Feature: Be aware that hidden blocks may still be accessible via the WordPress REST API unless you specifically restrict REST endpoints for those post types.
- The Abilities API: In 2026, ensure your AI-driven plugins are using the native Abilities API to centralize permission management and prevent “AI prompt injection” style attacks.
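One way to apply the REST restriction mentioned for hidden blocks, as an added example (not code from WordPress core or from any plugin named in this post): a small mu-plugin that refuses anonymous REST reads of selected post types, so content that is hidden in the editor is not readable by unauthenticated REST clients. The `EXAMPLE_PROTECTED_POST_TYPES` list and the function name are assumptions; list only post types whose content should never be publicly readable, because this also hides published items of those types from anonymous REST requests.

```php
<?php
/**
 * Plugin Name: Example REST gate for protected post types (added example)
 * Drop into wp-content/mu-plugins/. Requires a logged-in user who can edit
 * the post type before the REST API serves its list or single-item routes.
 */

// Assumed list of post types to gate; adjust for your site.
const EXAMPLE_PROTECTED_POST_TYPES = array( 'page' );

add_filter( 'rest_pre_dispatch', 'example_gate_protected_post_types', 10, 3 );

/**
 * Runs before every REST request is dispatched. Returning a WP_Error here
 * makes the server answer with that error instead of the controller result.
 */
function example_gate_protected_post_types( $result, WP_REST_Server $server, WP_REST_Request $request ) {
	// Another filter already decided this request; leave it alone.
	if ( null !== $result ) {
		return $result;
	}

	$route = $request->get_route(); // e.g. "/wp/v2/pages/42"

	foreach ( EXAMPLE_PROTECTED_POST_TYPES as $post_type ) {
		$type_object = get_post_type_object( $post_type );
		if ( ! $type_object ) {
			continue; // Unknown post type on this site; nothing to gate.
		}

		// Core registers list and item routes under /wp/v2/<rest_base>.
		$rest_base = ! empty( $type_object->rest_base ) ? $type_object->rest_base : $type_object->name;
		$pattern   = '#^/wp/v2/' . preg_quote( $rest_base, '#' ) . '(/|$)#';

		if ( ! preg_match( $pattern, $route ) ) {
			continue;
		}

		// Only users allowed to edit this post type may read it over REST.
		if ( ! is_user_logged_in() || ! current_user_can( $type_object->cap->edit_posts ) ) {
			return new WP_Error(
				'rest_forbidden',
				'You must be able to edit this content to read it over the REST API.',
				array( 'status' => rest_authorization_required_code() ) // 401 anonymous, 403 logged in
			);
		}
	}

	return $result;
}
```

Verify the effect with an anonymous request to `/wp-json/wp/v2/pages` (expect a 401) and the same request with a cookie or application-password session for an Editor (expect 200).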
4. January 2026 Security Checklist
- PHP Audit: Check your hosting. If you are on PHP 7.3 or lower, migrate to 8.2+ before April.
- Roadmap Alignment: Check if your custom themes/plugins are compatible with the 7.0 roadmap: [Link]
- Enforce 2FA: With the rise in “Account Takeover” vulnerabilities this month, Two-Factor Authentication is your most reliable defense.
Is your site protected? Botnets in 2026 can exploit vulnerabilities within hours of disclosure. Instead of just reacting to threats, we recommend a proactive approach. To ensure your site is hardened against the latest exploits, request a comprehensive security review here: [Link]