WordPress 6.8.2 included an update to the root security certificate bundle. This has now been backported to branches 4.7 to 6.7 and the updates to those versions are available now.

And the solution to AI bots scraping your data and Google now providing answers and not links to your site is … tollbooths. I’m not sure how much money Tollbit is collecting, but it looks like Cloudflare is going to do it also.

Patchstack released a mid-year vulnerability report. There is some self-congratulation of their success as Patchstack now reports far more CVE’s than others in the WordPress space, but also now they apparently file more security issues than Microsoft. An interesting insight is that more than half of the vulnerabilities reported so far this year can be exploited without needing to hack credentials or have site access.

Advanced Custom Fields version 6.4.3 is now available. This release contains several security fixes for ACF and ACF PRO, including additional HTML escaping for field group labels, post titles, and Select2 elements to prevent JS vulnerabilities in the WordPress admin. These vulnerabilities all required an ACF admin user to save malicious HTML. For this reason, it’s important to only ever import ACF JSON files from trusted sources.

Roger Montti pulls some highlights from Cloudflare’s report on DDoS attacks.

Supply chain attack found in Gravity Forms. Here are the details as they are unfolding.

A German court ruled that Meta tracking pixels on third party sites violates the GDPR.

It looks like WordFence is following in Patchstack’s footsteps and is now offering a Vulnerability Management service for plugin and theme developers.

If you are still running sites with WordPress 4.1 through 4.6 then take note that security back-ports will no longer be available. Usage of these versions is very low.