#270 – Droip Merged into Kirki, Two More Plugin Backdoors, Open Letter to WooCommerce and Woo Community

Hello!

This week on The WP Week Newsletter, we cover Themeum merging its no-code builder Droip into Kirki, the call for host cities for WordCamp India, an open letter to WooCommerce and the Woo community by Rodolfo Melogli, a new UI for managing Custom Post Types in Gutenberg, new projects, and more.

Don’t forget to subscribe and listen to the podcast version of this newsletter, where you can hear more details and discussions about these topics and more.

New around here? Don’t miss the next issue, sign up now. Got something to share – connect with us.

See you next week!

Team WP-CONTENT.CO

🙌 This weekly newsletter is kindly sponsored by ProfilePress, 20i and WP Job Openings

ProfilePress – Create membership sites & sell subscriptions on WordPress Check it out  →

Always-on, always-fast WordPress Hosting you’ll fall in love with. Check it out  →

Create a career page and start recruiting talents in a few minutes Check it out  →

🗣️TALK OF THE TOWN

Themeum has integrated Droip into Kirki, transforming the widely used customizer toolkit framework plugin into a combined website builder and customizer, a move that expands its capabilities while sparking debate over its changing direction.

📰  WORDPRESS & AROUND

All the updates around WordPress and its closely related technologies

The WordPress Community team has officially opened the call for host cities for WordCamp India, which will debut as the fourth flagship WordCamp event. Applications are now being accepted, with a deadline at the end of June 2026.

  • Peer review requested for hands-on WordPress Meetup Activity Library: Destiny Kanno is building a free library of structured, peer-reviewed kits to help WordPress meetup organizers run hands-on activities instead of just presentations. Each kit will include facilitator guides and slides across topics like plugin development, Gutenberg blocks, performance, SEO, security, WooCommerce, and more, with peer review support and an AI prompt set to help organizers create their own sessions.
  • WP Accessibility Knowledge Base updated: Rian Rietveld shared an April 2026 update to the WP A11y Docs, introducing new and expanded guidance on alternative text, headings, links, an introduction to WCAG, and more. Work is also underway on accessibility testing documentation, updates to the Themes Handbook accessibility-ready tag, and a proposed “Can I Use” section for core block accessibility status.
  • WordPress Academy for young people in Krakow: This was a pilot project of the Polish WordPress community that brought over 60 high school students together for a hands-on introduction to WordPress, where they learned setup, SEO, accessibility, AI use, and live development while building seven different real-world school projects.
  • WordPress Student Clubs build momentum: WordPress Student Clubs are extending Campus Connect by turning one-time workshops into ongoing, student-led communities on campuses. This early impact is already visible in events like the International Women’s Day celebration in Ajmer, where more than 50% of attendees came from student clubs, showing how campus activity is beginning to connect directly with the wider WordPress community.
  • Gutenberg 23.2 will add a UI for managing Custom Post Types: This will allow users to manage custom post types natively and naturally from the WP admin interface.
  • WooCommerce Subscriptions Health Check Tool released: This lets WooCommerce store owners identify subscriptions that are on manual renewal instead of auto-renewal. The tool was released in response to a bug identified and reported by Sybre Waaijer.
  • Breeze Cache plugin security advisory: A vulnerability in Breeze Cache (versions ≤ 2.4.4) that could allow unauthenticated file uploads and remote code execution under specific configurations has been patched. Users are advised to update to the latest version immediately; since the issue involves file uploads, sites that were exposed should also review their upload and cache directories for files they did not create.
  • Austin Ginder uncovers two more plugins with a backdoor: The Scroll To Top plugin (20,000 installs) was found to use a hidden external update channel that delivered a modified version with content-injection capabilities, outside WordPress.org’s control. After the report, WordPress.org closed the plugin and released a cleaned version, but sites that previously received updates from the external channel may still be running the modified code unless it is manually removed; a plugin update alone does not undo what an earlier sideloaded version left behind. Secondly, the Quick Page/Post Redirect plugin was also found to contain a backdoor, and the Plugins Team has temporarily closed it.
  • cPanel zero-day exploited for months before patch release: A critical cPanel zero-day (CVE-2026-41940) has been actively exploited in the wild since at least February before a patch was released in April. The vulnerability was reportedly exploited before public disclosure, and although patches are now available, millions of exposed instances remain at risk, prompting urgent updates and firewall mitigations from hosting providers.
  • Wordfence Intelligence Weekly WordPress Vulnerability Report (April 20, 2026 to April 26, 2026): Last week, there were 157 vulnerabilities disclosed in 122 plugins and 27 themes.
  • PyTorch Lightning compromised with two malicious package versions published: A supply chain attack on the PyTorch Lightning package saw two malicious versions (2.6.2 and 2.6.3) uploaded, embedding code that steals developer credentials and propagates infected packages.
  • Court orders sworn declaration from Matt Mullenweg: The Judge has ordered Matt Mullenweg to provide a sworn declaration addressing alleged deletion and preservation issues involving Signal messages, X posts, Slack communications, and WordPress plugin reviews, citing incomplete discovery responses and requiring detailed explanations ahead of deposition. Also, the Judge has denied Automattic’s request to force a separate device search of Silver Lake executives.
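The Scroll To Top item above describes an update channel that bypasses WordPress.org. A practitioner’s first question is how to find such a channel in the plugins already installed. The scanner below is an added example, not code from the newsletter, from Austin Ginder, or from any plugin mentioned; it assumes (as a labelled assumption) that a sideloaded update channel is implemented the usual way, by hooking one of WordPress core’s update filters and pointing the package URL at a host other than downloads.wordpress.org. The hook names are real core filters; the sample plugin sources and the `.invalid` hosts are constructed for the example. Findings are leads for manual review, not verdicts: commercial plugins legitimately self-host updates too.

```python
"""Static scan of installed WordPress plugin sources for self-hosted update channels.

Added example (not from the page or any plugin it names).  Assumption: a plugin
that sideloads updates hooks one of the core update filters below and names a
download host other than WordPress.org.  Run against wp-content/plugins/<slug>.
"""
import re
from pathlib import Path
from typing import Dict, List

# Core filters through which a plugin can substitute its own update source.
UPDATE_HOOKS = (
    "pre_set_site_transient_update_plugins",
    "site_transient_update_plugins",
    "plugins_api",
    "upgrader_pre_download",
)
HOOK_RE = re.compile(r"add_filter\s*\(\s*['\"](" + "|".join(UPDATE_HOOKS) + r")['\"]")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
# Header lines where an external host is normal (plugin homepage, author site).
HEADER_SKIP_RE = re.compile(r"^\s*\*?\s*(Plugin|Author)\s+URI\s*:", re.I)
# 'Update URI' is the declared way to self-host updates; flag it when not WordPress.org.
UPDATE_URI_RE = re.compile(r"^\s*\*?\s*Update\s+URI\s*:\s*(\S+)", re.I)
TRUSTED_HOSTS = {"wordpress.org", "api.wordpress.org", "downloads.wordpress.org"}


def _host(url: str):
    m = URL_RE.match(url)
    return m.group(1).lower() if m else None


def scan_source(path: str, source: str) -> List[Dict[str, object]]:
    """Return findings for one PHP file: update hooks, non-WordPress.org Update URI
    headers, and non-WordPress.org URLs outside the homepage/author header lines."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = UPDATE_URI_RE.match(line)
        if m:
            host = _host(m.group(1))
            if host and host not in TRUSTED_HOSTS:
                findings.append({"file": path, "line": lineno, "kind": "update_uri", "detail": host})
            continue
        if HEADER_SKIP_RE.match(line):
            continue
        for m in HOOK_RE.finditer(line):
            findings.append({"file": path, "line": lineno, "kind": "update_hook", "detail": m.group(1)})
        for m in URL_RE.finditer(line):
            host = m.group(1).lower()
            if host not in TRUSTED_HOSTS:
                findings.append({"file": path, "line": lineno, "kind": "external_host", "detail": host})
    return findings


def classify(findings: List[Dict[str, object]]) -> str:
    """'review' = hooks the update path AND names a non-WordPress.org host;
    'info' = declared self-hosted updates or a hook with no obvious host; else 'clean'."""
    kinds = {f["kind"] for f in findings}
    if "update_hook" in kinds and "external_host" in kinds:
        return "review"
    if "update_uri" in kinds or "update_hook" in kinds:
        return "info"
    return "clean"


def scan_plugin_dir(plugin_dir: Path) -> List[Dict[str, object]]:
    """Scan every .php file under one plugin directory."""
    out: List[Dict[str, object]] = []
    for php in sorted(plugin_dir.rglob("*.php")):
        out.extend(scan_source(str(php.relative_to(plugin_dir)), php.read_text(errors="replace")))
    return out


# Constructed sample sources (not taken from any real plugin).
SAMPLE_CLEAN = """<?php
/**
 * Plugin Name: Example Widget
 * Plugin URI:  https://example.invalid/widget
 * Author URI:  https://example.invalid
 */
add_action('wp_footer', 'example_widget_render');
"""

SAMPLE_SIDELOAD = """<?php
/**
 * Plugin Name: Example Scroller
 */
add_filter('pre_set_site_transient_update_plugins', 'example_scroller_check');
function example_scroller_check($transient) {
    $pkg = 'https://updates.example.invalid/example-scroller.zip';
    $transient->response['example-scroller/example-scroller.php'] = (object) [
        'slug' => 'example-scroller', 'new_version' => '9.9', 'package' => $pkg,
    ];
    return $transient;
}
"""

if __name__ == "__main__":
    for name, src in (("clean.php", SAMPLE_CLEAN), ("sideload.php", SAMPLE_SIDELOAD)):
        found = scan_source(name, src)
        print(name, classify(found))
        for f in found:
            print(f"  {f['file']}:{f['line']} {f['kind']} {f['detail']}")
```

Point `scan_plugin_dir` at each directory under `wp-content/plugins` and start with anything classified `review`. A hit there should be followed by diffing the installed files against the archive of the same version from WordPress.org, since a sideloaded build is precisely the case where the two differ.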

🔧 TIP OF THE WEEK

Avoid Hardcoding URLs
Tip: Never write your site’s domain or paths into theme or plugin code; they break the moment the site moves hosts, changes scheme, or runs a staging copy. Always use:

get_template_directory_uri() – the URL of the active theme directory, for theme assets
home_url() – the site’s front-end address (the “Site Address” setting)
site_url() – the address where WordPress is installed (the “WordPress Address” setting, which can differ from home_url())

Pass any of these through esc_url() when printing them into HTML.

👥 COMMUNITY NEWS

Updates and News from the WordPress Community

Rodolfo Melogli reflects on the WooCommerce ecosystem, highlighting its strength in open-source freedom and community, while urging WooCommerce and its users to collaborate more closely to shape its future.

🚀 NEW PROJECTS
What started as a small replacement for an abandoned plugin slowly turned into something much bigger: a flexible image creation system for WordPress publishing workflows.

Xaver, on creating CoverKit.
  • CoverKit: Created by Xaver, it allows users to turn their posts, products, and custom fields into repeatable, branded visuals on their own server, within their existing workflow.
  • WP HealthKit: This is an AI-powered WordPress plugin and theme security audit tool that runs 39 verification layers using 26 deterministic scanners and 4 AI engines. It analyzes uploaded ZIP files to deliver findings, severity levels, and exact code fixes, with features like an autofix engine and continuous site monitoring.
  • Recently Edited: Developed by Jon Schroeder, the plugin is designed to speed up site development by making it easier to navigate, manage, and edit content from anywhere, with features like quick navigation, inline editing, and one-click access to key post details.
  • EU Withdrawal Compliance: The plugin by Fernando Tellado, adds the EU online withdrawal function required by Directive (EU) 2023/2673, which is mandatory from 19 June 2026 for every online retailer in the European Union.
  • WP Block Composer: This is a dynamic WordPress block generation tool for exploring block configurations and generating boilerplate code.
  • WP Beacon: A new project by Austin Ginder, it tracks every plugin on WordPress.org, its authors, committers, and releases, to flag ownership transfers, dormant-then-activated takeovers, and release patterns that match known attacks.
  • Wp-block-grab: The new tool by Slava Abakumov helps AI coding assistants work more accurately with the WordPress Block Editor by pinpointing the exact source file, component, and line number behind any clicked element, making it easier to identify and edit the right code.
  • Shorthand for WordPress: The new plugin brings the Shorthand editor directly into WordPress, thereby allowing users to create and publish stories directly from their website without needing to create stories in Shorthand and later embed them.
  • GigPress Reborn: András Guseo has revived the GigPress plugin, which lets users manage and display live shows, tour dates, artists, and venues.
  • Static Site Importer: Created by Chris Huber, this plugin allows users to import static HTML sites into WordPress block themes.
  • YouTube Video Sync for WP: The plugin by WebDevStudios connects users’ YouTube channels to their site and automatically imports videos as native Video posts, complete with titles, descriptions, featured images, and embed-ready links.
  • rtCamp has released three new connectors for the WordPress AI plugin: Connector for OpenRouter, Connector for LM Studio, and Universal Open AI Connector are now available.
  • CraftForms: A new form builder plugin that lets users create professional forms quickly with a visual drag and drop interface, built in spam protection, email template design, and built-in REST API endpoints.
  • Introducing The Guild: Remkus de Vries announced The Guild, a paid membership for WordPress builders, developers, and agencies focused on improving their craft through structured learning, practical frameworks, and focused discussions aimed at leveling up real-world skills and decision-making.

🔖 INTERESTING READS & PODCASTS

More posts and podcasts from the WordPress Community you don’t want to miss

  • On this episode of Do the Woo, hosts Katie Keith and James Kemp are joined by Patrick Rauland, Remkus de Vries, and Rodolfo Melogli to reflect on Checkout Summit in Palermo and share ideas and practical lessons from the event.
  • Robby McCullough, co-founder of Beaver Builder, joined the WP Tavern Jukebox podcast to reflect on over a decade of shaping WordPress workflows, unpack why his team held back on early AI hype, and more.
  • On The WP Minute’s Agency Action podcast, Toby and Kurt argue that AI isn’t replacing agencies, but that many are limiting growth through underpricing and should adapt by embracing AI, productizing services, and focusing on recurring, growth-driven models.
  • Ivana Cirkovic from WPBakery recaps CloudFest 2026 as a key industry event where the focus shifted to real-world infrastructure challenges, with AI, security, compliance, and digital sovereignty at the center. They also recapped Web Agency Summit 2026 as a four-day deep dive into how agencies must evolve, with key themes shifting from systems and AI adoption to ownership and clarity.
  • Daniel from WP103 tested WordPress by installing 300+ plugins on a fresh site, monitoring performance, errors, and server resources.
  • Chris Lema argues that while WordPress 7’s AI features improve content creation, they don’t solve the core challenge of design, which is an architectural problem about where design decisions live.
  • Daniel Miessler argues that most companies aren’t truly ready for AI, not because of the technology, but because they lack clear goals, structure, and self-awareness.
  • Mitchell Hashimoto announces that the Ghostty project is leaving GitHub, citing ongoing outages and reliability issues that have disrupted his workflow.
  • Lora Raykova explores how ACF Blocks and native Gutenberg blocks differ in real-world WordPress workflows, highlighting that the choice is less about capability and more about development approach.
  • Michal Barus shared why his agency left WordPress for a lean, AI-powered stack, trading plugins and manual work for faster performance, lower costs, and simpler workflows.
  • Varun Dubey breaks down how WooCommerce plugin bloat is hurting store performance in 2026, and shows how profitable stores avoid conflicts by running lean, well-audited plugin stacks.
  • Remkus de Vries says that AI is no longer just a tool for code or content in WordPress, but is reshaping how WordPress businesses operate, from products and services to support, strategy, and customer expectations.
  • Adithya Kane marks the 300th essay of HeroPress by reflecting on Topher DeRosia and his impact in creating a space for people across the WordPress community to share their stories.

🛠 GUIDE ZONE – HOWTO’S and MORE

Handpicked fresh guides from WordPress circle

📆 SAVE THE DATES

Do not miss a WordPress event ever again

🎁 WORDPRESS DEALS OF THE WEEK

Again, these are the best deals of the week, handpicked by yours truly!

EXCLUSIVE DEALS
  • 4 Months free offer on hosting plans of WP Engine (Coupon Code- FREEDOMTOCREATE)
  • 10% off on monthly & annual plans at SureTriggers (Coupon Code- WPCONTENT10)
  • Up to 84% off at Hostinger (Code NYSALE for an extra 10% off)
  • 15% off yearly plans at Videvo (Coupon Code – WPV15)
MORE DEALS


Last but not least, updates from WP-CONTENT.CO 👇

WordPress development has long been divided into two distinct worlds: the PHP-driven backend that millions of developers built…

Themeum has integrated Droip into Kirki, transforming the widely used customizer toolkit framework plugin into a combined website…

The WordPress Community team has officially opened the call for host cities for WordCamp India, which will debut…

Hostinger has a new deployment solution for developers – “a new way to deploy Node.js apps”—focused on speed,…

Team WP-CONTENT.CO


Built with Newsletter Glue.