#268 - Woo Subscriptions Bugs Hit Revenue, Vulnerability Actively Exploited, WP Core Dev Environment Toolkit

Issue #268 | April 21, 2026 | Reading time: 23 mins

Hello!

This week on The WP Week Newsletter, we cover the Woocommerce Subscription bugs that caused revenue loss, the new WordPress Core Dev Environment Toolkit, the recent developments in the Automattic vs WP Engine Case, new projects, and more.

Don’t forget to subscribe and listen to the podcast version of this newsletter, where you can hear more details and discussions about these topics and more.

New around here? Don’t miss the next issue, sign up now. Got something to share – connect with us.

See you next week!

Team WP-CONTENT.CO

🙌 This weekly newsletter is kindly sponsored by ProfilePress, 20i and WP Job Openings

Modern WordPress Membership Plugin

ProfilePress – Create membership sites & sell subscriptions on WordPress Check it out →

20i WordPress Hosting

Always-on, always-fast WordPress Hosting you’ll fall in love with. Check it out →

Easy-peasy Recruitment Plugin

Create a career page and start recruiting talents in a few minutes Check it out →

🗣️TALK OF THE TOWN

WooCommerce Subscriptions Bug Linked to Thousands in Lost Revenue: Sybre Waaijer uncovers critical WooCommerce bugs

He identified four critical bugs in WooCommerce Subscriptions that can silently break automatic renewal payments by incorrectly switching subscriptions to manual mode. This prevents charges from being attempted and stops renewal emails, leaving subscriptions to go on hold without any clear warning. Based on his findings, around 7% of subscriptions created over several years may have been affected. Adam Preiser also shared data from analysing one of their smallest Woo Stores, “ $37,000 lost in annual subscriptions! $100,000 estimated loss of revenue!”.

📰 WORDPRESS & AROUND

All the updates around WordPress and its closely related technologies

WordPress Core Dev Environment Toolkit launched

It has been launched to tackle a long-standing challenge in contributing to WordPress core, namely the often time-intensive and complicated process of setting up a local development environment. By simplifying the setup process, the tool addresses a recurring issue during Contributor Days, where participants often spend a significant portion of their time getting their environments ready instead of contributing.

New AI-powered tools for creating WordPress learning materials: Destiny Kanno introduces new AI-powered prompts and a Claude plugin designed to help contributors create standardized WordPress learning materials more efficiently. The tools support tasks like course writing, workshop guides, and slides, while emphasizing that AI acts as a co-creator.
2026 Global Partners has been announced: Automattic (Jetpack + WordPress.com), Woo, and Hostinger have been announced as this year’s Global Partners. They will fund and support global WordCamps, Meetups, and community programs by covering key operational costs like venues, A/V, insurance, and Meetup infrastructure.
Matt Mullenweg requests automation on WordPress.org: He has invited the community to suggest manual tasks on WordPress.org that could be automated, aiming to explore ways to save time and streamline workflows.
What’s new in WordPress AI plugin v0.7.0: This version introduces a new Content Classification experiment, new meta description generation, bulk alt text generation and various other improvements.
Twenty Twenty-Seven theme team announced: The team includes lead designer Henrique Iamarino, Maggie Cabrera, and Carolina Nymark as co-leads, and Juanfra Aldasoro will take on the role of the lead mentor.
Automattic moves to compel discovery from Silver Lake executives: Automattic has filed a motion asking the court to compel two senior Silver Lake executives to produce documents in the WP Engine lawsuit, arguing they are central to decisions about the company’s strategy, finances, and valuation. The motion claims Silver Lake effectively controls WP Engine and that the requested documents are not being adequately produced through existing discovery. WP Engine is also seeking a sworn declaration from Matt Mullenweg over missing WhatsApp, Signal, and Telegram messages in their filings.
Attackers actively exploiting critical vulnerability in Ninja Forms – File Upload plugin: The vulnerability allows unauthenticated attackers to upload malicious files and achieve remote code execution. Users are strongly urged to update to version 3.3.27 immediately.
Wordfence Intelligence Weekly WordPress Vulnerability Report (April 6, 2026 to April 12, 2026): Last week, there were 154 vulnerabilities disclosed in 118 plugins and 23 themes.
WooCommerce 10.7 released: The latest version brings performance gains, improved analytics, accessibility fixes, and broader Store API and checkout stability improvements. It also includes enhancements to the experimental email editor and security hardening, along with API updates and so on.
Supply chain attack hits Vercel: User data is being sold on BreachForums for $2M: A compromised Context AI employee triggered a chain of events that reached a Vercel employee’s Workspace account, leading to a Vercel database breach now being sold on BreachForums for $2M.
Cloudflare Mesh launched: This is a secure private networking system designed for both humans and AI agents to access private resources like APIs, databases, and internal services.

🔧 TIP OF THE WEEK
Use has_block() for Conditional Loading

Tip: Detect block usage before loading assets.

if (has_block(‘acf/slider’)) {
wp_enqueue_script(‘block-slider’);
}

Great for performance in block-based themes.

👥 COMMUNITY NEWS

Updates and News from the WordPress Community

Matt Mullenweg on the Yoast redirect pop-up in the dashboard

Matt Mullenweg sparked discussion after pointing out a Yoast dashboard pop-up that creates redirects when a post URL changes, asking why a core WordPress feature is being wrapped in plugin UI.

Community member Joe di Stefano said the core feature is half-baked, with no visibility into created redirects, no ability to edit or remove them, only the last change persisting, and no documentation. Mian Shahzad Raza criticized Yoast for wrapping core WordPress features in upsell pop-ups that make it hard to distinguish what is native. Marco Almeida clarified that the pop-up relates to a Yoast Premium feature, not the core 301 redirect itself, and explained that a redirect is created every time a post slug changes and all of them persist rather than replacing previous ones. Panos Sakalakis added that Rank Math SEO appears to do similar things.

WP Engine AI Agency Trends Report: The report shows AI is rapidly reshaping digital agencies, with 63% investing in AI tools and 72% already adapting their development practices.
Cloudflare and GoDaddy partner to help enable an open agentic web: GoDaddy is integrating Cloudflare’s AI Crawl Control into its hosting platform, while the partnership also promotes standards like Agent Name Service and Web Bot Auth to help website owners manage AI access, verify agent identities, and support a more transparent, trusted AI-driven web.
The Evergreen Platform launched by Servebolt and Crowd Favorite: The new platform combines Servebolt’s infrastructure (hosting, performance, scalability) with Crowd Favorite’s platform strategy and development. The joint offering provides end-to-end ownership to help enterprises manage complex environments and reduce technical debt.
Modular DS wins the Startup Leóni4 2026 Award: They have been recognized for their international growth and innovation in developing SaaS solutions from León.
Build your store with WooCommerce free course by WordPress.com: This is a free self guided WooCommerce course that teaches you how to build and run an online store step by step. It covers setting up your store, adding products, configuring payments, shipping, taxes, and managing orders.
Building a block theme from scratch workshop resources: Birgit Pauli-Haack shared the complete materials from her WordCamp Asia 2026 workshop in Mumbai on building a WordPress block theme from scratch. The GitHub bundle includes a reference theme, demo content, and setup instructions using WordPress Studio or Playground.
Michael B highlights a drop in April plugin sales: He asks fellow WordPress plugin owners how their April sales are performing, noting that his own numbers are down significantly. Halfway through the month, he has made only about 25% of his usual revenue, putting him on track for his worst month so far, with renewals helping slightly offset the decline.
Danny van Kooten adds login delay to block bots on WordPress sites: He shared that he implemented a 2.5 second delay on WordPress login pages to slow down and effectively block many automated bot login attempts. The code is now available on GitHub.
Brian Coords explores AI-native content modeling for WordPress: He highlighted how content types in WordPress have traditionally relied on third-party plugins built for the pre-block editor era, and introduces an early alpha prototype that reimagines this approach.
Jonathan Bossenger on WordPress needing collaborative editing: He challenges the view that collaborative editing isn’t necessary in WordPress, emphasizing that in many real-world setups, multiple contributors need to work on the same content simultaneously, making collaboration a practical requirement rather than an optional feature.
Sumit Singh receives the Yoast Care fund for his contribution to the WordPress community: Sumit Singh, a member of the WordPress Community Team is the latest recipient of the Yoast Care fund.
FluentCart’s Q1 2026 roundup: FluentCart reports a major quarter with over 1500 commits and delivery of key roadmap goals including a visual email builder, SKU based inventory, Mercado Pago integration, Elementor compatibility, and ghost products.
Style Variables introduced in Themify: The new feature has been added to the Builder and Customizer, allowing users to define reusable values for colors, fonts, and spacing and apply them across the site for consistent design.
Tutor LMS 4.0 Beta 2 launched: This introduces a new Graph quiz type, a new question preview functionality in the quiz builder, improvements to the Instructor Quiz Attempts view, and so much more.
Activity Log Pro v1.0.5 now live: This version adds new security alerts, an option to exclude media attachments deleted from Excluded Post Types, and so on.
FluentAffiliate v1.4.0 released: This release introduces recurring Commissions for WooCommerce, new SliceWP migration, improved data export tools, and much more.
Claudaborative Editing v0.5.2 released: The update introduces new connection support with Claudaborative Cloud, a resizable Compose sidebar, and improved language-aware prompts.
Cover block parallax style v1.2.0 is now available: This version resolves inconsistencies between editor and frontend speeds, fixes bugs related to mobile resizing and initialization, and limits infinite iframe polling in the editor. The update also adds a new per-block “Disable on mobile” option, increases background oversizing to prevent visual gaps, and improves performance by moving scripts to the footer.
Customize with AI coming in Strakture 1.2: The upcoming feature will allow users to edit any block or pattern in the WordPress block editor using simple prompts. Users will be able to update images, rewrite copy, adjust colors, and modify settings across any block, pattern, or theme.
Steve Burge highlights media library improvements set for WordPress 7.1: Steve highlighted ongoing improvements to the WordPress Media Library ahead of version 7.1, with increased activity on the Gutenberg repository. Key short-term goals include support for HEIC images, Ultra HDR, and more reliable uploads for large files.
Jeff Chandler notes overlap in Featured and Recommended plugins: He points out that on a fresh WordPress install, the plugins shown in the Featured and Recommended tabs appear to be identical.
Introducing Online Lunch and Learn: The new initiative by Michelle Frechette offers live remote educational sessions for individuals and organizations, including monthly open sessions available to anyone and custom-scheduled sessions for companies or organizations.
The 2026 AI Index Report: It finds that AI capabilities and adoption are accelerating rapidly, with models reaching new performance levels and usage spreading across organizations, education, and everyday consumers. It also highlights tightening global competition, especially between the U.S. and China, alongside growing concerns around safety, uneven access, and policy gaps.

🚀 NEW PROJECTS

“So instead of saying: “Plugins BAD. Plugins SLOW!”
You can check what kind of performance impact you can expect from each plugin.“

Marcin Dudek about creating Make WordPress Fast Again.

Make WordPress Fast Again: This is a WordPress performance lab built by Marcin Dudek, which is focused on diagnosing and fixing backend bottlenecks like database queries, autoload bloat, and PHP inefficiencies.
Gravity Merge: Developed by Richard Best, this is a five-plugin suite for WordPress and Gravity Forms that automates document creation. It enables users to generate structured Word files from form submissions, with additional AI-powered tools for building templates, forms, and reports.
LeanPlugin: The project by Razvan Cojocariu, allows users as well as plugin developers to look up the website performance impact of their plugin.
WellPlayed WordPress Plugins: The project by Marcus Burnette gives access to a growing library of 20+ plugins under a single license. Instead of buying tools individually, users get one subscription that includes all plugins, auto updates, email support, and a central dashboard to manage everything. The Founding member pricing is live now.
PrincipalWP: A new initiative by Stéphane JPM Boisvert, this is a consulting practice focused on helping enterprise WordPress teams shift from using AI individually to using it at an organizational level.
Optrion: The plugin by Kazuto Takeshita allows users to track, score, quarantine, and clean orphaned wp_options rows.
Serve Markdown: Developed by Azey, allows users to serve Markdown versions of their posts and pages to AI agents and crawlers.
Turn Off AI Features: Created by Deepak Gupta, the plugin allows users to turn off AI features in WordPress without touching code.
Kintsu AI: This lets users vibe code their existing WordPress site using natural language prompts.
Context & Authority Toolkit: A plugin from Matt Cromwell automatically links glossary terms with tooltips, while adding SEO-friendly schema. It’s a modernized fork of the WordPress.org Glossary plugin.
Media Library Manager: The plugin by Bhargav allows users to identify and remove duplicate files in the Media Library.
WP REST API Playground: Created by Chandra, with this plugin, users can test and explore the WordPress REST API directly from the frontend.
WP Career Board: A new job board plugin built on Gutenberg blocks and the WordPress Interactivity API, no shortcodes, no jQuery, and no page reloads.
Template Jump: The plugin by Jason Cosper adds an “Edit Template” link to the WordPress admin bar for block themes.
Query Forge: A visual node-based query builder for WordPress. Works with the Gutenberg block editor and Elementor (Free or Pro).
WPRankThis: A SaaS tool for plugin developers that helps improve plugin directory rankings by offering keyword tracking, competitor analysis, and performance insights to boost visibility.
Site Audit Snapshot: The plugin by Rafi Abro generates a full site audit covering plugins, themes, server details, database, cron jobs, and security, with options to export the report as a PDF or share it via a temporary link.

🔖 INTERESTING READS & PODCASTS

More posts and podcasts from the WordPress Community you don’t want to miss

In Seriously, Bud?, Bud Kraus conversed with WordPress developer James Welbes about his career path from the U.S. Navy to web development, building a local client base in Iowa, and navigating life after the military.
On this episode of the PublishPress podcast, Steve Burge conversed with Brian Coords, discussing how GitHub Copilot is now listed as a contributor to WooCommerce, highlighting AI’s growing role in development and its potential impact on how online shopping works.
On this episode of WP Tavern Jukebox, Anne Bovelett discusses how web accessibility can improve traffic, SEO, and revenue.
Eric Karkovack is joined by Donata Stroink-Skillrud, president of Termageddon, on this episode of The WP Minute+ to discuss the importance of website privacy compliance.
In this episode of the Melapress Live show, Robert Abela is joined by Dan Knauss, where they explore the gap between enterprise perceptions of WordPress security and real production risks.
Mateusz Zadorożny set out to benchmark EmDash against a hand-coded WordPress setup, building two identical content sites and running thousands of performance tests to compare real-world speed. Despite expecting EmDash to win, the data showed WordPress consistently outperforming it. Misha Manko also covered EmDash and highlighted how it has no spending cap, and it was also brought to wider attention by Matt Mullenweg on X.
Amy Kamala reflects on the buzz around EmDash following WordCamp Asia 2026, pushing back against claims that WordPress is in decline.
Marcin Dudek argues that WordPress is built on myths of being free, open, and community-driven, while in reality it has a weak core, heavy plugin dependence, and an ecosystem where complexity and value are unevenly distributed.
James LePage outlines how AI is taking shape across the WordPress ecosystem, pointing to a surge of community-built tools, plugins, and integrations.
Jos Velasco recounts how a digital magazine was at risk after its owner passed away and the host suspended the site. He, along with others, used AI scripts and archived data to recover and preserve the content.
Jono Alderson argues that headless websites often add complexity and slow down marketing, while most organisations are better served by simpler, conventional setups.
Sé Reed reflects on a spontaneous moment at PressConf where people pushed tables together as a metaphor for the WordPress community’s inclusive and collaborative spirit, arguing that true community is built on openness and shared belonging, not control or centralized authority.
Pablo Postigo introduces Studio Code, an AI-powered coding agent for WordPress that lets users build and manage entire sites locally through simple prompts.
Benjamin Zekavica explains how to prepare your plugins and sites for WordPress 7.0, focusing on metaboxes and real-time collaboration, updating to PHP 7.4 or higher, testing block API and iframe behavior, and more.
Darin Kotter explains that WordPress 7.0 does not ship AI features, but instead ships AI infrastructure.
Ganga Kafle reflects on five years at Rank Math, sharing his journey of learning, contribution, and growth within the company and the WordPress ecosystem.
Javier Casares explains how versioning works in WordPress plugins and themes, clarifying how it differs from strict semantic versioning.
Joost de Valk says the open web is declining economically as publishers lose revenue and move away. He argues that defending it is not enough and calls for building a more sustainable open web with better infrastructure and viable business models.
At WordCamp Kolhapur, WPoets spoke with Bhargav about his 12+ year journey from working with Joomla and Magento to building a career in WordPress, along with his focus on learning, community, and teaching others.
Varun Dubey says a large single CLAUDE md file causes confusion, outdated rules, and poor results. The better approach is to split knowledge into layers, rules, facts, procedures, and tools, so only the relevant context is used.
Jonathan Bossenger described the process of building a WordPress block theme using Claude and MCP tools entirely through chat.

🛠 GUIDE ZONE – HOWTO’S and MORE

Handpicked fresh guides from WordPress circle

Enterprise guide to migrating from Strapi to WordPress: From rtCamp
Running LocalWP CLI without clicking “Site Shell”: From Bokor Attila
Using local AI models with WordPress 7.0: what I learned connecting Ollama: From JuanMa Garrido
Build a WordPress website with AI in minutes: From Elliot Richmond
How to convert HTML to WordPress using WPBakery GPT: From WPBakery
Using WordPress as a headless CMS (Next.js + Netlify): From microayatron

📆 SAVE THE DATES

Do not miss a WordPress event ever again

Checkout Summit 2026 on April 23-24, 2026: The call for sponsors is now open. The tickets are now available.
WordCamp Europe 2026 on June 4-6: The call for sponsors is now open. The tickets are also now available and the Side Event applications are now open. The full schedule has been published.
WordCamp US, Phoenix on August 16 -19 2026: The call for organizers is now open.
WordCamp Rajasthan 2026 on 3–4 October: The call for organizers is now open.
WordPress Accessibility Day 2026 on October 7th-8th: The call for sponsors is now open.
WordCamp Canada 2026 on November 5-6: The call for sponsors is now open.
CMS Conf 2026 on 12-14 November: The call for speakers is now open and the tickets are now available.

🎁 WORDPRESS DEALS OF THE WEEK

Again, these are the best deals of the week, handpicked by yours!

EXCLUSIVE DEALS

4 Months free offer on hosting plans of WP Engine (Coupon Code- FREEDOMTOCREATE)
10% off on monthly & annual plans at SureTriggers (Coupon Code- WPCONTENT10)
Up to 84% off at Hostinger (Code NYSALE for an extra 10% off)
15% off yearly plans at Videvo (Coupon Code – WPV15)

MORE DEALS

30% off for 4 months on Cloudways + 10 Free migrations ( Promo code- TREAT25).
Up to 50% off on BookingPress plugin
Up to 50% off on Paid Membership Pro plans.
Up to $100 OFF Essential Blocks PRO plugin.
50% off 3 months on Liquid Web’s Bare Metal server hosting
20% off for Constellation plugin
28.65% off for the lifetime plan for the Modern Cart for WooCommerce plugin.
33% off for the Uncanny Automator plugin.