WordPress 6.9.4: Ten Vulnerabilities, Three Releases, One Day
WordPress released three security updates on 11 March 2026. The first, 6.9.2, addressed ten vulnerabilities. The second, 6.9.3, fixed a template-loading bug introduced alongside it. The third, 6.9.4, arrived because the WordPress Security Team discovered that not all of the security fixes in 6.9.2 had been fully applied. If you updated to 6.9.2 or 6.9.3 and stopped there, you are still exposed. Update to 6.9.4 now.
What Was Fixed
The ten vulnerabilities addressed across this release cycle span several distinct vulnerability classes:
- Blind SSRF - server-side request forgery allowing internal network probing
- Stored XSS in nav menus - persistent cross-site scripting via navigation menu fields
- Stored XSS via the data-wp-bind directive - a second stored XSS vector, this one in the block Interactivity API
- XSS overriding client-side templates in the admin area - a third XSS path via admin template injection
- POP chain weakness in the HTML API and Block Registry - a property-oriented programming chain that could be leveraged in deserialization attacks
- Regex DoS in numeric character references - a denial-of-service path via malformed HTML input
- AJAX query-attachments authorisation bypass - unauthenticated access to media attachment queries
- Authorisation bypass on the Notes feature - privilege bypass in the editorial notes system
- PclZip path traversal - directory traversal in the built-in ZIP library
- XXE in the external getID3 library - XML external entity injection in the audio/video metadata parser bundled with WordPress core
The getID3 fix is particularly notable because it required coordinating a patch with an external upstream maintainer, James Heinrich. An updated version of getID3 has been released separately for projects that bundle it outside of WordPress.
The Incomplete Patch Problem
Three releases in one day is unusual even for WordPress. The sequence - 6.9.2, then 6.9.3 for a regression, then 6.9.4 because the security fixes had not been fully applied - is a reminder that security patches themselves can be incomplete. Applying the first available fix and assuming the job is done is a risky posture, particularly for high-severity vulnerabilities under active research; verify the version you actually landed on, not just that an update ran.
This is also the second significant WordPress security event this week, following the CVE-2026-2413 SQL injection in the Ally plugin. If you manage WordPress sites, this week has been an unusually active one for your patch queue.
What to Do
- Update to WordPress 6.9.4 - not 6.9.2 or 6.9.3
- Check that auto-updates have run and confirm the version in your dashboard
- If you use getID3 in any non-WordPress project, update that dependency separately
- Do not wait for WordPress 7.0, scheduled for release on 9 April 2026. Security fixes from this cycle are being backported to all supported branches (currently 4.7 and above), so sites on older branches should apply their branch's own point release rather than jumping major versions
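The checklist above is easy to get wrong at fleet scale, because 6.9.2 and 6.9.3 both report as "updated" yet are still exposed. The script below is an added example, not code from the WordPress release post or the WordPress project: it classifies an installed version against the advice in this article (6.9.x below 6.9.4 needs the update; other supported branches need their own backport release; anything below 4.7 is out of support), and drives WP-CLI to audit and, optionally, update each install. It assumes WP-CLI is installed as `wp` and that site roots come from an inventory file, one path per line; the version list at the bottom is constructed sample data, not real sites.

```shell
#!/bin/sh
# Added example: audit WordPress installs against the 6.9.4 advice.
# Assumes WP-CLI ("wp") is on PATH for audit_sites; the classification
# functions themselves run stand-alone.
set -eu

FIXED_VERSION="6.9.4"   # the release the article says to land on
OLDEST_SUPPORTED="4.7"  # oldest branch still receiving backported fixes

# vercmp A B: print "older", "same" or "newer" describing A relative to B.
# Compares numerically, so 6.10.0 sorts after 6.9.4; a pre-release suffix
# such as "-beta1" is ignored for the comparison.
vercmp() {
  vc_a=${1%%-*}; vc_b=${2%%-*}
  vc_ifs=$IFS; IFS=.
  set -- $vc_a; vc_a1=${1:-0}; vc_a2=${2:-0}; vc_a3=${3:-0}
  set -- $vc_b; vc_b1=${1:-0}; vc_b2=${2:-0}; vc_b3=${3:-0}
  IFS=$vc_ifs
  for vc_pair in "$vc_a1 $vc_b1" "$vc_a2 $vc_b2" "$vc_a3 $vc_b3"; do
    set -- $vc_pair
    if [ "$1" -lt "$2" ]; then echo older; return 0; fi
    if [ "$1" -gt "$2" ]; then echo newer; return 0; fi
  done
  echo same
}

# wp_patch_status VERSION: classify an installed core version.
#   patched                -> 6.9.4 or anything newer
#   update_to_6.9.4        -> 6.9.x below 6.9.4 (6.9.2/6.9.3 carry the incomplete fix)
#   check_branch_backport  -> supported older branch; compare against its own
#                             security point release, not against 6.9.4
#   unsupported_branch     -> below 4.7, no fixes are coming; migrate
wp_patch_status() {
  ps_rel=$(vercmp "$1" "$FIXED_VERSION")
  case "$1" in
    6.9.*|6.9)
      if [ "$ps_rel" = older ]; then echo update_to_6.9.4; else echo patched; fi ;;
    *)
      if [ "$ps_rel" = newer ]; then
        echo patched
      elif [ "$(vercmp "$1" "$OLDEST_SUPPORTED")" = older ]; then
        echo unsupported_branch
      else
        echo check_branch_backport
      fi ;;
  esac
}

# audit_sites INVENTORY [yes]: read one WordPress root per line, report each
# install's status, and with "yes" as the second argument update the 6.9.x
# stragglers to 6.9.4 and verify core file checksums afterwards.
# "wp core version", "wp core update --version=" and "wp core verify-checksums"
# are standard WP-CLI commands.
audit_sites() {
  as_inv=$1; as_apply=${2:-no}
  while IFS= read -r as_path; do
    [ -n "$as_path" ] || continue
    as_ver=$(wp core version --path="$as_path" 2>/dev/null) || {
      echo "$as_path: wp failed (not a WordPress root, or WP-CLI missing)"
      continue
    }
    as_status=$(wp_patch_status "$as_ver")
    echo "$as_path: $as_ver -> $as_status"
    if [ "$as_status" = update_to_6.9.4 ] && [ "$as_apply" = yes ]; then
      wp core update --version="$FIXED_VERSION" --path="$as_path"
      wp core verify-checksums --path="$as_path"
    fi
  done < "$as_inv"
}

# Constructed sample versions (not real sites) to show the classification.
for sample in 6.9.2 6.9.3 6.9.4 6.8.3 4.6.0; do
  printf '%s -> %s\n' "$sample" "$(wp_patch_status "$sample")"
done
```

To run the audit for real, put one site root per line in a file and call `audit_sites sites.txt` for a dry report or `audit_sites sites.txt yes` to update. The "check_branch_backport" result is deliberate: a 6.8.x or 5.x site is not necessarily unpatched, it just cannot be judged against 6.9.4, so compare it with the point release the WordPress Security Team shipped for that branch.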
