TL;DR
- This Patch Tuesday release addresses 79 vulnerabilities, including three critical flaws.
- High-priority fixes include an SQL Server elevation of privilege, .NET denial-of-service, and a zero-click Excel flaw that could cause Microsoft Copilot to exfiltrate sensitive data.
- We’re also tracking active exploits of a five-year-old unpatched vulnerability in an abandoned WordPress plugin that’s recently been used to install unauthorized cryptomining software.
As March marks the arrival of spring, it comes with the usual chorus of advice about decluttering, fresh starts, and getting your house in order. In the security world, that advice can take on a more literal meaning. As organizations shake off the slower pace of the winter months, Patch Tuesday arrives as a timely reminder that a little maintenance now can prevent a much bigger headache down the road.
Patch Tuesday: March 10, 2026
This month’s release includes 79 new CVEs, including three classified “critical.” Here are three vulnerabilities we recommend addressing first:
- SQL Server Elevation of Privilege Vulnerability (CVE-2026-21262): This SQL vulnerability is centered around how the SQL Server engine validates authorization requests. If a remote, authenticated attacker executes a specially crafted command, they could trick the system into granting them sysadmin privileges on the vulnerable database, allowing them to read or modify its contents.
- .NET Denial of Service Vulnerability (CVE-2026-26127): This is a denial-of-service (DoS) vulnerability in .NET that can occur because of an out-of-bounds read error in its memory handling process. An attacker can use this flaw to send specially crafted requests to an application running on an impacted version of .NET, resulting in the application becoming unresponsive or crashing.
- Microsoft Excel Information Disclosure Vulnerability (CVE-2026-26144): This is a zero-click, information disclosure vulnerability in Excel, which is particularly notable for its interaction with Microsoft Copilot. Using this vulnerability, an attacker could take advantage of improper neutralization of input in Excel, causing a Copilot agent to inadvertently disclose sensitive data over the network. An unauthorized actor could essentially bypass typical memory protections and capture internal data that would be inaccessible otherwise.
Exploit tales: Kaswara WordPress plugin
Abandoned software doesn’t disappear; it lingers, and in time it can become a liability. There are few places where this is more apparent than in the WordPress plugin ecosystem, where outdated plugins can quietly expose sites to vulnerabilities that will never be patched.
The Kaswara Modern WPBakery Page Builder plugin (CVE-2021-24284) is an example of this. This is a five-year-old unpatched flaw in a long-abandoned plugin that attackers are still actively exploiting right now. The vulnerability has a CVSS score of 9.8, and continues to be an easy target for attackers scouring the internet for their next victim.
Just this month, we’ve seen activity where attackers have been using this vulnerability to take over WordPress websites. This flaw allows an unauthenticated attacker to upload malicious code directly to a vulnerable server and execute it remotely. In this case, the attackers were using the exploit to ultimately install unauthorized copies of the XMRig cryptomining software.
This vulnerability gained notoriety for being the vehicle behind massive botnet campaigns in 2021 that used the NDSW/BNTS malware to inject malicious redirects into thousands of WordPress sites worldwide.
The vulnerability lives inside a feature originally designed to let site owners upload custom icons in the ZIP format. The problem is that the plugin doesn’t perform any authentication checks or file validation before processing whatever it receives. An exploit can work like this:
- The attacker creates a ZIP file containing a malicious PHP script and sends it to the vulnerable server via a simple POST request.
- The plugin unzips the contents into the publicly accessible wp-content/uploads/kaswara/fonts_icon/ directory on the server.
- The attacker navigates to the PHP file’s URL within this directory and executes it, essentially taking control of the server.
Unfortunately, the original plugin developer has long since abandoned the project, and five years on, no patch is available. The plugin has since been removed from the WordPress plugin repository, leaving exposed any users who have yet to phase out the legacy plugin.
If you’re still using this plugin (or others that are no longer supported) we suggest deleting it immediately. Check the plugin’s wp-content/uploads/kaswara/fonts_icon/ upload directory for any PHP files that shouldn’t be in there. If anything suspicious turns up, consider a full security audit, or at the very least check for any recently modified files across your WordPress installation.
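The two checks recommended above (PHP files in the icon upload directory, recently modified files across the install), plus the access-log footprint left by the third step of the exploit chain (a request for a .php file inside that directory), can be scripted as a read-only triage. The following is an added example, not code from the original post or from the plugin; it assumes the WordPress root is passed as the first argument, that the web server log given as the second argument is in the common Apache/Nginx combined format, and that seven days is a reasonable window for "recently modified". The sample site tree and log lines it builds for the `--demo` run are constructed, with documentation-range IPs and invented file names.

```shell
#!/bin/sh
# Added example (not from the original post): read-only triage for the
# Kaswara icon upload directory. Assumptions: $1 is the WordPress root,
# $2 (optional) is an access log in Apache/Nginx combined format.

KASWARA_DIR="wp-content/uploads/kaswara/fonts_icon"

# 1. Any PHP-executable file under the icon upload directory is suspect: the
#    feature only ever needed font/icon assets there. Matching is case-insensitive
#    and covers common alternate extensions (.phtml, .php5, .phar).
find_kaswara_php() {
  dir="$1/$KASWARA_DIR"
  [ -d "$dir" ] || return 0
  find "$dir" -type f \( -iname '*.php' -o -iname '*.phtml' \
       -o -iname '*.php[0-9]' -o -iname '*.phar' \) 2>/dev/null | sort
}

# 2. Files changed in the last N days (default 7) anywhere under the install,
#    the wider check the post recommends when something suspicious turns up.
recently_modified() {
  find "$1" -type f -mtime "-${2:-7}" 2>/dev/null | sort
}

# 3. Log lines requesting a .php path inside the icon directory. Browsing to
#    the dropped script leaves exactly this footprint in the access log.
kaswara_hits_in_log() {
  [ -f "$1" ] || return 0
  grep -E '"(GET|POST|HEAD) [^" ]*/wp-content/uploads/kaswara/fonts_icon/[^" ]*\.php' "$1" || true
}

run_checks() {
  echo "== PHP files under $KASWARA_DIR =="; find_kaswara_php "$1"
  echo "== files modified in the last 7 days =="; recently_modified "$1" 7
  echo "== access-log requests for PHP inside the icon directory =="; kaswara_hits_in_log "$2"
}

# Constructed sample site and log used by the --demo run (and by tests).
# The IPs are documentation ranges and the file names are invented.
build_sample_site() {
  root="$1"; icons="$root/$KASWARA_DIR"
  mkdir -p "$icons/set1" "$root/wp-content/plugins/kaswara"
  : > "$icons/font.woff"                        # legitimate asset
  : > "$icons/icons.php"                        # dropped script (suspect)
  : > "$icons/cache.phtml"                      # alternate extension (suspect)
  : > "$icons/set1/loader.php"                  # nested (suspect)
  : > "$root/wp-content/plugins/kaswara/kaswara.php"
  : > "$root/wp-config.php"
  touch -t 202001010000 "$root/wp-config.php"   # old, untouched file
  cat > "$root/access.log" <<'EOF'
203.0.113.5 - - [12/Mar/2026:10:15:01 +0000] "GET /wp-content/uploads/kaswara/fonts_icon/icons.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2026:10:16:20 +0000] "GET /wp-content/uploads/kaswara/fonts_icon/font.woff HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2026:10:17:45 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
EOF
}

case "${1:-}" in
  --demo) d=$(mktemp -d); build_sample_site "$d"; run_checks "$d" "$d/access.log"; rm -rf "$d" ;;
  "")     ;;                          # no arguments: only define the functions
  *)      run_checks "$1" "${2:-}" ;;
esac
```

Run it as `sh kaswara_check.sh /var/www/html /var/log/nginx/access.log` (both paths are placeholders for your own install and log location), or `sh kaswara_check.sh --demo` to see it flag the three planted scripts, skip the legitimate font file and the old wp-config.php, and pull out the single log line that fetched a PHP file from the icon directory. On a real site, a non-empty first list is a strong signal that the server has already been compromised, and the usual next step is the full audit the post suggests rather than simply deleting the files.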
