# Abu Hurayra

> Security engineer and SDET. Writing about application security, test automation, and the open-source web.

Author: Abu Hurayra — https://hurayraiit.com
Contact: hello@hurayraiit.com

## Site

- [Home](https://hurayraiit.com/)
- [Blog](https://hurayraiit.com/blog/)
- [Categories](https://hurayraiit.com/categories/)
- [About](https://hurayraiit.com/about/)
- [Now](https://hurayraiit.com/now/)
- [Bookmarks](https://hurayraiit.com/bookmarks/)
- [RSS feed](https://hurayraiit.com/rss.xml)
- [Sitemap](https://hurayraiit.com/sitemap-index.xml)
- [Corpus schema (JSON-LD)](https://hurayraiit.com/schema/posts.json)
- [Full content](https://hurayraiit.com/llms-full.txt)

## Sadakah

- [Masjid Fundraising: How to Give Sadaqah Jariyah](https://hurayraiit.com/blog/sadakah-jariya-for-a-mashjid/) — Sadaqah jariyah fundraising for a masjid: an account of the 220,020 taka collected in total and how to take part in the campaign.

## hisnul-muslim

- [Zikr When Waking Up - Adhkar for Waking from Sleep](https://hurayraiit.com/blog/zikr-when-waking-up/) — Morning adhkar from Hisnul Muslim — the recommended duas and zikr to recite upon waking up, with Arabic text, transliteration, and Bengali and English meanings.
- [The Excellence of Zikr - The Virtue of Remembrance](https://hurayraiit.com/blog/the-excellence-of-zikr/) — The excellence of Zikr from Hisnul Muslim — Quranic verses and hadith on the virtue of remembering Allah and its profound benefits for the believer.
## history-geography-politics

- [How to Commit Vote Fraud?](https://hurayraiit.com/blog/kivabe-vote-jaliyati-korben/) — The reality of vote rigging in Bangladesh through the eyes of an election observer: detailed accounts of fake votes, dummy agents and artificial traffic jams.
- [The Soviet Mapmaker’s Secret: Why Post-USSR Peace Failed](https://hurayraiit.com/blog/soviet-mapmaker-secret/) — How Soviet mapmakers deliberately drew borders to mix ethnic groups, ensuring lasting instability — and why post-USSR conflicts were by design, not accident.
- [History of Russia](https://hurayraiit.com/blog/russiar-itihash/) — A brief chronological account of Russian history, from Kievan Rus' through the Mongol invasion and Tsar Ivan the Terrible to the empire's expansion into Siberia.

## islam

- [Lessons from Surah Al-Imran](https://hurayraiit.com/blog/lessons-from-surah-al-imran/) — The battles of Badr and Uhud, the account of the birth of Isa (peace be upon him), and the surah's key commands and prohibitions.
- [How Much Can Your Kid Earn? Financial Lessons for Parents](https://hurayraiit.com/blog/how-much-does-your-kid-earn-per-month/) — Does your young child actually earn an income? An inspiring, thoughtful piece by Shibli Mehdi on the deep connection between rizq and barakah in the family.
- [When Allah Loves Someone](https://hurayraiit.com/blog/when-allah-loves-someone/) — What are the signs that Allah loves someone? Not wealth or power: the tawfiq to do good deeds and the sweetness of worship are the true marks of His love.
- [How Do I Come to Terms with the Death of a Child?](https://hurayraiit.com/blog/dealing-with-the-loss-of-a-child/) — Comfort and guidance from Allah for a Muslim parent, from the Islamic perspective, on accepting the death of a child.
- [Who Was Luqman al-Hakim?](https://hurayraiit.com/blog/about-luqman-hakeem/) — The life and qualities of this great man to whom Allah granted hikmah, and a detailed portrait of him in the light of the Quran and hadith.
- [Correcting Children: Praise and Advice](https://hurayraiit.com/blog/shishuder-jonno-proshongsha-o-upodesh/) — The role of praise and advice in correcting children: effective methods and lessons of Islamic child-rearing, with quotations from Ibn Umar and Imam al-Ghazali.
- [Patience in Grief and Hardship](https://hurayraiit.com/blog/dukkho-o-musibote-dhorjo-dharon/) — The miraculous story of the Companion Awf's captivity and his release through the blessing of "la hawla", and the virtue of tawakkul.
- [Children Must Be Given Work Suited to Them](https://hurayraiit.com/blog/sontanke-tar-upojogy-kaj-deoa/) — Engaging children in work that suits them: teaching the fard al-ayn from the Islamic perspective, and the importance of guiding a child according to their inclinations.
- [Some Questions and Answers on Non-Muslim Festivals](https://hurayraiit.com/blog/qa-non-muslims-festivals/) — What Muslims should do regarding non-Muslim festivals: the Islamic rulings on selling goods, offering greetings and participating, in detail and including the opinion of Imam Ibn Taymiyyah.
- [Invitation, Dua and Kacchi](https://hurayraiit.com/blog/dawat-dua-and-kacchi/) — A deep lesson told through a charming story about kacchi at a dinner invitation: why asking Allah is the best approach, and how wishes are fulfilled through dua.
- [Are You Sleeping While Rizq Is Being Distributed?](https://hurayraiit.com/blog/early-rising-and-rizk/) — The virtue of zikr from Fajr until sunrise, and why not sleeping in the early morning brings barakah in rizq, with evidence from the hadith of Rasulullah ﷺ.
- [Rasulullah ﷺ Wept at the Death of a Child and Consoled the Family](https://hurayraiit.com/blog/rasulullah-sa-on-loss-of-a-child/) — How Rasulullah ﷺ wept at the death of a child and comforted the family, in the light of the hadith narrated by Usama bin Zayd.
- [Social Media Giveaways in Islam: Are They Permissible?](https://hurayraiit.com/blog/are-social-media-giveaways-permissible-in-islam-a-scholarly-perspective/) — Are social media giveaways halal in Islam? A scholarly analysis of the conditions that make follow-to-win contests permissible or impermissible for Muslims.
- [Why Word Choice Matters in Dua](https://hurayraiit.com/blog/dua-te-shobdo-choyon-kano-joruri/) — Why choosing the right words in dua matters: important lessons from the story of Yusuf (peace be upon him), in the light of the Quran and the hadith of Rasulullah ﷺ.
- [Crises of the Modern Family: Islamic Remedies](https://hurayraiit.com/blog/modern-family-challenges-and-their-islamic-remedies/) — A summary and key points from the webinar by Dr. Manzur-e-Elahi and Shibli Mehdi on the crises of the modern family and their Islamic remedies.
- [Five Qualities of a True Believer](https://hurayraiit.com/blog/bn-5-signs-of-a-believer/) — The description in Surah Al-Anfal and the marks of a true believer, in Bengali and English.
- [Commands and Prohibitions of Surah Al-Baqarah](https://hurayraiit.com/blog/lessons-from-sura-bakarah/) — The main directives of the Quran's longest surah, compiled concisely with verse numbers.
- [Lessons from Surah Al-Fatihah](https://hurayraiit.com/blog/lessons-from-sura-fatiha/) — The three central themes of the Umm al-Kitab, and the significance and explanation of asking for guidance seventeen times a day.

## linux

- [CVE-2026-31431: Copy Fail — A Decade-Old Linux Kernel Privilege Escalation](https://hurayraiit.com/blog/cve-2026-31431-copy-fail-linux-kernel/) — CVE-2026-31431 (Copy Fail) is a critical Linux kernel LPE affecting every major distribution since 2017. A 732-byte Python script gives any local user root. Here's how it works.
- [Mailpit: Capture & Inspect Emails Locally for WordPress, Laravel, and PHP](https://hurayraiit.com/blog/mailpit-local-email-testing-wordpress-laravel-php/) — Set up Mailpit on macOS to intercept all outgoing emails from your local WordPress, Laravel, and custom PHP sites — no real emails sent, everything visible in a browser UI.
- [Bun Install Deep Dive: Speed & Optimization Secrets](https://hurayraiit.com/blog/bun-install-deep-dive-optimizations-that-redefine-js-package-management/) — A deep dive into how bun install achieves up to 17x faster package installation than npm or yarn using Zig, fewer syscalls, and smarter binary caching.
- [Linux seq Command Explained with Examples for Beginners](https://hurayraiit.com/blog/linux-seq-command-explained-with-examples-for-beginners/) — A beginner’s guide to the Linux seq command — generate number sequences with custom increments, separators, and formatted output for scripts and automation.
- [Hetzner Cloud VPS: Why It's a Game Changer for Developers](https://hurayraiit.com/blog/hetzner-is-a-game-changer-for-developers-in-2025/) — Why Hetzner Cloud VPS stands out in 2025 — transparent pricing, generous traffic quotas, GDPR compliance, and solid performance for developers worldwide.
- [php.ini Configuration for Nginx and OpenLiteSpeed [Guide]](https://hurayraiit.com/blog/intro-to-php-ini-for-nginx-openlitespeed/) — Learn how to locate and edit php.ini on Ubuntu for both Nginx and OpenLiteSpeed — configure memory limits, short tags, and other PHP settings step by step.
- [What Is SSH? Beginner's Guide to Secure Shell Protocol](https://hurayraiit.com/blog/what-is-ssh/) — What is SSH? A clear introduction to Secure Shell — how it encrypts remote connections, how to use it from the terminal, and practical examples for developers.
- [GoAccess Setup Guide for xCloud: Real-Time Web Analytics](https://hurayraiit.com/blog/setting-up-goaccess-in-xcloud/) — How to set up GoAccess on xCloud for real-time web log analysis — monitor site traffic visually from the terminal without relying on third-party analytics.
- [How to Create and Manage Users in Linux: A Beginner’s Guide](https://hurayraiit.com/blog/how-to-create-and-manage-users-in-linux/) — A beginner's guide to creating and managing Linux users — covers useradd, usermod, userdel, groups, and file permissions on Ubuntu with practical examples.

## meta

- [Hello, World](https://hurayraiit.com/blog/01-hello/) — Abu Hurayra introduces his personal blog covering application security, CVE research, test automation, and open-source WordPress contributions.
- [Markdown Cheat Sheet: Quick Reference for All Syntax](https://hurayraiit.com/blog/03-markdown-cheat-sheet/) — Master Markdown fast with this concise cheat sheet covering headings, bold, italic, links, code blocks, tables, and all essential syntax elements.

## php

- [What Is PHP SAPI? A Complete Beginner's Guide [2026]](https://hurayraiit.com/blog/php-sapi-beginners-guide/) — What is PHP SAPI? A beginner's guide to understanding CLI, PHP-FPM, mod_php, and how PHP connects to web servers like Apache and Nginx behind the scenes.

## productivity

- [Personal Domain as Digital Ownership: Why It Matters](https://hurayraiit.com/blog/a-personal-domain-is-digital-ownership/) — A personal domain is more than a website — it's digital ownership, professional credibility, and flexibility that no social platform can give you.
- [The Muslim Creator’s Guide to Ethical AI Image Generation](https://hurayraiit.com/blog/muslim-creators-guide-ethical-ai-generation/) — A Muslim creator's guide to ethical AI image generation — 6 prompt templates for architecture, calligraphy, and geometry visuals that follow Islamic guidelines.
- [Think Before You Comment: Is It Rage Bait?](https://hurayraiit.com/blog/rage-bait-think-before-you-comment/) — What rage bait is and why you should think before commenting: not engaging with provocative social media posts is the smartest move.
- [3 AI Prompts Every SQA Tester Should Use in 2026](https://hurayraiit.com/blog/3-ai-prompts-for-sqa-testers/) — Three AI prompts for SQA testers to analyze code changes in any SaaS app — covering security auditing, functional test cases, and automation design.
- [What's the Price? Check Your Inbox!](https://hurayraiit.com/blog/check-inbox/) — Why the "check your inbox" tactic of online shops on Facebook is annoying, and how a fun comment trick can get the real price out of them.
- [Answers to Some Common Questions I Get Asked](https://hurayraiit.com/blog/answer-to-some-common-questions-from-social-media/) — Answers to the common questions I get on social media, from "salam" and "how are you" to career advice, all compiled in one place.
- [Atomic Habits: Walk Slowly, But Never Backward](https://hurayraiit.com/blog/walk-slowly-but-never-backward-atomic-habits/) — Inspired by Atomic Habits — why taking imperfect action beats endless planning, and how consistent small steps compound into remarkable long-term results.
- [Best Articles of September 2025: Monthly Reading Picks](https://hurayraiit.com/blog/favorite-articles-of-september-2025/) — A curated list of the best blog articles Abu Hurayra read in September 2025 — covering QA, software testing, personal growth, and tech insights worth sharing.

## security

- [CVE-2026-8679: AudioIgniter IDOR Exposes Private Playlist Data (CVSS 7.5)](https://hurayraiit.com/blog/cve-2026-8679-audioigniter-unauthenticated-idor-playlist-data-exposure/) — CVE-2026-8679 is a CVSS 7.5 High severity Unauthenticated IDOR in AudioIgniter Music Player <= 2.0.2 that lets any visitor read private, draft, or trashed playlist track metadata.
- [CVE-2026-9011: Ditty Plugin Exposes Non-Public Content to Anyone (CVSS 7.5)](https://hurayraiit.com/blog/cve-2026-9011-ditty-unauthenticated-information-disclosure/) — CVE-2026-9011 is a CVSS 7.5 (High) Missing Authorization vulnerability in the Ditty WordPress plugin that lets anyone read non-public Ditty content.
- [CVE-2026-8719: AI Engine Privilege Escalation via MCP OAuth (CVSS 8.8)](https://hurayraiit.com/blog/cve-2026-8719-ai-engine-privilege-escalation-mcp-oauth/) — CVE-2026-8719 (CVSS 8.8) lets any Subscriber invoke admin-level MCP tools in AI Engine 3.4.9, including creating administrator accounts.
- [CVE-2026-6403: Unauthenticated File Read in Quick Playground (CVSS 7.5)](https://hurayraiit.com/blog/cve-2026-6403-quick-playground-unauthenticated-file-read/) — CVE-2026-6403 (CVSS 7.5) is a path traversal vulnerability in Quick Playground that lets unauthenticated attackers ZIP and download arbitrary server files.
- [CVE-2026-5229: Form Notify Auth Bypass via LINE OAuth Callback (CVSS 9.8)](https://hurayraiit.com/blog/cve-2026-5229-form-notify-auth-bypass-line-oauth/) — CVE-2026-5229 (CVSS 9.8 Critical): auth bypass in Form Notify ≤ 1.1.10. Any visitor can hijack any WordPress account, including admin, via LINE OAuth.
- [CVE-2026-4094: FOX Currency Switcher Config Deletion (CVSS 8.1)](https://hurayraiit.com/blog/cve-2026-4094-fox-currency-switcher-config-deletion/) — CVE-2026-4094 (CVSS 8.1): Missing Authorization in FOX Currency Switcher for WooCommerce lets Contributors delete the multi-currency config.
- [CVE-2026-3718: ManageWP Worker Unauthenticated Stored XSS (CVSS 7.2)](https://hurayraiit.com/blog/cve-2026-3718-managewp-worker-unauthenticated-stored-xss/) — CVE-2026-3718 is a CVSS 7.2 High stored XSS flaw in ManageWP Worker ≤ 4.9.31 that lets unauthenticated attackers inject malicious scripts into the admin.
- [CVE-2026-6271: Unauthenticated RCE in Career Section Plugin (CVSS 9.8)](https://hurayraiit.com/blog/cve-2026-6271-career-section-unauthenticated-file-upload/) — CVE-2026-6271 scores CVSS 9.8 Critical in Career Section (≤ 1.7) — unauthenticated attackers can upload PHP files and execute arbitrary server-side code.
- [CVE-2026-8181: Auth Bypass to Admin Takeover in Burst Statistics Plugin (CVSS 9.8)](https://hurayraiit.com/blog/cve-2026-8181-burst-statistics-auth-bypass-admin-takeover/) — CVE-2026-8181 is a CVSS 9.8 Critical authentication bypass in Burst Statistics 3.4.0–3.4.1.1. An unauthenticated attacker with any admin username can mint a WordPress Application Password and take over the admin account.
- [CVE-2026-3892: Motors Plugin Arbitrary File Deletion (CVSS 8.1)](https://hurayraiit.com/blog/cve-2026-3892-motors-car-dealer-arbitrary-file-deletion/) — CVE-2026-3892 is a CVSS 8.1 High severity arbitrary file deletion vulnerability in the Motors WordPress plugin. Any subscriber can delete critical server files including wp-config.php.
- [CVE-2026-5395: Fluent Forms <= 6.2.0 IDOR Exposes Form Entries (CVSS 8.2)](https://hurayraiit.com/blog/cve-2026-5395-fluent-forms-idor-exposes-form-entries/) — CVE-2026-5395 (CVSS 8.2) is an IDOR in Fluent Forms <= 6.2.0. Authenticated users can bypass per-form access controls and export any form's submissions.
- [CVE-2026-7330: Stored XSS in Auto Affiliate Links Plugin](https://hurayraiit.com/blog/cve-2026-7330-stored-xss-auto-affiliate-links/) — CVE-2026-7330 is a CVSS 7.2 Stored XSS in Auto Affiliate Links <= 6.8.8. An unauthenticated attacker can inject JavaScript into the WordPress admin panel.
- [CVE-2026-6929: JoomSport Unauthenticated SQL Injection (CVSS 7.5)](https://hurayraiit.com/blog/cve-2026-6929-joomsport-unauthenticated-sql-injection/) — CVE-2026-6929: CVSS 7.5 unauthenticated SQL injection in JoomSport (<= 5.7.7) exposes database data to any unauthenticated visitor via the sortf parameter.
- [CVE-2026-5396: Fluent Forms Authorization Bypass via form_id (CVSS 8.2)](https://hurayraiit.com/blog/cve-2026-5396-fluent-forms-authorization-bypass-form-id/) — CVE-2026-5396 is a CVSS 8.2 High severity Authorization Bypass in Fluent Forms <= 6.1.21. A restricted Fluent Forms Manager can read, modify, and delete submissions from any form.
- [CVE-2026-42668: Omnisend WooCommerce Account Takeover (CVSS 7.5)](https://hurayraiit.com/blog/cve-2026-42668-omnisend-woocommerce-account-takeover/) — CVE-2026-42668 (CVSS 7.5 High): Unauthenticated account takeover in Omnisend for WooCommerce <= 1.18.0 via predictable SHA-256 token. Update to 1.18.1.
- [CVE-2026-4029: Unauthenticated DB Export in WP Database Backup (CVSS 7.5)](https://hurayraiit.com/blog/cve-2026-4029-unauthenticated-db-export-wp-database-backup/) — CVE-2026-4029 (CVSS 7.5) lets unauthenticated attackers export database tables on WordPress Multisite sites using Database Backup for WordPress <= 2.5.2.
- [CVE-2026-6320: Arbitrary File Read in Salon Booking System](https://hurayraiit.com/blog/cve-2026-6320-arbitrary-file-read-salon-booking-system/) — CVE-2026-6320 is a CVSS 7.5 High path traversal in Salon Booking System letting unauthenticated attackers read any server file via booking confirmation emails.
- [CVE-2026-5324: Unauthenticated XSS in Brizy Page Builder](https://hurayraiit.com/blog/cve-2026-5324-unauthenticated-xss-in-brizy-page-builder/) — CVE-2026-5324 is a CVSS 7.2 unauthenticated stored XSS in Brizy – Page Builder (≤ 2.8.11) that lets attackers inject scripts executed in the WordPress admin.
- [CVE-2026-5063: Stored XSS in NEX-Forms via Form Submission](https://hurayraiit.com/blog/cve-2026-5063-stored-xss-in-nex-forms-via-form-submission/) — CVE-2026-5063 is a CVSS 7.2 unauthenticated stored XSS in NEX-Forms ≤ 9.1.11. Crafted POST requests store JavaScript that executes in any admin's browser.
- [CVE-2026-4019: Unauthenticated Private Post Content Disclosure in Complianz Plugin](https://hurayraiit.com/blog/cve-2026-4019-complianz-private-post-content-disclosure/) — CVE-2026-4019 is a CVSS 5.3 Medium missing authorization vulnerability in the Complianz plugin. Unauthenticated attackers can read private post content via a REST endpoint.
- [CVE-2026-6741: Critical Privilege Escalation in LatePoint Plugin (CVSS 8.8)](https://hurayraiit.com/blog/cve-2026-6741-agent-privilege-escalation-in-latepoint/) — CVE-2026-6741 is a CVSS 8.8 privilege escalation flaw in LatePoint (≤ 5.4.1) that lets an authenticated agent reset the admin's password for full site takeover.
- [CVE-2026-5364: Unauthenticated Arbitrary PHP Upload in CF7 Drag and Drop Plugin](https://hurayraiit.com/blog/cve-2026-5364-arbitrary-php-upload-in-cf7-drag-and-drop/) — CVE-2026-5364 (CVSS 8.1 High): Unauthenticated arbitrary file upload in the CF7 Drag and Drop plugin <= 1.1.3 allows PHP webshell upload and potential RCE.
- [CVE-2026-6393: Authenticated Missing Authorization in BetterDocs Plugin](https://hurayraiit.com/blog/cve-2026-6393-missing-authorization-betterdocs-ai-write/) — CVE-2026-6393 (CVSS 4.3 Medium) is a Missing Authorization flaw in BetterDocs <= 4.3.11 that lets subscribers abuse the site's paid OpenAI API key.
- [CVE-2026-5428: Authenticated Stored XSS in Royal Elementor Addons Plugin](https://hurayraiit.com/blog/cve-2026-5428-stored-xss-in-royal-elementor-addons/) — CVE-2026-5428 (CVSS 6.4): Stored XSS in Royal Elementor Addons ≤ 1.7.1056 allows Authors to inject scripts via image captions to steal admin cookies. Update to 1.7.1057.
- [CVE-2026-3844: Unauthenticated Arbitrary File Upload to RCE in Breeze Cache Plugin (CVSS 9.8)](https://hurayraiit.com/blog/cve-2026-3844-arbitrary-file-upload-breeze-cache/) — CVE-2026-3844 is a CVSS 9.8 unauthenticated arbitrary file upload flaw in Breeze Cache <= 2.4.4, enabling remote code execution via PHP webshell upload.
- [CVE-2026-4388: Unauthenticated Stored XSS in Form Maker by 10Web Plugin](https://hurayraiit.com/blog/cve-2026-4388-unauthenticated-stored-xss-form-maker-by-10web/) — CVE-2026-4388: CVSS 7.2 Stored XSS in Form Maker by 10Web (<= 1.15.40) lets unauthenticated attackers steal admin sessions via Matrix Text Box submissions.
- [CVE-2026-5718: Unauthenticated File Upload to RCE in DnD Upload CF7 Plugin](https://hurayraiit.com/blog/cve-2026-5718-unauthenticated-file-upload-dnd-upload-cf7/) — CVE-2026-5718 (CVSS 8.1 High): Arbitrary PHP upload in CF7 DnD Upload plugin ≤ 1.3.9.6 via non-ASCII bypass — unauthenticated RCE possible.
- [CVE-2026-2262: Easy Appointments Data Exposure via REST API](https://hurayraiit.com/blog/cve-2026-2262-easy-appointments-data-exposure-via-rest-api/) — CVE-2026-2262 (CVSS 7.5 High): Easy Appointments <= 3.12.21 exposes all customer PII via an unauthenticated REST API endpoint.
- [CVE-2026-5478: Path Traversal File Read in Everest Forms](https://hurayraiit.com/blog/cve-2026-5478-path-traversal-file-read-in-everest-forms/) — CVE-2026-5478: CVSS 8.1 path traversal in Everest Forms lets unauthenticated attackers read and delete arbitrary files, including wp-config.php.
- [CVE-2025-14868: CSRF File Deletion in Career Section Plugin](https://hurayraiit.com/blog/cve-2025-14868-csrf-file-deletion-career-section/) — CVE-2025-14868 (CVSS 8.8): CSRF in Career Section ≤ 1.6 lets unauthenticated attackers delete arbitrary server files via a forged admin request.
- [CVE-2026-2834: Unauthenticated Stored XSS in Token of Trust Plugin](https://hurayraiit.com/blog/cve-2026-2834-unauthenticated-stored-xss-in-token-of-trust/) — CVE-2026-2834: CVSS 7.2 stored XSS in Token of Trust (<= 3.32.3). Unauthenticated attackers can store JavaScript that fires when an admin views Debug Logs.
- [CVE-2026-4365: Arbitrary Quiz Answer Deletion in LearnPress (CVSS 9.1)](https://hurayraiit.com/blog/cve-2026-4365-arbitrary-quiz-answer-deletion-in-learnpress/) — CVE-2026-4365 (CVSS 9.1 Critical): LearnPress LMS plugin allows unauthenticated attackers to permanently delete any quiz answer via a publicly exposed nonce.
- [CVE-2026-5231: Stored XSS via utm_source in WP Statistics](https://hurayraiit.com/blog/cve-2026-5231-stored-xss-via-utm-source-in-wp-statistics/) — CVE-2026-5231: CVSS 7.2 Unauthenticated Stored XSS in WP Statistics ≤ 14.16.4 lets attackers inject scripts into admin pages via the utm_source parameter.
- [CVE-2026-4880: Barcode Scanner Plugin Privilege Escalation](https://hurayraiit.com/blog/cve-2026-4880-barcode-scanner-privilege-escalation/) — CVE-2026-4880 (CVSS 9.8) allows unauthenticated attackers to escalate privileges to administrator in Barcode Scanner (+Mobile App) WordPress plugin <= 1.11.0.
- [CVE-2026-3017: PHP Object Injection in Smart Post Show](https://hurayraiit.com/blog/cve-2026-3017-php-object-injection-smart-post-show/) — CVE-2026-3017 is a CVSS 7.2 PHP Object Injection in Smart Post Show (<= 3.0.12), letting authenticated admins inject PHP objects and chain a POP for RCE.
- [CVE-2025-15027: Privilege Escalation in JAY Login & Register (CVSS 9.8)](https://hurayraiit.com/blog/cve-2025-15027-privilege-escalation-jay-login-register/) — CVE-2025-15027 (CVSS 9.8) is a critical unauthenticated privilege escalation in JAY Login & Register ≤ 2.6.03, enabling full admin account creation with no credentials required.
- [CVE-2025-68043: Missing Authorization in LottieFiles Plugin (CVSS 9.8)](https://hurayraiit.com/blog/cve-2025-68043-missing-authorization-in-lottiefiles-plugin/) — CVE-2025-68043 (CVSS 9.8 Critical): Missing Authorization in LottieFiles ≤ 3.0.0 exposes admin OAuth access tokens to unauthenticated attackers.
- [CVE-2026-3124: Download Monitor Unauthenticated IDOR to Order Theft](https://hurayraiit.com/blog/cve-2026-3124-download-monitor-unauthenticated-order-theft/) — CVE-2026-3124 (CVSS 7.5 High) — IDOR in Download Monitor ≤ 5.1.7 lets unauthenticated attackers steal paid downloads by completing orders with a $0.01 PayPal token.
- [CVE-2026-3360: Tutor LMS Unauthenticated Billing Overwrite (CVSS 7.5)](https://hurayraiit.com/blog/cve-2026-3360-tutor-lms-unauthenticated-billing-overwrite/) — CVE-2026-3360 is a CVSS 7.5 High missing authorization vulnerability in Tutor LMS <= 3.9.7 — unauthenticated attackers can overwrite any user's billing profile via a crafted POST request.
- [CVE-2026-3296: PHP Object Injection in Everest Forms (CVSS 9.8)](https://hurayraiit.com/blog/cve-2026-3296-everest-forms-unauthenticated-php-object-injection/) — CVE-2026-3296 is a CVSS 9.8 critical unauthenticated PHP Object Injection in the Everest Forms WordPress plugin — full technical breakdown, PoC, patch analysis, and remediation.
- [CVE-2026-2942: Arbitrary File Upload in ProSolution WP Client](https://hurayraiit.com/blog/cve-2026-2942-prosolution-wp-client-arbitrary-file-upload/) — CVE-2026-2942 is a CVSS 9.8 critical unauthenticated arbitrary file upload in the WordPress ProSolution WP Client plugin — full technical breakdown, PoC, and remediation.
- [CVE-2026-4003: CVSS 9.8 Privilege Escalation in Users Manager PN](https://hurayraiit.com/blog/cve-2026-4003-wordpress-users-manager-pn-privilege-escalation/) — CVE-2026-4003 is a CVSS 9.8 critical unauthenticated privilege escalation in the WordPress Users Manager PN plugin — full technical breakdown, PoC, and remediation.
- [CVE-2025-15488: Unauthenticated Code Injection in Responsive Plus](https://hurayraiit.com/blog/cve-2025-15488-unauthenticated-code-injection-responsive-plus/) — CVE-2025-15488 (CVSS 9.8): Unauthenticated arbitrary shortcode execution in Responsive Plus – attackers can run any shortcode on vulnerable WooCommerce sites.
- [CVE-2026-1233: Hardcoded MySQL Credentials in TTS Plugin](https://hurayraiit.com/blog/cve-2026-1233-text-to-speech-tts-hardcoded-credentials/) — CVE-2026-1233 is a CVSS 7.5 (High) vulnerability in the Text to Speech – TTSWP WordPress plugin where double Base64-encoded MySQL credentials were hardcoded in the plugin source, granting any unauthenticated attacker direct access to the vendor's telemetry database.
- [axios Supply Chain Attack: Malicious Versions Deploy a RAT](https://hurayraiit.com/blog/npm-supply-chain-attack-axios-malicious-versions-1-14-1-and-0-30-4/) — On March 31, 2026, two malicious axios versions were published to npm via a hijacked maintainer account. Here's what happened, how the malware works, and what to do now.
- [CVE-2026-5130: Debugger & Troubleshooter Unauthenticated Account Takeover](https://hurayraiit.com/blog/cve-2026-5130-debugger-troubleshooter-account-takeover/) — CVE-2026-5130 (CVSS 8.8): unauthenticated privilege escalation in Debugger & Troubleshooter WordPress plugin via cookie manipulation. Full site takeover.
- [CVE-2026-4267: Unauthenticated Reflected XSS in Query Monitor Plugin](https://hurayraiit.com/blog/cve-2026-4267-reflected-xss-in-query-monitor/) — CVE-2026-4267: CVSS 7.2 Reflected XSS in Query Monitor (≤ 3.20.3) allows unauthenticated attackers to execute scripts in privileged WordPress sessions.
- [CVE-2026-4257: SSTI to RCE in Contact Form by Supsystic](https://hurayraiit.com/blog/cve-2026-4257-contact-form-by-supsystic-ssti-rce/) — CVE-2026-4257 is a CVSS 9.8 critical unauthenticated Server-Side Template Injection vulnerability in the Contact Form by Supsystic WordPress plugin — full technical breakdown, PoC, and remediation.
- [CVE-2026-4987: Unauthenticated Payment Bypass in SureForms](https://hurayraiit.com/blog/cve-2026-4987-unauthenticated-payment-bypass-in-sureforms/) — CVE-2026-4987 is a CVSS 7.5 (High) unauthenticated payment amount validation bypass in SureForms (<= 2.5.2). Attackers can create Stripe payment intents at any arbitrary price by setting form_id to 0, bypassing all configured amount validation.
- [CVE-2026-3584: Kali Forms Unauthenticated RCE & Admin Takeover](https://hurayraiit.com/blog/cve-2026-3584-kali-forms-unauthenticated-rce-admin-takeover/) — CVE-2026-3584 (CVSS 9.8 Critical) lets any unauthenticated attacker call wp_set_auth_cookie(1) via Kali Forms <= 2.4.9 and take over the WordPress admin account in a single HTTP request.
- [CVE-2026-1357: Unauthenticated RCE in WPvivid Backup Plugin (CVSS 9.8)](https://hurayraiit.com/blog/cve-2026-1357-unauthenticated-rce-wpvivid-backup/) — CVE-2026-1357 (CVSS 9.8): Unauthenticated file upload in WPvivid Backup <= 0.9.123 enables Remote Code Execution via RSA decryption failure and path traversal.
- [CVE-2026-27384: Unauthenticated RCE in W3 Total Cache](https://hurayraiit.com/blog/cve-2026-27384-w3-total-cache-unauthenticated-rce/) — CVE-2026-27384 is a CVSS 9.8 unauthenticated RCE in W3 Total Cache (<= 2.9.1). No account needed — attackers execute PHP via mfunc eval() injection.
- [CVE-2026-23550: CVSS 10 Privilege Escalation in Modular DS](https://hurayraiit.com/blog/cve-2026-23550-critical-privilege-escalation-in-wordpress-modular-ds-plugin-cvss-10/) — CVE-2026-23550: CVSS 10.0 unauthenticated privilege escalation in WordPress Modular DS plugin — zero-day analysis, impact assessment, and response steps.
- [CVE-2025-12352: Arbitrary File Upload in Gravity Forms](https://hurayraiit.com/blog/cve-2025-12352-arbitrary-file-upload-in-gravity-forms/) — CVE-2025-12352 is a CVSS 9.8 Critical unauthenticated arbitrary file upload vulnerability in Gravity Forms (≤ 2.9.20) enabling remote code execution.
- [CVE-2025-12493: Local PHP File Inclusion in ShopLentor](https://hurayraiit.com/blog/cve-2025-12493-local-php-file-inclusion-in-shoplentor/) — CVE-2025-12493: CVSS 9.8 unauthenticated local PHP file inclusion in ShopLentor <= 3.2.5 lets attackers execute arbitrary PHP code on the server.
- [CVE-2025-11749: Privilege Escalation in AI Engine Plugin](https://hurayraiit.com/blog/cve-2025-11749-privilege-escalation-ai-engine/) — CVE-2025-11749 (CVSS 9.8): AI Engine <= 3.1.3 exposes MCP bearer token via REST API discovery, allowing unauthenticated privilege escalation to administrator.
- [CVE-2025-13597: Arbitrary File Upload in AI Feeds Plugin](https://hurayraiit.com/blog/cve-2025-13597-arbitrary-file-upload-in-ai-feeds/) — CVE-2025-13597 is a CVSS 9.8 Critical unauthenticated arbitrary file upload vulnerability in the AI Feeds WordPress plugin <= 1.0.11 that allows attackers to overwrite plugin files and achieve remote code execution.
- [CVE-2025-11457: Privilege Escalation in EasyCommerce Plugin](https://hurayraiit.com/blog/cve-2025-11457-privilege-escalation-in-easycommerce-plugin/) — CVE-2025-11457: CVSS 9.8 privilege escalation in EasyCommerce (≤ 1.8.2) lets unauthenticated attackers create WordPress administrator accounts.
- [WordPress Bug Bounty: Best Resources for Security Researchers](https://hurayraiit.com/blog/wordpress-bug-bounty-resources/) — Essential WordPress bug bounty resources for beginners and researchers — Patchstack, Wordfence, VDP programs, leaderboards, and guidelines all in one place.
- [CVE-2025-49844: RediShell Redis Lua Sandbox Escape Explained](https://hurayraiit.com/blog/redishell-cve-2025-49844-the-redis-lua-sandbox-escape-vulnerability/) — RediShell (CVE-2025-49844) explained — how a 13-year-old use-after-free bug in Redis's Lua scripting enables full remote code execution by escaping the sandbox.
- [CVE-2025-58246: My Contribution to WordPress 6.8.3 Security](https://hurayraiit.com/blog/my-contribution-to-wordpress-6-8-3-security-release-cve-2025-58246/) — CVE-2025-58246: How I discovered and responsibly disclosed a sensitive data exposure vulnerability that was patched in the WordPress 6.8.3 security release.
- [Cloudflare Outage: How a React Bug Caused a Thundering Herd](https://hurayraiit.com/blog/how-a-tiny-react-bug-triggered-a-thundering-herd-lessons-from-cloudflares-sept-12-outage/) — How a React useEffect bug in Cloudflare's dashboard triggered a thundering herd on September 12, 2025 — a detailed case study on cascading API failures.
- [The Alarming State of Data Security in Bangladesh's Medical and Government Services](https://hurayraiit.com/blog/medical-data-security-bangladesh/) — The alarming state of data security on Bangladesh's medical and government portals: real examples and analysis of directory listing and API exposure.

## sqa

- [Cloudinary AI Skill for SQA: Auto-Upload Screenshots Explained](https://hurayraiit.com/blog/cloudinary-ai-skill-for-sqa-engineers/) — AI skills are reusable, portable instruction sets that extend what an AI agent can do. I built a Cloudinary uploader skill that's changed how I attach visual evidence to bug reports and GitHub issues.
- [What Is WCAG? Web Accessibility Guidelines Explained](https://hurayraiit.com/blog/what-is-wcag/) — What is WCAG? A plain-language guide to Web Content Accessibility Guidelines — who created them, why they matter, and how they make the web usable for everyone.
- [A Tester's Guide to Letter Cases](https://hurayraiit.com/blog/a-testers-guide-to-letter-cases/) — A practical guide to letter cases for testers and developers — camelCase, PascalCase, snake_case, kebab-case, and more, explained with clear examples.
- [What Is Stochasticity? A Plain-English Explanation](https://hurayraiit.com/blog/what-is-stochasticity/) — What is stochasticity? Understand controlled randomness in software, how it differs from pure randomness, and why it matters for test automation and security.
- [7 Software Testing Principles Every SQA Engineer Should Know](https://hurayraiit.com/blog/7-software-testing-principles-for-sqa/) — Learn the 7 core software testing principles every SQA engineer must know, with practical examples and insights aligned with the ISTQB CTFL 4.0 syllabus.
- [SQA Career in WordPress: A Complete Ecosystem Guide](https://hurayraiit.com/blog/sqa-career-wordpress/) — Discover why WordPress product companies are a hidden blue ocean for SQA engineers in Bangladesh and globally, with curated company lists to apply to.
- [SQA & DevOps Job Circulars: Updated Collection [2026]](https://hurayraiit.com/blog/sqa-job-circular-collection/) — A growing collection of SQA and DevOps job circulars from Bangladesh and global companies — archived with requirements to help testers prepare and apply.
- [ISTQB Certification Journey: Tech X Webinar Full Recap](https://hurayraiit.com/blog/tech-x-webinar-istqb-the-full-journey/) — Summary and key takeaways from the Tech X Webinar on ISTQB certification — covering the full journey from Foundation Level to Expert, held December 13, 2025.
- [Essential RSS Feeds for QA & DevOps Engineers [2026]](https://hurayraiit.com/blog/essential-rss-feeds-qa-devops-testing-trends/) — Hand-picked RSS feeds for QA engineers and DevOps professionals — stay current on Playwright, Cypress, security testing, CI/CD, and automation trends.
- [Free SMTP Options for SQA & Automation Engineers [2026]](https://hurayraiit.com/blog/free-smtp-guide-for-sqa-and-automation/) — The best free SMTP options for SQA and automation engineers — no credit card required, reliable for testing email flows in WordPress, Laravel, and API projects.
- [FileMock for SQA Engineers: File Upload Testing Made Easy](https://hurayraiit.com/blog/filemock-for-sqa-engineers/) — FileMock is a free browser-based tool for generating test files of any format and size — the perfect time-saver for QA engineers who need mock files instantly.
- [Smart Job Application Strategies for SQA Engineers](https://hurayraiit.com/blog/smart-job-application-strategies-for-sqa-engineers/) — Practical job application tips for SQA engineers — from applying early and tailoring your CV to avoiding common mistakes that cost you interview calls.
- [BAQC Volunteer Formation Meeting: Notes & Key Decisions](https://hurayraiit.com/blog/baqc-volunteer-formation-meeting-notes/) — Notes from BAQC's volunteer formation meeting — goals, structure, and responsibilities for building Bangladesh's first dedicated SQA community.
- [What Is Sanity Testing? A Beginner’s Friendly Guide](https://hurayraiit.com/blog/what-is-sanity-testing-a-beginners-friendly-guide/) — What is sanity testing? A beginner-friendly guide — when to run it, what to check, how it differs from regression testing, and why it speeds up QA cycles.
- [BAQC SQA Community Meetup: Key Highlights & Takeaways](https://hurayraiit.com/blog/baqc-sqa-community-meetup-summary/) — Summary of the BAQC SQA community meetup in Dhaka — insights on building a lasting QA community, hiring practices, and volunteer responsibilities shared.
- [WPDeveloper SQA Job Circulars: Previous Openings Archive](https://hurayraiit.com/blog/previous-sqa-job-circulars-wpdeveloper/) — Real SQA job circulars from WPDeveloper — review actual requirements for Junior Test Engineer and xCloud SQA roles to sharpen your skills and CV for the market.
- [3 Powerful AI Prompts for WordPress SQA Engineers](https://hurayraiit.com/blog/3-ai-prompts-for-sqa-engineers-wordpress/) — Three ready-to-use AI prompts for WordPress SQA engineers covering security review, manual test case generation, and end-to-end automation strategy.
- [Binary Search in Practice: Finding Hikmah's User Count](https://hurayraiit.com/blog/using-binary-search-to-find-hikmah-user-count/) — An interesting real-world application of binary search — using it to uncover the hidden user count of the Hikmah social media platform through smart probing.
- [Vibium - টেস্ট অটোমেশনের নতুন টুল?](https://hurayraiit.com/blog/vibium-new-test-automation-tool/) — Vibium হলো Selenium-এর প্রতিষ্ঠাতার নতুন AI-নেটিভ টেস্ট অটোমেশন ফ্রেমওয়ার্ক — প্লেইন ইংলিশে টেস্ট লেখার সুবিধা ও সেলফ-হিলিং ফিচার নিয়ে বিস্তারিত। - [Playwright for Beginners: Setting Up Your First Project](https://hurayraiit.com/blog/playwright-for-beginners-setting-up-your-first-project/) — Set up your first Playwright project from scratch — a beginner-friendly guide covering installation, project structure, and connecting to GitHub for CI. - [A/B Testing for Beginners: What It Is & How It Works](https://hurayraiit.com/blog/beginners-guide-to-ab-testing/) — A beginner’s guide to A/B testing — learn how to compare two versions of a webpage or UI element using real user data to make better, evidence-based decisions. - [White Box vs Black Box Testing: A Complete Tester's Guide](https://hurayraiit.com/blog/white-box-vs-black-box-testing/) — White box vs black box testing explained — key differences, when to use each approach, who performs them, and how they complement each other in SQA practice. ## technology - [AI Writes the Code Now. What Happens To QA?](https://hurayraiit.com/blog/ai-writes-the-code-what-happens-to-qa/) — AI tools can build working software in hours. That makes coding faster — but it makes testing more critical than ever. Here is what that means for QA engineers. ## wordpress - [WordPress Action and Filter Hooks: A Developer's Guide](https://hurayraiit.com/blog/understanding-wordpress-action-and-filter-hooks/) — A clear, practical guide to WordPress action and filter hooks — understand how add_action() and add_filter() work with PHP examples for plugin and theme dev. - [What Is WordPress? A Complete Beginner's Guide [2026]](https://hurayraiit.com/blog/so-what-is-wordpress/) — A plain-English introduction to WordPress — what it is, the difference between WordPress.com and WordPress.org, and how to get started building your first site. 
- [CSS Combinators Explained: Types, Syntax & Use Cases](https://hurayraiit.com/blog/css-combinators/) — Learn all four CSS combinators — descendant, child, adjacent sibling, and general sibling — with clear examples to style elements based on their relationships. - [tag_escape() in WordPress: Secure HTML Escaping Guide](https://hurayraiit.com/blog/tag-escape-wordpress-function/) — Learn how WordPress's tag_escape() function works, when to use it over esc_html(), and how it keeps HTML tag names secure from injection in themes and plugins. - [CVE-2025-58196: XSS in WordPress UiCore Elements Plugin](https://hurayraiit.com/blog/cve-2025-58196-wordpress-uicore-elements-xss-vulnerability/) — CVE-2025-58196: Stored XSS in WordPress UiCore Elements via the Accordion widget, affecting 40,000+ sites — full vulnerability disclosure and patch information. - [CVE-2025-55715: Sensitive Info Exposure Affecting 300K+ Sites](https://hurayraiit.com/blog/cve-2025-55715-high-risk-sensitive-information-exposure-affecting-300000-websites/) — CVE-2025-55715: Unauthenticated sensitive data exposure in WordPress Otter Blocks plugin affecting 300,000+ websites — full disclosure and remediation guide. - [CVE-2025-54708: Stored XSS in WordPress B-Blocks Plugin](https://hurayraiit.com/blog/cve-2025-54708-xss-vulnerability-in-wordpress-b-blocks-plugin/) — CVE-2025-54708: Stored XSS in the WordPress B-Blocks plugin (up to v2.0.5) — discovery, impact analysis, responsible disclosure, and the security patch summary. - [Escaping vs. 
Sanitization in WordPress: A Developer’s Guide](https://hurayraiit.com/blog/escaping-vs-sanitization-in-wordpress-a-developers-guide/) — “Understand the difference between escaping and sanitization in WordPress — when to use each, practical PHP examples, and how both prevent XSS vulnerabilities.” - [WordPress Security: My July 2025 CVE Contribution Recap](https://hurayraiit.com/blog/my-july-2025-contribution-to-wordpress-security/) — In July 2025, I reported 22 vulnerabilities across 21 WordPress plugins via Patchstack bug bounty, ranking 7th globally. Here is the full monthly summary. - [Check WordPress Plugin Compatibility with wp-since on xCloud](https://hurayraiit.com/blog/how-to-check-wordpress-plugin-compatibility-with-wp-since-on-xcloud/) — Step-by-step guide to using wp-since on xCloud to check WordPress plugin compatibility — scan plugins for outdated functions, classes, and hooks via SSH. - [10 Common WordPress Mistakes to Avoid (Beginner’s FAQ Guide)](https://hurayraiit.com/blog/10-common-wordpress-mistakes-to-avoid-beginners-faq-guide/) — Avoid the 10 most common WordPress mistakes beginners make — from weak passwords and skipping updates to plugin overload and poor backups. FAQ-style guide. ## xcloud - [Custom Winter Theme for Disabled Sites on xCloud [Tutorial]](https://hurayraiit.com/blog/adding-a-custom-winter-vibe-to-my-disabled-sites-on-xcloud/) — How I used Gemini AI to generate a custom winter-themed HTML template for disabled xCloud sites, replacing the dull default maintenance page.