WoW Hotfix: Addon Changes & Exploit Fixes – Update Guide for Authors
Blizzard Entertainment announced late Friday it will implement a hotfix to World of Warcraft to address exploits discovered ahead of the opening of Mythic raids and Mythic+ dungeons this week. The changes, communicated through the official WoWUI Discord server, are expected to disrupt some player-created addons and may require immediate updates from addon authors.
The company acknowledged the timing of the hotfix is disruptive, stating, “We recognize that some of these changes are going to be disruptive and require last-second changes to your addons, and we sincerely apologize for them coming in so late.” Blizzard is closely monitoring reports of functionality impacted by the changes, particularly concerning action bar and cooldown tracking addons.
The core of the update targets security vulnerabilities related to how addons interact with game data. Specifically, Blizzard is removing the “secure delegate” portion of the ActionButton_ApplyCooldown function. New Application Programming Interfaces (APIs) are being introduced to replace the functionality, though the transition may necessitate revisions to existing addons.
According to Blizzard’s technical notes, the hotfix also restricts the ability of addons to configure cooldown frames using secret values through several functions, including SetCooldown, SetCooldownFromExpirationTime, SetCooldownDuration, and SetCooldownUNIX. The only remaining method for configuring cooldowns with secret values will be SetCooldownFromDurationObject.
Further changes include modifications to how action and spell cooldowns are reported. Previously secret information, such as whether a cooldown is enabled and its maximum charges, will now be accessible without security restrictions. A new isActive boolean field has been added to indicate when the user interface should display a cooldown, and duration objects will be returned even when a cooldown is not active. The company is also updating Loss of Control (LoC) cooldown APIs, renaming functions with an “Info” suffix and introducing a structured table format for returned data.
Beyond cooldowns, Blizzard is tightening restrictions on string formatting to prevent the circumvention of security measures. The UnitCreatureID API will now return nil when unit identity is secret, and certain script object methods will also return nil if secret aspects are assigned. The use of whisper macros has been limited to three per second, and they are now prohibited during encounters. Several C_UnitAuras APIs will be unavailable while in combat.
The changes come as players prepare for the start of the new season in World of Warcraft: Midnight. Addon developers are now racing to update their creations to comply with the new restrictions, and Blizzard has requested players be understanding during the process. CurseForge and WoWInterface, popular repositories for World of Warcraft addons, are likely to see a surge in update activity in the coming days, according to information available on those sites.
