Attackers Actively Exploiting Critical Vulnerability in Everest Forms Pro Plugin

On March 30th, 2026, we publicly disclosed a critical Remote Code Execution vulnerability in Everest Forms Pro, a WordPress plugin with an estimated 4,000 active installations. This vulnerability can be leveraged by unauthenticated attackers to execute arbitrary PHP code on the server, leading to...

Wordfence Bug Bounty Program Monthly Report – March 2026

In March 2026, the Wordfence Bug Bounty Program received 1718 vulnerability submissions from our growing community of security researchers working to improve the overall security posture of the WordPress ecosystem. These submissions are reviewed, triaged, and processed by the Wordfence Threat...

1,000,000 WordPress Sites Affected by Arbitrary File Read and SQL Injection Vulnerabilities in Avada Builder WordPress Plugin

On March 21st, 2026, we received a submission for an Arbitrary File Read and an SQL Injection vulnerability in Avada Builder, a WordPress plugin with an estimated 1,000,000 active installations. The arbitrary file read vulnerability can be used by authenticated attackers, with subscriber-level...

Attackers Actively Exploiting Critical Vulnerability in Ninja Forms – File Upload Plugin

On April 6th, 2026, we publicly disclosed a critical Arbitrary File Upload vulnerability in Ninja Forms – File Upload, a WordPress plugin with an estimated 50,000 active installations. This vulnerability can be leveraged by unauthenticated attackers to upload arbitrary files, including PHP...

Wordfence Intelligence Weekly WordPress Vulnerability Report (April 6, 2026 to April 12, 2026)

Last week, there were 157 vulnerabilities disclosed in 141 WordPress Plugins and 23 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 79 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilitie...

WordPress Optimole plugin <= 4.2.3 - Reflected Cross-Site Scripting via Page Profiler URL vulnerability

Reflected Cross-Site Scripting via Page Profiler URL vulnerability discovered by WordFence in WordPress Plugin Optimole versions = 4.2.3...

WordPress Quick Playground plugin <= 1.3.1 - Missing Authorization to Unauthenticated Arbitrary File Upload vulnerability

Missing Authorization to Unauthenticated Arbitrary File Upload vulnerability discovered by WordFence in WordPress Plugin Quick Playground versions = 1.3.1...

WordPress Ultimate FAQ Accordion Plugin plugin <= 2.4.7 - Authenticated (Author+) Stored Cross-Site Scripting via FAQ Content vulnerability

Authenticated Author+ Stored Cross-Site Scripting via FAQ Content vulnerability discovered by WordFence in WordPress Plugin Ultimate FAQ versions = 2.4.7...

WordPress WPFunnels plugin <= 3.7.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpf_optin_form' Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'wpfoptinform' Shortcode vulnerability discovered by Paolo Tresso - Wordfence in WordPress Plugin WPFunnels versions = 3.7.9...

Wordfence Bug Bounty Program Monthly Report – February 2026

Last month in February 2026, the Wordfence Bug Bounty Program received 1078 vulnerability submissions from our growing community of security researchers working to improve the overall security posture of the WordPress ecosystem. These submissions are reviewed, triaged, and processed by the...

Wordfence Intelligence Weekly WordPress Vulnerability Report (March 2, 2026 to March 8, 2026)

Last week, there were 199 vulnerabilities disclosed in 84 WordPress Plugins and 107 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 59 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilitie...

400,000 WordPress Sites Affected by Unauthenticated SQL Injection Vulnerability in Ally WordPress Plugin

On February 4th, 2026, we received a submission for an SQL Injection vulnerability in Ally, a WordPress plugin estimated to have more than 400,000 active installations. This vulnerability can be leveraged to extract sensitive data from the database, such as password hashes. Props to Drew Webber...

PT-2026-24548

Name of the Vulnerable Software and Affected Versions The Ally – Web Accessibility & Usability plugin for WordPress versions prior to 4.1.0 Description The Ally – Web Accessibility & Usability plugin for WordPress is susceptible to SQL Injection through the URL path. This occurs because of...

WordPress ProfileGrid plugin <= 5.9.8.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Message Deletion vulnerability

Missing Authorization to Authenticated Subscriber+ Arbitrary Message Deletion vulnerability discovered by WordFence in WordPress Plugin ProfileGrid versions = 5.9.8.1...

WordPress Stock Ticker plugin <= 3.26.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via Template vulnerability

Authenticated Administrator+ Stored Cross-Site Scripting via Template vulnerability discovered by WordFence in WordPress Plugin Stock Ticker versions = 3.26.1...

WordPress Greenshift - animation and page builder blocks plugin <= 12.8.5 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

WordPress Greenshift - animation and page builder blocks plugin = 12.8.5 - Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by WordFence in WordPress Plugin Greenshift versions = 12.8.5...

Wordfence Intelligence Weekly WordPress Vulnerability Report (February 23, 2026 to March 1, 2026)

Triple Threat Bug Bounty Challenge Hunt High Threat vulnerabilities and earn triple the incentives! Now through April 6, 2026 , earn three stacked bonuses on all valid submissions from our 'High Threat Vulnerabilities' list: 2x all high threat vulnerability bounties excluding 5,000,000+ installs...

WordPress PostX plugin <= 5.0.8 - Authenticated (Administrator+) Server-Side Request Forgery via REST API Endpoints vulnerability

Authenticated Administrator+ Server-Side Request Forgery via REST API Endpoints vulnerability discovered by WordFence in WordPress Plugin PostX versions = 5.0.8...

Wordfence Intelligence Weekly WordPress Vulnerability Report (February 16, 2026 to February 22, 2026)

Triple Threat Bug Bounty Challenge Hunt High Threat vulnerabilities and earn triple the incentives! Now through April 6, 2026 , earn three stacked bonuses on all valid submissions from our 'High Threat Vulnerabilities' list: 2x all high threat vulnerability bounties excluding 5,000,000+ installs...

WordPress OVRI Payment plugin 1.7.0 - Malicious .htaccess directive vulnerability

Malicious .htaccess directive vulnerability discovered by Marco Wotschka - Wordfence in WordPress Plugin OVRI Payment versions 1.7.0...