522 matches found
Wordfence Intelligence Weekly WordPress Vulnerability Report (December 15, 2025 to January 4, 2026)
Did you know Wordfence runs aBug Bounty Program for all WordPress plugin and themes at no cost to vendors? Researchers can earn up to $31,200 per vulnerability , for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we...
82,000 WordPress Sites Affected by Arbitrary File Upload Vulnerability in TheGem WordPress Theme
📢In case you missed it, Wordfence just published itsannual WordPress security report for 2024. Read it now to learn more about the evolving risk landscape of WordPress so you can keep your sites protected in 2025 and beyond. On May 4th, 2025, we received a submission for an Arbitrary File Upload...
6,000,000 WordPress Sites Protected Against Payment Refund and Subscription Cancellation Vulnerability in WPForms WordPress Plugin
💥 Time to wrap up this year and kick-off the new year with a bang! We’re wrapping up the year with ourEnd of Year Holiday Extravaganza , High-Risk Bonus Blitz Challenge , and Superhero Challenge for the Wordfence Bug Bounty Program. Through January 6th, 2025: All in-scope vulnerability types for...
30,000 WordPress Sites affected by Arbitrary SQL Execution Vulnerability Patched in Visualizer WordPress Plugin
🎉 Did you know were running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure! On April 10th, 2024, during our second Bug Bounty Extravaganza, w...
$400 Bounty Awarded for SQL Injection Vulnerability Patched in WP Activity Log Premium WordPress Plugin
🎉 Did you know were running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure! On February 24th, 2024, during our second Bug Bounty Extravaganza...
$1,313 Bounty Awarded for Privilege Escalation Vulnerability Patched in Academy LMS WordPress Plugin
Did you know were running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through February 29th, 2024 when you opt to have Wordfence handle responsible disclosure! On February 14th, 2024, during our second Bug Bounty...
Holiday Attack Spikes Target Ancient Vulnerabilities and Hidden Webshells
Winter brings a number of holidays in a short period of time, and many organizations shut down or run a skeleton crew for a week or more at the end of the year and beginning of the new year. This makes it easier for would-be attackers to find success as systems are not as closely monitored. This...
Unauthenticated SQL Injection Vulnerability Patched in WordPress Statistics Plugin
On February 7, 2022, Security Researcher Cyku Hong from DEVCORE reported a vulnerability to us that they discovered in WP Statistics, a WordPress plugin installed on over 600,000 sites. This vulnerability made it possible for unauthenticated attackers to execute arbitrary SQL queries by appending...
XSS Vulnerability in NextScripts: Social Networks Auto-Poster Plugin Impacts 100,000 Sites
Note: To receive disclosures like this in your inbox the moment they’re published, you can subscribe to our WordPress Security Mailing List. On August 19, 2021, the Wordfence Threat Intelligence team began the disclosure process for a reflected Cross-Site ScriptingXSS vulnerability we found in...
Wordfence Intelligence Weekly WordPress Vulnerability Report (July 28, 2025 to August 3, 2025)
Calling all Vulnerability Researchers and Bug Bounty Hunters! Spring into Summer with Wordfence! Now through September 4, 2025, earn 2X bounty rewards forall in-scope submissions from our 'High Threat' list in software with fewer than 5 million active installs. Bounties up to $31,200 per...
Developer Accounts Compromised Due to Credential Reuse in WordPress.org Supply Chain Attack
On June 24th, 2024, the Wordfence Threat Intelligence Team became aware of a WordPress plugin, Social Warfare, that was infected with malware through the WordPress repository. Upon further investigation, our team quickly identified 4 additional affected plugins through our internal Threat...
Local File Inclusion Vulnerability Patched in Shield Security WordPress Plugin
On December 18, 2023, right before the end of Holiday Bug Extravaganza, we received a submission for a Local File Inclusion vulnerability in Shield Security, a WordPress plugin with more than 50,000+ active installations. It’s important to note that this vulnerability is limited to just the...
PSA: Critical POP Chain Allowing Remote Code Execution Patched in WordPress 6.4.2
WordPress 6.4.2 was released today, on December 6, 2023. It includes a patch for a POP chain introduced in version 6.4 that, combined with a separate Object Injection vulnerability, could result in a Critical-Severity vulnerability allowing attackers to execute arbitrary PHP code on the site. We...
WPDeveloper Addresses Privilege Escalation Vulnerability in ReviewX WordPress Plugin
On May 20, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for a Privilege Escalation vulnerability in WPDeveloper’s ReviewX plugin, which is actively installed on more than 10,000 WordPress websites. This vulnerability makes it possible for an...
Eleven Vulnerabilities Patched in Royal Elementor Addons
On December 23, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for a set of 11 vulnerabilities in Royal Elementor Addons, a WordPress plugin with over 100,000 installations. The plugin developers responded on December 26, and we sent over the full...
Wordfence Intelligence Launching at Black Hat 2022 in Las Vegas Next Week
Wordfence protects over 4 million websites around the world on 12,000 unique networks, and we block over 1.8 billion attacks targeting those websites every month. For years we have had a relationship with our customers that is a virtuous cycle: We receive attack reports from our customers at a ra...
Cross-Site Request Forgery Vulnerability Patched in Ecwid Ecommerce Shopping Cart Plugin
On June 24, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for a Cross-Site Request Forgery vulnerability we discovered in Ecwid Ecommerce Shopping Cart, a WordPress plugin installed on over 30,000 sites. This vulnerability made it possible for attackers...
PHP Object Injection Vulnerability in Booking Calendar Plugin
On April 18, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for an Object Injection vulnerability in the Booking Calendar plugin for WordPress, which has over 60,000 installations. We received a response the same day and sent over our full disclosure ear...
84,000 WordPress Sites Affected by Three Plugins With The Same Vulnerability
On November 5, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “Login/Signup Popup”, a WordPress plugin that is installed on over 20,000 sites. A few days later we discovered the same vulnerability present in two...
Wordfence Intelligence Weekly WordPress Vulnerability Report (May 25, 2026 to May 31, 2026)
Last week, there were 277 vulnerabilities disclosed in 184 WordPress Plugins and 70 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 93 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilitie...
100,000 WordPress Sites Affected by Arbitrary File Upload, Read and Deletion Vulnerability in Everest Forms WordPress Plugin
📢Did you know Wordfence runs aBug Bounty Program for all WordPress plugins and themes at no cost to vendors? Researchers can earn up to $31,200 per vulnerability , for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we...
90,000 WordPress Sites Affected by Arbitrary File Upload and Authentication Bypass Vulnerabilities in Jupiter X Core WordPress Plugin
📢 Did you know Wordfence runs aBug Bounty Program for all WordPress plugins and themes at no cost to vendors? Through October 7th, 2024, XSS vulnerabilities in all plugins and themes with =1,000 Active Installs are in scope for all researchers. In addition, through October 14th, 2024 , r esearche...
Over 40,000 WordPress Sites Affected by Privilege Escalation Vulnerability Patched in Post Grid and Gutenberg Blocks Plugin
📢 Did you know Wordfence runs aBug Bounty Program for all WordPress plugins and themes at no cost to vendors? Through October 7th, 2024, XSS vulnerabilities in all plugins and themes with =1,000 Active Installs are in scope for all researchers. In addition, through October 14th, 2024 , r esearche...
$1,900 Bounty Awarded for Arbitrary Options Update Vulnerability Patched in Cookie Information | Free GDPR Consent Solution WordPress Plugin
On December 11th, 2023, during our Holiday Bug Extravaganza, we received a submission for an Arbitrary Options Update vulnerability in Cookie Information | Free GDPR Consent Solution, a WordPress plugin with more than 100,000+ active installations. This vulnerability could be used by authenticate...
Exploiting WordPress Plugin Vulnerabilities to Steal AWS Metadata
In an ideal world, vulnerabilities would not exist. A request would be sent to a server, properly validated, and only the intended information would be provided by the server. Of course, this is not a perfect world, and vulnerabilities can be introduced unintentionally, or even found due to...
PSA: Sudden Increase In Attacks On Modern WPBakery Page Builder Addons Vulnerability
The Wordfence Threat Intelligence team has been monitoring a sudden increase in attack attempts targeting Kaswara Modern WPBakery Page Builder Addons. This ongoing campaign is attempting to take advantage of an arbitrary file upload vulnerability, tracked as CVE-2021-24284, which has been...
GoDaddy Breach Widens to tsoHost, Media Temple, 123Reg, Domain Factory, Heart Internet, and Host Europe
Yesterday GoDaddy disclosed a massive data breach impacting over 1.2 Million customers. Today, we received confirmation from GoDaddy that multiple brands that resell GoDaddy Managed WordPress were impacted. The brands impacted include: tsoHost Media Temple 123Reg Domain Factory Heart Internet Hos...
Wordfence Intelligence Weekly WordPress Vulnerability Report (January 12, 2026 to January 18, 2026)
Did you know Wordfence runs aBug Bounty Program for all WordPress plugin and themes at no cost to vendors? Researchers can earn up to $31,200 per vulnerability , for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we...
400,000 WordPress Sites Affected by Account Takeover Vulnerability in Post SMTP WordPress Plugin
On October 11th, 2025, we received a submission for an Account Takeover via Email Log Disclosure vulnerability in Post SMTP, a WordPress plugin with more than 400,000 active installations. This vulnerability makes it possible for an unauthenticated attacker to view email logs, including password...
Wordfence Intelligence Weekly WordPress Vulnerability Report (September 15, 2025 to September 21, 2025)
Calling all Vulnerability Researchers and Bug Bounty Hunters! Operation: Maximum Impact Challenge ! Now through November 10, 2025, earn 2X bounty rewards forall in-scope submissions in software with at least 5,000 active installs and fewer than 5 million active installs. Bounties up to $31,200 pe...
Wordfence Intelligence Weekly WordPress Vulnerability Report (July 14, 2025 to July 20, 2025)
Calling all Vulnerability Researchers and Bug Bounty Hunters! Spring into Summer with Wordfence! Now through August 4, 2025, earn 2X bounty rewards forall in-scope submissions from our 'High Threat' list in software with fewer than 5 million active installs. Bounties up to $31,200 per...
10,000 WordPress Sites Affected by High Severity Vulnerabilities in BookingPress WordPress Plugin
On July 2nd, 2024, during the 0-day Threat Hunt Promo of our Bug Bounty Program, we received a submission for an Arbitrary File Read to Arbitrary File Creation vulnerability in BookingPress, a WordPress plugin with over 10,000 active installations. This vulnerability makes it possible for...
Record Breaking $153,000+ Already Invested into the Security of the WordPress Ecosystem by Wordfence – More to Come!
Did you know were running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure! In just a few short months since our launch in November of last yea...
Announcing Vulnerability Scanning in Wordfence CLI 2.0.1 “Voodoo Child”
Note: If youre a WordPress user, we recommend the Wordfence Security Plugin which provides a robust and complete set of security controls for WordPress websites. If you host WordPress servers and need high performance malware and vulnerability scanning on the command line, read on! Our mission at...
PSA: Critical Vulnerability Patched in Ninja Forms WordPress Plugin
On June 16, 2022, the Wordfence Threat Intelligence team noticed a back-ported security update in Ninja Forms, a WordPress plugin with over one million active installations. As with all security updates in WordPress plugins and themes, our team analyzed the plugin to determine the exploitability...
Critical Authentication Bypass Vulnerability Patched in SiteGround Security Plugin
On March 10, 2022 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “SiteGround Security”, a WordPress plugin that is installed on over 400,000 sites. This flaw makes it possible for attackers to gain administrative user acces...
200,000 WordPress Sites Affected by Arbitrary File Deletion Vulnerability in Perfmatters WordPress Plugin
On March 1st, 2026, we received a submission for an Arbitrary File Deletion vulnerability in Perfmatters, a WordPress plugin with more than 200,000 active installations. This vulnerability makes it possible for unauthenticated threat actors to delete arbitrary files, including the wp-config.php...
Wordfence Intelligence Weekly WordPress Vulnerability Report (October 27, 2025 to November 2, 2025)
Calling all Vulnerability Researchers and Bug Bounty Hunters! Operation: Maximum Impact Challenge ! Now through November 10, 2025, earn 2X bounty rewards forall in-scope submissions in software with at least 5,000 active installs and fewer than 5 million active installs. Bounties up to $31,200 pe...
Creative SVG File Upload to Local File Inclusion Vulnerability Affecting 90,000 Sites Patched in Jupiter X Core WordPress Plugin
📢Did you know Wordfence runs aBug Bounty Program for all WordPress plugins and themes at no cost to vendors? Researchers can earn up to $31,200 per vulnerability , for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we...
40,000 WordPress Sites affected by Vulnerability That Leads to Privilege Escalation in Login/Signup Popup WordPress Plugin
📢 Did you know Wordfence runs a Bug Bounty Program for all WordPress plugin and themes at no cost to vendors? Researchers can earn up to $10,400, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the...
$197 Bounty Awarded for Unauthenticated Arbitrary Post Deletion Vulnerability Patched in LeadConnector WordPress Plugin
🎉 Did you know were running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure! On February 8th, 2024, during our Bug Bounty Extravaganza, we...
Unauthenticated Stored Cross-Site Scripting Vulnerability Patched in WP-Members Membership Plugin – $500 Bounty Awarded
Did you know were running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure! On February 21st, 2024, during our second Bug Bounty Extravaganza, ...
W3 Eden Addresses Authenticated Stored XSS Vulnerability in Download Manager WordPress Plugin
On April 25, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for a stored Cross-Site Scripting XSS vulnerability in W3 Eden’s Download Manager plugin, which is actively installed on more than 100,000 WordPress websites, making it one of the mos...
WordPress Core 6.0.2 Security & Maintenance Release – What You Need to Know
On August 30, 2022, the WordPress core team released WordPress version 6.0.2, which contains patches for 3 vulnerabilities, including a High Severity SQLi vulnerability in the Links functionality as well as two Medium Severity Cross-Site Scripting vulnerabilities. These patches have been backport...
Entering a Higher State of Vigilance – Ukraine Under Attack
It appears that Russia has just commenced the invasion of Ukraine. Check your preferred international news outlet, but according to the Ukrainian foreign minister "Putin has just launched a full-scale invasion of Ukraine." Ukrainian airspace is closed with flights diverting. The Twitter Safety...
PHP_SELFish Part 2 – Reflected XSS in Easy Social Icons
Today’s post is part two of a two part blog post. It describes a cross site scripting vulnerability in the Easy Social Icons plugin that exploits the PHPSELF variable. In yesterday’s post, we described another plugin, underConstruction, suffering from a similar vulnerability related to the use of...
XSS Vulnerability Patched in SEOPress Affects 100,000 sites
On July 29, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability that we discovered in SEOPress, a WordPress plugin installed on over 100,000 sites. This flaw made it possible for an attacker to inject arbitrary web scripts on a vulnerable...
Wordfence Intelligence Weekly WordPress Vulnerability Report (December 1, 2025 to December 7, 2025)
Last week, there were 190 vulnerabilities disclosed in 173 WordPress Plugins and 2 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 59 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities...
28,000 WordPress Sites Affected by Arbitrary File Read and Deletion Vulnerability in WPLMS WordPress Theme
🦸 👻 Calling all superheroes and haunters! Introducing theCybersecurity Month Spooktacular Haunt and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program! Through November 11th, 2024: All in-scope vulnerability types for WordPress plugins/themes with = 1,000 active installations...
Announcing The Wordfence Audit Log: Off-Site Real-Time Security Event Logging for WordPress
Today the Wordfence team is proud to announce an exciting new feature: The Wordfence Audit Log, included in the Wordfence 8.0 release. The audit log captures and stores security-related events on your website as they happen, and sends them securely to an off-site location to protect them from...