522 matches found
Wordfence CLI 2.1.0 Adds Email Capability and Unattended Configuration
Note: This post refers to Wordfence CLI, the command line tool for operations teams to rapidly scan large numbers of WordPress websites for vulnerabilities and malware, not the Wordfence plugin which is deeply integrated into WordPress and provides additional functionality, like a firewall,...
Know Your Malware Part Two â Hacky Obfuscation Techniques
In the first post in this series, we covered common PHP encoding techniques and how theyâre used by malware to hide from security analysts and scanners. In todayâs post, weâre going to dive a little bit deeper into other obfuscation techniques that make use of other features available in PHP...
Update Now! Severe Vulnerability Impacting 600,000 Sites Patched in Limit Login Attempts
On January 26, 2023, the Wordfence team responsibly disclosed an unauthenticated stored Cross-Site Scripting vulnerability in Limit Login Attempts, a WordPress plugin installed on over 600,000 sites that provides site owners with the ability to block IP addresses that have made repeated failed...
PSA: Update Now! Critical Authentication Bypass in WooCommerce Payments Allows Site Takeover
This post has been updated with additional information that has become available since its publication The Wordfence Threat Intelligence team regularly monitors plugin updates and reviews any indicating that a potential security issue may have been addressed. Today, March 23, 2023, we noticed tha...
Cross-Site Scripting Vulnerability In Download Manager Plugin
On May 30, 2022, Security Researcher Rafie Muhammad reported a reflected Cross-Site Scripting XSS vulnerability to us that they discovered in Download Manager, a WordPress plugin installed on over 100,000 sites. On request, we assigned a vulnerability identifier of CVE-2022-1985. All Wordfence...
2021 Mid-Year WordPress Security Report: A Collaboration Between Wordfence and WPScan
Wordfence has collaborated with WPScan to conduct a 2021 mid-year review on the state of WordPress security. Using attack data from Wordfenceâs internal threat intelligence platform, and vulnerability data from WPScanâs vulnerability database, we were able to analyze the current trend of attacks ...
Unauthenticated Privilege Escalation Vulnerability Patched in Kirki WordPress Plugin
On May 4th, 2026, we received a submission for an Unauthenticated Privilege Escalation vulnerability in the Kirki WordPress plugin. Although the plugin has more than 500,000 active installations, we estimate that only around 150,000 sites are using a vulnerable version, as the issue was introduce...
Attackers Actively Exploiting Critical Vulnerability in Kali Forms Plugin
On March 2nd, 2026, we received a submission through our Bug Bounty Program for a Remote Code Execution vulnerability in Kali Forms, a WordPress plugin with more than 10,000 active installations. This vulnerability makes it possible for an unauthenticated attacker to execute code on the server. T...
Wordfence Intelligence Weekly WordPress Vulnerability Report (March 9, 2026 to March 15, 2026)
Last week, there were 116 vulnerabilities disclosed in 78 WordPress Plugins and 19 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 66 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities...
Wordfence Intelligence Weekly WordPress Vulnerability Report (November 10, 2025 to November 16, 2025)
Calling all Vulnerability Researchers and Bug Bounty Hunters! The LFInder Challenge:Refine your LFI hunting skills with an expanded scope. Now through November 24, 2025, all LFI vulnerabilities in software with at least 25 active installs are considered in-scope for all researchers, regardless of...
Wordfence Bug Bounty Program Monthly Report â August 2025
Last month in August 2025, the Wordfence Bug Bounty Program received 438 vulnerability submissions from our growing community of security researchers working to improve the overall security posture of the WordPress ecosystem. These submissions are reviewed, triaged, and processed by the Wordfence...
Wordfence Intelligence Weekly WordPress Vulnerability Report (August 25, 2025 to August 31, 2025)
Calling all Vulnerability Researchers and Bug Bounty Hunters! Spring into Summer with Wordfence! Now through September 4, 2025, earn 2X bounty rewards forall in-scope submissions from our 'High Threat' list in software with fewer than 5 million active installs. Bounties up to $31,200 per...
Wordfence Intelligence Weekly WordPress Vulnerability Report (August 4, 2025 to August 10, 2025)
Calling all Vulnerability Researchers and Bug Bounty Hunters! Spring into Summer with Wordfence! Now through September 4, 2025, earn 2X bounty rewards forall in-scope submissions from our 'High Threat' list in software with fewer than 5 million active installs. Bounties up to $31,200 per...
Wordfence Intelligence Weekly WordPress Vulnerability Report (July 7, 2025 to July 13, 2025)
Calling all Vulnerability Researchers and Bug Bounty Hunters! Spring into Summer with Wordfence! Now through August 4, 2025, earn 2X bounty rewards forall in-scope submissions from our 'High Threat' list in software with fewer than 5 million active installs. Bounties up to $31,200 per...
22,000 WordPress Sites Affected by Privilege Escalation Vulnerability in Motors WordPress Theme
đ˘In case you missed it, Wordfence just published itsannual WordPress security report for 2024. Read it now to learn more about the evolving risk landscape of WordPress so you can keep your sites protected in 2025 and beyond. On May 2nd, 2025, we received a submission for a Privilege Escalation...
Wordfence Price Increases Coming December 5th, 2024
We haven't raised our prices in a relatively high inflation environment in 2 years, and in the case of Wordfence Care and Response, for 2.5 years. So that time has come, and we want to let our free and paid user community know ahead of time. Weâre giving you almost a month forewarning before we...
20,000 WordPress Sites Affected by Remote Code Execution Vulnerability in Bit File Manager WordPress Plugin
đ˘ Did you know Wordfence runs a Bug Bounty Program for all WordPress plugin and themes at no cost to vendors? Through October 14th, researchers can earn up to $31,200, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, an...
$3,094 Bounty Awarded and 150,000 WordPress Sites Protected Against Arbitrary File Upload Vulnerability Patched in Modern Events Calendar WordPress Plugin
đ˘ Did you know Wordfence runs a Bug Bounty Program for all WordPress plugin and themes at no cost to vendors? Researchers can earn up to $10,400, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the...
Open-Source Projects Use the Wordfence Vulnerability Data Feed API and You Can Too!
Prior to joining the Wordfence Threat Intelligence team, I spent several years as a vulnerability analyst, responsible for collecting, analyzing, and curating every publicly disclosed vulnerability. This meant collecting vulnerability information from almost a hundred different, disparate sources...
StylemixThemes Addresses Authentication Bypass Vulnerability in BookIt WordPress Plugin
On May 22, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for an Authentication Bypass vulnerability in StylemixThemesâs BookIt plugin, which is actively installed on more than 10,000 WordPress websites. The vulnerability makes it possible for...
PSA: Intentionally Leaving Backdoors in Your Code Can Lead to Fines and Jail Time
In the cybersecurity field, we talk a lot about threat actors and vulnerable code, but what doesnât get discussed enough is intentional vulnerabilities and becoming your own threat actor. Even when making decisions with the best of intentions, it is possible to work against your own best interest...
Wordfence 7.7.0 Is Out! Here Are The Changes
Wordfence 7.7.0 has just been released and as usual, it includes several awesome enhancements and updates for our security conscious WordPress publishers and e-commerce websites. This post goes into a little more detail on each change weve included. We dont usually post additional detail like thi...
Itâs Not You. Itâs Them. On Hacking and Responsible Disclosure.
A story was recently posted to Hacker News celebrating a hack of IoT devices at a school that let a student and their friends rickroll the school via a video system. On the one hand, this guy is my personal hero and I want to be them. But Im a cybersecurity professional, I run a team that has the...
Attackers Actively Exploiting Critical Vulnerability in Ninja Forms â File Upload Plugin
On April 6th, 2026, we publicly disclosed a critical Arbitrary File Upload vulnerability in Ninja Forms â File Upload, a WordPress plugin with an estimated 50,000 active installations. This vulnerability can be leveraged by unauthenticated attackers to upload arbitrary files, including PHP...
800,000 WordPress Sites Affected by Arbitrary File Upload Vulnerability in WPvivid Backup WordPress Plugin
On January 12th, 2026, we received a submission for an Arbitrary File Upload vulnerability in WPvivid Backup, a WordPress plugin with more than 800,000 active installations. This vulnerability can be used by unauthenticated attackers to upload arbitrary files to a vulnerable site and achieve remo...
15,000 WordPress Sites Affected by Arbitrary File Upload Vulnerability in MasterStudy LMS Pro WordPress Plugin
đ˘In case you missed it, Wordfence just published itsannual WordPress security report for 2024. Read it now to learn more about the evolving risk landscape of WordPress so you can keep your sites protected in 2025 and beyond. On May 15th, 2025, we received a submission for an Arbitrary File Upload...
8,000 WordPress Sites affected by Arbitrary File Upload Vulnerability in WP Hotel Booking WordPress Plugin
đ˘ Did you know Wordfence runs aBug Bounty Program for all WordPress plugins and themes at no cost to vendors? Through October 7th, 2024, XSS vulnerabilities in all plugins and themes with =1,000 Active Installs are in scope for all researchers. In addition, through October 14th, 2024 , r esearche...
WordPress 6.5.5 Security Release â What You Need to Know
Did you know Wordfence runs a Bug Bounty Program for all WordPress plugin and themes at no cost to vendors? Researchers can earn up to $10,400, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest...
Wordfence Researcher Featured on Critical Thinking Podcast: Sharing Advanced WordPress Bug Bounty Tips and Tricks
Did you know were running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through February 29th, 2024 when you opt to have Wordfence handle responsible disclosure! Today was another huge step forward in our continuing mission ...
Wordfence Adds Two Factor Auth for WooCommerce Customers
Wordfence 7.9.0 has been released and it includes a very exciting feature for WooCommerce sites and other WordPress sites wanting to make two factor authentication 2fa available to their site users or members. Wordfence 7.9.0 now lets you give your users the ability to configure 2fa on their...
Wordfence Launches Wordfence Intelligence for Hosts and Network Defenders
This morning the Wordfence team is launching Wordfence Intelligence live at Black Hat 2022 in Las Vegas. Our entire team is here in Las Vegas, including our international team members. Id like to tell you more about what were launching and how Wordfence Intelligence will help us go even further t...
Top Five Attacking IPs This Month: Their Locations May Not Be Where You Think
At Wordfence, we see large amounts of threat actor data, and often that data tells unexpected stories. Taking a look at just the top five attacking IP addresses over a 30 day period, you might be surprised to find out where these attacks are originating, and what they are doing. When most people...
Increase In Malware Sightings on GoDaddy Managed Hosting
Today, March 15, 2022, The Wordfence Incident Response team alerted our Threat Intelligence team to an increase in infected websites hosted on GoDaddyâs Managed WordPress service, which includes MediaTemple, tsoHost, 123Reg, Domain Factory, Heart Internet, and Host Europe Managed WordPress sites...
Youâve Found a Vulnerability! Now What? A Guide to Responsible Disclosure.
Information security researchers make a valuable contribution to our online security by finding vulnerabilities and facilitating getting them fixed. Wordfence has been finding and disclosing vulnerabilities in WordPress core, WordPress plugins, and WordPress themes since 2011. Our research has...
Nulled WordPress Plugins â Dangers and Downsides
In our 2020 Threat Report, the Wordfence Threat Intelligence Team identified malware distributed via nulled, pirated, or counterfeit plugins and themes as one of the largest threats facing the WordPress ecosystem. Many site owners are unaware of the risks associated with using nulled plugins, and...
Wordfence Intelligence Weekly WordPress Vulnerability Report (June 8, 2026 to June 14, 2026)
Last week, there were 102 vulnerabilities disclosed in 90 WordPress Plugins and 5 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 68 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities ...
Wordfence Intelligence Weekly WordPress Vulnerability Report (February 23, 2026 to March 1, 2026)
Triple Threat Bug Bounty Challenge Hunt High Threat vulnerabilities and earn triple the incentives! Now through April 6, 2026 , earn three stacked bonuses on all valid submissions from our 'High Threat Vulnerabilities' list: 2x all high threat vulnerability bounties excluding 5,000,000+ installs...
Wordfence Intelligence Weekly WordPress Vulnerability Report (October 6, 2025 to October 12, 2025)
Calling all Vulnerability Researchers and Bug Bounty Hunters! Operation: Maximum Impact Challenge ! Now through November 10, 2025, earn 2X bounty rewards forall in-scope submissions in software with at least 5,000 active installs and fewer than 5 million active installs. Bounties up to $31,200 pe...
50,000 WordPress Sites Affected by PHP Object Injection Vulnerability in Uncanny Automator WordPress Plugin
In case you missed it, Wordfence just published itsannual WordPress security report for 2024. Read it now to learn more about the evolving risk landscape of WordPress so you can keep your sites protected in 2025 and beyond. On April 26th, 2024, we received a submission for an authenticated PHP...
10,000 WordPress Sites Affected by Arbitrary File Read Vulnerability in Eventin WordPress Plugin
đ˘In case you missed it, Wordfence just published itsannual WordPress security report for 2024. Read it now to learn more about the evolving risk landscape of WordPress so you can keep your sites protected in 2025 and beyond. On April 6th, 2025, we received a submission for an Arbitrary File Read...
10,000 WordPress Sites Affected by Arbitrary File Upload Vulnerability in AI Power: Complete AI Pack WordPress Plugin
𦸠đť Calling all superheroes and haunters! Introducing theCybersecurity Month Spooktacular Haunt and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program! Through November 11th, 2024: All in-scope vulnerability types for WordPress plugins/themes with = 1,000 active installations...
7,000 WordPress Sites Affected by Unauthenticated Critical Vulnerabilities in LatePoint WordPress Plugin
𦸠đť Calling all superheroes and haunters! Introducing theCybersecurity Month Spooktacular Haunt and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program! Through November 11th, 2024: All in-scope vulnerability types for WordPress plugins/themes with = 1,000 active installations...
20,000 WordPress Sites Affected by Privilege Escalation Vulnerability in WCFM â WooCommerce Frontend Manager WordPress Plugin
đ˘ Did you know Wordfence runs aBug Bounty Program for all WordPress plugins and themes at no cost to vendors? Through October 7th, 2024, XSS vulnerabilities in all plugins and themes with =1,000 Active Installs are in scope for all researchers. In addition, through October 14th, 2024 , r esearche...
Critical Arbitrary File Deletion Vulnerability in MP3 Audio Player WordPress Plugin Affects Over 20,000 Sites
đ˘ Did you know Wordfence runs aBug Bounty Program for all WordPress plugin and themes at no cost to vendors? Through October 7th, 2024, XSS vulnerabilities in all plugins and themes with =1,000 Active Installs are in scope for all researchers. In addition, through October 14th, 2024 , r esearcher...
The Aftermath of the WordPress.org Supply Chain Attack: New Malware and Techniques Emerge
On Monday June 24th, 2024 the Wordfence Threat Intelligence team was made aware of the presence of malware in the Social Warfare repository plugin. After adding the malicious code to our Threat Intelligence Database and examining it, we discovered additional affected plugins and continued...
Supply Chain Attack on WordPress.org Plugins Leads to 5 Maliciously Compromised WordPress Plugins
On Monday June 24th, 2024 the Wordfence Threat Intelligence team became aware of a plugin, Social Warfare, that was injected with malicious code on June 22, 2024 based on a forum post by the WordPress.org Plugin Review team. We immediately checked the malicious file and uploaded it to our interna...
The 2023 Wordfence Holiday Bug Extravaganza Reaches An Exciting Conclusion!
After an incredibly successful few weeks, the Wordfence Holiday Bug Extravaganza came to a close yesterday. Weâd like to sincerely thank everyone who spent time researching, finding, and submitting vulnerabilities. Your efforts have helped to make the WordPress community and the web safer. Many...
Earn up to $10,000 for Vulnerabilities in WordPress Software â 6X Rewards in the Wordfence Holiday Bug Extravaganza!
At Wordfence our mission is to Secure The Web. WordPress powers over 40% of the Web, and Wordfence secures over 4 million WordPress websites. Today we are announcing that for the next 20 days, Wordfence will be paying out some of the highest bug bounties in the history of WordPress to help find...
Introducing Free Wordfence Intelligence WordPress Vulnerability Webhook Notifications!
Weâre incredibly excited to announce that we have launched a webhook integration for vulnerabilities as part of Wordfence Intelligence, which enables users to stay on top of the latest vulnerabilities being added to the Wordfence Intelligence WordPress Vulnerability database, all completely for...
Wordfence 7.10.0 Released!
Wordfence remains the number one security plugin of choice for website owners serious about protecting their investment and their customers. Our Threat Intelligence team and engineering team stay abreast of the newest threats and ensure that Wordfence is able to protect against them. But keeping ...