Wordfence Research and News

Blog icon

Easily Exploitable Critical Vulnerabilities Patched in ProfilePress Plugin

On May 27, 2021, the Wordfence Threat Intelligence team initiated the responsible disclosure process for several vulnerabilities that were discovered in ProfilePress, formerly WP User Avatar, a WordPress plugin installed on over 400,000 sites.

High Severity Vulnerability Patched in WooCommerce Stock Manager Plugin

On May 21, 2021, the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability that we discovered in WooCommerce Stock Manager, a WordPress plugin installed on over 30,000 sites.

Wordfence is now a CVE Numbering Authority (CNA)

Today, we are excited to announce that Wordfence is authorized by the Common Vulnerabilities and Exposures (CVE®) Program as a CNA, or CVE Numbering Authority.

Severe Vulnerabilities Patched in Simple 301 Redirects by BetterLinks Plugin

On April 8, 2021, the Wordfence Threat Intelligence team initiated the responsible disclosure process for several vulnerabilities discovered in Simple 301 Redirects by BetterLinks, a WordPress plugin installed on over 300,000 sites.

Critical Vulnerability Patched in External Media Plugin

On February 2, 2021, our Threat Intelligence team responsibly disclosed the details of a vulnerability in External Media, a WordPress plugin used by over 8,000 sites.

Severe Unpatched Vulnerabilities Leads to Closure of Store Locator Plus Plugin

On March 5, 2021, the Wordfence Threat Intelligence team wrapped up an investigation that led to the discovery of a privilege escalation vulnerability along with several additional vulnerabilities in Store Locator Plus, a WordPress plugin installed on over 9,000 sites.

PSA: Remove Kaswara Modern WPBakery Page Builder Addons Plugin Immediately

Today, April 21, 2021, the Wordfence Threat Intelligence team became aware of a critical 0-day vulnerability that is being actively exploited in Kaswara Modern WPBakery Page Builder Addons, a premium plugin that we estimate has over 10,000 installations.

Severe Vulnerabilities Patched in Redirection for Contact Form 7 Plugin

On February 11, 2021, our Threat Intelligence team responsibly disclosed several vulnerabilities in Redirection for Contact Form 7, a WordPress plugin used by over 200,000 sites.

Ten Password Mistakes That Could Get Your WordPress Site Hacked

A few months ago on Wordfence Live, we reviewed some of the worst website hacks we’ve ever seen.

PHP Compromised: What WordPress Users Need to Know

Late Sunday night, on March 28, 2021, Nikita Popov, a core PHP committer, released a statement indicating that two malicious commits had been pushed to the php-src git repository.