Wordfence Research and News

Blog icon
Category: Research

Two Vulnerabilities Patched in Facebook for WordPress Plugin

On December 22, 2020, our Threat Intelligence team responsibly disclosed a vulnerability in Facebook for WordPress, formerly known as Official Facebook Pixel, a WordPress plugin installed on over 500,000 sites.

Recently Patched Vulnerability in Thrive Themes Actively Exploited in the Wild

On March 23, 2021, the Wordfence Threat Intelligence Team discovered two recently patched vulnerabilities being actively exploited in Thrive Theme’s “Legacy” Themes and Thrive Theme plugins that were chained together to allow unauthenticated attackers to upload arbitrary files on vulnerable WordPress sites.

Cross-Site Scripting Vulnerabilities in Elementor Impact Over 7 Million Sites

On February 23, 2021, the Wordfence Threat Intelligence team responsibly disclosed a set of stored Cross-Site Scripting vulnerabilities in Elementor, a WordPress plugin which “is now actively installed and used on more than 7M websites” according to a recent announcement on the Elementor blog.

Several Vulnerabilities Patched in Tutor LMS Plugin

On December 15, 2020, our Threat Intelligence team responsibly disclosed several vulnerabilities in Tutor LMS, a WordPress plugin installed on over 20,000 sites.

Critical 0-day in The Plus Addons for Elementor Allows Site Takeover

UPDATE 2: As of late March 9th, 2021, the vulnerabilities have been fully patched in version 4.1.7.
Critical Vulnerability Patched in WooCommerce Upload Files Featured Image

Critical Vulnerability Patched in WooCommerce Upload Files

On December 29, 2020, the Wordfence Threat Intelligence team was alerted to a potential 0-day vulnerability in the WooCommerce Upload Files plugin, an add-on for WooCommerce with over 5,000 installations.

Medium Severity Vulnerability Patched in User Profile Picture Plugin

On February 15, 2021, our Threat Intelligence team initiated the responsible disclosure process for a vulnerability that we discovered in User Profile Picture, a WordPress plugin installed on over 60,000 sites.

One Million Sites Affected: Four Severe Vulnerabilities Patched in Ninja Forms

On January 20, 2021, our Threat Intelligence team responsibly disclosed four vulnerabilities in Ninja Forms, a WordPress plugin used by over one million sites.

Multiple Vulnerabilities Patched in Responsive Menu Plugin

On December 17, 2020, our Threat Intelligence team responsibly disclosed three vulnerabilities in Responsive Menu, a WordPress plugin installed on over 100,000 sites.
Severe Vulnerabilities Patched in Nextgen Gallery Feature Image

Severe Vulnerabilities Patched in NextGen Gallery Affect over 800,000 WordPress Sites

On December 14, 2020, the Wordfence Threat Intelligence team finished researching two Cross-Site Request Forgery (CSRF) vulnerabilities in NextGen Gallery, a WordPress plugin with over 800,000 installations, including a critical severity vulnerability that could lead to Remote Code Execution(RCE) and Stored Cross-Site Scripting(XSS).
  • Ask Wordfence
  • General Security
  • Holiday
  • Learning
  • Long Read
  • Miscellaneous
  • Monthly Attack Activity Report
  • Podcasts
  • PSA
  • Research
  • SEO
  • Threat Research
  • Uncategorized
  • Videos
  • Vulnerabilities
  • Wordfence
  • Wordfence CLI
  • Wordfence Intelligence
  • WordPress Security

    • Breaking WordPress Security Research in your inbox as it happens.

    Example of a news story

    This site uses cookies in accordance with our Privacy Policy.