Wordfence Research and News

Blog icon
Category: Research

WordPress Security Research Series: WordPress Request Architecture and Hooks

Welcome to Part 1 of the WordPress Security Research Beginner Series!

3 More Plugins Infected in WordPress.org Supply Chain Attack Due to Compromised Developer Passwords

Update #1: As of 12:36PM EST, another plugin has been infected.

An Inside Look at The Malware and Techniques Used in the WordPress.org Supply Chain Attack

On Monday June 24th, 2024 the Wordfence Threat Intelligence team was made aware of the presence of malware in the Social Warfare repository plugin (see post Supply Chain Attack on WordPress.org Plugins Leads to 5 Maliciously Compromised WordPress Plugins).

Developer Accounts Compromised Due to Credential Reuse in WordPress.org Supply Chain Attack

On June 24th, 2024, the Wordfence Threat Intelligence Team became aware of a WordPress plugin, Social Warfare, that was infected with malware through the WordPress repository.

Supply Chain Attack on WordPress.org Plugins Leads to 5 Maliciously Compromised WordPress Plugins

On Monday June 24th, 2024 the Wordfence Threat Intelligence team became aware of a plugin, Social Warfare, that was injected with malicious code on June 22, 2024 based on a forum post by the WordPress.org Plugin Review team.

40,000 WordPress Sites affected by Vulnerability That Leads to Privilege Escalation in Login/Signup Popup WordPress Plugin

On May 17th, 2024 we received a submission for an Arbitrary Options Update vulnerability in Login/Signup Popup, a WordPress plugin with more than 40,000 active installations.

30,000 WordPress Sites affected by Arbitrary SQL Execution Vulnerability Patched in Visualizer WordPress Plugin

30,000 WordPress Sites affected by Arbitrary SQL Execution Vulnerability Patched in Visualizer WordPress Plugin

$563 Bounty Awarded for Reflected Cross-Site Scripting Vulnerability Patched in Yoast SEO WordPress Plugin

🎉 Did you know we’re running a Bug Bounty Extravaganza again?

$197 Bounty Awarded for Unauthenticated Arbitrary Post Deletion Vulnerability Patched in LeadConnector WordPress Plugin

🎉 Did you know we’re running a Bug Bounty Extravaganza again?

$493 Bounty Awarded for Arbitrary Options Update Vulnerability Patched in WP Datepicker WordPress Plugin

🎉 Did you know we’re running a Bug Bounty Extravaganza again?