Wordfence Research and News

Category: Vulnerabilities

Cross-Site Scripting Vulnerabilities in Elementor Impact Over 7 Million Sites

On February 23, 2021, the Wordfence Threat Intelligence team responsibly disclosed a set of stored Cross-Site Scripting vulnerabilities in Elementor, a WordPress plugin which “is now actively installed and used on more than 7M websites” according to a recent announcement on the Elementor blog.

Several Vulnerabilities Patched in Tutor LMS Plugin

On December 15, 2020, our Threat Intelligence team responsibly disclosed several vulnerabilities in Tutor LMS, a WordPress plugin installed on over 20,000 sites.

Critical 0-day in The Plus Addons for Elementor Allows Site Takeover

UPDATE 2: As of late March 9th, 2021, the vulnerabilities have been fully patched in version 4.1.7.

Critical Vulnerability Patched in WooCommerce Upload Files

On December 29, 2020, the Wordfence Threat Intelligence team was alerted to a potential 0-day vulnerability in the WooCommerce Upload Files plugin, an add-on for WooCommerce with over 5,000 installations.

Medium Severity Vulnerability Patched in User Profile Picture Plugin

On February 15, 2021, our Threat Intelligence team initiated the responsible disclosure process for a vulnerability that we discovered in User Profile Picture, a WordPress plugin installed on over 60,000 sites.

One Million Sites Affected: Four Severe Vulnerabilities Patched in Ninja Forms

On January 20, 2021, our Threat Intelligence team responsibly disclosed four vulnerabilities in Ninja Forms, a WordPress plugin used by over one million sites.

Multiple Vulnerabilities Patched in Responsive Menu Plugin

On December 17, 2020, our Threat Intelligence team responsibly disclosed three vulnerabilities in Responsive Menu, a WordPress plugin installed on over 100,000 sites.

Severe Vulnerabilities Patched in NextGen Gallery Affect over 800,000 WordPress Sites

On December 14, 2020, the Wordfence Threat Intelligence team finished researching two Cross-Site Request Forgery (CSRF) vulnerabilities in NextGen Gallery, a WordPress plugin with over 800,000 installations, including a critical severity vulnerability that could lead to Remote Code Execution (RCE) and Stored Cross-Site Scripting (XSS).

Uncovering Potential Issues with the Contact Form 7 Vulnerability: More Data Needed

Update: The Proof of Concept posted on exploit-db has been removed since the publication of this article.

Multiple Vulnerabilities Patched in Orbit Fox by ThemeIsle Plugin

On November 19, 2020, our Threat Intelligence team responsibly disclosed two vulnerabilities in Orbit Fox by ThemeIsle, a WordPress plugin used by over 400,000 sites.