Wordfence Research and News

Blog icon
Category: WordPress Security

Entering a Higher State of Vigilance – Ukraine Under Attack

It appears that Russia has just commenced the invasion of Ukraine.

Reflected XSS in Header Footer Code Manager

On February 15, 2022, the Wordfence Threat Intelligence team responsibly disclosed a reflected Cross-Site Scripting (XSS) vulnerability in Header Footer Code Manager, a WordPress plugin with over 300,000 installations.
Post title on red background

Vulnerability in UpdraftPlus Allowed Subscribers to Download Sensitive Backups

Update: a previous version of this article indicated that an attacker would need to begin their attack when a backup was in progress, and would need to guess the appropriate timestamp to download a backup.

Reflected Cross-Site Scripting Vulnerability Patched in WordPress Profile Builder Plugin

On January 4, 2022 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “Profile Builder – User Profile & User Registration Forms”, a WordPress plugin that is installed on over 50,000 WordPress websites.

Unauthenticated SQL Injection Vulnerability Patched in WordPress Statistics Plugin

On February 7, 2022, Security Researcher Cyku Hong from DEVCORE reported a vulnerability to us that they discovered in WP Statistics, a WordPress plugin installed on over 600,000 sites.

Critical Vulnerabilities in PHP Everywhere Allow Remote Code Execution

On January 4, 2022, the Wordfence Threat Intelligence team began the responsible disclosure process for several Remote Code Execution vulnerabilities in PHP Everywhere, a WordPress plugin installed on over 30,000 websites.

Announcing Wordfence Care and Wordfence Response

Today I’m incredibly excited to announce that we are launching two new products: Wordfence Care and Wordfence Response.

Unauthenticated XSS Vulnerability Patched in HTML Email Template Designer Plugin

On December 23, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “WordPress Email Template Designer – WP HTML Mail”, a WordPress plugin that is installed on over 20,000 sites.

84,000 WordPress Sites Affected by Three Plugins With The Same Vulnerability

On November 5, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “Login/Signup Popup”, a WordPress plugin that is installed on over 20,000 sites.
title text on emoji wearing mask

WordPress 5.8.3 Security Release

On January 6, 2022, the WordPress core team released WordPress version 5.8.3, which contains security patches for 4 high-severity vulnerabilities.
  • Ask Wordfence
  • General Security
  • Holiday
  • Learning
  • Long Read
  • Miscellaneous
  • Monthly Attack Activity Report
  • Podcasts
  • PSA
  • Research
  • SEO
  • Threat Research
  • Uncategorized
  • Videos
  • Vulnerabilities
  • Wordfence
  • Wordfence CLI
  • Wordfence Intelligence
  • WordPress Security

    • Breaking WordPress Security Research in your inbox as it happens.

    Example of a news story

    This site uses cookies in accordance with our Privacy Policy.