📢 Calling all Vulnerability Researchers and Bug Bounty Hunters! 📢 🚀  Operation: Maximum Impact Challenge! Now through November 10, 2025, earn 2X bounty rewards for all in-scope submissions in software with at least 5,000 active installs and fewer than 5 million active installs. Bounties up to $31,200 per vulnerability. Submit bold. Earn big! 📁 The …Read More

On June 8th, 2025, we received a submission through our Bug Bounty Program for an Authentication Bypass vulnerability in Service Finder Bookings, a WordPress plugin bundled with the Service Finder theme. This theme has been sold to approximately 6,000 customers. This vulnerability makes it possible for an unauthenticated attacker to gain access to any account on a site including accounts with the ‘administrator’ role.

Learn how to find LFI vulnerabilities in WordPress plugins and themes and earn cash bounties through the Wordfence Bug Bounty Program.

📢 Calling all Vulnerability Researchers and Bug Bounty Hunters! 📢 🚀  Operation: Maximum Impact Challenge! Now through November 10, 2025, earn 2X bounty rewards for all in-scope submissions in software with at least 5,000 active installs and fewer than 5 million active installs. Bounties up to $31,200 per vulnerability. Submit bold. Earn big! 📁 The …Read More

📢 Calling all Vulnerability Researchers and Bug Bounty Hunters! 📢 🚀  Operation: Maximum Impact Challenge! Now through November 10, 2025, earn 2X bounty rewards for all in-scope submissions in software with at least 5,000 active installs and fewer than 5 million active installs. Bounties up to $31,200 per vulnerability. Submit bold. Earn big! Last week, …Read More

Last month in August 2025, the Wordfence Bug Bounty Program received 438 vulnerability submissions from our growing community of security researchers working to improve the overall security posture of the WordPress ecosystem. These submissions are reviewed, triaged, and processed by the Wordfence Threat Intelligence team, with validated vulnerabilities responsibly disclosed to vendors, often through the Wordfence Vulnerability Management Portal – a free service for all WordPress vendors, and protected through the Wordfence Firewall where appropriate.

📢 Calling all Vulnerability Researchers and Bug Bounty Hunters! 📢 🚀  Operation: Maximum Impact Challenge! Now through November 10, 2025, earn 2X bounty rewards for all in-scope submissions in software with at least 5,000 active installs and fewer than 5 million active installs. Bounties up to $31,200 per vulnerability. Submit bold. Earn big! 💉 Participate in …Read More

On May 31st, 2025, we received a submission for an Authentication Bypass via Social Login vulnerability in Case Theme User, a WordPress plugin with an estimated 12,000 active installations. The plugin is bundled in multiple premium themes. This vulnerability makes it possible for an unauthenticated attacker to gain access to any account on a site including accounts used to administer the site, if the attacker knows, or can find, the associated email address. The vendor released the patched version on August 13th, 2025, and we originally disclosed this vulnerability on August 22nd, 2025. Our records indicate that attackers started exploiting the issue the next day on August 23rd, 2025. The Wordfence Firewall has already blocked over 20,900 exploit attempts targeting this vulnerability.

📢 Calling all Vulnerability Researchers and Bug Bounty Hunters! 📢 🚀  Operation: Maximum Impact Challenge! Now through November 10, 2025, earn 2X bounty rewards for all in-scope submissions in software with at least 5,000 active installs and fewer than 5 million active installs. Bounties up to $31,200 per vulnerability. Submit bold. Earn big! 💉 Participate in …Read More

The Wordfence Threat Intelligence Team has discovered a new malware campaign that highlights the hidden risks associated with “nulled plugins”, or premium plugins that have been tampered with by third parties. This campaign is particularly concerning because it doesn’t just infect websites: it enables attackers to bypass existing security defenses while achieving persistent access, effectively turning developers or site owners into unwitting collaborators in weakening their own site’s defences.

On August 17th, 2025, we received a submission for an authenticated PHP Object Injection vulnerability in Fluent Forms, a WordPress plugin with more than 600,000 active installations. This vulnerability can be leveraged via an existing POP chain present in the plugin to read arbitrary files on the server, which may contain sensitive information.

📢 Calling all Vulnerability Researchers and Bug Bounty Hunters! 📢 🌞 Spring into Summer with Wordfence! Now through September 4, 2025, earn 2X bounty rewards for all in-scope submissions from our ‘High Threat’ list in software with fewer than 5 million active installs. Bounties up to $31,200 per vulnerability. Submit bold. Earn big! 💉 Participate in …Read More

📢 Calling all Vulnerability Researchers and Bug Bounty Hunters! 📢 🌞 Spring into Summer with Wordfence! Now through September 4, 2025, earn 2X bounty rewards for all in-scope submissions from our ‘High Threat’ list in software with fewer than 5 million active installs. Bounties up to $31,200 per vulnerability. Submit bold. Earn big! 💉 Participate in …Read More

On June 5th, 2025, we received a submission for a Privilege Escalation vulnerability in Dokan Pro, a WordPress plugin with more than 15,000 sales. This vulnerability makes it possible for an authenticated attacker, with vendor-level permission, to change the password of any user, including an administrator, which allows them to take over the account and the website.

Last month in July 2025, the Wordfence Bug Bounty Program received 325 vulnerability submissions from our growing community of security researchers working to improve the overall security posture of the WordPress ecosystem. These submissions are reviewed, triaged, and processed by the Wordfence Threat Intelligence team, with validated vulnerabilities responsibly disclosed to vendors, often through the Wordfence Vulnerability Management Portal, and protected through the Wordfence Firewall where appropriate.

📢 Calling all Vulnerability Researchers and Bug Bounty Hunters! 📢 🌞 Spring into Summer with Wordfence! Now through September 4, 2025, earn 2X bounty rewards for all in-scope submissions from our ‘High Threat’ list in software with fewer than 5 million active installs. Bounties up to $31,200 per vulnerability. Submit bold. Earn big! 💉 Participate in …Read More

📢 Calling all Vulnerability Researchers and Bug Bounty Hunters! 📢 🌞 Spring into Summer with Wordfence! Now through September 4, 2025, earn 2X bounty rewards for all in-scope submissions from our ‘High Threat’ list in software with fewer than 5 million active installs. Bounties up to $31,200 per vulnerability. Submit bold. Earn big! 💉 Participate in …Read More

On June 13th, 2025, we received a submission for an Arbitrary File Read vulnerability in UiCore Elements, a WordPress plugin with more than 40,000 active installations. This vulnerability makes it possible for an unauthenticated attacker to read arbitrary files on the server, which can contain sensitive information. During the disclosure process, our investigation revealed that the vulnerability leveraged an underlying issue in Elementor’s import functionality.

Claude Code stormed onto the programming scene when Anthropic launched it in February of this year. It moved, what Andrej Karpathy has called “The Autonomy Slider” from around a three to a solid eight. What this means is that you can give Claude Code direction, it will come up with a plan to accomplish the desired outcome, and it will run for an extended period, taking multiple steps, evaluating it’s own decision making, and course correcting along the way, until it has accomplished the goal.

Last week, there were 107 vulnerabilities disclosed in 91 WordPress Plugins and 8 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 43 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

SQL Injection (SQLi), a vulnerability almost as old as database-driven web applications themselves (CWE-89), persists as a classic example of failing to neutralize user-supplied input before it’s used in a SQL query. So why does this well-understood vulnerability type continue to exist?
In the WordPress space, the WordPress core development team has made a number of database functions available via its API. These functions abstract away all the common use-cases for database queries and intend to do so in a way that prevents SQL injection vulnerabilities from being introduced by the developer.

From now through September 22, 2025, we’re running our SQLsplorer Challenge, focused on SQL Injection vulnerabilities. During this challenge, we’re expanding the scope of the Wordfence Bug Bounty Program to encourage deeper research into SQL Injection vulnerabilities and broader participation from researchers looking to get started, and we’re adding a 20% bounty bonus for all …Read More

📢 Calling all Vulnerability Researchers and Bug Bounty Hunters! 📢 🌞 Spring into Summer with Wordfence! Now through August 4, 2025, earn 2X bounty rewards for all in-scope submissions from our ‘High Threat’ list in software with fewer than 5 million active installs. Bounties up to $31,200 per vulnerability. Submit bold. Earn big! Last week, …Read More

On July 18th, 2025, we received a submission for an Arbitrary File Upload vulnerability in AI Engine, a WordPress plugin with more than 100,000 active installations. This vulnerability can be used by authenticated attackers, with subscriber-level access and above, to upload arbitrary files to a vulnerable site and achieve remote code execution, which is typically leveraged for a complete site takeover. Please note that this vulnerability only critically affects users who have enabled the “Public API” option in the settings, which is disabled by default, and have not configured authentication for the API.

On May 30th, 2025, we received a submission for an Arbitrary File Upload via Plugin Installation vulnerability in Alone, a WordPress theme with more than 9,000 sales. This vulnerability makes it possible for an unauthenticated attacker to upload arbitrary files to a vulnerable site and achieve remote code execution, which is typically leveraged for a complete site takeover. The vendor released the patched version on June 16th, 2025, and we publicly disclosed this vulnerability on July 14th, 2025. Our records indicate that attackers started exploiting the issue on July 12th, 2025, before we disclosed the vulnerability. The Wordfence Firewall has already blocked over 120,900 exploit attempts targeting this vulnerability.

On June 24th, 2025, we received a submission for an Arbitrary File Upload and an Arbitrary File Deletion vulnerability in HT Contact Form, a WordPress plugin with more than 10,000 active installations. The arbitrary file upload vulnerability can be used by unauthenticated attackers to upload arbitrary files to a vulnerable site and achieve remote code execution, which is typically leveraged for a complete site takeover. The arbitrary file deletion vulnerability can be used by unauthenticated attackers to delete arbitrary files, including the wp-config.php file, which can also make a site takeover possible.

📢 Calling all Vulnerability Researchers and Bug Bounty Hunters! 📢 🌞 Spring into Summer with Wordfence! Now through August 4, 2025, earn 2X bounty rewards for all in-scope submissions from our ‘High Threat’ list in software with fewer than 5 million active installs. Bounties up to $31,200 per vulnerability. Submit bold. Earn big! Last week, …Read More

📢 Calling all Vulnerability Researchers and Bug Bounty Hunters! 📢 🌞 Spring into Summer with Wordfence! Now through August 4, 2025, earn 2X bounty rewards for all in-scope submissions from our ‘High Threat’ list in software with fewer than 5 million active installs. Bounties up to $31,200 per vulnerability. Submit bold. Earn big! Last week, …Read More

📢 Calling all Vulnerability Researchers and Bug Bounty Hunters! 📢 🌞 Spring into Summer with Wordfence! Now through August 4, 2025, earn 2X bounty rewards for all in-scope submissions from our ‘High Threat’ list in software with fewer than 5 million active installs. Bounties up to $31,200 per vulnerability. Submit bold. Earn big! Last week, …Read More

On June 21st, 2025, we received a submission for an Arbitrary File Deletion vulnerability in SureForms, a WordPress plugin with more than 200,000 active installations. This vulnerability makes it possible for unauthenticated threat actors to specify arbitrary file paths in a form submission, and the file will be deleted when the submission is deleted. It can be leveraged to delete critical files like wp-config.php, which can lead to remote code execution.