wordfence.com

50,000 WordPress Sites Affected by Privilege Escalation Vulnerability in Uncanny Automator WordPress Plugin

On March 5th, 2025, we received a submission for an Arbitrary File Upload vulnerability in Uncanny Automator, a WordPress plugin with more than 50,000 active installations. This vulnerability can be used by authenticated attackers, with subscriber-level access and above, to grant themselves administrative privileges by updating the user role.

wordfence.com

20,000 WordPress Sites Affected by Arbitrary File Upload and Deletion Vulnerabilities in WP Ultimate CSV Importer WordPress Plugin

On March 5th, 2025, we received a submission for an Arbitrary File Upload and an Arbitrary File Deletion vulnerability in WP Ultimate CSV Importer, a WordPress plugin with more than 20,000 active installations. The arbitrary file upload vulnerability can be used by authenticated attackers, with subscriber-level access and above, to upload arbitrary files to a vulnerable site and achieve remote code execution, which is typically leveraged for a complete site takeover. The arbitrary file deletion vulnerability can be used by authenticated attackers to delete arbitrary files, including the wp-config.php file, which can also make a site takeover possible.

wordfence.com

Wordfence Intelligence Weekly WordPress Vulnerability Report (March 10, 2025 to March 16, 2025)

Last week, there were 147 vulnerabilities disclosed in 125 WordPress Plugins and 7 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 47 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

wordfence.com

Use Genuine Wordfence and Stay Secure, Stay Supported, and Avoid Malware, Vulnerabilities and Backdoors

Use Genuine Wordfence and Stay Secure, Stay Supported, and Avoid Malware, Vulnerabilities and Backdoors – Genuine Wordfence is only available on Wordfence.com or from the WordPress Plugin Repository. Given our popularity and excellent reputation, there are unfortunately quite a few nulled or counterfeit versions of Wordfence, and plugins that modify Wordfence in the wild.

wordfence.com

Creative SVG File Upload to Local File Inclusion Vulnerability Affecting 90,000 Sites Patched in Jupiter X Core WordPress Plugin

On January 6th, 2025, we received a submission for an SVG Upload to Local File Inclusion vulnerability in Jupiter X Core, a WordPress plugin with more than 90,000 active installations. This vulnerability makes it possible for an authenticated attacker, with contributor privileges or higher, to upload SVG files to a vulnerable site with malicious content and then include it, and achieve remote code execution.

wordfence.com

30,000 WordPress Sites Affected by Arbitrary File Upload Vulnerability in Security & Malware scan by CleanTalk WordPress Plugin

On December 7th, 2024, we received a submission for an Arbitrary File Upload vulnerability in Security & Malware scan by CleanTalk, a WordPress plugin with more than 30,000 active installations. This vulnerability makes it possible for an unauthenticated attacker to upload arbitrary files to a vulnerable site and achieve remote code execution.

wordfence.com

Wordfence Intelligence Weekly WordPress Vulnerability Report (December 16, 2024 to January 5, 2025)

📢 Did you know Wordfence runs a Bug Bounty Program for all WordPress plugin and themes at no cost to vendors? Researchers can earn up to $31,200 per vulnerability, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest. Special …Read More

wordfence.com

Wordfence Intelligence Weekly WordPress Vulnerability Report (December 9, 2024 to December 15, 2024)

💥 Time to wrap up this year and kick-off the new year with a bang! We’re wrapping up the year with our End of Year Holiday Extravaganza, High-Risk Bonus Blitz Challenge, and Superhero Challenge for the Wordfence Bug Bounty Program. Through January 6th, 2025: All in-scope vulnerability types for WordPress plugins/themes with >= 1,000 active installations are in-scope for ALL …Read More

wordfence.com

Wordfence Intelligence Weekly WordPress Vulnerability Report (December 2, 2024 to December 8, 2024)

💥 Time to wrap up this year and kick-off the new year with a bang! We’re wrapping up the year with our End of Year Holiday Extravaganza, High-Risk Bonus Blitz Challenge, and Superhero Challenge for the Wordfence Bug Bounty Program. Through January 6th, 2025: All in-scope vulnerability types for WordPress plugins/themes with >= 1,000 active installations are in-scope for ALL …Read More

wordfence.com

6,000,000 WordPress Sites Protected Against Payment Refund and Subscription Cancellation Vulnerability in WPForms WordPress Plugin

On October 23th, 2024, we received a submission for a Missing Authorization to Payment Refund and Subscription Cancellation vulnerability in WPForms, a WordPress plugin with more than 6,000,000 active installations. This vulnerability makes it possible for an authenticated attacker, with subscriber-level access and above, to refund Stripe payments and cancel Stripe subscriptions.

wordfence.com

Wordfence Intelligence Weekly WordPress Vulnerability Report (November 25, 2024 to December 1, 2024)

💥 Time to wrap up this year and kick-off the new year with a bang! We’re wrapping up the year with our End of Year Holiday Extravaganza, High-Risk Bonus Blitz Challenge, and Superhero Challenge for the Wordfence Bug Bounty Program. Through January 6th, 2025: All in-scope vulnerability types for WordPress plugins/themes with >= 1,000 active installations are in-scope for ALL …Read More

wordfence.com

Wordfence Intelligence Weekly WordPress Vulnerability Report (November 18, 2024 to November 24, 2024)

🦸 💥 Calling all superheroes and hunters! Introducing the End of Year Holiday Extravaganza and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program! Through December 9th, 2024: All in-scope vulnerability types for WordPress plugins/themes with >= 1,000 active installations are in-scope for ALL researchers All plugins and themes with 50-999 active installs hosted in …Read More

wordfence.com

Wordfence Intelligence Weekly WordPress Vulnerability Report (November 11, 2024 to November 17, 2024)

🦸 💥 Calling all superheroes and hunters! Introducing the End of Year Holiday Extravaganza and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program! Through December 9th, 2024: All in-scope vulnerability types for WordPress plugins/themes with >= 1,000 active installations are in-scope for ALL researchers All plugins and themes with 50-999 active installs hosted in …Read More

wordfence.com

Wordfence Intelligence Weekly WordPress Vulnerability Report (November 4, 2024 to November 10, 2024)

🦸 💥 Calling all superheroes and hunters! Introducing the End of Year Holiday Extravaganza and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program! Through December 9th, 2024: All in-scope vulnerability types for WordPress plugins/themes with >= 1,000 active installations are in-scope for ALL researchers All plugins and themes with 50-999 active installs hosted in …Read More