wordfence.com

50,000 WordPress Sites Affected by Arbitrary File Upload Vulnerability in Greenshift WordPress Plugin

On April 14th, 2025, we received a submission for an Arbitrary File Upload vulnerability in Greenshift, a WordPress plugin with more than 50,000 active installations. This vulnerability can be used by authenticated attackers, with subscriber-level access and above, to upload arbitrary files to a vulnerable site and achieve remote code execution, which is typically leveraged for a complete site takeover.

wordfence.com

6,000 WordPress Sites Affected by Arbitrary File Move Vulnerability in Drag and Drop Multiple File Upload for WooCommerce WordPress Plugin

On March 28th, 2025, we received a submission for an Arbitrary File Move vulnerability in Drag and Drop Multiple File Upload for WooCommerce, a WordPress plugin with more than 6,000 active installations. This vulnerability makes it possible for unauthenticated threat actors to move arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible.

wordfence.com

100,000 WordPress Sites Affected by Administrative User Creation Vulnerability in SureTriggers WordPress Plugin

On March 13th, 2025, we received a submission for an Unauthenticated Administrative User Creation vulnerability in SureTriggers, a WordPress plugin with more than 100,000 active installations. This vulnerability can be leveraged by attackers to create malicious administrator users when the plugin is not configured with an API key.

wordfence.com

2024 Annual WordPress Security Report by Wordfence

Read the 2024 WordPress Security Report by Wordfence: Despite another record year for disclosed vulnerabilities in 2025, the rising number doesn’t necessarily translate to increased risk for the vast majority of site owners. This article delves into the specifics of the 2024 vulnerabilities published, demonstrating why the heightened disclosure rate shouldn’t be a cause for alarm in the WordPress community.

wordfence.com

50,000 WordPress Sites Affected by Privilege Escalation Vulnerability in Uncanny Automator WordPress Plugin

On March 5th, 2025, we received a submission for an Arbitrary File Upload vulnerability in Uncanny Automator, a WordPress plugin with more than 50,000 active installations. This vulnerability can be used by authenticated attackers, with subscriber-level access and above, to grant themselves administrative privileges by updating the user role.

wordfence.com

20,000 WordPress Sites Affected by Arbitrary File Upload and Deletion Vulnerabilities in WP Ultimate CSV Importer WordPress Plugin

On March 5th, 2025, we received a submission for an Arbitrary File Upload and an Arbitrary File Deletion vulnerability in WP Ultimate CSV Importer, a WordPress plugin with more than 20,000 active installations. The arbitrary file upload vulnerability can be used by authenticated attackers, with subscriber-level access and above, to upload arbitrary files to a vulnerable site and achieve remote code execution, which is typically leveraged for a complete site takeover. The arbitrary file deletion vulnerability can be used by authenticated attackers to delete arbitrary files, including the wp-config.php file, which can also make a site takeover possible.

wordfence.com

Wordfence Intelligence Weekly WordPress Vulnerability Report (March 10, 2025 to March 16, 2025)

Last week, there were 147 vulnerabilities disclosed in 125 WordPress Plugins and 7 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 47 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

wordfence.com

Use Genuine Wordfence and Stay Secure, Stay Supported, and Avoid Malware, Vulnerabilities and Backdoors

Use Genuine Wordfence and Stay Secure, Stay Supported, and Avoid Malware, Vulnerabilities and Backdoors – Genuine Wordfence is only available on Wordfence.com or from the WordPress Plugin Repository. Given our popularity and excellent reputation, there are unfortunately quite a few nulled or counterfeit versions of Wordfence, and plugins that modify Wordfence in the wild.

wordfence.com

Wordfence Intelligence Weekly WordPress Vulnerability Report (February 24, 2025 to March 2, 2025)

📢 Did you know Wordfence runs a Bug Bounty Program for all WordPress plugins and themes at no cost to vendors? Researchers can earn up to $31,200 per vulnerability, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest. Last …Read More

wordfence.com

Wordfence Intelligence Weekly WordPress Vulnerability Report (February 17, 2025 to February 23, 2025)

📢 Did you know Wordfence runs a Bug Bounty Program for all WordPress plugins and themes at no cost to vendors? Researchers can earn up to $31,200 per vulnerability, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest. Last …Read More

wordfence.com

Wordfence Intelligence Weekly WordPress Vulnerability Report (February 10, 2025 to February 16 2025)

📢 Did you know Wordfence runs a Bug Bounty Program for all WordPress plugins and themes at no cost to vendors? Researchers can earn up to $31,200 per vulnerability, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest. Last …Read More

wordfence.com

Creative SVG File Upload to Local File Inclusion Vulnerability Affecting 90,000 Sites Patched in Jupiter X Core WordPress Plugin

On January 6th, 2025, we received a submission for an SVG Upload to Local File Inclusion vulnerability in Jupiter X Core, a WordPress plugin with more than 90,000 active installations. This vulnerability makes it possible for an authenticated attacker, with contributor privileges or higher, to upload SVG files to a vulnerable site with malicious content and then include it, and achieve remote code execution.

wordfence.com

Wordfence Intelligence Weekly WordPress Vulnerability Report (February 3, 2025 to February 9, 2025)

📢 Did you know Wordfence runs a Bug Bounty Program for all WordPress plugins and themes at no cost to vendors? Researchers can earn up to $31,200 per vulnerability, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest. Last …Read More

wordfence.com

30,000 WordPress Sites Affected by Arbitrary File Upload Vulnerability in Security & Malware scan by CleanTalk WordPress Plugin

On December 7th, 2024, we received a submission for an Arbitrary File Upload vulnerability in Security & Malware scan by CleanTalk, a WordPress plugin with more than 30,000 active installations. This vulnerability makes it possible for an unauthenticated attacker to upload arbitrary files to a vulnerable site and achieve remote code execution.

wordfence.com

Wordfence Intelligence Weekly WordPress Vulnerability Report (January 27, 2025 to February 2, 2025)

📢 Did you know Wordfence runs a Bug Bounty Program for all WordPress plugins and themes at no cost to vendors? Researchers can earn up to $31,200 per vulnerability, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest. Last …Read More

wordfence.com

Wordfence Intelligence Weekly WordPress Vulnerability Report (January 20, 2025 to January 26, 2025)

📢 Did you know Wordfence runs a Bug Bounty Program for all WordPress plugins and themes at no cost to vendors? Researchers can earn up to $31,200 per vulnerability, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest. Last …Read More

wordfence.com

Wordfence Intelligence Weekly WordPress Vulnerability Report (January 13, 2025 to January 19, 2025)

📢 Did you know Wordfence runs a Bug Bounty Program for all WordPress plugins and themes at no cost to vendors? Researchers can earn up to $31,200 per vulnerability, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest. Last …Read More

wordfence.com

Wordfence Intelligence Weekly WordPress Vulnerability Report (January 6, 2025 to January 12, 2025)

📢 Did you know Wordfence runs a Bug Bounty Program for all WordPress plugins and themes at no cost to vendors? Researchers can earn up to $31,200 per vulnerability, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest. Last …Read More

wordfence.com

Wordfence Intelligence Weekly WordPress Vulnerability Report (December 16, 2024 to January 5, 2025)

📢 Did you know Wordfence runs a Bug Bounty Program for all WordPress plugin and themes at no cost to vendors? Researchers can earn up to $31,200 per vulnerability, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest. Special …Read More

wordfence.com

Wordfence Intelligence Weekly WordPress Vulnerability Report (December 9, 2024 to December 15, 2024)

đź’Ą Time to wrap up this year and kick-off the new year with a bang! We’re wrapping up the year with our End of Year Holiday Extravaganza, High-Risk Bonus Blitz Challenge, and Superhero Challenge for the Wordfence Bug Bounty Program. Through January 6th, 2025: All in-scope vulnerability types for WordPress plugins/themes with >= 1,000 active installations are in-scope for ALL …Read More