
Wordfence Blog

XSS Vulnerability in Wordfence 6.1.1 to 6.1.6. Severity: 6.1 (Medium)

This entry was posted in Vulnerabilities, Wordfence, WordPress Security on May 10, 2016 by Mark Maunder.

An hour ago a security researcher, Kacper Szurek, reported a reflected XSS vulnerability in the current version of Wordfence. Wordfence is now using CVSS as our standard vulnerability scoring mechanism. The severity of this vulnerability is 6.1 (Medium).


This only affects Wordfence users who have the Wordfence firewall disabled or in learning mode. The Wordfence firewall has had built-in protection against XSS attacks since version 6.1.1, so if your firewall is enabled (not in learning mode) you are not affected. If the firewall is in learning mode or disabled, its rules are not blocking requests and you are not protected against this vulnerability.

What to do

We have already released a fix. If you have Wordfence set to auto-update then it will automatically update to Wordfence 6.1.7 within the next 24 hours and you don’t have to take any action. If you have the Wordfence firewall enabled, you are already protected and were never affected by this issue.

If you have Wordfence auto-update disabled and you have the firewall in learning mode or disabled, we recommend you sign into your website and manually upgrade Wordfence to version 6.1.7 now. We also suggest that you consider enabling your Wordfence firewall if that is feasible for you.

Vulnerability Info

CVSS 3.0 Base Score: 6.1 (Medium)

Vulnerability Type: Reflected XSS (Cross-Site Scripting)

Kacper has shared a proof of concept for this vulnerability with us which we have verified. We will not be sharing it at this time but may share it at a future date.

Further notes on vulnerability disclosure by Wordfence

At Wordfence we practice responsible disclosure, both for products belonging to other vendors and for our own product. Even though this is our own product, you will see the same style of disclosure here, using the same standards we apply when we disclose vulnerabilities in other vendors' products.

Wordfence has now standardized on the CVSS 3.0 vulnerability scoring system, and the score above is a CVSS 3.0 base score. Going forward we will include the CVSS score of every vulnerability in the subject of our blog posts and in the email alerts we send to our community. This gives our community an immediate indication, at a glance, of the severity of a vulnerability. It also provides a standardized, repeatable methodology for scoring vulnerabilities that is far less subject to opinion or bias than an ad hoc severity label.



5 Comments on "XSS Vulnerability in Wordfence 6.1.1 to 6.1.6. Severity: 6.1 (Medium)"

Simon May 10, 2016 at 10:04 pm

Did you offer a bug bounty?

mark May 11, 2016 at 10:05 am

No we did not Simon. We used to have a program but stopped doing that because some of the reports were a bit lame and in a grey area.

Simon May 12, 2016 at 3:06 am

Well, you can reward people for reporting bugs like this one without having an official program, just saying.

Dan May 11, 2016 at 8:03 am

Thank you for your valuable information! I have Firewall installed but am confused as to how to set it up. Do you have a link for instructions? Thank you!

mark May 11, 2016 at 10:06 am

Hi Dan. Please see: https://docs.wordfence.com/en/Web_Application_Firewall_Setup
