Wordfence Research and News

Blog icon
Newest

How To Find XSS (Cross-Site Scripting) Vulnerabilities in WordPress Plugins and Themes

Yesterday, we announced the WordPress XSSplorer Challenge for the Wordfence Bug Bounty Program. The objective of this promotion is to help beginners get started in WordPress bug bounty hunting by opening up the scope of our Bug Bounty Program. Cross-Site Scripting vulnerabilities reported in plugins and themes with over 1,000 active installations are in-scope for …
Read More

WordPress Security Research: A Beginner’s Series

Learn How To Find WordPress Vulnerabilities Step-by-Step Welcome to the inaugural post of our WordPress Security Research Beginner’s Series!

WordPress Security Research Series: WordPress Request Architecture and Hooks

Welcome to Part 1 of the WordPress Security Research Beginner Series!

WordPress 6.5.5 Security Release – What You Need to Know

📢 Did you know Wordfence runs a Bug Bounty Program for all WordPress plugin and themes at no cost to vendors?

Critical Unauthenticated Remote Code Execution Found in Backup Migration Plugin

🎁 Wordfence just launched its bug bounty program. Through December 20th 2023, all researchers will earn 6.25x our normal bounty rates when Wordfence handles responsible disclosure for our Holiday Bug Extravaganza!

“Never Assume Anything” – Unauthenticated Stored Cross-Site Scripting Vulnerability Exposed in 14 Email Logging Plugins

“Never Assume Anything” – that is the 4th Guiding Principle written in the Security section of the WordPress Common APIs Handbook for developers.

Open-Source Projects Use the Wordfence Vulnerability Data Feed API and You Can Too!

Prior to joining the Wordfence Threat Intelligence team, I spent several years as a vulnerability analyst, responsible for collecting, analyzing, and curating every publicly disclosed vulnerability.

Critical Security Update: Directorist WordPress Plugin Patches Two High-risk Vulnerabilities

Alongside our usual work to discover, report, and remediate vulnerabilities in the WordPress ecosystem, the WordPress Threat Intelligence team has been conducting a deep-dive into WordPress plugin code with the objective of finding methods to bypass authentication and gain elevated privileges in WordPress plugins so we can help developers patch these vulnerabilities before threat actors ...

Blubrry Addresses Authenticated Stored XSS Vulnerability in PowerPress WordPress Plugin

On April 5, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for a stored Cross-Site Scripting (XSS) vulnerability in Blubrry’s PowerPress plugin, which is actively installed on more than 50,000 WordPress websites.
Leading Image - Vulnerability Patched in Cozmolabs Profile Builder Plugin - Information Disclosure Leads to Account Takevoer

Vulnerability Patched in Cozmolabs Profile Builder Plugin – Information Disclosure Leads to Account Takeover

Hundreds, if not thousands of WordPress plugins are conceived with the idea of making site building and maintenance easier for site owners.