This site uses cookies in accordance with our Privacy Policy.
Wordfence Research and News
Category: Research
Wordfence Firewall Blocks Bizarre Large-Scale XSS Campaign
The Wordfence Threat Intelligence team has been monitoring an increase in attacks targeting a Cross-Site Scripting vulnerability in Beautiful Cookie Consent Banner, a WordPress plugin installed on over 40,000 sites.
W3 Eden Addresses Authenticated Stored XSS Vulnerability in Download Manager WordPress Plugin
On April 25, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for a stored Cross-Site Scripting (XSS) vulnerability in W3 Eden’s Download Manager plugin, which is actively installed on more than 100,000 WordPress websites, making it one of the most popular download management plugins.
PSA: Attackers Actively Exploiting Critical Vulnerability in Essential Addons for Elementor
On May 11 2023, Essential Addons for Elementor, a WordPress plugin with over one million active installations, released a patch for a critical vulnerability that made it possible for any unauthenticated user to reset arbitrary user passwords, including user accounts with administrative-level access.
Multiple Vulnerabilities Patched in Shield Security
On March 20, 2023, the Wordfence Threat Intelligence team began the responsible disclosure process for two vulnerabilities in Shield Security, a security plugin with over 50,000 installations.
Hiding in Plain Sight: Cross-Site Scripting Vulnerabilities Patched in Weaver Products
On March 14, 2023, the Wordfence Threat Intelligence team initiated the responsible disclosure process for 2 nearly identical Cross-Site Scripting vulnerabilities in the Weaver Xtreme theme and the Weaver Show Posts plugin, which each have over 10,000 installations.
Privilege Escalation Vulnerability Patched Promptly in WP Data Access WordPress Plugin
On April 5, 2023 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in WP Data Access, a WordPress plugin that is installed on over 10,000 sites.
Update Now! Severe Vulnerability Impacting 600,000 Sites Patched in Limit Login Attempts
On January 26, 2023, the Wordfence team responsibly disclosed an unauthenticated stored Cross-Site Scripting vulnerability in Limit Login Attempts, a WordPress plugin installed on over 600,000 sites that provides site owners with the ability to block IP addresses that have made repeated failed login attempts.
Multiple Reflected Cross-Site Scripting Vulnerabilities in Three WordPress Plugins Patched
The Wordfence Threat Intelligence Team recently disclosed several Reflected Cross-Site Scripting vulnerabilities that we discovered in three different plugins – Watu Quiz (installed on 5,000 sites), GN-Publisher (installed on 40,000 sites), and Japanized For WooCommerce (installed on 10,000 sites).
Vulnerability Patched in Cozmolabs Profile Builder Plugin – Information Disclosure Leads to Account Takeover
Hundreds, if not thousands of WordPress plugins are conceived with the idea of making site building and maintenance easier for site owners.
All In One SEO Pack Vulnerabilities Impacting 3 Million Sites Patched
On January 26, 2023, the Wordfence Team responsibly disclosed two vulnerabilities in All In One SEO Pack, a WordPress plugin installed on over 3 Million sites which provides search engine optimization tools designed to help content creators optimize their sites and reach more users.
Breaking WordPress Security Research in your inbox as it happens.
