Last month in August 2025, the Wordfence Bug Bounty Program received 438 vulnerability submissions from our growing community of security researchers working to improve the overall security posture of the WordPress ecosystem. These submissions are reviewed, triaged, and processed by…
Category: Blog – Wordfence
Wordfence Intelligence Weekly WordPress Vulnerability Report (September 8, 2025 to September 14, 2025)
Calling all Vulnerability Researchers and Bug Bounty Hunters! Operation: Maximum Impact Challenge! Now through November 10, 2025, earn 2X bounty rewards for all in-scope submissions in software with at least 5,000 active installs and fewer than 5…
Attackers Actively Exploiting Critical Vulnerability in Case Theme User Plugin
On May 31st, 2025, we received a submission for an Authentication Bypass via Social Login vulnerability in Case Theme User, a WordPress plugin with an estimated 12,000 active installations. The plugin is bundled in multiple premium themes. This vulnerability makes…
Wordfence Intelligence Weekly WordPress Vulnerability Report (September 1, 2025 to September 7, 2025)
Calling all Vulnerability Researchers and Bug Bounty Hunters! Operation: Maximum Impact Challenge! Now through November 10, 2025, earn 2X bounty rewards for all in-scope submissions in software with at least 5,000 active installs and fewer than 5…
The Price of “Free”: How Nulled Plugins Are Used to Weaken Your Defense
The Wordfence Threat Intelligence Team has discovered a new malware campaign that highlights the hidden risks associated with “nulled plugins”, or premium plugins that have been tampered with by third parties. This campaign is particularly concerning because it doesn’t just…
600,000 WordPress Sites Affected by PHP Object Injection Vulnerability in Fluent Forms WordPress Plugin
On August 17th, 2025, we received a submission for an authenticated PHP Object Injection vulnerability in Fluent Forms, a WordPress plugin with more than 600,000 active installations. This vulnerability can be leveraged via an existing POP chain present in the…
Wordfence Intelligence Weekly WordPress Vulnerability Report (August 25, 2025 to August 31, 2025)
Calling all Vulnerability Researchers and Bug Bounty Hunters! Spring into Summer with Wordfence! Now through September 4, 2025, earn 2X bounty rewards for all in-scope submissions from our ‘High Threat’ list in software with fewer than 5…
Wordfence Intelligence Weekly WordPress Vulnerability Report (August 18, 2025 to August 24, 2025)
Calling all Vulnerability Researchers and Bug Bounty Hunters! Spring into Summer with Wordfence! Now through September 4, 2025, earn 2X bounty rewards for all in-scope submissions from our ‘High Threat’ list in software with fewer than 5…
15,000 WordPress Sites Affected by Privilege Escalation Vulnerability in Dokan Pro WordPress Plugin
On June 5th, 2025, we received a submission for a Privilege Escalation vulnerability in Dokan Pro, a WordPress plugin with more than 15,000 sales. This vulnerability makes it possible for an authenticated attacker, with vendor-level permission, to change the password…
Wordfence Bug Bounty Program Monthly Report – July 2025
Last month in July 2025, the Wordfence Bug Bounty Program received 325 vulnerability submissions from our growing community of security researchers working to improve the overall security posture of the WordPress ecosystem. These submissions are reviewed, triaged, and processed by…
Wordfence Intelligence Weekly WordPress Vulnerability Report (August 11, 2025 to August 17, 2025)
Calling all Vulnerability Researchers and Bug Bounty Hunters! Spring into Summer with Wordfence! Now through September 4, 2025, earn 2X bounty rewards for all in-scope submissions from our ‘High Threat’ list in software with fewer than 5…
Wordfence Intelligence Weekly WordPress Vulnerability Report (August 4, 2025 to August 10, 2025)
Calling all Vulnerability Researchers and Bug Bounty Hunters! Spring into Summer with Wordfence! Now through September 4, 2025, earn 2X bounty rewards for all in-scope submissions from our ‘High Threat’ list in software with fewer than 5…
40,000 WordPress Sites Affected by Arbitrary File Read Vulnerability in UiCore Elements WordPress Plugin
On June 13th, 2025, we received a submission for an Arbitrary File Read vulnerability in UiCore Elements, a WordPress plugin with more than 40,000 active installations. This vulnerability makes it possible for an unauthenticated attacker to read arbitrary files on…
Pushing Boundaries With Claude Code
Claude Code stormed onto the programming scene when Anthropic launched it in February of this year. It moved, what Andrej Karpathy has called “The Autonomy Slider” from around a three to a solid eight. What this means is that you…
Wordfence Intelligence Weekly WordPress Vulnerability Report (July 28, 2025 to August 3, 2025)
Last week, there were 107 vulnerabilities disclosed in 91 WordPress Plugins and 8 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 43 Vulnerability Researchers that contributed to WordPress Security last week. Review those…
How To Find SQL Injection Vulnerabilities in WordPress Plugins and Themes
SQL Injection (SQLi), a vulnerability almost as old as database-driven web applications themselves (CWE-89), persists as a classic example of failing to neutralize user-supplied input before it’s used in a SQL query. So why does this well-understood vulnerability type continue…
WordPress SQLsplorer Challenge: Bigger Scope and Bounties for All Researchers in the Wordfence Bug Bounty Program
From now through September 22, 2025, we’re running our SQLsplorer Challenge, focused on SQL Injection vulnerabilities. During this challenge, we’re expanding the scope of the Wordfence Bug Bounty Program to encourage deeper research into SQL Injection vulnerabilities and broader participation…
Wordfence Intelligence Weekly WordPress Vulnerability Report (July 21, 2025 to July 27, 2025)
Calling all Vulnerability Researchers and Bug Bounty Hunters! Spring into Summer with Wordfence! Now through August 4, 2025, earn 2X bounty rewards for all in-scope submissions from our ‘High Threat’ list in software with fewer than 5…
100,000 WordPress Sites Affected by Arbitrary File Upload Vulnerability in AI Engine WordPress Plugin
On July 18th, 2025, we received a submission for an Arbitrary File Upload vulnerability in AI Engine, a WordPress plugin with more than 100,000 active installations. This vulnerability can be used by authenticated attackers, with subscriber-level access and above, to…