On April 6th, 2026, we publicly disclosed a critical Arbitrary File Upload vulnerability in Ninja Forms – File Upload, a WordPress plugin with an estimated 50,000 active installations. This vulnerability can be leveraged by unauthenticated attackers to upload arbitrary files,… Continue Reading →
Last week, there were 154 vulnerabilities disclosed in 118 WordPress Plugins and 23 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 76 Vulnerability Researchers that contributed to WordPress Security last week. Review those… Continue Reading →
On March 2nd, 2026, we received a submission through our Bug Bounty Program for a Remote Code Execution vulnerability in Kali Forms, a WordPress plugin with more than 10,000 active installations. This vulnerability makes it possible for an unauthenticated attacker… Continue Reading →
On January 8th, 2026, we received a submission for an Arbitrary File Upload vulnerability in Ninja Forms – File Upload, a WordPress plugin with an estimated 50,000 active installations. This vulnerability makes it possible for an unauthenticated attacker to upload… Continue Reading →
On March 1st, 2026, we received a submission for an Arbitrary File Deletion vulnerability in Perfmatters, a WordPress plugin with more than 200,000 active installations. This vulnerability makes it possible for unauthenticated threat actors to delete arbitrary files, including the… Continue Reading →
Triple Threat Bug Bounty Challenge Hunt High Threat vulnerabilities and earn triple the incentives! Now through April 6, 2026, earn three stacked bonuses on all valid submissions from our ‘High Threat Vulnerabilities’ list: 2x all high threat vulnerability bounties (excluding… Continue Reading →
200,000 WordPress Sites Affected by Arbitrary File Move Vulnerability in MW WP Form WordPress Plugin
On March 16th, 2026, we received a submission for an Arbitrary File Move vulnerability in MW WP Form, a WordPress plugin with more than 200,000 active installations. This vulnerability makes it possible for unauthenticated threat actors to move arbitrary files,… Continue Reading →
Did you know Wordfence runs a Bug Bounty Program for all WordPress plugin and themes at no cost to vendors? Researchers can earn up to $31,200 per vulnerability, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a… Continue Reading →
On November 27th, 2025, we received a submission for a Site Reset and Privilege Escalation vulnerability in Demo Importer Plus, a WordPress plugin with more than 10,000 active installations. This vulnerability can be leveraged to trigger a full site reset… Continue Reading →
Wordfence Intelligence Weekly WordPress Vulnerability Report (December 8, 2025 to December 14, 2025)
Last week, there were 224 vulnerabilities disclosed in 205 WordPress Plugins and 9 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 74 Vulnerability Researchers that contributed to WordPress Security last week. Review those… Continue Reading →
Last week, there were 179 vulnerabilities disclosed in 163 WordPress Plugins and 2 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 57 Vulnerability Researchers that contributed to WordPress Security last week. Review those… Continue Reading →
Last week, there were 74 vulnerabilities disclosed in 67 WordPress Plugins and 2 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 41 Vulnerability Researchers that contributed to WordPress Security last week. Review those… Continue Reading →
On June 10th, 2025, we received a submission for a Remote Code Execution vulnerability in Sneeit Framework, a WordPress plugin with an estimated 1,700 active installations. The plugin is bundled in multiple premium themes. This vulnerability can be leveraged to… Continue Reading →
On November 18th, 2025, we received a submission for an unauthenticated Remote Code Execution vulnerability in Advanced Custom Fields: Extended, a WordPress plugin with more than 100,000 active installations. This vulnerability can be leveraged to execute code remotely. Props to… Continue Reading →
On July 24th, 2025, we received a submission for a Privilege Escalation vulnerability in King Addons for Elementor, a WordPress plugin with more than 10,000 active installations. This vulnerability makes it possible for an unauthenticated attacker to grant themselves administrative… Continue Reading →
Last week, there were 140 vulnerabilities disclosed in 129 WordPress Plugins and 1 WordPress Theme that have been added to the Wordfence Intelligence Vulnerability Database, and there were 58 Vulnerability Researchers that contributed to WordPress Security last week. Review those… Continue Reading →
Last month in October 2025, the Wordfence Bug Bounty Program received 486 vulnerability submissions from our growing community of security researchers working to improve the overall security posture of the WordPress ecosystem. These submissions are reviewed, triaged, and processed by… Continue Reading →
On October 11th, 2025, we received a submission for an Account Takeover via Email Log Disclosure vulnerability in Post SMTP, a WordPress plugin with more than 400,000 active installations. This vulnerability makes it possible for an unauthenticated attacker to view… Continue Reading →
100,000 WordPress Sites Affected by Privilege Escalation Vulnerability in AI Engine WordPress Plugin
On October 4th, 2025, we received a submission for a Sensitive Information Exposure vulnerability in AI Engine, a WordPress plugin with more than 100,000 active installations. This vulnerability can be exploited by unauthenticated attackers to extract the bearer token and… Continue Reading →
On October 11th, 2025, we received a submission for an Account Takeover via Email Log Disclosure vulnerability in Post SMTP, a WordPress plugin with more than 400,000 active installations. This vulnerability makes it possible for an unauthenticated attacker to view… Continue Reading →
On September 25th, 2025, we received a submission for a Privilege Escalation vulnerability in WP Freeio, a WordPress plugin bundled in the Freeio premium theme with more than 1,700 sales. This vulnerability makes it possible for an unauthenticated attacker to… Continue Reading →
On October 3rd, 2025, we received a submission for an Arbitrary File Read vulnerability in Anti-Malware Security and Brute-Force Firewall, a WordPress plugin with more than 100,000 active installations. This vulnerability makes it possible for an authenticated attacker, with subscriber-level… Continue Reading →
Last month in September 2025, the Wordfence Bug Bounty Program received 374 vulnerability submissions from our growing community of security researchers working to improve the overall security posture of the WordPress ecosystem. These submissions are reviewed, triaged, and processed by… Continue Reading →
Local File Inclusion (LFI) occurs when user-controlled input is used to build a path to a file that is then included by the application. In WordPress (and PHP web applications in general), this means values from $_GET, $_POST, $_REQUEST, or… Continue Reading →
