Wordfence

22,000 WordPress Sites Affected by Privilege Escalation Vulnerability in Motors WordPress Theme

TL;DR: Wordfence reports a critical privilege escalation vulnerability in the Motors WordPress theme (versions ≤ 5.6.67) that lets unauthenticated attackers reset arbitrary user passwords, including those of administrator accounts, and take over the site. Reported by researcher Foxyyy, the issue is fixed in version 5.6.68, and site owners should update now. Wordfence Premium users already have a firewall rule for it; free users receive the rule on June 5, 2025.

https://www.wordfence.com/blog/2025/05/22000-wordpress-sites-affected-by-privilege-escalation-vulnerability-in-motors-wordpress-theme/

Wordfence Intelligence Weekly WordPress Vulnerability Report (May 5, 2025 to May 11, 2025)

TL;DR: Wordfence's weekly vulnerability report covers 222 new vulnerabilities disclosed in WordPress plugins and themes during the week, credited to 66 researchers. Of those, 132 were patched and 90 remained unpatched at publication; cross-site scripting and CSRF were the most frequent categories. The report credits the top researchers, lists the affected plugins, and reminds readers that the vulnerability data is free through the Wordfence Intelligence API and CLI scanner, which can be run on a schedule to check a site against the latest disclosures.

https://www.wordfence.com/blog/2025/05/wordfence-intelligence-weekly-wordpress-vulnerability-report-may-5-2025-to-may-11-2025/

10,000 WordPress Sites Affected by Remote Code Execution Vulnerability in UiPress Lite WordPress Plugin

TL;DR: A Remote Code Execution vulnerability in the UiPress Lite plugin (versions ≤ 3.5.07) allows attackers to execute arbitrary code on the server, affecting more than 10,000 sites. The fix is version 3.5.08, covered in Wordfence's May 13, 2025 disclosure. Wordfence Premium users received a firewall rule on March 31, 2025, and free users on April 30, 2025. Site owners should update to 3.5.08 or later without delay.

https://www.wordfence.com/blog/2025/05/10000-wordpress-sites-affected-by-remote-code-execution-vulnerability-in-uipress-lite-wordpress-plugin/

50,000 WordPress Sites Affected by PHP Object Injection Vulnerability in Uncanny Automator WordPress Plugin

TL;DR: A PHP Object Injection vulnerability in the Uncanny Automator plugin (versions ≤ 6.4.0.1) allows authenticated users to delete arbitrary files on the server, including wp-config.php; removing that file forces the site back into setup mode, which can lead to a full takeover. Researcher mikemyers reported it through the Wordfence Bug Bounty Program and earned a $1,021 bounty. More than 50,000 installations were affected; version 6.4.0.2, released April 18, 2025, fixes the issue. Wordfence Premium users received a firewall rule on April 22, 2025, and free users receive it 30 days later. Site owners should update to the latest version.

https://www.wordfence.com/blog/2025/05/50000-wordpress-sites-affected-by-php-object-injection-vulnerability-in-uncanny-automator-wordpress-plugin/

82,000 WordPress Sites Affected by Arbitrary File Upload Vulnerability in TheGem WordPress Theme

TL;DR: A critical Arbitrary File Upload vulnerability in TheGem WordPress theme (versions ≤ 5.10.3) allows authenticated attackers to upload arbitrary files, such as PHP webshells, and achieve remote code execution. Researcher Foxyyy reported it through the Wordfence Bug Bounty Program and earned a $1,405 reward. The fix, version 5.10.3.1, was released on May 7, 2025. Wordfence Premium users already have a firewall rule; free users receive it on June 4, 2025. Site owners should update to 5.10.3.1 or later.

https://www.wordfence.com/blog/2025/05/82000-wordpress-sites-affected-by-arbitrary-file-upload-vulnerability-in-thegem-wordpress-theme/

Wordfence Intelligence Weekly WordPress Vulnerability Report (April 28, 2025 to May 4, 2025)

TL;DR: Wordfence's weekly vulnerability report covers 75 vulnerabilities disclosed last week across 63 plugins and 5 themes. Of those, 38 were patched and 37 remained unpatched at publication, and most were rated medium severity. The report credits the researchers involved and points to the free Wordfence Intelligence vulnerability database, API, and scanner for checking a site against the data proactively.

https://www.wordfence.com/blog/2025/05/wordfence-intelligence-weekly-wordpress-vulnerability-report-april-28-2025-to-may-4-2025/

10,000 WordPress Sites Affected by Arbitrary File Read Vulnerability in Eventin WordPress Plugin

TL;DR: An Arbitrary File Read vulnerability in the Eventin WordPress plugin (versions ≤ 4.0.26) lets unauthenticated attackers read sensitive files from the server, such as wp-config.php with its database credentials. Researcher mikemyers reported it; after validation, a patch (version 4.0.27) was released on April 30, 2025. Site owners should update immediately; the Wordfence firewall blocks exploitation attempts.

https://www.wordfence.com/blog/2025/05/10000-wordpress-sites-affected-by-arbitrary-file-read-vulnerability-in-eventin-wordpress-plugin/

Recently Disclosed SureTriggers Critical Privilege Escalation Vulnerability Under Active Exploitation

On May 2, 2025, a critical vulnerability in the OttoKit: All-in-One Automation Platform (formerly SureTriggers) plugin was added to the Wordfence vulnerability database. It allows unauthenticated attackers, as well as attackers holding a valid application password, to gain administrator access. Exploitation began the same day, with mass attacks starting May 4; Wordfence blocked more than 2,400 attempts. Site owners who have not yet done so should update to the patched version 1.0.83. Indicators of compromise include unexpected administrator accounts, particularly ones created in a suspicious pattern. Wordfence Premium customers received a firewall rule immediately; free users receive it by June 1, 2025.

https://www.wordfence.com/blog/2025/05/recently-disclosed-suretriggers-critical-privilege-escalation-vulnerability-under-active-exploitation/

WordPress Security Research Series: Setting Up Your Research Lab

Part 3 of the WordPress Security Research Beginner Series explains how to set up an effective research lab for WordPress vulnerability testing. It argues for a flexible, low-maintenance environment and compares setup options, namely Docker, WP Engine's Local, and Devbox, weighing each on isolation, resource consumption, and configuration flexibility. It also covers wp-config.php settings, PHP settings, and the version differences between PHP and MySQL releases that determine whether a given vulnerability reproduces. Readers are encouraged to take part in the Wordfence Bug Bounty Program, which pays significant rewards for reported vulnerabilities.

https://www.wordfence.com/blog/2025/05/wordpress-security-research-series-setting-up-your-research-lab/

Wordfence Intelligence Weekly WordPress Vulnerability Report (April 21, 2025 to April 27, 2025)

TL;DR: Wordfence's weekly vulnerability report covers 230 vulnerabilities disclosed in WordPress plugins and themes last week: 84 were patched and 146 remained unpatched at publication, with 25 rated critical, 35 high, and 170 medium. The report credits individual researchers for their contributions and notes the free tools and APIs available for scanning sites and tracking updates.

https://www.wordfence.com/blog/2025/05/wordfence-intelligence-weekly-wordpress-vulnerability-report-april-21-2025-to-april-27-2025/
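The weekly reports above point to the free Wordfence Intelligence vulnerability feed and scanner. As an added example that is not code from Wordfence or from the original page, here is a small Python checker that matches a plugin/theme inventory (the kind `wp plugin list --format=json` produces) against feed entries shaped like the public scanner feed. The feed entries, slugs and inventory are constructed from the advisories summarised on this page, and the field names (`software`, `affected_versions`, `from_version`, `to_inclusive`, `patched_versions`) are my assumption about the feed format rather than a guarantee. It goes slightly beyond the summaries by handling the four-component versions they mention (5.10.3.1, 6.4.0.1), which plain string comparison gets wrong.

```python
"""Match a WordPress plugin/theme inventory against a vulnerability feed.

Added example; not Wordfence code. Feed entries are constructed from this page's
advisories, in the shape of the Wordfence Intelligence scanner feed
(https://www.wordfence.com/api/intelligence/v2/vulnerabilities/scanner). The field
names are an assumption about that format; slugs are for illustration only.
"""
import re


def affected_up_to(version, *, slug, kind, fixed):
    """Build one feed 'software' entry: everything from the first release up to and
    including `version` is affected, `fixed` is the patched release."""
    return {"type": kind, "slug": slug,
            "affected_versions": {f"* - {version}": {
                "from_version": "*", "from_inclusive": True,
                "to_version": version, "to_inclusive": True}},
            "patched": True, "patched_versions": [fixed]}


# Constructed feed sample (assumed schema), keyed by an arbitrary identifier.
SAMPLE_FEED = {
    "motors-priv-esc": {
        "title": "Motors <= 5.6.67 - Unauthenticated Privilege Escalation",
        "software": [affected_up_to("5.6.67", slug="motors", kind="theme", fixed="5.6.68")]},
    "uipress-lite-rce": {
        "title": "UiPress Lite <= 3.5.07 - Remote Code Execution",
        "software": [affected_up_to("3.5.07", slug="uipress-lite", kind="plugin", fixed="3.5.08")]},
    "uncanny-automator-poi": {
        "title": "Uncanny Automator <= 6.4.0.1 - PHP Object Injection",
        "software": [affected_up_to("6.4.0.1", slug="uncanny-automator", kind="plugin", fixed="6.4.0.2")]},
    "thegem-upload": {
        "title": "TheGem <= 5.10.3 - Arbitrary File Upload",
        "software": [affected_up_to("5.10.3", slug="thegem", kind="theme", fixed="5.10.3.1")]},
}

# Constructed inventory in the shape of `wp plugin list --format=json`, plus a "type" field.
SAMPLE_INVENTORY = [
    {"type": "theme", "slug": "motors", "version": "5.6.67"},               # vulnerable
    {"type": "plugin", "slug": "uipress-lite", "version": "3.5.08"},        # patched
    {"type": "plugin", "slug": "uncanny-automator", "version": "6.4.0.1"},  # vulnerable (inclusive bound)
    {"type": "theme", "slug": "thegem", "version": "5.10.3.1"},             # patched: 5.10.3.1 > 5.10.3
    {"type": "plugin", "slug": "unrelated-plugin", "version": "1.0"},       # not in feed
]


def version_key(version):
    """Numeric components of a version: '5.10.3.1' -> [5, 10, 3, 1], '3.5.07' -> [3, 5, 7].
    Non-numeric parts count as 0, which is good enough for WordPress.org releases."""
    key = []
    for part in re.split(r"[.\-_+]", version.strip()):
        match = re.match(r"\d+", part)
        key.append(int(match.group()) if match else 0)
    return key


def compare_versions(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b. Shorter keys are zero-padded, so
    '5.10.3' == '5.10.3.0' and '5.10.3.1' > '5.10.3'. String comparison would rank
    '5.9' above '5.10', which is why this is not a plain `a < b`."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += [0] * (width - len(ka))
    kb += [0] * (width - len(kb))
    return (ka > kb) - (ka < kb)


def in_affected_range(version, rng):
    """True if `version` lies inside one feed range; '*' means unbounded on that side."""
    if rng["from_version"] != "*":
        c = compare_versions(version, rng["from_version"])
        if c < 0 or (c == 0 and not rng["from_inclusive"]):
            return False
    if rng["to_version"] != "*":
        c = compare_versions(version, rng["to_version"])
        if c > 0 or (c == 0 and not rng["to_inclusive"]):
            return False
    return True


def find_vulnerable(inventory, feed):
    """One finding per (installed package, matching feed entry), in inventory order."""
    findings = []
    for item in inventory:
        for vuln_id, vuln in feed.items():
            for sw in vuln["software"]:
                if sw["type"] != item["type"] or sw["slug"] != item["slug"]:
                    continue
                if any(in_affected_range(item["version"], r)
                       for r in sw["affected_versions"].values()):
                    findings.append({"slug": item["slug"], "installed": item["version"],
                                     "vuln_id": vuln_id, "title": vuln["title"],
                                     "fix": sw["patched_versions"] if sw["patched"] else None})
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(SAMPLE_INVENTORY, SAMPLE_FEED):
        fix = ", ".join(f["fix"]) if f["fix"] else "no fix available"
        print(f"{f['slug']} {f['installed']}: {f['title']} (update to {fix})")
```

Against the constructed inventory this flags motors 5.6.67 and uncanny-automator 6.4.0.1 and correctly leaves thegem 5.10.3.1 alone. In practice the feed is fetched from the URL in the docstring and the inventory from WP-CLI; the comparison logic is the part worth getting right, because an off-by-one on an inclusive upper bound (6.4.0.1) or a lexical sort (5.9 versus 5.10) silently hides a vulnerable install.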
