Spring into Action! Earn up to $10,000 with our Extended Bug Bounty Program Extravaganza through Memorial Day!

Spring into action and kick-start your spring cleaning with a tech twist! We’re excited to announce the extension of our Bug Bounty Extravaganza through Memorial Day, May 27th, 2024. Now, you have a golden opportunity to earn up to $10,000

Wordfence Intelligence Weekly WordPress Vulnerability Report (January 29, 2024 to February 4, 2024)

Did you know we’re running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through February 29th, 2024 when you opt to have Wordfence handle responsible disclosure! Last week, there

Wordfence Claims It Is a Vulnerability For Users With the unfiltered_html Capability to Use Unfiltered HTML

As we warned our customers on Friday, the latest version of the WordPress plugin Easy Digital Downloads incompletely fixed a vulnerability. That is something we ran across while preparing to see if another security fix made in it fixed a

WordPress Security Providers Falsely Claimed Cloudflare’s Plugin Contained Vulnerability

It would be rather notable if the 200,000+ install WordPress plugin from the security provider Cloudflare contained a vulnerability. And that was just the claim made recently by a couple of WordPress security providers. Here was one of them, Patchstack,

Bug Introduced in WordPress 6.4.3 Highlights a Problem With Fixing Vulnerabilities That Are Not Really Vulnerabilities

The latest version of WordPress, 6.4.3, has created a lot of headaches for the WordPress community, as installing plugins by uploading most zipped copies of plugins that have been compressed on Macs is not working (and possibly zipped in some

Wordfence Claims Unfixed WordPress Plugin Vulnerability Has Been Fixed in Version That Doesn’t Even Exist

Having accurate data on vulnerabilities in WordPress plugins is important. Lots of people trust one provider of WordPress plugin vulnerability data, Wordfence. It seems like their data should be trusted considering the CEO of Wordfence, Mark Maunder, has claimed their

Wordfence is Claiming It Is a Critical Vulnerability for WordPress Administrators to Upload Arbitrary Files

Recently someone left a message on the support forum of the WordPress plugin WP Child Theme Generator writing about their concern about continuing to use the plugin based on Wordfence claiming it contains a “critical vulnerability”: This critical vulnerability has

Our Bug Bounty Program Extravaganza is Back and it’s Longer This Time – Earn up to $10,000 for Vulnerabilities in WordPress Software!

At Wordfence our mission is to Secure The Web. WordPress powers over 40% of the Web, and Wordfence secures over 4 million WordPress websites. Our last extravaganza, the Holiday Bug Extravaganza, was so successful we decided to do it again

Many CVE Records Are Listing the Wrong Versions of Software as Being Affected

A couple of weeks ago, Bleeping Computer ran a story claiming that over 150,000 websites were vulnerable due to a vulnerability that had been in a WordPress plugin. That count was based in part on believing that all previous

Eight Months In, Really Simple SSL’s Plugin Vulnerability Data is Claiming That Unfixed Vulnerabilities Have Been Fixed

In May of last year, the 5+ million install WordPress plugin Really Simple SSL added a feature for detection of known vulnerabilities in WordPress plugins. That seems to be unrelated to what is supposed to be the focus on the

Wordfence Is Warning That Vulnerabilities Are Critical When They Are Not

Whether intentionally or not, part of the business model of the developer of the Wordfence Security plugin involves scaring people into buying their services by overstating the risk posed by security issues. The overstated risk was on display in

Wordfence Didn’t Make Sure Vulnerability in WooCommerce Had Been Fixed (Or That It Even Existed)

Late last week, Wordfence created a mess by claiming there was an unfixed vulnerability in WooCommerce. What that situation showed is they are not doing the work that people clearly believe they are doing. That includes not checking if vulnerabilities

Wordfence Premium Adding Firewall Rules for Vulnerabilities in Under 10 Plugins a Month

It’s common for critics of the Wordfence Security plugin to claim it isn’t useful unless you are using the companion Wordfence Premium service because new rules for the firewall are only provided to paying customers for the first 30 days

Hacker Tries to Exploit Fake Vulnerability 11 Years After It Was Falsely Claimed to Exist

One method we have for monitoring what vulnerabilities in WordPress plugins hackers are trying to exploit is allowing users of our firewall plugin to report hacking attempts blocked by our firewall that we haven’t already logged as being known about.

Wordfence Calls CSRF Vulnerabilities “Low Risk” While Criticizing Competitor After Previously Calling Them “High Severity”

Recently, the CEO of the WordPress security provider Wordfence, Mark Maunder, was criticizing a competitor over a bug bounty program that caused cross-site request forgery (CSRF) vulnerabilities to be found, while he was promoting Wordfence’s own bug bounty program. He

Wordfence Security Still More Than Doubles Peak Memory Usage Over WordPress By Itself

In October 2021, we found that the Wordfence Security plugin for WordPress more than doubled the peak memory usage over WordPress by itself. That compared to a minimal memory increase by the two WordPress firewall plugins that provided more protection

PSA: High Severity File Upload Vulnerability in Elementor Patched

On December 6, 2023, the Wordfence team noticed a changelog entry for version 3.18.1 of Elementor, a WordPress plugin installed on nearly 9 million sites. We did not discover the original vulnerability and only became aware of it after reviewing

Contrary to Claims by Patchstack and Wordfence the Gutenberg Plugin Doesn’t Contain an Authenticated XSS Vulnerability

Recently there have been conversations popping up over a claim made by the WordPress security provider Wordfence that the Gutenberg plugin contains an authenticated persistent cross-site scripting (XSS) vulnerability. On Reddit there were a couple of recent conversations, where

Wordfence’s “Highly Credentialed and Industry-Leading Vulnerability Researchers and Analysts” Don’t Understand Local File Inclusion

Last week we noted how the WordPress security provider Wordfence was criticizing another provider of WordPress plugin vulnerability data for doing something they also do. That situation involved them mislabeling a security issue as a vulnerability in the very popular

Wordfence Premium Added “Real-Time Firewall Protection” for Plugin Vulnerability Over Two Months After It Was Disclosed

In the middle of August, we publicly warned that the WordPress plugin WooODT Lite contained an authenticated option update vulnerability, which would allow logged-in attackers to change arbitrary WordPress options (settings). The possibility of the vulnerability was flagged by proactive