11 Sep 2019

Wordfence Security and Wordfence Premium Failed to Protect Against Widely Exploited Vulnerability

A month ago we noted an instance of the Wordfence Security plugin, despite being marketed with the claim that it “stops you from getting hacked”, failing to protect against exploitation of a vulnerability in a WordPress plugin that was being widely exploited. That has happened again. In a post earlier today we mentioned a topic on the WordPress Support Forum discussing websites being exploited due to an already fixed arbitrary file viewing vulnerability in the plugin Advanced Access Manager, a vulnerability we had warned customers of our service about the same day it was fixed. In that topic there was a claim that the Wordfence Security plugin failed to protect against that:

It happened to me. I cleaned up but it came again one day later, even on websites with the last version of WP, with Wordfence, Block Bad Queries, etc.
Does someone know where it comes from? Is it an injection?

Considering that our other post about the exploitation of that vulnerability discussed confusion related to the vulnerability in question, we wanted to double check that the plugin really didn’t protect against this. A quick test confirmed that, as of yesterday, it did not provide protection. We also tested the NinjaFirewall plugin and found that it did provide protection. NinjaFirewall has 100 times fewer installs than Wordfence Security, despite providing the same or more protection in previous testing we have done, which goes to show that the popularity of security plugins doesn’t seem to be tied to how well they work.

There also was a claim that the paid service tied to that plugin, Wordfence Premium, also failed to provide protection:

Same problem, in 2 different sites that we have.
We reverted back to the previous day and all was OK, but the problem started again a few hours later.
We do have Advanced Access Manager. We have been trying all day to see where it comes from. We use Wordfence Premium but it didn’t help.

We don’t have access to the Wordfence Premium service, but that service often doesn’t provide any additional protection over the Wordfence Security plugin until after widespread exploitation has occurred. So if the plugin doesn’t provide protection, it seems likely that the paid service wouldn’t make a difference either (as we have said before, people paying for that service are not getting the protection they pay for).
