14 Apr 2025

Wordfence’s Unethical Behavior Caused Weeks Long Delay in Fix of Serious Vulnerability

Last week, once again, supposed security journalists and security provider Patchstack were spreading misinformation about a vulnerability in a WordPress plugin. They claimed a vulnerability had been exploited hours after it was disclosed. In reality, there were exploit attempts, but no evidence of any exploitation. And that actually happened a day or a week after the vulnerability was disclosed, depending on what you consider as disclosure.

That a plugin from this developer had a vulnerability that would receive interest from hackers isn’t a surprise, as the developer has a long track record of poor handling of security. We recommended not using their plugins in January 2024, unless they could show they had gotten a better handle on security. As we noted in January of this year, they clearly hadn’t gotten a better handle on things by then. With this vulnerability, they did fix it the same day they were informed of it. Unfortunately, the vulnerability was fixed weeks after it should have been, as the notification happened weeks after it should have been. That was because an unethical security provider paid the discoverer to not report it to the developer. [Read more]

8 Apr 2025

WordPress Security Providers Failing to Warn About Vulnerability in Plugin Hacker Likely Targeting

Across various data we monitor we have been seeing what looks to be a hacker or hackers trying to find websites using the plugin Kubio Pro, by requesting this URL: /wp-content/plugins/kubio-pro/readme.txt. At first we were puzzled as to what might explain that. There isn’t a plugin on the WordPress Plugin Directory with the slug kubio-pro, so it likely was either a plugin made available somewhere else or a backdoor disguised as a plugin. We looked for any information on the web about a vulnerability in a plugin with that slug or the name Kubio Pro and came up with nothing. The same is true for competing data sources for information on vulnerabilities in WordPress plugins.

WPScan, owned by Automattic, serves a not found page for the URL that would contain data on vulnerabilities for a plugin with that slug: [Read more]

7 Apr 2025

Actual Accident Leads to Unfixed Vulnerability Hacker is Likely Trying to Exploit in WordPress Plugin

On Friday we looked at a vulnerability likely being exploited in a WordPress plugin, where there is a fix, but WordPress hasn’t made it available. Like that situation, we had what appears to be a hacker probing for usage of the plugin Front End Users over the weekend by requesting the readme.txt file for the plugin. Like that previous situation, the plugin is closed on the WordPress plugin directory:

[Read more]

4 Apr 2025

Hacker Probing for WordPress Plugin That Wordfence Exposed Critical Vulnerability in Without Making Sure Fix Is Available

Yesterday, we had what would appear to be a hacker probing for usage of the WordPress plugin Checkout Mestres WP on our website by requesting the readme.txt file for it like this:

/wp-content/plugins/checkout-mestres-wp/readme.txt [Read more]

14 Feb 2025

Hacker Probing For WordPress Plugin With Many Vulnerabilities That Wordfence and Other Providers Incorrectly Claimed Were Fixed Last Year

Today we saw what appeared to be a hacker probing for usage of the WordPress plugin WP Compress on our websites. The probing was done by requesting a file that would exist if the plugin were installed on our website, /wp-content/plugins/wp-compress-image-optimizer/readme.txt. We don’t use that plugin on that website or any of our others. So what might explain a hacker’s interest in the plugin? Last year the WordPress security provider Wordfence claimed that a vulnerability had been fixed in the plugin, of a type that sounds like it could explain a hacker’s interest. Here is part of their description:

This makes it possible for authenticated attackers, with subscriber-level permissions and above, to edit plugin settings, including storing cross-site scripting, in multisite environments. [Read more]

31 Jan 2025

WordPress (and Open Source In General) Have a Big Problem With a Lack of Vulnerability Transparency

Looking back at some things while preparing a post about a WordPress security provider misleading people about the European Union’s Cyber Resilience Act, we ran across a letter that was put out by WordPress and several other open source CMS projects. In it they made this claim about fixing potential vulnerabilities in open source code:

Tens of thousands of developers are empowered to identify and fix potential vulnerabilities, because all FOSS code is made publicly available — unlike proprietary software code that is kept secret. [Read more]

16 Dec 2024

Wordfence and WPScan Falsely Claim Closed WordPress Plugin Contains Serious Vulnerability

We are currently looking into yet another problem with handling of security by Awesome Motive and the Security Reviewer from the WordPress Plugin Review Team. In doing that, we ran across another example of the incredibly sloppy work done by prominent providers of data on vulnerabilities in WordPress plugins.

In January, the WordPress plugin SimpleMap Store Locator was closed on the WordPress Plugin Directory for an unspecified “security issue.” [Read more]

9 Dec 2024

Wordfence and “News” Outlets Recommend Updating WordPress Plugin to Version Still Known to be Vulnerable

What we see over and over is that WordPress security providers and supposed journalists are focused on getting themselves attention while failing to provide useful information that would make WordPress websites more secure. A recent example involved (once again) Wordfence. As usual, they were using a vulnerability in a plugin to promote themselves:

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as these vulnerabilities pose a significant risk. [Read more]

21 Nov 2024

WordPress All-In-One Security and 2FA Plugins Can Get Your Website Hacked

A major source of security vulnerabilities in WordPress websites is insecure WordPress plugins. In response to that, far too many WordPress security providers push installing more plugins instead of taking steps to actually fix the insecurity of plugins. You will often see them pushing all-in-one security plugins and plugins to add two-factor authentication (2FA), despite the lack of protection they often offer and the security issues they can introduce. A prime offender in doing that is Wordfence. In the face of that leading to a serious problem recently, they didn’t change course. Instead, they used it to market themselves. Before we get into that, we will take a step back to our warnings last year about a popular security plugin.

Back in 2017, we did a security review of a plugin named Really Simple SSL and found no issues with what we were checking on at that time. Last year the plugin was radically changed to move away from a focus on providing really simple SSL, to being an all-in-one security plugin. Alongside that, the developer showed a clear lack of concern for security. As we wrote about in July of last year, they were falsely claiming that plugins contained vulnerabilities because they were using a known unreliable source for vulnerability data. They didn’t address that by moving to a reliable source, and in January we noted a much more concerning situation, where they were falsely claiming unfixed vulnerabilities had been fixed. [Read more]

13 Nov 2024

WP Engine Failed to Vet Security of Plugin Acquired This Year or Fix Vulnerability in It Once It Was Reported to Them

When it comes to whether Matt Mullenweg or WP Engine are the bad guys in the recent, the reality is that they both have played a decidedly harmful role in the security of WordPress plugins. Sometimes that comes from them working together. Last year, we noted that WP Engine was falsely claiming that a popular WordPress plugin contained a security vulnerability. That was caused by them using a known unreliable source of vulnerability data, WPScan. Incredibly, WP Engine’s VP of security admitted earlier in the year that they hadn’t done due diligence with WPScan’s data:

We know that there are other options out there, but given the sense of completeness and alerts for ALL relevant plugins, we never had a need to go crosscheck WPScan against anyone else. [Read more]