A critical authentication bypass vulnerability in Tutor LMS Pro puts over 30,000 WordPress sites at risk of account takeover — including admin accounts — if an attacker knows the target's email address. Update to version 3.9.6 immediately.
Wordfence disclosed 204 WordPress vulnerabilities for the week of February 23rd to March 1st, 2026 -- 162 remain unpatched.
The spotlight is an unauthenticated SQL injection in Tutor LMS versions 3.9.6 and prior, affecting roughly 6.9 million sites.
Full report:
Wordfence Bug Bounty Program Monthly Report – January 2026
In January 2026, 897 vulnerability submissions were received from 151 active researchers.
152 were validated in-scope, with $21,517 in total bounties awarded.
Highlights:
- 22 high threat vulnerabilities
- 8 new WAF rules released
- $2,145 highest single bounty
https://www.wordfence.com/blog/2026/02/wordfence-bug-bounty-program-monthly-report-january-2026/
Wordfence Intelligence Weekly WordPress Vulnerability Report (February 9, 2026 to February 15, 2026)
Last week, 174 vulnerabilities were disclosed in 139 WordPress Plugins and 28 WordPress Themes.
Severity breakdown:
- Critical: 6
- High: 60
- Medium: 108
Review the report to ensure your site is not affected:
Wordfence Intelligence Weekly WordPress Vulnerability Report (February 2, 2026 to February 8, 2026)
Last week, 121 vulnerabilities were disclosed in 100 WordPress Plugins and 10 WordPress Themes.
Severity breakdown:
- Critical: 4
- High: 31
- Medium: 86
Review the report to ensure your site is not affected:
A critical arbitrary file upload vulnerability (CVE-2026-1357, CVSS 9.8) was discovered in the WPvivid Backup & Migration plugin, which is installed on over 800,000 WordPress sites.
The flaw allows unauthenticated attackers to upload arbitrary files, potentially achieving remote code execution and full site takeover.
Update to version 0.9.124. Wordfence Premium users received firewall protection on January 22.
Wordfence introduces API authentication for its vulnerability database
Since it is not possible to contact existing API users directly, Wordfence is appealing to the community to spread the word about the upcoming change.

Wordfence Intelligence API requires a free account starting March 2025. Access remains free, with a 30-day transition period for migration.
I have resolved to blog more often again and ran straight into a problem:
Stumbling block: 2FA with WordPress access via XML-RPC (Wordfence)
https://schacknetz.de/stolperstein-2fa-bei-wordpress-zugriff-per-xml-rpc-wordfence/