Wordfence is the most popular WordPress security plugin, protecting over 5 million websites worldwide.
Visit wordfence.com
#WordPress #WordPressSecurtiy #Cybersecurity
| Website | https://www.wordfence.com |
| Blog | https://www.wordfence.com/blog/ |
| Newsletter | https://www.wordfence.com/subscribe-to-the-wordfence-email-list/ |
30,000+ WordPress Sites Affected By Critical Auth Bypass In Tutor LMS Pro | Wordfence Security News | Week Of March 9th, 2026
A critical authentication bypass vulnerability in Tutor LMS Pro puts over 30,000 WordPress sites at risk of account takeover — including admin accounts — if an attacker knows the target's email address. Update to version 3.9.6 immediately.
Wordfence disclosed 204 WordPress vulnerabilities for the week of February 23rd to March 1st, 2026 -- 162 remain unpatched.
The spotlight is an unauthenticated SQL injection in Tutor LMS versions 3.9.6 and prior, affecting roughly 6.9 million sites.
Full report:
WordPress Enumeration Explained: Usernames, Plugins, Themes, and API Routes
Enumeration is how attackers learn about a WordPress site before exploiting it -- identifying usernames, plugins, theme versions, exposed files, and API routes.
None of it is a vulnerability alone, but it enables targeted attacks at scale. Limiting information exposure matters.
Wordfence Bug Bounty Program Monthly Report – January 2026
In January 2026, 897 vulnerability submissions were received from 151 active researchers.
152 were validated in-scope, with $21,517 in total bounties awarded.
Highlights:
- 22 high threat vulnerabilities
- 8 new WAF rules released
- $2,145 highest single bounty
https://www.wordfence.com/blog/2026/02/wordfence-bug-bounty-program-monthly-report-january-2026/
Wordfence Intelligence Weekly WordPress Vulnerability Report (February 9, 2026 to February 15, 2026)
Last week, 174 vulnerabilities were disclosed in 139 WordPress Plugins and 28 WordPress Themes.
Severity breakdown:
- Critical: 6
- High: 60
- Medium: 108
Review the report to ensure your site is not affected:
Wordfence Intelligence Weekly WordPress Vulnerability Report (February 2, 2026 to February 8, 2026)
Last week, 121 vulnerabilities were disclosed in 100 WordPress Plugins and 10 WordPress Themes.
Severity breakdown:
- Critical: 4
- High: 31
- Medium: 86
Review the report to ensure your site is not affected:
A critical arbitrary file upload vulnerability (CVE-2026-1357, CVSS 9.8) was discovered in the WPvivid Backup & Migration plugin, which is installed on over 800,000 WordPress sites.
The flaw allows unauthenticated attackers to upload arbitrary files, potentially achieving remote code execution and full site takeover.
Update to version 0.9.124. Wordfence Premium users received firewall protection on January 22.
Wordfence Intelligence Weekly WordPress Vulnerability Report (January 26, 2026 to February 1, 2026)
Last week, there were 120 vulnerabilities disclosed in 107 WordPress Plugins and 10 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 55 Vulnerability Researchers that contributed to WordPress Security.
Our Q4 2025 WordPress Threat Intelligence Report is now available.
Key findings from the quarter:
- 9.1 billion WAF attacks blocked
- 13.8 billion brute force attacks stopped
- 2,213 new vulnerabilities discovered
Read the full report:
https://www.wordfence.com/blog/2026/02/quarterly-wordpress-threat-intelligence-report-q4-2025/
