Wordfence is the most popular WordPress security plugin, protecting over 5 million websites worldwide.
Visit wordfence.com
#WordPress #WordPressSecurtiy #Cybersecurity
| Website | https://www.wordfence.com |
| Blog | https://www.wordfence.com/blog/ |
| Newsletter | https://www.wordfence.com/subscribe-to-the-wordfence-email-list/ |
200,000 WordPress Sites Affected by Arbitrary File Deletion Vulnerability in Perfmatters WordPress Plugin
CVE-2026-4350 (CVSS 8.1, High) allows unauthenticated attackers to delete arbitrary files, including wp-config.php, potentially leading to site takeover.
- Affected versions: <= 2.5.9.1
- Patched version: 2.6.0
- Researcher: hoshino
Review the report to ensure your site is not affected.
Wordfence Bug Bounty Program Monthly Report - February 2026
- 257 in-scope submissions. $24,651 in bounties awarded
- $2,208 top bounty for an arbitrary file read vulnerability
- $95.92 average payout.
Wordfence Security News - Week of March 23, 2026:
- Kali Forms critical RCE (versions through 2.4.9) exploited same-day, 438 attempts from 59 IPs
- S2 Member account takeover exploitation continues, 92 unpatched sites targeted
- Interlock ransomware exploited Cisco FMC max-severity zero-day starting January 26
- Iran-linked Handala claims breach of FBI Director Kash Patel's personal email
30,000+ WordPress Sites Affected By Critical Auth Bypass In Tutor LMS Pro | Wordfence Security News | Week Of March 9th, 2026
A critical authentication bypass vulnerability in Tutor LMS Pro puts over 30,000 WordPress sites at risk of account takeover — including admin accounts — if an attacker knows the target's email address. Update to version 3.9.6 immediately.
Wordfence disclosed 204 WordPress vulnerabilities for the week of February 23rd to March 1st, 2026 -- 162 remain unpatched.
The spotlight is an unauthenticated SQL injection in Tutor LMS versions 3.9.6 and prior, affecting roughly 6.9 million sites.
Full report:
WordPress Enumeration Explained: Usernames, Plugins, Themes, and API Routes
Enumeration is how attackers learn about a WordPress site before exploiting it -- identifying usernames, plugins, theme versions, exposed files, and API routes.
None of it is a vulnerability alone, but it enables targeted attacks at scale. Limiting information exposure matters.
Wordfence Bug Bounty Program Monthly Report – January 2026
In January 2026, 897 vulnerability submissions were received from 151 active researchers.
152 were validated in-scope, with $21,517 in total bounties awarded.
Highlights:
- 22 high threat vulnerabilities
- 8 new WAF rules released
- $2,145 highest single bounty
https://www.wordfence.com/blog/2026/02/wordfence-bug-bounty-program-monthly-report-january-2026/
Wordfence Intelligence Weekly WordPress Vulnerability Report (February 9, 2026 to February 15, 2026)
Last week, 174 vulnerabilities were disclosed in 139 WordPress Plugins and 28 WordPress Themes.
Severity breakdown:
- Critical: 6
- High: 60
- Medium: 108
Review the report to ensure your site is not affected:
Wordfence Intelligence Weekly WordPress Vulnerability Report (February 2, 2026 to February 8, 2026)
Last week, 121 vulnerabilities were disclosed in 100 WordPress Plugins and 10 WordPress Themes.
Severity breakdown:
- Critical: 4
- High: 31
- Medium: 86
Review the report to ensure your site is not affected:
