How a Webmail Log File Became a Root-Level Backdoor
A forensic breakdown of how an attacker turned CyberPanel's SnappyMail logging into a persistent webshell that survived every WordPress cleanup attempt. The ...
WordPress
17 articles
WordPress Funnel Builder vulnerability exploited to steal payment data
The vulnerability in the Funnel Builder plugin, used by over 40,000 websites, allows unauthenticated attackers to modify global settings via an unprotected c...
Critical vulnerability in Burst Statistics plugin allows admin takeover
The flaw, identified as CVE-2026-8181, was introduced in version 3.4.
Two vulnerabilities found in popular WordPress plugin Avada Builder
The vulnerabilities, disclosed by Wordfence, include an arbitrary file read flaw (CVE-2026-4782) requiring subscriber-level access and a high-severity SQL in...
Hackers exploit auth bypass flaw in Burst Statistics WordPress plugin
Hackers are leveraging a critical authentication bypass vulnerability in the WordPress plugin Burst Statistics to obtain admin-level access to websites. [.
Critical WordPress Plugin Flaw Allows Unauthorized Access to Websites
A critical vulnerability in a widely used WordPress plugin has exposed more than 200,000 websites to potential takeover, raising urgent concerns across the s...
[webapps] WordPress Plugin Supsystic Contact Form 1.7.36 - SSTI
WordPress Plugin Supsystic Contact Form 1.7.
1,000,000 WordPress Sites Affected by Arbitrary File Read and SQL Injection Vulnerabilities in Avada Builder WordPress Plugin
On March 21st, 2026, we received a submission for an Arbitrary File Read and an SQL Injection vulnerability in Avada Builder, a WordPress plugin with an esti...
Authenticated Arbitrary File Upload Vulnerability Patched in Slider Revolution 7 WordPress Plugin
On April 18th, 2026, we received a submission for an Authenticated Arbitrary File Upload vulnerability in Slider Revolution, a WordPress plugin. Although the...
Attackers Actively Exploiting Critical Vulnerability in Breeze Cache Plugin
On April 22nd, 2026, we publicly disclosed a critical Arbitrary File Upload vulnerability in Breeze Cache, a WordPress plugin with an estimated 400,000 activ...
CISA Adds One Known Exploited Vulnerability to Catalog
CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2026-41940 WebPros c...
[webapps] WordPress Plugin 5.2.0 - Broken Access Control
WordPress Plugin 5.2.
Attackers Actively Exploiting Critical Vulnerability in Ninja Forms – File Upload Plugin
On April 6th, 2026, we publicly disclosed a critical Arbitrary File Upload vulnerability in Ninja Forms – File Upload, a WordPress plugin with an estimated 5...
The Increasing Role of AI in Vulnerability Research
At Wordfence, we run a bug bounty program that pays out mid-six figures per year to researchers in bug bounties for WordPress related vulnerabilities. Fundin...
Critical Vulnerability in Ninja Forms Exposes WordPress Sites
Ninja Forms File Upload RCE via unauthenticated arbitrary file upload; update to 3.3.
50,000 WordPress Sites affected by Arbitrary File Upload Vulnerability in Ninja Forms – File Upload WordPress Plugin
On January 8th, 2026, we received a submission for an Arbitrary File Upload vulnerability in Ninja Forms - File Upload, a WordPress plugin with an estimated ...
GrayCharlie Hijacks Law Firm Sites in Suspected Supply-Chain Attack
GrayCharlie turns compromised WordPress sites into malware delivery machines. Discover how this threat actor chains fake browser updates and ClickFix lures t...