Open Nav
Sign Up

How I found a CVE in a 4 milion (!) active users of WordFence

Ori Gabriel

September 27, 2022

I just registered my first CVE. Here is the background story.

One of our goals at OP Innovate is to protect our clients and partners at all times. During a recent penetration testing engagement, the testing scope included a WordPress website. So I decided to channel some effort into WordPress plugins where a vulnerability could potentially affect millions of users. One of the plugins I found was Wordfence.

Wordfence is a firewall and security scanner, and it is considered to be a leader in WordPress security. It has over 4 million active installations.

After reviewing the different functionalities of the plugin, I was drawn to a certain field in the management page of the firewall.

This field acts to immediately block the IPs of users who try to sign in with their usernames. I decided to see if I could inject raw HTML code into the field to test whether it would be saved in an un-sanitized form. As I expected, the payload was successfully injected and rendered by the browser. After that I decided to give it a try to craft a new payload, this time containing JavaScript code, in order to launch a cross-site-scripting attack.

Guess what? It works!

I quickly informed the Wordfence team about my finding and they responded immediately, releasing an update within 24 hours. Their quick remediation ensured that this vulnerability no longer affects millions of their users.

Wordfence reached out to NVD who issued a new CVE – My first CVE

Resources highlights

AsyncAPI npm Supply-Chain Attack Delivers Cross-Platform Miasma RAT

A software supply-chain attack compromised four packages in the official AsyncAPI npm namespace, resulting in five malicious package versions being distributed through the project’s legitimate…

Read more >

AsyncAPI supply chain attack

Zoom Windows Vulnerability Enables Account Takeover (CVE-2026-53412)

Zoom has released security updates for a critical vulnerability affecting Zoom Workplace and Zoom Workplace VDI clients for Windows. Tracked as CVE-2026-53412, the vulnerability could…

Read more >

cve-2026-53412

Actively Exploited SonicWall SMA1000 Vulnerabilities (CVE-2026-15409 and CVE-2026-15410)

SonicWall has released emergency hotfixes for two vulnerabilities affecting SMA1000 Series secure access appliances. Both vulnerabilities have been exploited in active attacks, and one carries…

Read more >

sonicwall_cve-2026-15409_cve-2026-15410_op

Critical Gitea Docker Authentication Bypass Under Active Probing: CVE-2026-20896

A critical authentication bypass vulnerability, tracked as CVE-2026-20896, has been disclosed in the official Gitea Docker image. Gitea is a self-hosted software development platform used…

Read more >

gitea_docker_cve-2026-20896

Adobe Patches Multiple Critical ColdFusion and Campaign Classic Vulnerabilities: CVE-2026-48282 Exploitation Observed

Adobe has released security updates for multiple critical vulnerabilities affecting Adobe ColdFusion and Adobe Campaign Classic, including several flaws rated CVSS 10.0.CVE-2026-48282, a critical ColdFusion…

Read more >

adobe_coldfusion_campaign classic_cve-2026-48282

CVE-2026-46817: Critical Oracle E-Business Suite Vulnerability

A critical vulnerability in Oracle E-Business Suite is now being actively exploited in the wild. Tracked as CVE-2026-46817, the flaw affects the File Transmission component…

Read more >

cve-2026-46817-oracle-e-business
Under Cyber Attack?

Fill out the form and we will contact you immediately.