Open Nav
Sign Up

How I found a CVE in a 4 milion (!) active users of WordFence

Ori Gabriel

September 27, 2022

I just registered my first CVE. Here is the background story.

One of our goals at OP Innovate is to protect our clients and partners at all times. During a recent penetration testing engagement, the testing scope included a WordPress website. So I decided to channel some effort into WordPress plugins where a vulnerability could potentially affect millions of users. One of the plugins I found was Wordfence.

Wordfence is a firewall and security scanner, and it is considered to be a leader in WordPress security. It has over 4 million active installations.

After reviewing the different functionalities of the plugin, I was drawn to a certain field in the management page of the firewall.

This field acts to immediately block the IPs of users who try to sign in with their usernames. I decided to see if I could inject raw HTML code into the field to test whether it would be saved in an un-sanitized form. As I expected, the payload was successfully injected and rendered by the browser. After that I decided to give it a try to craft a new payload, this time containing JavaScript code, in order to launch a cross-site-scripting attack.

Guess what? It works!

I quickly informed the Wordfence team about my finding and they responded immediately, releasing an update within 24 hours. Their quick remediation ensured that this vulnerability no longer affects millions of their users.

Wordfence reached out to NVD who issued a new CVE – My first CVE

Resources highlights

High-Severity WordPress Vulnerability in Forminator Plugin (CVE-2025-6463)

A critical vulnerability in the Forminator plugin, one of the most popular form-building plugins in Wordpress, allows unauthenticated attackers to delete arbitrary files on the…

Read more >

CVE-2025-6463

CVE-2025-6554: Chrome V8 Zero-Day Exploited in the Wild

On June 30, 2025, Google issued an emergency patch for a critical zero-day vulnerability in its Chrome browser, tracked as CVE-2025-6554. The flaw resides in…

Read more >

CVE-2025-6554

Critical Cisco ISE Vulnerabilities Lead to Unauthenticated RCE (CVE-2025-20281 & CVE-2025-20282)

On June 25, 2025, Cisco disclosed and patched two critical remote code execution (RCE) vulnerabilities: CVE-2025-20281 and CVE-2025-20282, affecting its widely deployed Identity Services Engine…

Read more >

CVE-2025-20281 & CVE-2025-20282

Critical Vulnerability in MegaRAC BMC Added to CISA’s KEV: CVE-2024-54085

On June 25, 2025, CISA added CVE‑2024‑54085, a critical authentication bypass vulnerability in the MegaRAC SPx Baseboard Management Controller (BMC) firmware, to its Known Exploited…

Read more >

CVE-2024-54085

‘UMBRELLA STAND’ Malware Targets Fortinet FortiGate Firewalls

‘UMBRELLA STAND’ Malware Targets Fortinet FortiGate Firewalls The UK’s National Cyber Security Centre (NCSC) has issued an alert regarding a sophisticated malware campaign dubbed “UMBRELLA…

Read more >

umbrella stand fortinet

CVE-2025-49144: Privilege Escalation in Notepad++ Installer Enables Full SYSTEM Access

A critical local privilege escalation vulnerability in the Notepad++ v8.8.1 installer allows attackers to escalate to NT AUTHORITY\SYSTEM using binary planting techniques. Tracked as CVE-2025-49144,…

Read more >

CVE-2025-49144
Under Cyber Attack?

Fill out the form and we will contact you immediately.