Open Nav
Sign Up

How I found a CVE in a 4 milion (!) active users of WordFence

Ori Gabriel

September 27, 2022

I just registered my first CVE. Here is the background story.

One of our goals at OP Innovate is to protect our clients and partners at all times. During a recent penetration testing engagement, the testing scope included a WordPress website. So I decided to channel some effort into WordPress plugins where a vulnerability could potentially affect millions of users. One of the plugins I found was Wordfence.

Wordfence is a firewall and security scanner, and it is considered to be a leader in WordPress security. It has over 4 million active installations.

After reviewing the different functionalities of the plugin, I was drawn to a certain field in the management page of the firewall.

This field acts to immediately block the IPs of users who try to sign in with their usernames. I decided to see if I could inject raw HTML code into the field to test whether it would be saved in an un-sanitized form. As I expected, the payload was successfully injected and rendered by the browser. After that I decided to give it a try to craft a new payload, this time containing JavaScript code, in order to launch a cross-site-scripting attack.

Guess what? It works!

I quickly informed the Wordfence team about my finding and they responded immediately, releasing an update within 24 hours. Their quick remediation ensured that this vulnerability no longer affects millions of their users.

Wordfence reached out to NVD who issued a new CVE – My first CVE

Resources highlights

New Linux Vulnerabilities (CVE-2025-6018 & CVE-2025-6019) Enable Full Root Access in Seconds

Security researchers have uncovered a critical privilege escalation chain in major Linux distributions that allows any local user with a session (SSH or GUI) to…

Read more >

CVE-2025-6018, CVE-2025-6019

Zero to Hero: How Our Red Team Turned a Sticky Note Into Full Cloud Compromise

“The weakest link in your security chain might be sitting right on your desk.” At OP Innovate, our CREST-certified red team is trained to think…

Read more >

OP Innovate Red Team

One-Third of All Grafana Instances Vulnerable to XSS (CVE-2025-4123)

Over 46,000 internet-facing Grafana servers (≈36 % of those online) are still running versions susceptible to CVE-2025-4123, a high-severity open-redirect that chains into stored cross-site…

Read more >

CVE-2025-4123

New Microsoft Outlook Vulnerability Enables Local Code Execution (CVE-2025-47176)

Published: June 11, 2025 Threat Level: High Affected Product: Microsoft Outlook (Microsoft 365 Apps for Enterprise, Office LTSC 2024) CVSS Score: 7.8 (High) A newly…

Read more >

CVE-2025-47176

How MSSPs Are Turning Penetration Testing Into Recurring Revenue with WASP

When OP Innovate first launched WASP in 2022, we weren’t chasing unicorn status or massive VC rounds. We were focused on fixing a real problem:…

Read more >

CVE-2025-49113: Actively Exploited Critical Vulnerability in Roundcube Webmail

Severity: Critical (CVSS 9.9) Status: Active Exploitation Confirmed On June 1, 2025, Roundcube developers issued critical security updates to patch a newly discovered vulnerability in…

Read more >

CVE-2025-49113.
Under Cyber Attack?

Fill out the form and we will contact you immediately.