How I found a CVE in a 4 milion (!) active users of WordFence

Ori Gabriel

September 27, 2022

I just registered my first CVE. Here is the background story.

One of our goals at OP Innovate is to protect our clients and partners at all times. During a recent penetration testing engagement, the testing scope included a WordPress website. So I decided to channel some effort into WordPress plugins where a vulnerability could potentially affect millions of users. One of the plugins I found was Wordfence.

Wordfence is a firewall and security scanner, and it is considered to be a leader in WordPress security. It has over 4 million active installations.

After reviewing the different functionalities of the plugin, I was drawn to a certain field in the management page of the firewall.

This field acts to immediately block the IPs of users who try to sign in with their usernames. I decided to see if I could inject raw HTML code into the field to test whether it would be saved in an un-sanitized form. As I expected, the payload was successfully injected and rendered by the browser. After that I decided to give it a try to craft a new payload, this time containing JavaScript code, in order to launch a cross-site-scripting attack.

Guess what? It works!

I quickly informed the Wordfence team about my finding and they responded immediately, releasing an update within 24 hours. Their quick remediation ensured that this vulnerability no longer affects millions of their users.

Wordfence reached out to NVD who issued a new CVE – My first CVE

Under Cyber Attack?

Fill out the form and we will contact you immediately.

Under Cyber Attack?

Fill out the form and we will contact you immediately.