Erik Kraijenoord

PSA: Supply Chain Compromise Targets ShapedPlugin, Backdoored Pro Plugins Distributed via Official Channels

by

The Wordfence Threat Intelligence Team was notified on June 11th, 2026 of a potential supply chain compromise affecting ShapedPlugin, a WordPress plugin vendor with over 400,000 active free plugin installations. Fortunately, Wordfence customers have already had malware signature detection for the particular backdoor used in this attack. During our investigation, we discovered that attackers compromised … Read more

Wordfence Intelligence Weekly WordPress Vulnerability Report (June 1, 2026 to June 7, 2026)

by

Last week, there were 159 vulnerabilities disclosed in 140 WordPress Plugins and 2 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 96 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected. Our mission with … Read more

Critical Unauthenticated Authentication Bypass Vulnerability Patched in UpdraftPlus WordPress Plugin

by

On June 2nd, 2026, we received a submission for a critical Unauthenticated Authentication Bypass vulnerability in UpdraftPlus, a WordPress plugin with more than 3 million active installations. Although the plugin has such a large install base, the vulnerability is only exploitable on sites that have previously been connected to UpdraftCentral, the plugin’s remote site management … Read more

Protect The Shire

by

tl;dr: Temporary 24-hour cooldown period for plugin/theme releases before auto-updates. AI can give defenders an edge. We want to secure all 78K plugins and themes on WordPress.org.  One of the things we’ve always striven to do as the developers of WordPress is to work harder so you don’t have to; we take technology that’s complex … Read more