Erik Kraijenoord On May 13th, 2026, we received a submission for a critical Unauthenticated Arbitrary File Deletion vulnerability in Avada Builder, a premium WordPress plugin with an estimated 1,000,000 active installations. This vulnerability makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right … Read more
Last week, there were 102 vulnerabilities disclosed in 90 WordPress Plugins and 5 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 68 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected. Our mission with … Read more
This post recaps how the WordPress project’s five Global Partners — Jetpack, WordPress.com, WooCommerce, Bluehost, and Hostinger — supported community events during the first half of 2026. Across more than a dozen regional the first WordPress Developers Day, and a growing network of WordPress Campus Connect events, Global Partners staffed booths, sponsored sessions, and connected … Read more
On March 30th, 2026, we publicly disclosed a Sensitive Information Exposure vulnerability in Gravity SMTP, a WordPress plugin with an estimated 100,000 active installations. This vulnerability can be leveraged by unauthenticated attackers to retrieve detailed system configuration data and, critically, any API keys, secrets, and OAuth tokens configured for the plugin’s email integrations. The vendor … Read more
The Wordfence Threat Intelligence Team was notified on June 11th, 2026 of a potential supply chain compromise affecting ShapedPlugin, a WordPress plugin vendor with over 400,000 active free plugin installations. Fortunately, Wordfence customers have already had malware signature detection for the particular backdoor used in this attack. During our investigation, we discovered that attackers compromised … Read more
