Below are listed the vulnerabilities in WordPress plugins for which Wordfence added firewall rules to the Wordfence Security plugin in 2023. As the list shows, Wordfence isn’t adding protection for many of the WordPress plugin vulnerabilities being disclosed. Which vulnerabilities they add protection for, versus which they don’t, doesn’t make much sense based on the risk of the vulnerability, and they often fail to provide protection for vulnerabilities being exploited. Instead, what seems to explain which vulnerabilities get rules is what they are going to be mentioning on their blog, as it allows them to appear to be providing robust protection to those in their ecosystem, while not actually delivering that.
The dates listed are when the rules were added to their free data.
December 28
Information Disclosure Vulnerability in Backup Migration
December 16
Authenticated Option Update Vulnerability in WP Courses (Protection added two months after this was disclosed)
December 4
Privilege Escalation Vulnerability in MStore API
Authenticated Option Update Vulnerability in WooODT Lite (Protection added two months after this was disclosed)
December 3
Arbitrary Option Deletion Vulnerability in 10Web Booster
November 25
Privilege Escalation Vulnerability in WP Extra
November 6
Authenticated Arbitrary File Upload Vulnerability in Dropshipping & Affiliation with Amazon
October 30
Privilege Escalation Vulnerability in AI Chatbot (Wordfence discovered vulnerability)
October 28
Password Change Vulnerability in Simple Membership
October 26
Information Disclosure Vulnerability in Social Media Share Buttons & Social Sharing Icons (Wordfence discovered vulnerability)
Authenticated Remote Code Execution (RCE) Vulnerability in Allow PHP in Posts and Pages (Wordfence discovered vulnerability)
October 19
Arbitrary Email Sending Vulnerability in Super Store Finder
October 15
Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in PowerPress
October 13
Privilege Escalation Vulnerability in MultiVendorX
Privilege Escalation Vulnerability in WPvivid Backup Plugin
October 8
Arbitrary File Upload Vulnerability in Form-Maker
October 6
File Inclusion Vulnerability in Media Library Assistant
September 25
Privilege Escalation Vulnerability in Jupiter X Core
September 18
PHP Object Injection Vulnerability in Essential Blocks (Wordfence discovered vulnerability)
September 14
Information Disclosure Vulnerability in Post Grid Combo
September 10
Role Change Vulnerability in Charitable (Wordfence discovered vulnerability)
September 7
Privilege Escalation Vulnerability in BAN Users (Wordfence discovered vulnerability)
September 3
Authenticated Remote Code Execution (RCE) Vulnerability in JetElements
August 17
Authenticated Server-Side Request Forgery (SSRF) Vulnerability in Spectra
August 13
Authenticated Privilege Escalation Vulnerability in WP Project Manager (Wordfence discovered vulnerability)
August 7
User Deletion Vulnerability in Atarim – Client Interface (Protection added two weeks after we had disclosed it)
Privilege Escalation Vulnerability in HT Mega – Absolute Addons for Elementor
Password Change Vulnerability in Booking Package
July 30
Role Change Vulnerability in Ultimate Member
July 29
Privilege Escalation Vulnerability in WP Post Author
July 27
Authenticated Option Update Vulnerability in ProfileGrid (Wordfence discovered vulnerability)
July 22
Privilege Escalation Vulnerability in tagDiv Cloud Library
July 21
Authenticated Arbitrary File Upload Vulnerability in User Registration (Wordfence discovered vulnerability)
July 20
Privilege Escalation Vulnerability in Stripe Payment Plugin for WooCommerce
July 8
Privilege Escalation in Abandoned Cart Lite for WooCommerce (Wordfence discovered vulnerability)
July 6
Authenticated Password Change in SP Project & Document Manager (Wordfence discovered vulnerability)
Authenticated Password Change in LearnDash LMS (Wordfence discovered vulnerability)
July 3
Privilege Escalation in WordPress Social Login and Register (Wordfence discovered vulnerability)
July 2
Privilege Escalation in Jetpack
July 1
Authenticated Plugin Installation in Formidable
June 30
Privilege Escalation in Wordapp (Wordfence discovered vulnerability)
June 25
Authenticated Arbitrary Upload in Unlimited Elements For Elementor (Wordfence discovered vulnerability)
June 22
Privilege Escalation in ReviewX
Privilege Escalation in BookIt
June 19
Privilege Escalation in UserPro
Privilege Escalation in WCFM Membership (Protection added two weeks after this was disclosed)
June 18
Privilege Escalation in Woodmart Core
Privilege Escalation in BP Social Connect
June 17
Privilege Escalation in MStore API (Wordfence caused the developer to not be notified responsibly)
June 11
Password Reset Vulnerability in Essential Addons for Elementor
June 2
Authenticated Option Update Vulnerability in Elementor Pro (Protection added two months after this was exploited)
Password Reset Vulnerability in Easy Digital Downloads
May 14
Privilege Escalation Vulnerability in ZM Ajax Login & Register
May 8
Privilege Escalation Vulnerability in Front End Users
PHP Object Injection Vulnerability in Formidable Forms
May 7
Authenticated Server-Side Request Forgery (SSRF) Vulnerability in Getwid
Cross-Site Request Forgery (CSRF) in WP Fastest Cache (Added seven years after the vulnerability was disclosed).
May 6
Privilege Escalation Vulnerability in WP Data Access (Wordfence discovered vulnerability)
Privilege Escalation Vulnerability in Directorist
Authenticated Post Deletion Vulnerability in Directorist
May 5
Authenticated Information Disclosure Vulnerability in ACF Quick Edit Fields (Added five months after the vulnerability was fixed).
May 4
Authenticated PHP Object Injection Vulnerability in Advanced Custom Fields
Privilege Escalation Vulnerability in Happyfiles Pro
May 1
Authenticated Option Update Vulnerability in Themeflection Numbers
April 29
Privilege Escalation Vulnerability in Filebird
April 24
Privilege Escalation Vulnerability in FULL – Customer
April 23
Privilege Escalation Vulnerability in WooCommerce Payments
April 20
Privilege Escalation Vulnerability in Squirrly SEO
April 16
Privilege Escalation Vulnerability in Updraft Plus
April 14
Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in Weaver Show Posts (Wordfence discovered vulnerability)
April 9
Authenticated SQL Injection Vulnerability in Paid Memberships Pro
Authenticated SQL Injection Vulnerability in Slimstat Analytics
April 7
Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in Yoast SEO
April 6
Privilege Escalation Vulnerability in Paytium (Added four months after the vulnerability was fixed).
April 3
Authenticated Arbitrary Media Deletion Vulnerability in OoohBoi Steroids for Elementor
Authenticated Media Upload Vulnerability in OoohBoi Steroids for Elementor (Wordfence discovered vulnerability)
April 2
Authenticated Information Disclosure Vulnerability in Shortcodes Ultimate
April 1
Option Update Vulnerability in Gallery Blocks with Lightbox
Option Update Vulnerability in Sitemap by click5 (Added a year after the vulnerability was disclosed).
March 31
Privilege Escalation Vulnerability in ProfileGrid
March 30
Privilege Escalation Vulnerability in WP Meta SEO
March 25
Persistent Cross-Site Scripting (XSS) Vulnerability in 10Web Booster (We discovered this vulnerability and warned about it well before the rule was added.)
March 24
Privilege Escalation Vulnerability in Redirect Redirection
March 19
WordPress User Data Deletion Vulnerability in WordPress Social Login and Register (Wordfence appears to believe they were adding protection against a very different vulnerability.)
March 17
Authenticated Information Disclosure Vulnerability in Shortcodes Ultimate
March 16
Privilege Escalation Vulnerability in Profile Builder (Wordfence caused the developer to not be notified responsibly)
March 13
Settings Reset Vulnerability in YourChannel
March 6
Persistent Cross-Site Scripting (XSS) Vulnerability in Metform Elementor Contact Form Builder (Wordfence caused the developer to not be notified responsibly)
February 26
SQL Injection Vulnerability in LearnPress
February 25
Authenticated Stored Cross-Site Scripting Vulnerability in All in One SEO Pack (Wordfence discovered vulnerability)
Local File Inclusion (LFI) Vulnerability in LearnPress
February 23
Authenticated Local File Inclusion (LFI) Vulnerability in Customer Reviews for WooCommerce
February 16
Privilege Escalation Vulnerability in Quick Restaurant Menu (Wordfence discovered vulnerabilities)
February 3
Remote Code Execution in User Post Gallery
January 23
Privilege Escalation Vulnerability in Royal Elementor (Wordfence discovered vulnerability)
January 21
Privilege Escalation Vulnerability in Jeg Elementor Kit (Wordfence discovered vulnerability)
January 16
Privilege Escalation Vulnerability in iubenda
January 14
Privilege Escalation Vulnerability in BeRocket Plugins
January 9
Settings Change Vulnerability in miniOrange 2 Factor Authentication
January 7
Privilege Escalation Vulnerability in ContentStudio (We discovered this vulnerability and warned about it well before the rule was added.)