Wordfence’s Unethical Behavior Caused Weeks Long Delay in Fix of Serious Vulnerability
Last week, once again, supposed security journalists and security provider Patchstack were spreading misinformation about a vulnerability in a WordPress plugin. They claimed a vulnerability had been exploited hours after it was disclosed. In reality, there were exploit attempts, but no evidence of any exploitation. And that actually happened a day or a week after the vulnerability was disclosed, depending on what you consider as disclosure.
That a plugin from this developer had a vulnerability that would attract hackers isn’t a surprise, as it is a developer with a long track record of poor handling of security. We recommended not using their plugins in January 2024 unless they could show they had gotten a better handle on security. As we noted in January of this year, they clearly hadn’t gotten a better handle on things by then. With this vulnerability, they did fix it the same day they were informed of it. Unfortunately, the vulnerability was fixed weeks after it should have been, because the notification happened weeks after it should have. That was because an unethical security provider paid the discoverer not to report it to the developer.
That unethical security provider is Wordfence. In a post, they claimed that the vulnerability had been “responsibly reported,” but then they immediately contradicted that by saying it wasn’t reported to the developer, which is what responsible disclosure would involve. Instead, the discoverer sold the vulnerability to Wordfence. Here is their own timeline of what happened:
March 13, 2025 – We received the submission for the Administrative User Creation vulnerability in SureTriggers via the Wordfence Bug Bounty Program.
April 1, 2025 – We validated the report and confirmed the proof-of-concept exploit.
April 1, 2025 – Wordfence Premium, Care, and Response users received a firewall rule to provide protection against any exploits that may target this vulnerability.
April 3, 2025 – We sent over the full disclosure details to the vendor. The vendor acknowledged the report and began working on a fix.
April 3, 2025 – The fully patched version of the plugin, 1.0.79, was released.
Based on the same-day response from the developer, if the discoverer had reported it directly to them, it would have been fixed 21 days earlier. That is only one of the problems there. Wordfence is also obliquely admitting that they sold information about the vulnerability through a firewall rule 2 days before they notified the developer. In no way is that responsible disclosure. But Wordfence has gotten away with lying for years without consequence, despite being a security provider, so they don’t appear to have an incentive to tell the truth.
Just to make it clear what Wordfence is doing here, they explicitly require not doing responsible disclosure, which would involve the discoverer reporting the vulnerability to the developer. In their FAQ, they state “[y]ou’re welcome to handle the responsible disclosure process yourself, however, the vulnerability would not be eligible for a bounty and would simply just get a CVE ID assignment.”