Kirki Password Reset Exploit Explained
Wordfence Security News Clip | June 8, 2026
Kirki's password reset endpoint sends the reset link to whatever email the attacker supplies, not the account owner's.
An unauthenticated attacker specifies an admin username and their own email, receives the reset link, and sets a new admin password.
Update Kirki to version 6.0.7 or later immediately.
Watch The Clip: https://t.co/cO6LiYC7Lm
Read our full report: https://t.co/1Qfr5jm9PV
Wordfence Intelligence Weekly WordPress Vulnerability Report (June 1, 2026 to June 7, 2026)
Last week, there were 159 vulnerabilities disclosed in 140 WordPress Plugins and 2 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database.
https://t.co/G38RP7rn1m
Checkpoint VPN Auth Bypass Exploited as Zero-Day
Wordfence Security News Clip | June 8, 2026
Checkpoint Remote Access VPN has a critical authentication bypass exploited as a zero-day since May 7th, linked to a Qilin ransomware affiliate.
A flaw in IKEv1 certificate validation lets a remote attacker establish a valid VPN session without presenting any credentials.
Apply the Checkpoint hotfix immediately, or disable IKEv1 and enforce machine certificate authentication.
Checkpoint VPN Auth Bypass Exploited as Zero-Day
Wordfence Security News Clip | June 8, 2026
Checkpoint Remote Access VPN has an authentication bypass that lets attackers connect without valid credentials.
The flaw is in IKEv1 certificate validation, allowing a remote attacker to establish a VPN session and enter the corporate network unauthenticated.
Apply Checkpoint's hotfix immediately, or disable IKEv1 and enforce machine certificate authentication on the gateway.
Watch The Clip: https://t.co/p8pblIk344
LLM Agent Drives Post-Compromise Attack
Wordfence Security News Clip | June 1, 2026
An LLM agent drove post-compromise activity in a May 10 attack on an unpatched Marimo server, exfiltrating a full internal database in under two minutes.
The agent found cloud credentials, pulled a private SSH key from a secrets vault, and copied the database across four pivots in roughly one hour.
If you run Marimo, update to the latest version and rotate any credentials the server could reach.
Watch The Clip: https://t.co/OEWUJhglL6
AI-Driven Post-Compromise Attack on Marimo
Wordfence Security News Clip | June 1, 2026
An LLM agent drove post-compromise activity in a real Marimo attack, exfiltrating an internal database in under two minutes.
The agent found cloud credentials, pulled a private SSH key from a vault, and copied the database - all in roughly one hour.
If you run Marimo, update to the latest version and rotate any credentials the server could reach.
Watch The Clip: https://t.co/rGpbMsM8kc
Critical RCE in Flowise AI Platform
Wordfence Security News Clip | June 1, 2026
A critical flaw in self-hosted Flowise lets attackers take over the server by importing a malicious chatflow.
Code executes the moment the workflow loads, potentially granting root-level access to all credentials and connected services.
Update self-hosted Flowise to the latest version, avoid importing untrusted chatflows, and consider disabling STDIO-MCP.
Watch The Clip: https://t.co/8WiDDvGIqL
Flowise Flaw Gives Attackers Root Access
Wordfence Security News Clip | June 1, 2026
A critical flaw in self-hosted Flowise lets attackers take over the server by importing a malicious chatflow file.
Code executes on import before the user saves or runs it, often gaining root access in containerized setups via STDIO MCP.
Update self-hosted Flowise to the latest version and avoid importing chatflows you did not build yourself.
Watch The Clip: https://t.co/tyxoUKPuxH
Attackers Abuse FortiClient EMS to Push Malware
Wordfence Security News Clip | June 1, 2026
Attackers are exploiting a critical FortiClient EMS flaw to deliver the EKZ credential stealer across managed endpoints.
The attack abuses the EMS software deployment channel to push a malicious file disguised as a Fortinet patch named fortiendpoint_patch.exe.
Confirm FortiClient EMS is on the patched version and audit endpoint policies and managed machines for the fake patch file.
Watch The Clip: https://t.co/rppa4OXhug
PAN-OS GlobalProtect VPN Under Attack
Wordfence Security News Clip | June 1, 2026
A PAN-OS authentication bypass in Palo Alto Networks GlobalProtect VPN is under active exploitation in corporate networks.
Attackers forge session cookies using the firewall's own public certificate to gain trusted VPN access without credentials.
Patch PAN-OS now, or disable authentication override and use a dedicated certificate for that feature.
Watch The Clip: https://t.co/kyB8LP4hoo
Active Exploitation of WPMaps Pro
Wordfence Security News Clip | June 1, 2026
WPMaps Pro versions up to 6.1.0 are actively exploited via an unauthenticated privilege escalation flaw.
The plugin's temporary access feature was reachable without login, and its token was exposed on every map page, letting anyone create an admin account.
Update to WPMaps Pro 6.1.2, which removes the temporary access feature entirely.
Watch The Clip: https://t.co/BV4Q602AV3
AI Coding Assistants Targeted by Trapdoor
Wordfence Security News Clip | May 25, 2026
The Trapdoor supply chain campaign spread 34+ malicious packages across NPM, PyPI, and https://t.co/egrUWxAmTM targeting crypto, DeFi, and AI developers.
Packages steal SSH keys, AWS credentials, GitHub tokens, and wallet data, and also plant hidden Unicode instructions in claude.md and .cursorrules files to hijack AI coding assistants.
Audit recent package installs, inspect claude.md and .cursorrules for hidden Unicode characters, and rotate any exposed credentials.
Watch The Clip: https://t.co/eJxXk8PItA
Iranian Threat Actor Deploys MiniFast Backdoor
Wordfence Security News Clip | May 25, 2026
Nimbus Manticore, an Iranian state-aligned threat actor, ran three campaign waves since late February targeting aviation, software, and defense sectors.
The group deployed a new backdoor called MiniFast - a 64-bit Windows DLL impersonating Chrome - giving attackers persistent remote access, shell execution, and file control.
Watch The Clip: https://t.co/MWNW4VUJQa
Two Microsoft Defender Zero Days Exploited
Wordfence Security News Clip | May 25, 2026
Microsoft rushed out-of-band Defender updates for two zero-days, CVE-2026-41091 and CVE-2026-45498, both confirmed exploited in the wild.
Attackers chain BlueHammer or Red Sun for system-level access, then deploy Undefend to block Defender signature updates and degrade endpoint protection.
Watch The Clip: https://t.co/jVNIZgmJy0
700+ Ghost CMS Sites Hit By Click Fix Attack
Wordfence Security News Clip | May 25, 2026
Over 700 Ghost CMS sites are compromised via a critical SQL injection flaw (CVE-2026-26980) in the content API.
Attackers extract admin API keys, inject JavaScript loaders into articles, and redirect visitors to a fake Cloudflare click-fix page that installs malware.
Update Ghost to 6.19.1 or later, rotate admin API keys, and audit article content for injected JavaScript.
Watch The Clip: https://t.co/UXkkHnPQrZ
Attacks Target WooCommerce Custom Product Add-ons Pro
Wordfence Security News Clip | May 25, 2026
Attackers are actively exploiting a critical unauthenticated RCE flaw in WooCommerce Custom Product Add-ons Pro, which has an estimated 21,000 active installations.
The plugin passes user-controlled field values directly into PHP's eval function, allowing arbitrary code execution via a crafted add-to-cart request.
Update WooCommerce Custom Product Add-ons Pro to version 5.4.2 immediately.
Watch The Clip: https://t.co/EJSJCVbLR4
Critical Drupal Flaw Exploited Within 48 Hours of Patch
Wordfence Security News Clip | May 25, 2026
Drupal Core CVE-2026-9082, a critical SQLi flaw rated 23/25, is under active exploitation within 48 hours of its May 20th patch.
Imperva tracked over 15,000 exploitation attempts targeting nearly 6,000 sites across 65 countries.
CISA added it to the KEV catalog on May 22nd.
Drupal sites using PostgreSQL as the database backend should patch immediately to the latest fixed release for their branch.
Watch The Clip: https://t.co/WSLmpyPlhA
FortiClient EMS Used To Push Malware
Wordfence Security News Clip | June 1, 2026
Attackers are exploiting a critical FortiClient EMS flaw to push a credential stealer named EKZ to managed endpoints.
The EMS software distribution channel delivers a malicious file disguised as a Fortinet patch to silently steal browser-saved passwords.
Confirm FortiClient EMS is on the patched version and audit endpoint policies and deployment settings for unauthorized changes.
Watch The Clip: https://t.co/IEUxVdLn79
PAN-OS GlobalProtect VPN Under Attack
Wordfence Security News Clip | June 1, 2026
An authentication bypass in Palo Alto Networks PAN-OS is being actively exploited via GlobalProtect VPN to reach internal networks.
Attackers forge session cookies using a public key pulled from the firewall's own connection, requiring no credentials.
Patch PAN-OS now, or disable authentication override and use a dedicated certificate for that feature.
Watch The Clip: https://t.co/ymm9uhKe6l