All Wordfence users, including Wordfence Premium customers as well as those still using the free version of Wordfence, are protected against this vulnerability by our firewall’s built-in cross-site scripting protection. For added protection, we released an additional firewall rule to protect Wordfence Premium customers on November 11, 2021, and this rule will become available to free Wordfence users 30 days later, on December 11, 2021.
We sent the full disclosure details on November 12, 2021, after the developer confirmed the appropriate channel to handle communications. The developer quickly acknowledged the report and released a patch on November 23, 2021.