ps. I should add two things, possibly:
* I had NOT modified two of the sites when these supposed vulnerabilities showed up.
* AFTER the 'fix', I have enabled Wordfence's Country blocking of the login, so only logins from the UK (where I'm based) are valid. Just an extra measure, but seems like a necessary one!
Steve