WordPress is one of the platforms that most often falls victim to malicious attacks. The project has now joined the bug bounty approach embraced by many organizations in their efforts to confront cybercrime: security researchers who find qualifying vulnerabilities in WordPress will be rewarded.
WordPress Bug Bounty Program in Detail
Bugs should be reported in the following projects:
- WordPress (content management system)
- BuddyPress (social networking plugin suite)
- bbPress (forum software)
- GlotPress (collaborative translation tool)
- WP-CLI (command line interface for WordPress)
Also in scope are the sites WordPress.org, bbPress.org, WordCamp.org, BuddyPress.org, GlotPress.org, and api.wordpress.org; in short, all *.wordpress.org hosts are covered by the program.
The security team behind the WordPress bug bounty program is primarily interested in the following bug classes:
- Cross Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)
- Server Side Request Forgery (SSRF)
- Remote Code Execution (RCE)
- SQL Injection (SQLi)
Researchers who plan to participate in the program should follow a few simple rules:
- Provide details of the vulnerability: the information needed to reproduce and validate it, plus a proof of concept;
- Avoid privacy violations and the destruction or modification of data on live sites;
- Give WordPress a reasonable amount of time to correct the flaw before going public.
Out of scope, on the other hand, are flaws in third-party WordPress plugins, reports of hacked WordPress blogs, disclosure of user IDs, open API endpoints serving public data, WordPress version number disclosure, brute force, DDoS, phishing, text injection, and a number of similar issues. Vulnerabilities with a CVSS 3 base score lower than 4.0 are also out of scope, unless they can be chained with other flaws to achieve a higher score, the WordPress bug bounty team explains.
Earlier this year, WordPress patched three security vulnerabilities that could allow cross-site scripting, SQL injection and a range of follow-on issues. The flaws affected WordPress versions 4.7.1 and earlier.
It later emerged that, alongside the issues just mentioned, the same fix also closed a more dangerous, then-undisclosed vulnerability that could give remote attackers the ability to modify or delete WordPress pages. The announcement was deliberately withheld so as not to invite attackers to exploit the bug before sites had updated.
The bug allowed every page on a vulnerable site to be altered, and visitors could have been redirected to malicious sites, opening the door to further compromise. WordPress postponed the public announcement by a week and is now urging all site owners to update.