It's September, which means it's time to look back at what our security researchers got up to in the last month of summer - and what a hot time it was!
The Patchstack Alliance reported 105 new validated vulnerabilities last month. That jump doesn't mean WordPress plugin developers got lazy or careless over the summer; new researchers joined the bug hunt, so we're simply casting a wider net.
Oh, and a big "Welcome!" to our new researchers - and a big "thank you" for helping make WordPress safer. Happy to have you aboard!
As for stats, the most popular plugin with a reported vulnerability had more than a million installs. The highest CVSS score reported by our researchers was 9.9 out of 10, indicating critical severity.
We'll add that we also picked up a lot of less critical vulnerabilities in smaller plugins with few installs. Many of these were abandoned plugins, which matters: an abandoned plugin will never receive a fix, so the only remediation for a site owner is to remove it. Helping the community find and get rid of those plugins is therefore very important. If you want to know why it's important not to use abandoned plugins, Robert has a great article about it on our blog.
August bug hunt winners are below:
Eagle-eyed readers may notice that the number of vulnerabilities reported by an individual doesn't determine the total score. That's because the score we use to decide who gets what prize is made up of several factors, including the popularity of the plugin and the severity of the vulnerability.
So, for example, a vulnerability with a CVSS score of 6 in a plugin with 1,000,000 installs earns more points than a critical vulnerability in a plugin with only 1,000 installs: a medium-severity flaw exposed on a million sites puts far more users at risk than a critical one on a thousand.
In any case, we want to thank all the researchers who submitted vulnerability reports last month; we were excited to see such active contributions!
If you want to compete in the bug hunt and contribute to making WordPress safer, you can join the Patchstack Alliance here.
Patchstack Alliance is a community of ethical hackers and researchers who support the open web by finding and reporting vulnerabilities in WordPress plugins and themes.
All validated vulnerabilities are also published in our vulnerability database.