With another busy month behind us, let’s see what the Patchstack Alliance members dug up in September!
Our researchers found 53 confirmed vulnerabilities. 9 of these were found in plugins with 100,000+ installs across WordPress, including one with 2 million installs. Though, to be fair, that particular vulnerability was not especially severe.
A couple of the vulnerabilities reported did, however, have a CVSS score above 9.0.
Leaderboard and winners
September bug hunt winners are below:
Congrats to Lana Codes for turning up the heat, and nabbing the top spot this month!
A shoutout to L.Ayotte & T.Jacobs, who are not part of the Alliance but who reported a vulnerability in their own product – we salute you.
How are points awarded?
The score we use to decide who gets which prize is made up of several factors, including the popularity of the plugin and the severity of the vulnerability.
For example, a vulnerability with a CVSS score of 6 in a plugin with 1,000,000 installs will give more points than a very critical vulnerability in a plugin with only 1,000 installs.
All reports are important, though, and help make the web more secure! On this note, we want to say thanks to all researchers who submitted vulnerability reports last month!
If you want to compete in the bug hunt and contribute to making WordPress safer, you can join the Patchstack Alliance here.
What is Patchstack Alliance?
Patchstack Alliance is a community of ethical hackers and researchers who support the open web by finding and reporting vulnerabilities in WordPress plugins and themes.
All valid vulnerabilities are also publicly available in our vulnerability database.