This is a Patchstack Red Team report for September 2021.
In March 2021, Patchstack announced Patchstack Red Team - a community of independent security researchers who seek vulnerabilities within WordPress plugins, themes, and core.
We've been taking the first half of the year slowly, hand-picking the most active researchers and listening to their interests and needs.
Within the first 6 months alone, Patchstack Red Team has identified 1067 unique security vulnerabilities found across WordPress plugins, themes, and core.
The most popular vulnerabilities tend to be XSS, CSRF, Privilege escalation, Broken Authentication, and SQL Injection.
A single researcher reports an average of 24.87 new vulnerabilities per month. Some of the plugins/themes had more than 5 million active installations while several had less than 1000 active installations.
Our Red Team has an active community of security researchers that come together from 11 different countries, such as:
On average, 2 new security researchers join the community every month. It's a great way for security researchers to get CVE's and get paid for making the WordPress ecosystem more secure.
In August 2021, we also introduced Hackuu who represents helpfulness, friendliness, and skillfulness which perfectly describes the community of Patchstack Red Team.
All of the Red Team members are being rewarded for their contribution to making the web more secure.
Since the beginning, we've had a prize pool that is paid out every single month to the most active security researchers in the community.
The prize pool has currently reached $1500 USD per month. You can also become a member of the Patchstack Red Team by submitting new vulnerabilities to Patchstack.
PS! Until the end of the year, Patchstack runs WPBUGHUNT 2021 - a bug-hunting contest where researchers can win Burp Suite PRO licenses, Hak5 kits, PentestLab subscriptions, and more!
Full statistics and details will be made available in early 2022 in our annual WordPress Security 2021 Whitepaper. You can see last year's WordPress Security 2020 Whitepaper here.