In this article, we will explain how to report WordPress security vulnerabilities to both Patchstack open database and manually to the vendors or the WordPress security team.

In 2020 nearly 600 unique security vulnerabilities were found in WordPress plugins, themes, and the WordPress core combined. The majority of such vulnerabilities were found and reported by independent security researchers, developers, and WordPress security companies.

Since early 2021, Patchstack has been actively building an initiative called Patchstack Alliance – which builds a community of independent security experts who are being rewarded for identifying vulnerabilities in WordPress plugins, themes, and core.

In this article, we’ll introduce a few ways how to responsibly report WordPress security vulnerabilities.

Easiest way: Report to Patchstack (recommended)

If you’ve found a vulnerability in a WordPress plugin or a theme, the best place to report it is Patchstack. If you haven’t reported any vulnerabilities to Patchstack before, you’ll earn a $50 USD gift card for contributing to WordPress security.

Once you have reported 3 or more vulnerabilities to Patchstack, you’ll receive an invite to become a member of the Patchstack Alliance.

Patchstack Alliance is a community of security professionals who actively find security issues in WordPress and help the developers to fix them.

Read an interview with Patchstack Alliance member m0ze here. 

Why Patchstack is the best place to report WordPress security vulnerabilities?

When reporting vulnerabilities to Patchstack, the complicated reporting process is 100% managed by Patchstack. 

Reporting directly to Patchstack comes with a great list of benefits, such as:

• Patchstack will make sure your reports will get the appropriate attention from the developer.
• Patchstack will make sure you will get proper credit for your research efforts.
• Receive assistance in getting a CVE ID for your reported WordPress vulnerabilities.
• Patchstack will pay you $50 USD as a reward for the first report.
• Becoming a member of the Patchstack Alliance will get you in touch with the top WordPress security professionals.
• Becoming a member of the Patchstack Alliance will get you an opportunity to earn cash prizes every month.
• Members of the Patchstack Alliance have access to a reporting platform that will make it very easy to put together new reports and to keep track of the existing report’s progress.
• Once fixed by the developers, your vulnerability reports will eventually be added to the public Patchstack Database.

Doing it manually: Reporting issues directly to the vendor or to the WordPress security team

You can always report vulnerabilities directly to the plugin/theme developer. Sometimes, it can be hard to find the right contact or get in touch with the developer.

In that case, you have to be careful that the information won’t get into the wrong hands.

Make sure to not publish the information anywhere in the public if the developer has not yet fixed the issue and once it’s fixed give some time for the users to update.

According to WordPress.org – here are the details you should send to plugins@wordpress.org if you find a new vulnerability:

• A clear and concise description of the issue;
• A link to the specific plugin;
• Whether or not you have validated the security issue yourself;
• Optional – links to any public disclosures; on 3rd party sites.
  

Read the WordPress security processes here. 

Ready to report WordPress security vulnerabilities and get rewarded?

If you’ve just stumbled upon a vulnerability and wondering how to report WordPress vulnerabilities, or if you are an active researcher contributing to WordPress security then Patchstack is the best way to be recognized and rewarded for your efforts.

Report your vulnerability via the form here.