Before you submit — review the Bug Bounty scope
Reports that fall outside the Bug Bounty Program scope will be rejected. Please read the Bug Bounty guidelines & rules before submitting.
In scope
- WordPress core, plugins, and themes that are publicly distributed through WordPress.org, Envato, GitHub, or a similarly recognised repository.
- Vulnerabilities with a clear, measurable security impact and a CVSS v3.1 base score of 6.5 or higher.
- Components with at least 1,000 active installs, or with 100+ installs when the vulnerability has a CVSS score of 8.5+ and is exploitable as Unauthenticated, Subscriber, or Customer.
- Vulnerabilities requiring Contributor-level access only qualify with a CVSS score of 7.5+.
- The component must have had a release within the last 3 years and the report must target the latest version.
- For premium components, attach the original, unmodified archive so we can validate.
- Custom roles must have capabilities equivalent to a Subscriber or Customer. Roles that exceed those capabilities are out of scope.
Typical rejection reasons
- Incomplete, inaccurate, or unverifiable information, or invalid vulnerability claims.
- Unrealistic prerequisites or exploitation scenarios.
- Closed, inaccessible, or non-publicly distributed components, or reports based on non-standard user roles.
- CSV injection, CAPTCHA bypasses, and IP spoofing.
- Race conditions below CVSS 7.1.
- Arbitrary user registration unless it leads to Contributor role or higher privilege account creation.
- Authenticated shortcode issues without sensitive data disclosure.
- CSRF or access control issues that only affect admin notice dismissal, or IP bypasses for non-critical actions.
- Constrained-path LFI without a working directory traversal exploit.
- Vendor or developer self-submissions — accepted for disclosure, but not eligible for bounties.
- Reports requiring an administrator to grant a lower-privileged user a role or permission that then exposes the vulnerability to that user.