Report new vulnerability


Before you submit — review the Bug Bounty scope

Reports that fall outside the Bug Bounty Program scope will be rejected. Please read the Bug Bounty guidelines & rules before submitting.

In scope

  • WordPress core, plugins, and themes that are publicly distributed through WordPress.org, Envato, GitHub, or a similarly recognised repository.
  • Vulnerabilities with a clear, measurable security impact and a CVSS v3.1 base score of 6.5 or higher.
  • Components with at least 1,000 active installs, or 100+ active installs if the issue has a CVSS score of 8.5 or higher and is exploitable as Unauthenticated, Subscriber, or Customer.
  • Component must have had a release within the last 3 years and the report must target the latest version.
  • For premium components, attach the original, unmodified archive so we can validate.
  • Custom roles must have capabilities equivalent to Subscriber or Customer. Roles that exceed those capabilities are out of scope.

Common rejection reasons and out of scope

Configuration & expected functionality

  • Vulnerabilities that only exist because a high-privilege user explicitly configured the component that way.
  • Vulnerabilities where the plugin's own Permissions UI lets administrators grant a capability to a lower-priv role (Author/Editor/Contributor/Subscriber), exposing the issue to that role.
  • Expected functionality is not a vulnerability — e.g. a contact form that allows uploads does not qualify as DoS just because someone could submit large quantities of entries.
  • Authenticated shortcode issues without sensitive data disclosure.

Scoring & identifier requirements

  • Any report involving Attack Complexity: High (AC:H).
  • Subscriber-or-higher vulns leading to minor/insignificant data leakage, minor data modification, or minor availability impact (CVSS 5.4 with two of C/I/A at Low, 6.3 with all three at Low).
  • Unauthenticated vulns with only one of C/I/A at Low impact (CVSS 5.3).
  • Actions that require a non-guessable or unrealistic identifier to be impactful — e.g. cancelling a subscription that requires knowing a long, randomly-generated subscription hash.
  • Re-ordering data, clearing cache, or manually triggering cronjobs / scheduled tasks.

Submission requirements

  • Multiple findings of the same vulnerability type must be consolidated into a single report.
  • Vendor or developer self-submissions — accepted for disclosure but not eligible for bounties.
  • Incomplete, inaccurate, or unverifiable information, or invalid vulnerability claims.
  • Unrealistic pre-requisites or exploitation scenarios.
  • Closed, inaccessible, or non-publicly-distributed components, or reports based on non-standard user roles.
  • CSV injection, CAPTCHA bypasses, and IP spoofing.

Information disclosure

  • Full path disclosure.
  • Private or draft post, page, or content disclosure — unless the post type can leak extremely sensitive data.
  • Enumeration that does not expose significant information (only confidentiality at Low impact).
  • API key leakage that does not result in significant impact.

XSS, HTML & CSS injection

  • Contributor-level (or higher) stored XSS.
  • HTML-only injection without JavaScript execution — e.g. injection into emails or rendered output where script execution is not possible.
  • CSS injection.

Authentication & access control

  • 2FA bypass — typically Attack Complexity: High since you need the password to exploit.
  • Lack of brute-force protection / rate-limiting (e.g. login). Excludes the login TOTP feature and sequential filenames.
  • Account creation or registration with a low-privilege role (below Contributor).
  • Arbitrary user registration unless it leads to a Contributor-or-higher account.

CSRF

  • Multi-step CSRF exploits — e.g. CSRF to an admin action that then requires the admin to perform a second action to trigger the impact.
  • CSRF must lead to one of: arbitrary file upload or deletion, privilege escalation (e.g. via an options change), RCE with a working PoC, or a settings change that leads to wider compromise.
  • CSRF or access-control issues that only affect admin-notice dismissal, or IP bypass for non-critical actions.

File operations

  • Non-arbitrary LFI — only accepted with full control over the path AND extension.
  • Constrained-path LFI without a working directory-traversal exploit. Windows-specific bypass techniques are excluded.
  • Non-arbitrary file uploads involving legacy extensions such as .phtml.

Open redirect

  • Open redirect is inherently out of scope.

DoS, race conditions & SSRF

  • Most race conditions (below CVSS 7.1).
  • DoS, unless it has high availability impact and is demonstrable on any environment.
  • Blind SSRF — must demonstrate concrete impact.
  • AI feature token exhaustion.

Submitter info

Submission info

Component type
Prefix

Vulnerability info

Pre-requisite: The lowest possible user role needed to recreate the vulnerability. Reports for roles outside the Bug Bounty Program scope will not be accepted.
OWASP 2021: Vulnerability class
OWASP 2021: Vulnerability type
Markdown is supported. End a line with two or more spaces for a line-break, or soft-return.

Additional

You can attach up to 5 files of up to 100MB each (source code, component files, video proof, etc.).

I have read the Submission guidelines and accept the Terms of service & Privacy policy.

Successfully report a vulnerability to receive an invite to our gamified bug bounty platform.