Updated: August 30, 2021

How To Report WordPress Security Vulnerabilities?

Oliver Sild
from patchstack

In this article, we will explain how to report WordPress security vulnerabilities, both to the Patchstack open database and manually to the vendor or the WordPress security team.

In 2020, nearly 600 unique security vulnerabilities were found in WordPress plugins, themes, and WordPress core combined. The majority of these vulnerabilities were found and reported by independent security researchers, developers, and WordPress security companies.

Since early 2021, Patchstack has been actively building an initiative called Patchstack Red Team – which builds a community of independent security experts who are being rewarded for identifying vulnerabilities in WordPress plugins, themes, and core.


In this article, we’ll introduce a few ways to responsibly report WordPress security vulnerabilities.

Easiest way: Report to Patchstack (recommended)


If you’ve found a vulnerability in a WordPress plugin or a theme, the best place to report it is Patchstack. If you haven’t reported any vulnerabilities to Patchstack before, you’ll earn a $50 USD gift card for contributing to WordPress security.

Once you have reported 3 or more vulnerabilities to Patchstack, you’ll receive an invite to become a member of the Patchstack Red Team.

Patchstack Red Team is a community of security professionals who actively find security issues in WordPress and help the developers to fix them.

Read an interview with Patchstack Red Team member m0ze here. 

Why is Patchstack the best place to report WordPress security vulnerabilities?


When you report a vulnerability to Patchstack, the often complicated reporting process is handled entirely by Patchstack.

Reporting directly to Patchstack comes with a great list of benefits, such as:

  • Patchstack will make sure your reports will get the appropriate attention from the developer.
  • Patchstack will make sure you will get proper credit for your research efforts.
  • Receive assistance in getting a CVE ID for your reported WordPress vulnerabilities.
  • Patchstack will pay you $50 USD as a reward for the first report.
  • Becoming a member of the Patchstack Red Team will get you in touch with the top WordPress security professionals.
  • Becoming a member of the Patchstack Red Team will get you an opportunity to earn cash prizes every month.
  • Members of the Patchstack Red Team have access to a reporting platform which will make it very easy to put together new reports and to keep track of the existing report’s progress.
  • Once fixed by the developers, your vulnerability reports will eventually be added to the public Patchstack Database.

Doing it manually: Reporting issues directly to the vendor or to the WordPress security team


You can always report vulnerabilities directly to the plugin or theme developer. Sometimes, however, it can be hard to find the right contact or to get a response from the developer.

In that case, be careful that the details do not end up in the wrong hands.

Do not publish the information anywhere public (for example, in a public issue tracker or support forum) while the developer has not yet fixed the issue, and once it is fixed, give users some time to update before disclosing the details.

According to WordPress.org, these are the details you should send to plugins@wordpress.org if you find a new vulnerability in a plugin:

  • A clear and concise description of the issue;
  • A link to the specific plugin;
  • Whether or not you have validated the security issue yourself;
  • Optional: links to any public disclosures on third-party sites.

Read the WordPress security processes here. 

Ready to report WordPress security vulnerabilities and get rewarded?


Whether you have just stumbled upon a vulnerability and are wondering how to report it, or you are an active researcher contributing to WordPress security, Patchstack is the best way to be recognized and rewarded for your efforts.

Report your vulnerability via the form here: https://patchstack.com/red-team/

How to report WordPress vulnerabilities?

Reporting to Patchstack is easy. If you’ve found a vulnerability in WordPress core, a plugin, or a theme, submit it to Patchstack. Your first report earns a $50 USD gift card, and after 3 or more reports you’ll receive an invite to join the Patchstack Red Team.

To report your first vulnerability you should:

1. Go to: https://patchstack.com/red-team/
2. Add information about the vulnerability (your name, your email, homepage, vulnerability title, and type).
3. After we have received your submission we will contact you.

What is Patchstack Red Team?

Patchstack Red Team is a community of security professionals who actively find security issues in WordPress and help the developers to fix them.

Do I get rewarded for my finds?

Yes. Your first report to Patchstack earns a $50 USD gift card, and members of the Patchstack Red Team have the opportunity to earn cash prizes every month.

Do I get CVE ID for my reported WordPress vulnerabilities?

Yes, Patchstack has been named by the Common Vulnerabilities and Exposures (CVE®) Program as a CNA (CVE Numbering Authority).

As a CVE Numbering Authority, Patchstack is authorized to assign CVE IDs for new vulnerabilities submitted by Patchstack Red Team for WordPress Core, WordPress Plugins, WordPress Themes, and other PHP components.

Will I get proper credit for my research?

Yes. Patchstack makes sure your report gets the appropriate attention from the developer and that you receive proper credit for your research, including assistance in obtaining a CVE ID. Once the developer has released a fix, your report is added to the public Patchstack Database with your credit. See the full list of benefits above.

Can I get some other publicity when I join your Red Team?

We are interviewing Red Team members to tell their stories and how they have found their way to security research. We are also open to new cool ideas on how to give more publicity to our researchers, so if you have any ideas, let us know. 😉
