Submission Terms

Last updated: July 25th, 2022.

How to report security issues in WordPress and its extensions to WPScan

If you have identified a security issue in WordPress or any of its extensions (plugins and themes), whether premium, private or publicly available, you must fill out the Vulnerability Submission Form and follow its instructions. As a Certified Numbering Authority (CNA) for the Common Vulnerabilities and Exposures (CVE) program, we are authorized to assign IDs to vulnerabilities affecting software within our scope. It is also our responsibility to determine, at our own discretion, whether a reported security issue is a vulnerability or not. In order to keep our services compliant with CVE's CNA rules, we will evaluate the submitted security issues and coordinate the vulnerability disclosure process with the extension's authors and marketplaces. We recommend that reporters provide as much detail as possible on the Vulnerability Submission Form to speed up this process. All submissions will go through a triaging process as determined by WPScan, in which the completeness of the submission form is reviewed (further information may be requested) and the submission is prioritized according to threat level, risk and installation base. Please check the expected response time for each priority:

  • High priority: processed within 24h of submission triaging
  • Normal priority: processed within 72h of submission triaging
  • Low priority: no defined SLA

WPScan will only reach out to the software developer if the vulnerability can be verified. Providing a Proof‑of‑Concept at the time of submission, although not mandatory, will speed up the verification process. Note that an incomplete or non‑replicable Proof‑of‑Concept will be sent back to the reporter for clarification. We strongly recommend that researchers include detailed information, such as the HTTP requests and expected responses, as well as screen captures showing the exploitation, to facilitate replication. In case of dispute, when more than one researcher reports the same vulnerability, we will favor the first submission we are able to verify with the information provided. It is at WPScan's discretion to increase or decrease priority based on unlisted factors, which may be communicated to the reporter upon request. The following examples illustrate the decision‑making process:

  • High priority:
    • Installation base 200,000+ and
    • at least medium value on Common Vulnerability Scoring System (CVSS)
  • Normal priority:
    • Installation base 10,001‑199,999+ and
    • at least CVSS medium
  • Low priority:
    • Abandoned extensions (more than 2 years without update and no test on newer versions of WordPress), or
    • CVSS low on extensions with less than 1,000 installations
