🎉 Welcome to the Wordfence Intelligence Bug Bounty Program 🎉

Unleash Your Potential, Secure WordPress, and Reap the Rewards!

Are you a security researcher dedicated to uncovering vulnerabilities in WordPress plugins and themes, or are you a seasoned Bug Bounty Hunter uncovering the worst of the worst? Whether you're an aspiring WordPress vulnerability researcher, an experienced bug bounty hunter, or simply passionate about contributing to the WordPress ecosystem, you've come to the right place!

Join the Wordfence WordPress Bug Bounty Program and become a part of a thriving community of talented individuals committed to making the internet a safer place. Our program celebrates and rewards your invaluable contributions to WordPress security, recognizing the hard work and expertise of researchers like you.

Wordfence provides the most competitive rewards for Bug Bounty hunting in WordPress plugins and themes with per vulnerability bounties up to $31,200 in addition to a monthly bonus reward based on the number of vulnerabilities submitted every month.

Wordfence is also the only open source vulnerability database provider for WordPress. While other WordPress focused vulnerability data providers charge for access to their data, Wordfence provides that information back to the community completely for free with our API access and webhook integrations. Participating in Wordfence's Bug Bounty Program for WordPress doesn't just reward you, it also rewards the WordPress community.

Why Participate?

By joining our mission, you'll enjoy a range of benefits that include:

Earning Rewards

Get paid rewards for your efforts in uncovering vulnerabilities in WordPress plugins and themes and strengthening the platform millions rely on. Bounty rewards all the way up to $31,200 for vulnerabilities reported to our program, in addition to a monthly streak bonus reward.

Simplifying the Disclosure Process

We handle every step of the disclosure process, ensuring that vulnerabilities in WordPress plugins and themes are disclosed professionally and you have more time to focus on research.

Empowering the WordPress Community

We'll share your research with the wider WordPress community for free, enabling others to benefit from your insights while you continue to reap the rewards.

Showcasing Your Achievements

Highlight your accomplishments in a dedicated researcher profile, demonstrating your expertise and attracting new opportunities. You can sign up as a researcher today to modify the details of your personal profile, or log in to an already existing Wordfence account and register your researcher profile.

Obtaining CVE IDs

Receive a CVE ID for each vulnerability you report, gaining industry-recognized credibility and boosting your reputation as a security expert.

Collecting Exclusive Badges

Earn unique badges that mark your achievements and stay tuned for new awards and badges, coming soon!

Competing with the Best

Track your progress against other WordPress security researchers and engage in friendly competition, with more ranking metrics coming soon!

Massive Whitebox Scope

An open source ecosystem with thousands of in-scope plugins and themes means plenty of opportunities and a lower barrier to entry.

In Scope Assets

🚨 High Threat Vulnerabilities 🚨

All WordPress plugins and themes, free and premium (excluding those listed in Out of Scope Assets) with

>= 25  Active Installations

for selected High Threat Vulnerabilities exploitable by unauthenticated or low-level authenticated attackers:

  • Arbitrary PHP File Upload or Read
  • Arbitrary PHP File Deletion
  • Arbitrary Options Update
  • Remote Code Execution
  • Authentication Bypass to Admin
  • Privilege Escalation to Admin

Note: High Threat Vulnerabilities in plugins and themes with between 25 and 999 Active Installations must be listed in the WordPress.org Plugin Repository to be in-scope.

⚠ Common and Dangerous Vulnerabilities ⚠

All WordPress plugins and themes, free and premium (excluding those listed in Out of Scope Assets) with

>= 500  Active Installations

for selected Common and Dangerous Vulnerabilities exploitable by unauthenticated or low-level authenticated attackers:

  • Stored Cross-Site Scripting
  • SQL Injection

Note: Common and Dangerous Vulnerabilities in plugins and themes with between 500 and 999 Active Installations must be listed in the WordPress.org Plugin Repository to be in-scope. Premium plugins and themes are excluded from the scope below 1,000 active installations.

All Other Vulnerabilities

For other vulnerabilities, all WordPress plugins and themes, free and premium (excluding those listed in Out of Scope Assets) are in scope with active installation thresholds that vary with your Researcher tier:

Standard Researchers

>= 50,000 Active Installations

Resourceful Researchers

>= 10,000 Active Installations

1337 Researchers

>= 500 Active Installations

If in doubt on what's in scope for your tier, use our bounty estimator to check if your discovery is in scope, or out of scope.

Out of Scope Assets

There are some assets explicitly out of scope of our bug bounty program which are listed below. Please note this list is non-exhaustive and there may be other products not currently listed in our Out-Of-Scope Asset List that are considered out of scope. If you would like to confirm whether a specific product is in-scope prior to submission, please contact us at wfi-support@wordfence.com. We will still assign CVE IDs to any vulnerabilities listed in the products below.

WordPress Core

Bug Bounty Program
Software

All Automattic Products

Bug Bounty Program
Software

All Brainstorm Force Products

Bug Bounty Program
Software

All Facebook Products

Bug Bounty Program
Software

All Google Products

Bug Bounty Program
Software

All Siteground Products

Bug Bounty Program
Software

All Yoast Products

Bug Bounty Program
Software

Additionally, Plugins or Themes Closed to Downloads or Sales at the time of submission, or any web service associated with a WordPress plugin or theme that is not run locally (such as an API running on a plugin vendor’s website) is considered out of scope.

We may still assign CVEs to any vulnerabilities discovered in the products outlined above, however, they will not be eligible for a bounty through our bug bounty program.

Explicitly In-Scope Vulnerabilities

All issues in WordPress Plugins and Themes with a considerable impact to the confidentiality, integrity, and availability of a WordPress site are considered in scope of this program as long as they do not require high level permissions, such as administrator or editor (i.e. CVSSv3.1 PR:H) to exploit. The following is a list of some common vulnerabilities that will be accepted.

  • Stored Cross-Site Scripting
  • Reflected Cross-Site Scripting
  • Cross-Site Request Forgery, that has a considerable impact on a site's security
  • Missing Authorization, that leads to a considerable impact on a site's security
  • Arbitrary Content Deletion
  • SQL Injection
  • Insecure Direct Object Reference
  • Arbitrary File Upload
  • Arbitrary File Download/Read
  • Arbitrary File Deletion
  • Local File Include/Remote File Include
  • Directory Traversal
  • Privilege Escalation to Admin
  • Privilege Escalation to Non-Admin
  • Authentication Bypass to Admin
  • Authentication Bypass to Non-Admin
  • Remote Code Execution/Code Injection
  • Information Disclosure
  • Server-Side Request Forgery
  • PHP Object Injection
  • Intentional Backdoors Added by Developers that are Accessible by Threat Actors

Explicitly Out of Scope Vulnerabilities

Vulnerabilities that have a minimal impact on the security of WordPress sites, or are unlikely to be successfully exploited in the wild will likely be considered out of scope for the program.

  • CSV Injection
  • IP Spoofing, where the only impact is integrity
  • Secrets (such as 2FA secrets) that are stored in plaintext in a database that can’t be exploited through another Vulnerability in the plugin
  • Web Application Firewall (WAF) Rule Bypasses
  • CSS Injection, where this is not a considerable and demonstrable impact to site’s security
  • HTML Injection, where this is not a considerable and demonstrable impact to site’s security
  • DoS Vulnerabilities, where this is not a considerable and demonstrable impact to site’s security
  • CAPTCHA Bypasses
  • CORS Issues
  • Software containing vulnerable packages or dependencies that are not verifiably exploitable in that plugin or theme
  • Any Vulnerability requiring PR:H to Exploit. Administrator, Editor, and Shop Manager roles, along with any other role that has the 'unfiltered_html' capability fall into this category.
  • Open Redirect
  • TabNabbing
  • Vulnerabilities dependent on successfully exploiting a race condition that is not easily replicable in a common configuration.
  • Cache Poisoning, where this is not a considerable and demonstrable impact to site’s security
  • TOCTOU, where this is not a considerable and demonstrable impact to site’s security
  • Self Cross-Site Scripting
  • Issues that lead to Username Enumeration
  • Theoretical Vulnerabilities
  • Lack of HTTP Headers
  • Clickjacking
  • Server-Side Request Forgery via DNS Rebinding
  • API Key Updates/Overwrites/Reads
  • Full Path Disclosure
  • Cross-Site Request Forgery on unauthenticated forms or on forms with no sensitive actions (examples include disabling a non-critical admin notice)
  • Vulnerabilities that only affect users of outdated or unpatched browsers (An outdated or unpatched browser is considered 2 stable versions behind the latest released version).
  • Any Vulnerability with a CVSS 3.1 score that is lower than 4.0 and can’t be leveraged to achieve a higher score.
  • Vulnerabilities only exploitable on configurations running EOL versions of software, such as PHP, mysql, apache, nginx, openssl
  • Any SQL Injection that requires wp_magic_quotes to be disabled in order to exploit
  • Security issues or vulnerabilities that require local access to the server to exploit
  • Vulnerabilities that can only be exploited by an administrator explicitly granting access to a lower-privileged user where the likelihood of an administrator granting access is minimal or the administrator is granting access to functionality and features that can be abused
  • Vulnerabilities that require excessive brute force to exploit. Please note we may accept vulnerabilities as in scope where brute force is required and the likelihood of success is relatively high. Scope eligibility will be determined on a case-by-case basis
  • File Uploads with Embedded Client-Side Scripts or Macros (i.e. PDF files injected with XSS payloads)
  • Double Extension File Upload Attacks (i.e. .php.png)
  • Uploaded files in publicly accessible directories where the information exposed can not lead to a full site compromise
  • Private/Hidden/Draft/Pending/Password Protected Post Access

We may still assign CVEs to any vulnerabilities discovered in the out of scope list above, however, they will not be eligible for a bounty through our bug bounty program.

Program Rules Key Highlights & Important Things to Know

  • Our rewards go all the way up to $31,200 for Standard Researchers, and $32,760 for 1337 Researchers. Use our bounty estimator to get an idea of what bounties you may be awarded for different vulnerability types, or check out our Bounty Hall of Fame to see real examples of the bounties we have awarded. Researchers are also eligible for additional bonuses that may increase bounties further.
  • You must be a registered researcher on the Wordfence website, and be authenticated at the time of submission, in order to submit a vulnerability for the Bug Bounty Program.
  • Vulnerabilities that require more than one CVE assignment may only earn a single bounty for the higher awarding CVE (i.e. Cross-Site Request Forgery and Missing Authorization in a single function)
  • Researchers can be banned or throttled from the program if they are continuously submitting low-quality or spammy false positive reports, or appear to be gaming the rules of the program in a harmful fashion.
  • Developers cannot report vulnerabilities in their own software for bounties, though they can submit issues for CVE ID assignments.
  • Wordfence must handle the responsible disclosure process for any reported vulnerabilities, and you must keep the information confidential until we publicly disclose the issue in our database. This means Wordfence must be the only organization you submit the vulnerability to.
  • The first researcher to submit a vulnerability with a valid and working proof of concept will be the only one to receive a bounty in the event of a duplicate report.
  • Bounty payments are processed in bulk on the 1st and 15th of every month.
  • In-Scope submissions are typically triaged within 5-7 business days, with critical issues typically having a much faster turnaround. Out-of-Scope submissions are triaged as time allows.
  • You may be eligible for a monthly streak bonus reward depending on the quality and volume of submissions you make in any calendar month. Review our monthly streak bonus details here.
  • Once registered, you will have access to our researcher dashboard where you can track and manage all of your vulnerability submissions, reward payments, profile details, and referral information.
  • Remember that when you participate in our Bug Bounty program, you are giving back to the security of the WordPress ecosystem. All of the vulnerabilities submitted to us are added to the Wordfence Intelligence vulnerability database which is given back to the community through webhook and API access completely for free. All other WordPress-centric vulnerability databases charge for this level of access.

Pending In-Scope Report Limits

All researchers have a limit to the number of vulnerabilities that can be actively submitted and pending triage at one time for participation in the Bug Bounty Program. The following outlines these pending report limits:

Standard Researchers

10 pending in-scope reports

Resourceful Researchers

25 pending in-scope reports

1337 Researchers

50 pending in-scope reports

Out-of-scope submissions adequately marked as such upon submission do not count against this limit so you can still request CVEs for anything that would not constitute a bounty under our program.

This allows us to control the flow of submissions to ensure we can sustain reasonable triage times for all of our researchers and everyone has a fair chance at submitting qualifying vulnerabilities.

When do in-scope reports roll over?

Only vulnerabilities in triage or pending triage will count against your pending report limit. This means that as soon as a vulnerability is validated by our team, you are eligible to submit another in-scope report.

Pro-Tip: You can track and manage how many submissions you have available on the researcher dashboard. In addition, you will know if you are at your pending report limit by accessing the vulnerability submission form. If you get a notice that you are at your limit then you can not submit any more vulnerabilities for participation in the Bug Bounty Program. If you do not get a notice, then you are all clear to submit another bounty-eligible report.

For a more detailed overview, please read our terms and conditions.

There are various researcher tiers that control what your scope is and how many pending vulnerability submission reports you can have at any given time.

Standard Researchers

Every registered researcher starts out in our standard researcher tier.

This tier allows:

Resourceful Researchers

These are researchers who have proven they have what it takes to provide significant and meaningful contributions to security of the WordPress ecosystem.

This tier allows:

To unlock this tier, you must:

  • submit 1 critical severity, high impact, in scope vulnerability
  • or 3 high severity, high impact, in scope vulnerabilities
  • or 10 high or critical severity, medium impact, in scope vulnerabilities

and:

  • you must not have submitted more than 5 False Positive or Low Quality Reports.

Additional Benefits

  • an exclusive achievement badge added to your profile

1337 Researchers

These are researchers who have demonstrated exceptional and meaningful research in the WordPress ecosystem.

This tier allows:

To unlock this tier, you must:

  • submit 5 critical severity in scope vulnerabilities
  • or 10 high severity in scope vulnerabilities

and:

  • submit proof of a certification (OSCP, OSWA, OSWE, OSEP, OSED, eWPTx, eWPT, CISSP, CISM, CISA, GWAPT)
  • or submit 15 high quality valid vulnerabilities in total

and:

  • submit no more than 10 False Positive or Low Quality reports.

Additional Benefits

  • 5% automatic bonus on all eligible submissions
  • an exclusive achievement badge added to your profile

Special Note: Anything in the lists of examples below, in software with 1,000 to 50,000 Active Installs is considered a 'Medium' impact issue and will count towards earning the Resourceful Researcher tier.

What are critical or high severity vulnerabilities in our eyes?

Qualifying vulnerabilities are not based on CVSS score, but rather a combination of CVSS scoring and the threat factor (i.e. likelihood of mass exploitation) of the vulnerability. The following outlines vulnerabilities that are critical and high "severity" qualifying vulnerabilities. This list is exhaustive, but exceptions may be made for vulnerabilities on a case by case basis. Please note that these all assume there are no prerequisites to exploit (i.e. settings or user interaction). In order for a vulnerability to qualify, the vulnerable plugin or theme should have >=50,000 active installations.

Critical Severity Examples

  • Unauthenticated Arbitrary File Deletion
  • Unauthenticated Arbitrary File Read
  • Unauthenticated Arbitrary File Upload to Remote Code Execution
  • Unauthenticated Remote Code Execution
  • Unauthenticated Privilege Escalation
  • Unauthenticated SQL Injection
  • Unauthenticated Stored Cross-Site Scripting
  • Missing Authorization to Unauthenticated Data Alteration or Read in a Critical Way
  • Authentication Bypass to Admin

High Severity Examples

  • Authenticated (Subscriber/Customer) Remote Code Execution
  • Authenticated (Subscriber/Customer) Arbitrary File Upload to Remote Code Execution
  • Authenticated (Subscriber/Customer) Arbitrary File Deletion
  • Authenticated (Subscriber/Customer) Arbitrary File Read
  • Authenticated (Subscriber/Customer) Privilege Escalation to Admin
  • Authenticated (Subscriber/Customer) SQL Injection
  • Authenticated (Subscriber/Customer) Stored Cross-Site Scripting
  • Missing Authorization to Authenticated (Subscriber/Customer) Data Alteration or Read in a Critical Way

Our goal with the Wordfence Bug Bounty Program is to get the most impactful and harder to find vulnerabilities remediated before threat actors can find and exploit them as an 0-day. This means we award the highest bounty rewards for things like authentication bypasses, privilege escalation, arbitrary file uploads, and arbitrary options updates while easier to find vulnerabilities like Cross-Site Scripting, or less likely to be exploited vulnerabilities, like vulnerabilities that require contributor-level access or user interaction to exploit, are awarded far less. We hope this encourages researchers to spend more time focusing on harder to find critical issues that greatly increase the overall security of the WordPress ecosystem.

All bounty rewards are based on how many active installations the vulnerable piece of software has, the type of vulnerability being reported, the authentication requirements to exploit the vulnerability, the impact of the vulnerability, and what, if any, prerequisites to exploit.

Our rewards go all the way up to $31,200 for standard researchers, and $32,760 for 1337 Researchers. Use our bounty estimator to get an idea of what bounties you may be awarded for different vulnerability types, or check out our Bounty Hall of Fame to see real examples of the bounties we have awarded.

Bounty Estimator

1 For any software with an estimated active install count lower than 1,000, the plugin or theme must be available in the WordPress.org repository to be considered in scope. This means that premium plugins and themes are excluded from our scope if the software has fewer than 1,000 estimated active installations.

By using the Bounty Estimator you agree that the tool provides an estimated reward amount only and does not guarantee that the reward amount is accurate or will be paid to you. Your use of the Bounty Estimator is subject to the Defiant Terms of Service.

Please note that the bounty estimator provides an estimated reward amount only and is subject to change at any time. Any estimate provided by the bounty estimator is not a guarantee of a specific reward amount. Many factors can impact the bounties we award such as:

  • Prerequisites to exploit, such as software settings or specific server configuration
  • Ease and replicability of exploitation (i.e. if the vulnerability can be automatically exploited across various environments)
  • Active user interaction, or unlikely passive user interaction, as a requirement to exploit
  • The impact the vulnerabilities has on the site as a whole (i.e. to what extent does the vulnerability impact the CIA of the site).
  • Dependency on another vulnerability not present in the same vulnerable piece of software. Typically the payout is divided by at least half.
  • We have a minimum bounty award of $5.

Other important things to consider with the bounties we typically award:

  • PHP Object Injection will be awarded at the highest level of impact if a newly documented usable gadget is present in the software, or in the current version of WordPress Core, and exploitation of it is demonstrated in the submitted report. Otherwise, PHP Object Injection is awarded at a lower rate to account for the fact that no usable gadget means no real impact or the presence of a useable gadget is already known and has been demonstrated to earn a maximum reward. Note: “newly documented” means the POP Chain present in the plugin has not been previously leveraged to earn a bounty in the Wordfence Bug Bounty Program.
  • The ‘Basic Information Disclosure’ type is often used when information is exposed to unauthorized users, but the information is not incredibly sensitive (i.e. email disclosure, log file exposure, phpinfo access, etc.)
  • For premium plugins and themes without public active installation counts, we defer to number of sales as a 1-to-1 count of active installations. This means that if a plugin has 150,000 sales then we would consider that 150,000 active installations. If no sales information is available, we use an internal metric to ballpark estimate active installation counts.
  • If there is a premium version of a free plugin or theme where the premium version of the software is in an in-scope installation range, we may consider the premium version of the software in-scope based on the free plugin's install count. However, the reward will be based on the premium version of the plugin or theme's installation counts.

Monthly Bug Detector Streak Bonus

Each calendar month (e.g. January 1st to January 31st), you can earn a bug detector bonus based on the quantity and quality of your vulnerability submissions. Please note that the bonuses are not cumulative, but are rather determined based on where your submissions land at any given month. For example, if you qualify for a bonus after submitting 20 vulnerabilities your bonus reward would be a total of $200.

The breakdown below details how to qualify for each bonus phase:

Apprentice Bug Detector

For your first 10 submissions each month (including out-of-scope vulnerabilities, except those on the explicitly out of scope list like exploits requiring administrative level access), you may qualify for a:

  • $35 bonus if you submit at least 5 vulnerabilities.
  • $75 bonus if you submit at least 10 vulnerabilities.

Trainee Bug Detector

For submissions 11-30, only in-scope vulnerabilities will count toward increasing your bonus:

  • $200 bonus for 20 total valid submissions, with at least 10 in-scope.
  • $300 bonus for 30 total valid submissions, with at least 20 in-scope.

Professional Bug Detector

For submissions 31+, only vulnerabilities from our high-threat list will count towards increasing your bonus:

  • $600 bonus for 40 valid submissions, with at least 20 in-scope and 10 from the high-threat list.
  • $1,000 bonus for 50 valid submissions, with at least 20 in-scope and 20 from the high-threat list.
  • $1,200 bonus for 60 valid submissions, with at least 20 in-scope and 30 from the high-threat list.

The Monthly Bug Detector Streak Bonus reward will be paid out on the same payout schedule as awarded bounty rewards, which is the 1st and 15th of every month, after the reward has been reviewed and approved by our team.

Bounty Bonuses

In addition to our bounties, we offer bonuses for exceptional, well documented, and unique researchers. Please find all of the additional bonuses we may award listed below:

Proof of Active Exploitation on an 0-day?
15%

If you are able to supply sufficient evidence that a vulnerability is being actively exploited, without a patch in place, and we can corroborate that evidence, you may receive this multiplier.

Chaining Master!
15%

If you are able to successfully chain multiple vulnerabilities together in a single piece of software to achieve a higher impact vulnerability, such as privilege escalation to admin, you may receive this multiplier.

Creative Vulnerability Finder
10%

If you find a new technique or vulnerability type that hasn’t received much coverage, you may receive this multiplier.

Meaningful Researcher
10%

If you submit a vulnerability report with ample documentation and an easy to use proof of concept to verify the vulnerability, you may receive this multiplier.

1337 Wordfence Vulnerability Researcher Program Bonus
5%

Once you earn 1337 Wordfence Vulnerability Researcher status, you are automatically eligible to receive this bonus on all vulnerabilities found and reported to the Wordfence bug bounty program.

Affects Multiple Assets?
Varies

If you submit a vulnerability that affects multiple pieces of software (i.e. the same code is present in multiple pieces of software) and you detail all the software, you may receive a multiplier of +10% for every 10 pieces of software affected.

This may be limited to 100 affected software pieces. A researcher is only eligible for this bonus if they have documented all affected software and versions in their report.

Affects Multiple Functions?
Varies

If you submit a vulnerability type that affects multiple functions (i.e. the vulnerability type is present in multiple functions or pieces of functionality) and you detail all the functions, widgets, and/or functionality you may receive a multiplier of +20% for each of the first 5 functions or widgets affected, +10% for every 5 functions affected from 6 to 20, and then +5% for every 5 functions affected from 21-50.

This may be limited to 50 affected functions. A researcher is only eligible for this bonus if they have documented all affected functions adequately in their report.

The Achievement Badges for the Wordfence Bug Bounty Program are designed to recognize the contributions and skills of participants in enhancing the security of the WordPress open-source community. Through a system of badges named "Achievements," individuals are rewarded for their expertise, perseverance, and collaborative efforts in making the WordPress environment safer. These badges signify not only personal growth and discovery but also professional development, as they are displayed on the researcher's profile, enhancing their reputation and providing clear milestones in their bug-hunting career.

This initiative encourages both seasoned and novice security researchers to engage actively, pursue continual improvement, and gain acknowledgment within the open-source ecosystem, with the promise of expanding the badge offerings in the future to further incentivize and track progress in contributing to a more secure open-source community.

Submitted XSS Vulnerability

This achievement is awarded to individuals who have submitted at least one valid Cross-Site Scripting (XSS) vulnerability to the bug bounty program. Please note, in order for a researcher to earn this badge the vulnerability must be submitted directly to Wordfence and must have a registered researcher account at the time of submission.

WordPress Superhero

This achievement is awarded to individuals who have submitted at least one critical or high severity vulnerability in a plugin or theme with over 5,000,000 Active Installations to the Wordfence Bug Bounty Program.

Resourceful Researcher

This achievement is exclusively for researchers who earn the Resourceful Researcher status. These individuals have demonstrated significant and meaningful research in the WordPress Security space.

1337 Vulnerability Researcher

This achievement is exclusively for researchers who earn 1337 Wordfence Vulnerability Researcher status. These individuals have demonstrated exceptional and meaningful research in the WordPress Security space.

Submitted 1 Vulnerability

This achievement is awarded to individuals who have submitted at least one valid vulnerability to the bug bounty program. Please note, in order for a researcher to earn this badge the vulnerability must be submitted directly to Wordfence and must have a registered researcher account at the time of submission.

Submitted 5 Vulnerabilities

This achievement is awarded to individuals who have submitted at least five valid vulnerabilities to the bug bounty program. Please note, in order for a researcher to earn this badge the vulnerability must be submitted directly to Wordfence and must have a registered researcher account at the time of submission.

Submitted 10 Vulnerabilities

This achievement is awarded to individuals who have submitted at least ten valid vulnerabilities to the bug bounty program. Please note, in order for a researcher to earn this badge the vulnerability must be submitted directly to Wordfence and must have a registered researcher account at the time of submission.

Submitted 25 Vulnerabilities

This achievement is awarded to individuals who have submitted at least twenty five valid vulnerabilities to the bug bounty program. Please note, in order for a researcher to earn this badge the vulnerability must be submitted directly to Wordfence and must have a registered researcher account at the time of submission.

Submitted 50 Vulnerabilities

This achievement is awarded to individuals who have submitted at least fifty valid vulnerabilities to the bug bounty program. Please note, in order for a researcher to earn this badge the vulnerability must be submitted directly to Wordfence and must have a registered researcher account at the time of submission.

Submitted 75 Vulnerabilities

This achievement is awarded to individuals who have submitted at least seventy five valid vulnerabilities to the bug bounty program. Please note, in order for a researcher to earn this badge the vulnerability must be submitted directly to Wordfence and must have a registered researcher account at the time of submission.

Submitted 100 Vulnerabilities

This achievement is awarded to individuals who have submitted at least one hundred valid vulnerabilities to the bug bounty program. Please note, in order for a researcher to earn this badge the vulnerability must be submitted directly to Wordfence and must have a registered researcher account at the time of submission.

Submitted 200 Vulnerabilities

This achievement is awarded to individuals who have submitted at least two hundred valid vulnerabilities to the bug bounty program. Please note, in order for a researcher to earn this badge the vulnerability must be submitted directly to Wordfence and must have a registered researcher account at the time of submission.

Submitted 300 Vulnerabilities

This achievement is awarded to individuals who have submitted at least three hundred valid vulnerabilities to the bug bounty program. Please note, in order for a researcher to earn this badge the vulnerability must be submitted directly to Wordfence and must have a registered researcher account at the time of submission.

Submitted 400 Vulnerabilities

This achievement is awarded to individuals who have submitted at least four hundred valid vulnerabilities to the bug bounty program. Please note, in order for a researcher to earn this badge the vulnerability must be submitted directly to Wordfence and must have a registered researcher account at the time of submission.

Submitted 500 Vulnerabilities

This achievement is awarded to individuals who have submitted at least five hundred valid vulnerabilities to the bug bounty program. Please note, in order for a researcher to earn this badge the vulnerability must be submitted directly to Wordfence and must have a registered researcher account at the time of submission.

Submitted 750 Vulnerabilities

This achievement is awarded to individuals who have submitted at least seven hundred and fifty valid vulnerabilities to the bug bounty program. Please note, in order for a researcher to earn this badge the vulnerability must be submitted directly to Wordfence and must have a registered researcher account at the time of submission.

Wordfence Vulnerability Researcher

This achievement is exclusively for employees and contractors of Wordfence. The only way to earn this achievement is to be an employee of Wordfence, or a contractor working with Wordfence, and discover at least one vulnerability.

Refer a Researcher

This achievement is awarded to researchers who have referred at least one contributing researcher to the Wordfence Bug Bounty Program.

Our Hall of Fame showcases some of the most notable bounties we've awarded over the years and provides a glimpse into the total rewards distributed through our program along with the total number of in-scope vulnerabilities we have received.

Please keep in mind that some of these bounties were issued during promotional periods and may not reflect current reward amounts for similar vulnerabilities. For the most accurate and up-to-date bounty estimates, check out our bounty estimator.

All-Time Bounty Payouts

$485,979

All-Time In-Scope Submissions

4371

289 submissions in the last 30 days.

1. LayerSlider 7.9.11 - 7.10.0 - Unauthenticated SQL Injection

Bounty

$5,500

Date

Apr 29, 2024

CVE ID

CVE-2024-2879

CVSS

9.8

2. GiveWP – Donation Plugin and Fundraising Platform <= 3.14.1 - Unauthenticated PHP Object Injection to Remote Code Execution

Bounty

$4,998

Date

Jul 1, 2024

CVE ID

CVE-2024-5932

CVSS

10.0

3. GravityForms <= 2.9.1.3 - Unauthenticated Stored Cross-Site Scripting via 'alt' parameter

Bounty

$4,224

Date

Jan 17, 2025

CVE ID

CVE-2024-13377

CVSS

7.2

4. WP Reset <= 2.0 - Sensitive Information Exposure due to Insufficient Randomness

Bounty

$4,150

Date

Feb 14, 2024

CVE ID

CVE-2023-6799

CVSS

5.9

5. POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress <= 2.8.7 - Authorization Bypass via type connect-app API

Bounty

$4,125

Date

Feb 14, 2024

CVE ID

CVE-2023-6875

CVSS

9.8

6. Spam protection, Anti-Spam, FireWall by CleanTalk <= 6.43.2 - Authorization Bypass via Reverse DNS Spoofing to Unauthenticated Arbitrary Plugin Installation

Bounty

$4,095

Date

Nov 1, 2024

CVE ID

CVE-2024-10542

CVSS

9.8

7. W3 Total Cache <= 2.8.1 - Authenticated (Subscriber+) Missing Authorization to Server-Side Request Forgery

Bounty

$3,971

Date

Dec 15, 2024

CVE ID

CVE-2024-12365

CVSS

8.5

8. Modern Events Calendar <= 7.11.0 - Authenticated (Subscriber+) Arbitrary File Upload

Bounty

$3,094

Date

Jun 1, 2024

CVE ID

CVE-2024-5441

CVSS

8.8

9. Backup Migration <= 1.3.7 - Unauthenticated Remote Code Execution

Bounty

$2,776

Date

Feb 14, 2024

CVE ID

CVE-2023-6553

CVSS

9.8

10. Avada | Website Builder For WordPress & WooCommerce <= 7.11.4 - Authenticated (Contributor+) Arbitrary File Upload

Bounty

$2,751

Date

Mar 1, 2024

CVE ID

CVE-2024-1468

CVSS

8.8

11. Ultimate Member <= 2.9.1 - Unauthenticated SQL Injection

Bounty

$2,640

Date

Jan 17, 2025

CVE ID

CVE-2025-0308

CVSS

7.5

12. OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy. <= 5.7.9 - Missing Authorization to Unauthenticated Directory Deletion and Cross-Site Scripting

Bounty

$2,525

Date

Jan 3, 2024

CVE ID

CVE-2023-6600

CVSS

8.6

13. Uncode <= 2.9.1.6 - Unauthenticated Arbitrary File Read in uncode_admin_get_oembed

Bounty

$2,376

Date

Feb 1, 2025

CVE ID

CVE-2024-13681

CVSS

7.5

14. WPForms 1.8.4 - 1.9.2.1 - Missing Authorization to Authenticated (Subscriber+) Payment Refund and Subscription Cancellation

Bounty

$2,376

Date

Nov 15, 2024

CVE ID

CVE-2024-11205

CVSS

8.5

15. Jupiter X Core <= 4.6.5 - Unauthenticated Arbitrary File Upload

Bounty

$2,145

Date

Aug 15, 2024

CVE ID

CVE-2024-7772

CVSS

9.8

16. Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin 2.1.3 - 2.8.2 - Unauthenticated SQL Injection

Bounty

$2,063

Date

Feb 14, 2024

CVE ID

CVE-2024-1071

CVSS

9.8

17. User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin <= 3.1.5 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation

Bounty

$2,063

Date

Mar 15, 2024

CVE ID

CVE-2024-2417

CVSS

8.8

18. Better Search Replace <= 1.4.4 - Unauthenticated PHP Object Injection

Bounty

$2,000

Date

Feb 14, 2024

CVE ID

CVE-2023-6933

CVSS

8.8

19. LearnPress <= 4.2.5.7 - Command Injection

Bounty

$1,900

Date

Feb 14, 2024

CVE ID

CVE-2023-6634

CVSS

8.1

20. Cookie Information | Free GDPR Consent Solution <= 2.0.22 - Authenticated (Subscriber+) Arbitrary Options Update

Bounty

$1,900

Date

Jan 3, 2024

CVE ID

CVE-2023-6700

CVSS

8.8
Rank Description Amount CVE ID CVSS Date
1 LayerSlider 7.9.11 - 7.10.0 - Unauthenticated SQL Injection $5,500 CVE-2024-2879
9.8
 Apr 29, 2024
2 GiveWP – Donation Plugin and Fundraising Platform <= 3.14.1 - Unauthenticated PHP Object Injection to Remote Code Execution $4,998 CVE-2024-5932
10.0
 Jul 1, 2024
3 GravityForms <= 2.9.1.3 - Unauthenticated Stored Cross-Site Scripting via 'alt' parameter $4,224 CVE-2024-13377
7.2
 Jan 17, 2025
4 WP Reset <= 2.0 - Sensitive Information Exposure due to Insufficient Randomness $4,150 CVE-2023-6799
5.9
 Feb 14, 2024
5 POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress <= 2.8.7 - Authorization Bypass via type connect-app API $4,125 CVE-2023-6875
9.8
 Feb 14, 2024
6 Spam protection, Anti-Spam, FireWall by CleanTalk <= 6.43.2 - Authorization Bypass via Reverse DNS Spoofing to Unauthenticated Arbitrary Plugin Installation $4,095 CVE-2024-10542
9.8
 Nov 1, 2024
7 W3 Total Cache <= 2.8.1 - Authenticated (Subscriber+) Missing Authorization to Server-Side Request Forgery $3,971 CVE-2024-12365
8.5
 Dec 15, 2024
8 Modern Events Calendar <= 7.11.0 - Authenticated (Subscriber+) Arbitrary File Upload $3,094 CVE-2024-5441
8.8
 Jun 1, 2024
9 Backup Migration <= 1.3.7 - Unauthenticated Remote Code Execution $2,776 CVE-2023-6553
9.8
 Feb 14, 2024
10 Avada | Website Builder For WordPress & WooCommerce <= 7.11.4 - Authenticated (Contributor+) Arbitrary File Upload $2,751 CVE-2024-1468
8.8
 Mar 1, 2024
11 Ultimate Member <= 2.9.1 - Unauthenticated SQL Injection $2,640 CVE-2025-0308
7.5
 Jan 17, 2025
12 OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy. <= 5.7.9 - Missing Authorization to Unauthenticated Directory Deletion and Cross-Site Scripting $2,525 CVE-2023-6600
8.6
 Jan 3, 2024
13 Uncode <= 2.9.1.6 - Unauthenticated Arbitrary File Read in uncode_admin_get_oembed $2,376 CVE-2024-13681
7.5
 Feb 1, 2025
14 WPForms 1.8.4 - 1.9.2.1 - Missing Authorization to Authenticated (Subscriber+) Payment Refund and Subscription Cancellation $2,376 CVE-2024-11205
8.5
 Nov 15, 2024
15 Jupiter X Core <= 4.6.5 - Unauthenticated Arbitrary File Upload $2,145 CVE-2024-7772
9.8
 Aug 15, 2024
16 Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin 2.1.3 - 2.8.2 - Unauthenticated SQL Injection $2,063 CVE-2024-1071
9.8
 Feb 14, 2024
17 User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin <= 3.1.5 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation $2,063 CVE-2024-2417
8.8
 Mar 15, 2024
18 Better Search Replace <= 1.4.4 - Unauthenticated PHP Object Injection $2,000 CVE-2023-6933
8.8
 Feb 14, 2024
19 LearnPress <= 4.2.5.7 - Command Injection $1,900 CVE-2023-6634
8.1
 Feb 14, 2024
20 Cookie Information | Free GDPR Consent Solution <= 2.0.22 - Authenticated (Subscriber+) Arbitrary Options Update $1,900 CVE-2023-6700
8.8
 Jan 3, 2024
Standard researchers can have 10 vulnerabilities in scope of the Bug Bounty Program pending triage at any given time. Resourceful researchers can have 25 vulnerabilities in scope of the Bug Bounty Program pending at any given time. 1337 researchers can have 50 vulnerabilities in scope of the Bug Bounty Program pending at any given time. This means that once you reach the limit, no further submissions are considered eligible for a bounty until the currently pending vulnerabilities are triaged. Out-of-Scope vulnerabilities submitted correctly do not count against the pending triage limit.
Vulnerabilities are triaged in order of vulnerability impact and number of users affected. The most critical and impactful vulnerabilities will be processed first, with the least impactful being triaged last.
It’s easy to participate in the Bug Bounty Program! Simply sign-up using this form or, if you're already registered on wordfence.com, you can set-up your researcher profile through the researcher dashboard located here. Once you are ready, you can submit a vulnerability using this form. If the vulnerability is in scope of the Bug Bounty Program and submitted via that form, it will automatically be considered for participation in the Bug Bounty Program. Make sure to review all rules and guidelines prior to participating so you know exactly what to expect.
Bounty reward payouts are processed twice a month: once on the first (1st) of the month and once on the fifteenth (15th) of the month. Any bounty accrued during the period before the next reward payout date will be paid in bulk on the day of processing.

If you do not have a PayPal address on file at the time of reward payout processing, you will need to wait until the next reward payout date to receive any accrued bounties.
Currently, all reward payments are sent through PayPal. Please make sure you have a PayPal email address on file here.
If you are already a registered user on wordfence.com, then you can simply log in to your account and navigate to the researcher dashboard where you can then follow the instructions to set up your researcher profile. These details will show up in the Wordfence Intelligence User Interface once you've submitted at least one valid vulnerability that is in production.
There is no maximum amount of bounties you can earn! The opportunities are endless.
Yes, Wordfence reserves the right to ban any user from participating in the Wordfence Intelligence Bug Bounty Program. Common reasons a user may get banned are exceeding the false positive or out-of-scope vulnerability submission allowance, abusing the system by trying to undergo “bulk” automated bounty hunting, and general misconduct.
Absolutely! You can use the same vulnerability submission form, and just make sure to check the box ‘Yes’ for the question ‘Is this an out-of-scope report just for a CVE assignment or submission to the database? If yes, you will not be eligible for a Bug Bounty.’ on the form.
Absolutely! You can use the same vulnerability submission form, and just make sure to check the box ‘Yes’ for the question ‘Is this an out-of-scope report just for a CVE assignment or submission to the database? If yes, you will not be eligible for a Bug Bounty.’ on the form.
We handle the responsible disclosure for all bounty eligible vulnerabilities. You're welcome to handle the repsonsible disclosure process yourself, however, the vulnerability would not be eligible for a bounty and would simply just get a CVE ID assignment. If you would like to handle the responsible disclosure process yourself, make sure to check ‘No’ for the question ‘Would you like Wordfence to handle the responsible disclosure of this vulnerability on your behalf?’ when completing the vulnerability submission form.
If you do not already have an account on wordfence.com, then you should use this researcher registration form that allows you to supply all of your profile details during registration.

If you already have an account on wordfence.com, then you should access your account here.
No, they are excluded. Submitting too many of these vulnerabilities may cause you to get banned or temporarily blocked from participating in the Bug Bounty Program.
No, plugins and themes with existing Bug Bounty Programs are considered out-of-scope for participation in the Bug Bounty Program.
No, developers are not eligible for bounties in their own software. You’re more than welcome to submit the vulnerability to the database, however, you will not be awarded any bounties for the submission.
All WordPress plugins and themes with over 50,000 active installations, and no existing bug bounty program, are considered explicitly in scope for all standard researchers.

For those in our Resourceful Researchers tier, all WordPress plugins and themes with over 10,000 active installations, and no existing bug bounty program, are considered explicitly in scope.

All WordPress plugins and themes with over 500 active installations, and no existing bug bounty program, are considered explicitly in scope for all 1337 Researchers.
For premium plugins and themes, we default to using the sales count as the equivalent to active installation. This means that if a plugin has 150,000 sales then we would consider that 150,000 active installations. If no sales information is available, we use an internal metric to ballpark estimate active installation counts.
  • Stored Cross-Site Scripting
  • Reflected Cross-Site Scripting
  • Cross-Site Request Forgery, that has a considerable impact on a site's security
  • Missing Authorization, that leads to a considerable impact on a site's security
  • Arbitrary Content Deletion
  • SQL Injection
  • Insecure Direct Object Reference
  • Arbitrary File Upload
  • Arbitrary File Download/Read
  • Arbitrary File Deletion
  • Local File Include/Remote File Include
  • Directory Traversal
  • Privilege Escalation to Admin
  • Privilege Escalation to Non-Admin
  • Authentication Bypass to Admin
  • Authentication Bypass to Non-Admin
  • Remote Code Execution/Code Injection
  • Information Disclosure
  • Server-Side Request Forgery
  • PHP Object Injection
  • Intentional Backdoors Added by Developers that are Accessible by Threat Actors
  • CSV Injection
  • IP Spoofing, where the only impact is integrity
  • Secrets (such as 2FA secrets) that are stored in plaintext in a database that can’t be exploited through another Vulnerability in the plugin
  • Web Application Firewall (WAF) Rule Bypasses
  • CSS Injection, where this is not a considerable and demonstrable impact to site’s security
  • HTML Injection, where this is not a considerable and demonstrable impact to site’s security
  • DoS Vulnerabilities, where this is not a considerable and demonstrable impact to site’s security
  • CAPTCHA Bypasses
  • CORS Issues
  • Software containing vulnerable packages or dependencies that are not verifiably exploitable in that plugin or theme
  • Any Vulnerability requiring PR:H to Exploit. Administrator, Editor, and Shop Manager roles, along with any other role that has the 'unfiltered_html' capability fall into this category.
  • Open Redirect
  • TabNabbing
  • Vulnerabilities dependent on successfully exploiting a race condition that is not easily replicable in a common configuration.
  • Cache Poisoning, where this is not a considerable and demonstrable impact to site’s security
  • TOCTOU, where this is not a considerable and demonstrable impact to site’s security
  • Self Cross-Site Scripting
  • Issues that lead to Username Enumeration
  • Theoretical Vulnerabilities
  • Lack of HTTP Headers
  • Clickjacking
  • Server-Side Request Forgery via DNS Rebinding
  • API Key Updates/Overwrites/Reads
  • Full Path Disclosure
  • Cross-Site Request Forgery on unauthenticated forms or on forms with no sensitive actions (examples include disabling a non-critical admin notice)
  • Vulnerabilities that only affect users of outdated or unpatched browsers (An outdated or unpatched browser is considered 2 stable versions behind the latest released version).
  • Any Vulnerability with a CVSS 3.1 score that is lower than 4.0 and can’t be leveraged to achieve a higher score.
  • Vulnerabilities only exploitable on configurations running EOL versions of software, such as PHP, mysql, apache, nginx, openssl
  • Any SQL Injection that requires wp_magic_quotes to be disabled in order to exploit
  • Security issues or vulnerabilities that require local access to the server to exploit
  • Vulnerabilities that can only be exploited by an administrator explicitly granting access to a lower-privileged user where the likelihood of an administrator granting access is minimal or the administrator is granting access to functionality and features that can be abused
  • Vulnerabilities that require excessive brute force to exploit. Please note we may accept vulnerabilities as in scope where brute force is required and the likelihood of success is relatively high. Scope eligibility will be determined on a case-by-case basis
  • File Uploads with Embedded Client-Side Scripts or Macros (i.e. PDF files injected with XSS payloads)
  • Double Extension File Upload Attacks (i.e. .php.png)
  • Uploaded files in publicly accessible directories where the information exposed can not lead to a full site compromise
  • Private/Hidden/Draft/Pending/Password Protected Post Access
Once your profile has been approved for the first time, you can manage your payment and reward payout history here. If you chose to use the same email for PayPal and your email address during registration, your email will automatically be there. Otherwise, you can add your preferred PayPal address here. This is also where you will see all of your upcoming rewards and reward payout history once you have approved bounties.

To be considered for "1337 Wordfence Vulnerability Researcher" status, a Researcher must meet and maintain the following requirements.

  • The Researcher must complete at least one of the following:
    • Discover and submit 5 or more Critical Severity, High Impact Vulnerabilities with high quality reports.
    • Discover and submit 10 or more High Severity, High Impact Vulnerabilities with high quality reports.
  • In addition to completing at least one of the following:
    • Discover and submit 15 high quality Vulnerability reports. These reports have very detailed information and an easy to validate proof of concept.
    • Has not submitted more than 10 false positive or out-of-scope Vulnerability reports.
    • Submit proof of approved offensive security certification or other mastery security certification. The following list is exhaustive, and additional qualifying certifications may be added over time: OSCP, OSWA, OSWE, OSEP, OSED, eWPTx, eWPT, CISSP, CISM, CISA.
  • To maintain 1337 Wordfence Vulnerability Researcher credibility, a Researcher must ensure the following is completed each year:
    • Ensure you don't submit more than 10 false positive or Low Quality Vulnerability reports in a 90 day window.
    Additionally, at least one of the following must be completed in the same period:
    • Report at least 5 critical severity Vulnerabilities
    • Report at least 10 high severity Vulnerabilities
    • Report at least 20 medium severity Vulnerabilities

Refer-A-Researcher Program

Introducing the Wordfence Refer-A-Researcher Program! This initiative rewards our top security researchers for bringing new talent to our Bug Bounty Program. If you're an active contributor, you can refer researchers and earn commissions while helping to strengthen WordPress security.

Eligible researchers will be notified by email once they’ve met the Wordfence Refer-A-Researcher Program eligibility requirements. At that point, access to apply to the Wordfence Refer-A-Researcher Program can be found on the researcher dashboard. Note that researchers who do not meet the eligibility requirements will not be able to view or complete the application until the requirements are met.

Researchers that are a part of the Wordfence Refer-A-Researcher Program will receive a special referral link that can be shared to new researchers for signing-up that will allow referring researchers to earn a commission based on the first few submissions of a newly referred researcher.

Benefits

Earn a 20% commission on the cumulative bounties from the first five validated reports submitted by your referrals. It's a rewarding way to help expand our community of security experts! The commission earnings are unlimited, meaning there are no caps to how much you can earn by referring researchers.

Maximize your commissions by encouraging and helping other researchers learn how to hunt for the most impactful and critical vulnerabilities in WordPress, which will ultimately lead to a bigger reward for you, your referral, and the WordPress ecosystem.

To provide an example, if a researcher submits 5 vulnerabilities earning $100 each, then the referring researcher would earn a bonus of $100 after those 5 vulnerabilities have been submitted, validated, and their bounties approved.

Eligibility

To qualify, you must:

  • Be registered as a researcher for at least one month
  • Submit at least 10 valid in-scope vulnerabilities
  • Actively promote meaningful vulnerability research in WordPress
  • Receive approval from the Wordfence Bug Bounty Team
  • Once eligible, you will receive an email letting you know that you can apply. You can also track your eligibility in your Researcher Dashboard.

How it Works

After you're approved, here's how it works:

  1. You share your unique referral link to a researcher who is not already registered as part of our program.
  2. The researcher signs up using the link you've provided them. Our team approves their profile.
  3. You help and encourage the referred researcher to submit their first 5 in-scope reports.
  4. You can track their progress from your Researcher Dashboard.
  5. After the researcher submits their first 5 in-scope validated reports, you earn a commission bonus of 20% of the total bounties that were awarded for those submissions.

Review the full terms and conditions.

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation

This site uses cookies in accordance with our Privacy Policy.