Security Bug Bounty Program for WordPress Plugins


  • The bug must not have been previously reported.
  • The bug must be in the most recently released version of the plugin.
  • You must not have created the buggy code or be in any way involved in its creation.
  • The plugin must have over 50,000 active installs.
  • Bounties are also available for our own plugins Automatic Plugin Updates, No Longer in Directory, and Plugin Vulnerabilities.

Eligible Vulnerability Types

  • Unauthenticated remote execution of arbitrary PHP code: US$250
  • Unauthenticated remote malicious file inclusion: US$250
  • Unauthenticated PHP object injection: US$125
  • Unauthenticated SQL injection that can modify the database: US$125
  • Unauthenticated persistent cross-site scripting (XSS): US$125
  • Privilege escalation from unauthenticated to an Administrator role: US$125
  • Unauthenticated arbitrary file viewing that exposes wp-config.php file contents: US$125
  • Unauthenticated information disclosure that exposes website backup files: US$125
  • Unauthenticated information disclosure that exposes customer information: US$125
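
As an added illustration of the "unauthenticated SQL injection that can modify the database" category (this is example code written for this page, not code from any real plugin; the plugin, table, hook and parameter names are hypothetical), the snippet below shows an `admin-ajax.php` handler that any visitor can reach, first in a vulnerable form and then parameterised with `$wpdb->prepare()`:

```php
<?php
/*
 * Added illustration for the "unauthenticated SQL injection that can modify
 * the database" category. Not code from any real plugin: the plugin, table,
 * hook and parameter names are hypothetical.
 */

// wp_ajax_nopriv_* handlers run for visitors who are NOT logged in, so the
// endpoint below is reachable by anyone:
//   POST /wp-admin/admin-ajax.php   action=example_unsubscribe&email=...
add_action( 'wp_ajax_nopriv_example_unsubscribe', 'example_unsubscribe_vulnerable' );

function example_unsubscribe_vulnerable() {
    global $wpdb;
    $email = $_POST['email'];                        // attacker-controlled, unescaped
    $table = $wpdb->prefix . 'example_subscribers';

    // The value is concatenated straight into a DELETE statement. An email of
    //   x' OR 1=1 -- 
    // yields  DELETE FROM wp_example_subscribers WHERE email = 'x' OR 1=1 -- '
    // and removes every row, i.e. the injection modifies the database.
    $wpdb->query( "DELETE FROM $table WHERE email = '$email'" );
    wp_send_json_success();
}

// Hardened version: the input is validated as an email address and the query
// is parameterised with $wpdb->prepare(), which escapes the value bound to the
// %s placeholder so it can only ever match a single literal string.
add_action( 'wp_ajax_nopriv_example_unsubscribe_safe', 'example_unsubscribe_safe' );

function example_unsubscribe_safe() {
    global $wpdb;
    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    if ( ! is_email( $email ) ) {
        wp_send_json_error( 'invalid email', 400 );  // wp_send_json_error() calls wp_die()
    }
    $table = $wpdb->prefix . 'example_subscribers';

    $wpdb->query(
        $wpdb->prepare( "DELETE FROM {$table} WHERE email = %s", $email )
    );
    wp_send_json_success();
}
```

When checking whether a finding is "unauthenticated" in the sense used above, look at how the code is reached rather than at what it does: `wp_ajax_nopriv_*` actions, REST routes registered with a `permission_callback` that simply returns true, code hooked on `init` or `template_redirect` that acts on `$_GET`/`$_POST`, and plugin PHP files that do real work when requested directly are all reachable without a session. A nonce check on its own does not make an endpoint authenticated, since a nonce for a `nopriv` action can be obtained by any visitor; only a capability check such as `current_user_can()` restricts who may trigger the action.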


To receive the bounty you need to report the vulnerability to us first; we will then notify the plugin's developer of the issue. If there has been no response from the developer within 7 days, we will publicly disclose the vulnerability. For developers that do respond, we will disclose the vulnerability after it is fixed or after 30 days, whichever comes first.

The bounty will be paid as soon as we have confirmed that the vulnerability exists.

The bounty will be paid via PayPal. The bounty can also be donated to a charity of your choice.