We often find misleading to outright false information about supposed WordPress plugin vulnerabilities coming from claimed security researchers. That frequently involves claims of non-existent vulnerabilities and, more problematically, false claims that real vulnerabilities have been fixed when they haven’t. We are now compiling information on claimed security researchers to help identify untrustworthy researchers and others trying to take advantage of the WordPress community.

If you are a WordPress plugin developer that has been approached by one of the less than trustworthy "researchers" or their partners (Patchstack, Wordfence, or WPScan) and are looking for help to identify if there really is an issue and what needs to be done to fix it, we offer free help.

Proper research involves providing details of claimed vulneraibilites and or a proof of concept, which allows others to understand the issue and for peer review to take place. It also involves making sure the issue is actually fixed before claimit it is fixed. Issues should not be reported to third-parties instead of the developers.

Researchers

• 0xd4rk5id3
• Abdi Pranata
• Bob Matyas (Automattic)
• Dave Jong (Patchstack)
• Dhabaleshwar Das
• Dimas Maulana
• Dmitrii Ignatyev (CleanTalk)
• Francesco Carlucci
• István Márton (Lana Codes)
• Jerome Bruandet (NinTechNet)
• João Pedro Soares de Alcântara (Kinorth)
• Joshua Chan
• kauenavarro
• Kévin Mosbahi (Mika)
• Krzysztof Zając (CERT PL)
• Le Ngoc Anh (sun*inc)
• Lucio Sá
• LVT-tholv2k
• Marco Wotschka (Wordfence)
• Mat Rollings (stealthcopter)
• Ngô Thiên An (ancorn_) (VNPT-VCI)
• Nguyen Xuan Chien
• Peter Thaleikis
• R3N0
• Rafie Muhammad
• Rio Darmawan (Zerobyte)
• Rio Darmawan (Zerobyte)
• SOPROBRO
• theviper17y
• thiennv
• Trương Hữu Phúc (truonghuuphuc)
• vgo0
• Webbernaut
• wesley (wcraft)
• WPScan Team