Skip to Main Content

WordPress Security Bug Bounty Program

Our bug bounty program for WordPress is intended to promote security research of WordPress and its plugins and to help with the continuing process of keeping WordPress and its plugins secure, as we use WordPress, support it for our clients, and clean up WordPress websites that have been hacked.


  • The bug must not have been previously reported.
  • The bug must be in the most recently released version.
  • You must not have created the buggy code or are in anyway involved in the creation of it.

WordPress Bounties

  • Remote execution of arbitrary PHP code: US$1000
  • Remote malicious file inclusion: US$1000
  • Remote SQL injection that allows reading or modifying the database: US$500
  • Persistent cross-site scripting (XSS) (Please note that admin and editor level users are permitted by WordPress to use unfiltered HTML): US$500
  • Authentication flaw that allow access to Admin-level capabilities: US$500
  • Privilege escalation from Subscriber to Admin or Super Admin: US$500
  • Information disclosure that exposes wp-config.php file contents: US$500
  • Reflective cross-site scripting (XSS): US$200
  • DOM-based cross-site scripting (XSS): US$200
  • Cross-site request forgery (CSRF): US$200
  • Privilege escalation: US$100

WordPress Plugin Bounties

For plugins with over 100,000+ active installs according to The bounties are also available for our plugins Automatic Plugin Updates, No Longer in Directory, and Plugin Vulnerabilities.

  • Unauthenticated remote execution of arbitrary PHP code: US$250
  • Unauthenticated remote malicious file inclusion: US$250
  • Unauthenticated SQL injection that can modify the database: US$125
  • Unauthenticated persistent cross-site scripting (XSS): US$125
  • Privilege escalation from unauthenticated to a Admin lever user: US$125
  • Unauthenticated information disclosure that exposes wp-config.php file contents: US$125


To receive the bounty you need to mention the bounty program when you first contact the developer about the bug and they need to acknowledge that. Instructions for contacting the WordPress developers about security issues in WordPress are located here. For plugins you should contact the developer directly. If you provide us details of the bug before the developer has had a chance to review the report then the security bug will not be eligible for a bounty. Once that has been completed you will also need to provide enough information for us to recreate the exploitation of the bug. The bounty will be paid via PayPal. The bounty can also be donated to a charity of your choice.


  • 1/29/2013 - Reflective cross-site scripting bug in WP-Table Reloaded (fixed in 1.9.4)
  • 12/7/2012 - Persistent cross-site scripting bug in BuddyPress (fixed in 1.6.2)
  • 1/18/2012 - Remote SQL injection bug in WP e-Commerce (fixed in
  • 1/6/2012 - Reflective cross-site scripting bug in WP e-Commerce (fixed in
  • 10/27/2011 - Reflective cross-site scripting bug in NextGEN Gallery (fixed in 1.8.4)
  • 10/27/2011 - Reflective cross-site scripting bug in WP e-Commerce (fixed in