WordPress Vulnerability Disclosure Policy

Our coordinated vulnerability disclosure policy for WordPress plugins, themes, and core. We work with security researchers to identify, report, and coordinate the remediation of WordPress security vulnerabilities.

Last Updated: December 2024

Introduction

TuranSecurity is a CVE Numbering Authority (CNA) specializing in security research for the WordPress ecosystem. We identify, document, and coordinate the disclosure of vulnerabilities in WordPress plugins, themes, and core. This policy describes how to report WordPress vulnerabilities to us, what you can expect from us, and what we expect from you.

Safe Harbor: TuranSecurity will not pursue legal action against security researchers who discover and report vulnerabilities in good faith and in accordance with this policy.

Scope

This policy applies to security vulnerabilities in WordPress-based products:

  • WordPress Plugins - All plugins available on WordPress.org repository
  • WordPress Themes - All themes available on WordPress.org repository
  • WordPress Core - The core WordPress software and its components

Vulnerability Types

We accept reports for all types of security vulnerabilities including but not limited to:

  • SQL Injection (SQLi)
  • Cross-Site Scripting (XSS) - Stored, Reflected, DOM-based
  • Cross-Site Request Forgery (CSRF)
  • Remote Code Execution (RCE)
  • Local File Inclusion (LFI) / Remote File Inclusion (RFI)
  • Authentication Bypass
  • Privilege Escalation
  • Insecure Direct Object References (IDOR)
  • Arbitrary File Upload/Download/Deletion
  • Server-Side Request Forgery (SSRF)
  • Sensitive Data Exposure
  • Missing Authorization / Broken Access Control

Out of Scope

The following are not covered under this policy:

  • Vulnerabilities requiring unlikely user interaction
  • Self-XSS vulnerabilities
  • Missing security headers without demonstrated impact
  • Denial of service (DoS/DDoS) attacks
  • Social engineering attacks
  • Physical security issues
  • Vulnerabilities in outdated/unsupported versions when current version is patched
  • Third-party services or libraries unless directly exploitable through WordPress

How to Report

To report a WordPress security vulnerability, please use one of the following methods:

Required Information

When reporting a WordPress vulnerability, please include:

  1. Product Information: Plugin/Theme name, slug, and version number
  2. WordPress Version: The WordPress version used during testing
  3. Vulnerability Type: Classification (e.g., SQLi, XSS, CSRF)
  4. Description: Detailed explanation of the vulnerability
  5. Reproduction Steps: Step-by-step instructions to reproduce
  6. Proof of Concept: Working PoC code, HTTP requests, or screenshots (Allowed formats: MP4, JPG, PNG, ZIP)
  7. Impact Assessment: What an attacker could achieve
  8. Affected File/Function: Specific code location if known
  9. CVSS Score: Your severity assessment (optional)

CVE Assignment

As a CVE Numbering Authority (CNA), TuranSecurity assigns CVE IDs for vulnerabilities in:

  • WordPress plugins available on WordPress.org
  • WordPress themes available on WordPress.org
  • WordPress core components
  • WordPress-related libraries and dependencies

CVE Process

  1. Submit your vulnerability report with all required information
  2. We validate and verify the vulnerability
  3. We assign a CVE ID and notify you
  4. We coordinate with the vendor/developer for remediation
  5. CVE is published after patch release or disclosure deadline

To request a CVE ID, submit your vulnerability report through our CVE Request form.

Researcher Guidelines

We ask that security researchers:

  • Test safely: Use your own WordPress installations for testing, not production sites
  • Avoid data access: Do not access, modify, or exfiltrate user data
  • No automation on live sites: Do not run automated scanners against live WordPress installations you don't own
  • Report promptly: Submit vulnerabilities as soon as they are discovered
  • Maintain confidentiality: Do not disclose vulnerabilities publicly until coordinated disclosure
  • Provide details: Include sufficient technical information for verification
  • One report per vulnerability: Submit separate reports for each unique vulnerability
  • Coordinate with us: Work with us on disclosure timing

Recognition & Credit

We value security researchers and provide proper recognition:

  • Full credit in CVE records and security advisories
  • Listed in our public disclosures with your preferred name/handle
  • Option for anonymity if preferred
  • Coordinated public disclosure timing
  • Featured in our Hall of Fame for significant contributions

Our Commitment

When you report a WordPress vulnerability to us, we commit to:

  • Acknowledge your report within 72 hours
  • Validate and verify the vulnerability
  • Assign a CVE ID for confirmed vulnerabilities
  • Coordinate with plugin/theme developers for patches
  • Keep you informed throughout the process
  • Credit you in all public disclosures
  • Publish advisory after patch or disclosure deadline
  • Never pursue legal action against good-faith researchers

Contact Information

For WordPress security research and CVE requests: