Top reports from WordPress program at HackerOne:
- Stored XSS Vulnerability to WordPress - 355 upvotes, $500
- Stored XSS in Private Message component (BuddyPress) to WordPress - 331 upvotes, $500
- Stored XSS on byddypress Plug-in via groups name to WordPress - 127 upvotes, $450
- Wordpress unzip_file path traversal to WordPress - 108 upvotes, $800
- Reflected XSS on https://make.wordpress.org via 'channel' parameter to WordPress - 95 upvotes, $387
- CSRF to HTML Injection in Comments to WordPress - 92 upvotes, $950
- Potential unprivileged Stored XSS through wp_targeted_link_rel to WordPress - 79 upvotes, $650
- Mssing Authorization on Private Message replies (BuddyPress) to WordPress - 63 upvotes, $375
- plugins.trac.wordpress.org likely vulnerable to Cross Site Tracing (xst), TRACE HTTP method should be disabled to WordPress - 55 upvotes, $150
- Multiple stored XSS in WordPress to WordPress - 35 upvotes, $1200
- "Bad Protocols Validation" Bypass in "wp_kses_bad_protocol_once" using HTML-encoding without trailing semicolons to WordPress - 34 upvotes, $350
- Logic flaw in the Post creation process allows creating posts with arbitrary types without needing the corresponding nonce to WordPress - 32 upvotes, $900
- [mercantile.wordpress.org] Reflected XSS via AngularJS Template Injection to WordPress - 28 upvotes, $300
- Add users to groups who have restricted group invites to WordPress - 28 upvotes, $275
- Information / sensitive data disclosure on some endpoints to WordPress - 27 upvotes, $0
- Open API For Username enumeration to WordPress - 24 upvotes, $0
- Wordpress 4.7.2 - Two XSS in Media Upload when file too large. to WordPress - 23 upvotes, $350
- DOM Based XSS In mercantile.wordpress.org to WordPress - 21 upvotes, $275
- [FG-VD-18-165] Wordpress Cross-Site Scripting Vulnerability Notification II to WordPress - 20 upvotes, $650
- Reflected Swf XSS In ( plugins.svn.wordpress.org ) to WordPress - 20 upvotes, $350
- Content Spoofing @ https://irclogs.wordpress.org/ to WordPress - 20 upvotes, $0
- Wordpress 4.7 - CSRF -> HTTP SSRF any private ip:port and basic-auth to WordPress - 19 upvotes, $750
- Infrastructure - Photon - SSRF to WordPress - 18 upvotes, $350
- XSS in the search bar of mercantile.wordpress.org to WordPress - 18 upvotes, $275
- WordPress DB Class, bad implementation of prepare method guides to sqli and information disclosure to WordPress - 17 upvotes, $0
- Reflected XSS at https://da.wordpress.org/themes/?s= via "s=" parameter to WordPress - 16 upvotes, $387
- Arbitrary file deletion in wp-core - guides towards RCE and information disclosure to WordPress - 16 upvotes, $0
- CSRF to add admin [wordpress] to WordPress - 15 upvotes, $1337
- Authenticated Cross-site Scripting in Template Name to WordPress - 15 upvotes, $350
- Reflected XSS: Taxonomy Converter via tax parameter to WordPress - 15 upvotes, $275
- Clickjacking In jobs.wordpress.net to WordPress - 15 upvotes, $0
- Stored self-XSS in mercantile.wordpress.org checkout to WordPress - 14 upvotes, $275
- Buddypress 2.9.1 - Exceeding the maximum upload size - XSS leading to potential RCE. to WordPress - 14 upvotes, $275
- Open Redirect on the nl.wordpress.net to WordPress - 13 upvotes, $50
- Clickjacking wordcamp.org to WordPress - 13 upvotes, $0
- [mercantile.wordpress.org] Reflected XSS to WordPress - 11 upvotes, $225
- Missing SSL can leak job token to WordPress - 11 upvotes, $0
- Stored xss via template injection to WordPress - 10 upvotes, $300
- Clickjacking mercantile.wordpress.org to WordPress - 10 upvotes, $0
- MediaElements XSS to WordPress - 9 upvotes, $450
- [Buddypress] Arbitrary File Deletion through bp_avatar_set to WordPress - 8 upvotes, $350
- Lack of Sanitization and Insufficient Authentication to WordPress - 8 upvotes, $300
- XSS on support.wordcamp.org in ajax-quote.php to WordPress - 8 upvotes, $225
- Allow authenticated users can edit, trash,and add new in BuddyPress Emails function to WordPress - 8 upvotes, $225
- Stored but [SELF] XSS in mercantile.wordpress.org to WordPress - 8 upvotes, $150
- Self-XSS in WordPress Editor Link Modal to WordPress - 8 upvotes, $150
- xss - reflected to WordPress - 8 upvotes, $50
- code.wordpress.net subdomain Takeover to WordPress - 8 upvotes, $25
- Clickjacking - https://mercantile.wordpress.org/ to WordPress - 8 upvotes, $0
- Stored XSS on Wordpress 5.3 via Title Post to WordPress - 8 upvotes, $0
- [BuddyPress 2.9.1] Open Redirect via "wp_http_referer" parameter on "bp-profile-edit" endpoint to WordPress - 7 upvotes, $275
- Lack of Password Confirmation when Changing Password and Email to WordPress - 7 upvotes, $0
- [support.wordcamp.org] - publicly accessible .svn repository to WordPress - 7 upvotes, $0
- Unauthenticated hidden groups disclosure via Ajax groups search to WordPress - 5 upvotes, $275
- WordPress core - Denial of Service via Cross Site Request Forgery to WordPress - 5 upvotes, $250
- CSRF in Profile Fields allows deleting any field in BuddyPress to WordPress - 5 upvotes, $225
- Account takeover vulnerability by editor role privileged users/attackers via clickjacking to WordPress - 5 upvotes, $0
- Improper Access Control in Buddypress core allows reply,delete any user's activity to WordPress - 4 upvotes, $225
- Administrator(s) Information disclosure via JSON on wordpress.org to WordPress - 4 upvotes, $0
- Wordpress 4.8.1 - Rogue editor leads to RCE. And the risks of same origin frame scripting in general to WordPress - 4 upvotes, $0
- Privilege Escalation in BuddyPress core allows Moderate to Administrator to WordPress - 3 upvotes, $225
- antispambot does not always escape <, >, &, " and ' to WordPress - 3 upvotes, $0
- Stored XSS in WordPress to WordPress - 2 upvotes, $0
- WordPress Automatic Update Protocol Does Not Authenticate Updates Provided by the Server to WordPress - 2 upvotes, $0
- Parameter tampering : Price Manipulation of Products to WordPress - 2 upvotes, $0
- Clickjacking irclogs.wordpress.org to WordPress - 1 upvotes, $0
- UnResolved ChangeSet are Visible to Public That also Causes Information Disclosure to WordPress - 0 upvotes, $0