Public WordPress bug reports.
4,419 Bug Reports - $2,030,173 Paid Out
Last Updated: 12th September, 2017
| Team | Bounty | Title |
|---|---|---|
| WordPress | - | Clickjacking - https://mercantile.wordpress.org/ |
| WordPress | - | Vulnerable to clickjacking |
| WordPress | $275 | DOM Based XSS In mercantile.wordpress.org |
| WordPress | - | [mercantile.wordpress.org] Reflected XSS via AngularJS Template Injection |
| WordPress | $275 | Stored self-XSS in mercantile.wordpress.org checkout |
| WordPress | - | Lack of Password Confirmation when Changing Password and Email |
| WordPress | $150 | Stored but [SELF] XSS in mercantile.wordpress.org |
| WordPress | $387.50 | Reflected XSS at https://da.wordpress.org/themes/?s= via "s=" parameter |
| WordPress | $275 | XSS in the search bar of mercantile.wordpress.org |
| WordPress | - | Administrator(s) Information disclosure via JSON on wordpress.org |
| WordPress | $350 | Infrastructure - Photon - SSRF |
| WordPress | $350 | Wordpress 4.7.2 - Two XSS in Media Upload when file too large. |
| WordPress | $350 | [Buddypress] Arbitrary File Deletion through bp_avatar_set |
| WordPress | $1,337 | CSRF to add admin [wordpress] |