API Security Blog

200,000 WordPress Sites Affected by Unauthenticated Critical Vulnerabilities in Anti-Spam by CleanTalk WordPress Plugin

Calling all superheroes and hunters! Introducing the End of Year Holiday Extravaganza and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program! Through December 9th, 2024:

- All in-scope vulnerability types for WordPress plugins/themes with >= 1,000 active installations are in scope for ALL researchers.
- All plugins and themes with 50-999 active installs hosted in the WordPress.org repository and updated within the last 2 years are in scope for all researchers!
- Minimum bounty of $5 for all valid in-scope submissions.
- All researchers earn automatic bonuses of between 5% and 180% for valid submissions.
- Pending report limits are increased for all.
- It's possible to earn up to $31,200 for high-impact vulnerabilities!

On October 30th, 2024, we received a submission for an Authorization Bypass via Reverse DNS Spoofing vulnerability in Anti-Spam by CleanTalk, a WordPress plugin with more than 200,000 active installations. This vulnerability makes it possible for an unauthenticated attacker to install and activate arbitrary plugins on a vulnerable site, which can be leveraged to achieve remote code execution. A few days later, on November 4th, our Threat Intelligence Team discovered another vulnerability in the same functionality that could be leveraged to perform the same actions.

Props to mikemyers who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $4,095.00 for this discovery…
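The vulnerability class named above, an authorization bypass via reverse DNS spoofing, is worth seeing in code. What follows is an added Python illustration written for this page; it is not code from the CleanTalk plugin or from Wordfence, and it makes no claim about how the plugin's own check is written. The general weakness is this: a PTR record is published by whoever controls the reverse zone for an IP block, so anyone can make their own address "resolve" to a vendor-looking hostname. A server that authorizes a privileged action because the caller's reverse DNS name ends in the vendor's domain is therefore trusting attacker-controlled data. The fix shown is forward-confirmed reverse DNS (the PTR name must resolve back to the connecting IP), which the attacker cannot satisfy without control of the vendor's forward zone. The IPs, hostnames, the `vendor.example` zone and the resolver tables below are all constructed for the example.

```python
"""Added illustration of an authorization check that trusts reverse DNS.

Example code written for this page, not code from the CleanTalk plugin or
from Wordfence; it does not reproduce the plugin's actual logic. All IPs,
hostnames and DNS records below are constructed for the demo.
"""

TRUSTED_ZONE = "vendor.example"  # assumed vendor domain (hypothetical)

# Constructed stand-in for the resolver. PTR records live in the reverse zone
# owned by whoever controls the IP block, so an attacker can publish any PTR
# for their own address. They cannot add an A record under a domain they do
# not control, which is what forward confirmation relies on.
PTR_RECORDS = {
    "203.0.113.10": "api.vendor.example.",   # genuine vendor host
    "198.51.100.7": "api.vendor.example.",   # attacker's box, spoofed PTR
}
FORWARD_RECORDS = {
    "api.vendor.example": {"203.0.113.10"},
}


def _normalize(name):
    """Lower-case and strip the trailing dot that resolvers often return."""
    return name.rstrip(".").lower()


def _in_trusted_zone(name):
    """True for the zone apex or any name strictly inside it.

    Matching on '.' + zone rejects look-alikes such as 'evil-vendor.example'
    that a bare endswith(TRUSTED_ZONE) would accept.
    """
    name = _normalize(name)
    return name == TRUSTED_ZONE or name.endswith("." + TRUSTED_ZONE)


def ptr_only_check(ip, ptr=PTR_RECORDS):
    """Vulnerable pattern: authorize a caller because its PTR name looks right."""
    name = ptr.get(ip)
    return name is not None and _in_trusted_zone(name)


def fcrdns_check(ip, ptr=PTR_RECORDS, forward=FORWARD_RECORDS):
    """Forward-confirmed reverse DNS: the PTR name must resolve back to `ip`.

    The attacker controls the PTR for 198.51.100.7 but not the A record of
    api.vendor.example, so the round trip fails for them and succeeds only
    for the genuine host.
    """
    name = ptr.get(ip)
    if name is None or not _in_trusted_zone(name):
        return False
    return ip in forward.get(_normalize(name), set())


def handle_install_request(ip, checker):
    """Simulated privileged endpoint: what the server would do for `ip`."""
    if checker(ip):
        return "install plugin"
    return "reject"


if __name__ == "__main__":
    for ip in PTR_RECORDS:
        print(ip,
              "ptr-only:", handle_install_request(ip, ptr_only_check),
              "fcrdns:", handle_install_request(ip, fcrdns_check))
```

Running the block shows the attacker's 198.51.100.7 passing the PTR-only check and being rejected by the forward-confirmed one. Even forward-confirmed reverse DNS is only a weak network-layer hint (DNS answers are unauthenticated unless DNSSEC is validated, and a shared or compromised vendor host would still pass), so a privileged operation such as installing a plugin should be gated on a real credential, for example a signed request or a site-specific API key, with the DNS check at most as an extra layer.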
