Wordfence Bug Bounty Program Monthly Report – July 2025

 

Last month in July 2025, the Wordfence Bug Bounty Program received 325 vulnerability submissions from our growing community of security researchers working to improve the overall security posture of the WordPress ecosystem. These submissions are reviewed, triaged, and processed by the Wordfence Threat Intelligence team, with validated vulnerabilities responsibly disclosed to vendors, often through the Wordfence Vulnerability Management Portal, and protected through the Wordfence Firewall where appropriate.

Our mission with the Wordfence Bug Bounty Program is to engage the broader security community in identifying and responsibly disclosing vulnerabilities in WordPress plugins and themes, so they can be patched before attackers discover and start exploiting them. This collaborative effort enables Wordfence to accelerate patch adoption, provide early protection to millions of websites, and ensure that high-quality vulnerability intelligence reaches the WordPress ecosystem as efficiently as possible. That is why we reward researchers for valid submissions, and why we remain committed to processing every report with transparency, accuracy, and urgency.

🔍 Join the Wordfence Bug Bounty Program


Help secure the WordPress ecosystem while earning rewards for your security research.

We’re actively seeking skilled researchers to identify vulnerabilities in WordPress plugins and themes, with prompt payments and transparent processes.

As the most comprehensive and highest-quality WordPress vulnerability program, the Wordfence Bug Bounty Program plays a critical role in helping site owners, developers, and hosting providers stay ahead of emerging threats at all stages of the open source lifecycle.

In this report, we highlight key metrics of the Bug Bounty Program from July 2025, recognize the researchers contributing to WordPress security, and provide insight into the vulnerabilities uncovered and addressed.

If you’re interested in joining the program or learning more about how we responsibly manage disclosures and protect WordPress users, visit the Bug Bounty Program page.

Table of Contents
📊 Program Submission Highlights – July 2025
🔍 WordPress Software Vulnerability Submission Insights – July 2025
💰 Bounty Insights – July 2025
🌟 Top WordPress Security Researchers – July 2025
📣 Current WordPress Bug Bounty Program Promotions
🔦 Critical WordPress Software Vulnerability Highlights – July 2025
📝 Conclusion

 


📊 Program Submission Highlights – July 2025

The Wordfence Bug Bounty Program is designed for momentum: rapid triage of critical issues, clear feedback, and fast, fair rewards. Each submission moves through our standardized workflow of validation, vendor coordination, patch verification, and firewall coverage where applicable, so research translates into real-world protection quickly.

🛡 Real-Time Protection Impact


Every vulnerability disclosed through this program is a threat you don’t have to face blindly. Our researchers uncover and report vulnerabilities before they can be exploited, and Wordfence Premium, Care and Response users get protection in real time through our firewall. Free users receive the same firewall rules after a 30-day delay.

Behind the numbers is meaningful impact for site owners. The issues surfaced here inform new firewall rules, strengthen our detection logic, and help vendors ship safer releases. If you’re new to bounty hunting, this is a great place to start: we publish scope clearly, pay promptly, and credit the work that keeps WordPress secure.

📈 Total Submissions: 325 (+3.2% from last month)
👥 Active Researchers: 69 (-1.4% from last month)
🚨 High Threat: 39 (-15.2% from last month)
⚠ Common & Dangerous: 5 (-44.4% from last month)
🛡 WAF Rules Released: 4 (-69.2% from last month)


🎯 Vulnerability Focus Areas


  • 🚨 High Threat Vulnerabilities: Issues that could result in full site compromise, such as Arbitrary File Uploads or Remote Code Execution. Must be exploitable by unauthenticated or low-level authenticated attackers with software having 25+ active installations.
  • ⚠ Common & Dangerous: Stored Cross-Site Scripting and SQL Injection vulnerabilities exploitable by unauthenticated or low-level authenticated attackers. Software must have 500+ active installations.

💰 Bounty Insights – July 2025

Our research powers real investment back into the community. This section totals bounties and bonuses paid for the month and showcases standout findings. Our philosophy is simple: reward high-quality, responsibly disclosed research that measurably reduces risk for WordPress users.

💰 Total Bounties Awarded: $18,047 (July 2025)
📊 Average Bounty Per Submission: $130.78 (per validated in-scope submission)
🏆 Highest Single Bounty: $1,170 (top researcher reward)

Top 5 Bounties Awarded

| Vulnerability | Bounty | Install Count |
|---|---|---|
| AI Engine 2.9.3 – 2.9.4 – Authenticated (Subscriber+) Arbitrary File Upload | $1,170.00 | 100,000 |
| Unauthenticated Privilege Escalation (In Disclosure) | $1,073.00 | 10,000 |
| Authentication Bypass to Admin (In Disclosure) | $1,047.00 | 9,000 |
| Authenticated (Subscriber+) Arbitrary File Deletion (In Disclosure) | $936.00 | 20,000 |
| AI Engine <= 2.9.4 – Missing URL Scheme Validation to Authenticated (Subscriber+) Arbitrary File Read via simpleTranscribeAudio and get_audio Functions | $720.00 | 100,000 |

Want to earn more? Read the scope carefully, target high-threat classes, and include clear reproduction steps with proof of impact. We pay promptly on validated issues, and bonus multipliers may apply during limited-time promotions and challenges.


🔍 WordPress Software Vulnerability Submission Insights – July 2025

This section breaks down how reports map to program outcomes: what’s in scope, what isn’t, and where the highest security impact typically sits. We highlight the most common in-scope vulnerability classes and the categories that yielded the largest rewards so researchers can focus their efforts where they matter most.

Authentication level and exploit preconditions drive risk and reward through our program. Unauthenticated and low-privilege paths tend to have outsized impact because they scale to more real-world compromise. Use these insights to prioritize your testing strategy and maximize both security value and bounty potential.


Total Number of Vulnerabilities Considered In Scope, Out of Scope, Rejected, or Duplicate

| In Scope | Out of Scope | Rejected | Duplicate |
|---|---|---|---|
| 138 | 122 | 47 | 18 |

Top 10 Most Commonly Submitted In-Scope Vulnerability Types

The most frequently submitted vulnerability types highlight current testing focus areas across the researcher community. These patterns often reflect both ease of discovery and prevalence in the WordPress ecosystem.

| Vulnerability Type | Total Submissions | Total Rewards | Avg. Reward |
|---|---|---|---|
| CWE 79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 58 | $1,083.00 | $18.67 |
| CWE 862: Missing Authorization | 16 | $2,639.00 | $164.94 |
| CWE 22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 12 | $2,911.00 | $242.58 |
| CWE 352: Cross-Site Request Forgery (CSRF) | 9 | $288.00 | $32.00 |
| CWE 269: Improper Privilege Management | 4 | $1,640.00 | $410.00 |
| CWE 288: Authentication Bypass Using an Alternate Path or Channel | 4 | $2,099.00 | $524.75 |
| CWE 285: Improper Authorization | 3 | $65.00 | $21.67 |
| CWE 434: Unrestricted Upload of File with Dangerous Type | 3 | $1,838.00 | $612.67 |
| CWE 502: Deserialization of Untrusted Data | 3 | $551.00 | $183.67 |
| CWE 98: Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 3 | $323.00 | $107.67 |

 


Top 10 Highest Rewarded In-Scope Vulnerability Types

While some vulnerabilities appear frequently, others command premium rewards. This breakdown shows which vulnerability classes generated the highest total payouts, indicating both severity and exploitability value.

| Vulnerability Type | Total Rewards | Total Submissions | Avg. Reward |
|---|---|---|---|
| CWE 22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | $2,911.00 | 12 | $242.58 |
| CWE 862: Missing Authorization | $2,639.00 | 16 | $164.94 |
| CWE 288: Authentication Bypass Using an Alternate Path or Channel | $2,099.00 | 4 | $524.75 |
| CWE 434: Unrestricted Upload of File with Dangerous Type | $1,838.00 | 3 | $612.67 |
| CWE 269: Improper Privilege Management | $1,640.00 | 4 | $410.00 |
| CWE 639: Authorization Bypass Through User-Controlled Key | $1,300.00 | 2 | $650.00 |
| CWE 79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | $1,083.00 | 58 | $18.67 |
| CWE 200: Exposure of Sensitive Information to an Unauthorized Actor | $974.00 | 2 | $487.00 |
| CWE 502: Deserialization of Untrusted Data | $551.00 | 3 | $183.67 |
| CWE 89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | $541.00 | 2 | $270.50 |

In-Scope Vulnerability Distribution by Authentication Level

Authentication requirements directly impact real-world exploitability. Unauthenticated and subscriber-level vulnerabilities typically pose greater risk, reflected in both our prioritization and reward structure.

| Authentication Level | Total Vulnerabilities | Avg. Reward |
|---|---|---|
| Contributor | 59 | $23.07 |
| Unauthenticated | 38 | $251.22 |
| Subscriber | 21 | $251.10 |
| Unauthenticated – UI Required | 15 | $102.67 |
| Author | 4 | $23.25 |
| Custom | 1 | $34.00 |

 


Vulnerability Submission Install Count Spread

Install counts help us gauge blast radius. Higher install bases can move a finding into higher priority and often correlate with stronger payouts, while smaller-but-critical ecosystems still qualify when the exploitability and impact warrant it.

| Install Range | Total Vulnerabilities | Average CVSS | Avg. Reward |
|---|---|---|---|
| 1,000–49,999 | 82 | 7.02 | $145.39 |
| 100,000–999,999 | 19 | 6.62 | $187.84 |
| 50,000–99,999 | 17 | 5.95 | $62.65 |
| 0–499 | 15 | 9.13 | $54.47 |
| 500–999 | 3 | 8.10 | $137.33 |
| 1,000,000–4,999,999 | 2 | 5.35 | $93.00 |

 


🌟 Top WordPress Security Researchers – July 2025

Security is a team sport, and this leaderboard celebrates the people raising the bar. We recognize contributors by valid in-scope submissions, overall earnings, and average severity to highlight different paths to excellence.


Top 5 Researchers based on Volume of In-Scope Submissions

Volume leaders demonstrate consistent vulnerability discovery across diverse targets. These researchers excel at systematic testing and maintaining high validation rates.

| Researcher | Total Submissions | Avg. Reward |
|---|---|---|
| zer0gh0st | 44 | $12.05 |
| wesley (wcraft) | 22 | $119.95 |
| Phat RiO – BlueRock | 7 | $324.14 |
| mikemyers | 5 | $191.40 |
| stealthcopter | 5 | $57.20 |

Top 5 Researchers Based on Average CVSS of In-Scope Submissions

Quality over quantity defines these researchers who consistently identify high-severity vulnerabilities. Their average CVSS scores reflect expertise in finding critical security gaps.

| Researcher | Average CVSS | Total Submissions | Avg. Reward |
|---|---|---|---|
| Foxyyy | 9.80 | 1 | $716.00 |
| kr0d | 9.40 | 5 | $130.60 |
| Alyudin Nafiie | 9.30 | 4 | $304.25 |
| johska | 9.20 | 4 | $42.50 |
| Phat RiO – BlueRock | 9.17 | 7 | $324.14 |

Top 5 Researchers Based On Total Bounties Earned

Combining volume with severity, these top earners maximized their impact and rewards through strategic vulnerability research and comprehensive reporting.

| Researcher | Total Earned | Total Submissions | Avg. Reward |
|---|---|---|---|
| wesley (wcraft) | $2,639.00 | 22 | $119.95 |
| Tonn | $2,639.00 | 5 | $527.80 |
| Phat RiO – BlueRock | $2,269.00 | 7 | $324.14 |
| ISMAILSHADOW | $2,130.00 | 3 | $710.00 |
| Peter Thaleikis | $1,388.00 | 4 | $347.00 |

Researchers Promoted to the Next Tier

Congratulations to the following researchers who have unlocked the next tier! Tier promotions reflect sustained performance, precision, and professionalism in disclosure. Advancing unlocks higher caps, faster reviews, and more visibility. If you’re climbing the ranks, focus on high risk vulnerabilities, keep reports crisp, attach working PoCs, and include mitigation notes vendors can ship quickly.

Elite Researcher Tier (1337)

1 researcher advanced to elite status this month.

Resourceful Researcher Tier

😢 No researchers advanced to resourceful status this month.

📣 Current WordPress Bug Bounty Program Promotions

From time to time, we expand scope and add bonuses to accelerate research in high-impact areas. Below you’ll find any active challenges with their timelines and a quick summary of how rewards are calculated.

🌞 Spring Into Summer Challenge: Critical Threats = Critical Rewards

Now through September 4, 2025, earn 2X bounty rewards for all in-scope submissions from our ‘High Threat’ list in software with fewer than 5 million active installs. Submit bold. Earn big!

💉 The SQLsplorer Challenge: Refine your SQLi hunting skills with an expanded scope

Now through September 22, 2025, all SQL Injection vulnerabilities in software with at least 25 active installs are considered in-scope for all researchers, regardless of researcher tier, and every SQL Injection submission earns a 20% bonus. Read More Here.

New to promotions? Start by confirming the software and version range are in scope, validate exploitability on a clean test environment, and submit with clear steps, affected code paths, and impact. Promotions are perfect opportunities for both new and seasoned researchers to maximize earnings while driving faster patch adoption. And remember, you can always check what’s in-scope and out-of-scope by using the Wordfence bounty estimator.


🔦 Critical WordPress Software Vulnerability Highlights – July 2025

These case studies spotlight high-impact vulnerabilities uncovered through the program, why they matter, and how quickly protection rolled out. We share technical detail to help researchers learn, vendors harden code, and users understand why timely updates aren’t optional.

If you maintain a site, update to the patched versions listed and ensure Wordfence is active so you benefit from new firewall coverage as it ships. If you’re a researcher, use these write-ups to inform your hunt: patterns repeat, and past root causes often reappear in adjacent code.

🚨 Forminator Forms Critical Vulnerability

Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.44.2 – Unauthenticated Arbitrary File Deletion Triggered via Administrator Form Submission Deletion

Submitted by: Phat RiO – BlueRock
Bounty Awarded: $8,100
Technical Details:

The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ‘entry_delete_upload_files’ function in all versions up to, and including, 1.44.2.

This makes it possible for unauthenticated attackers to include arbitrary file paths in a form submission. The file will be deleted when the form submission is deleted, whether by an Administrator or via auto-deletion determined by plugin settings.

This can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

 

🔍 HT Contact Form Multiple Vulnerabilities

HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. <= 2.2.1 – Multiple Vulnerabilities

Bounty Awarded: $1,431.00, $991.00 and $675.00
Technical Details:

The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the temp_file_upload() function.

It’s also vulnerable to arbitrary file deletion and file moving due to insufficient file path validation. These vulnerabilities affect unauthenticated users and can lead to remote code execution.

 

⚠ Alone Theme Active Exploitation

Alone – Charity Multipurpose Non-profit WordPress Theme <= 7.8.3 – Missing Authorization to Unauthenticated Arbitrary File Upload via Plugin Installation

Submitted by: Thái An
Bounty Awarded: $501.00
Technical Details:

The “Alone – Charity Multipurpose Non-profit WordPress Theme” theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the alone_import_pack_install_plugin() function in all versions up to, and including, 7.8.3.

This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution.

 

🚨 AI Engine Arbitrary File Upload

AI Engine 2.9.3 – 2.9.4 – Authenticated (Subscriber+) Arbitrary File Upload

Submitted by: ISMAILSHADOW
Bounty Awarded: $1,170.00
Technical Details:

The AI Engine plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the rest_simpleFileUpload() function in versions 2.9.3 and 2.9.4.

This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site’s server when the REST API is enabled, which may make remote code execution possible.
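The HT Contact Form and AI Engine findings above share one root cause, missing file type validation in an upload handler. As an added example (not code from either plugin or from Wordfence), the following PHP shows the check a maintainer would want there: an extension allowlist that is also compared against the file's real content via finfo, so a PHP script renamed to .png, or named with a double extension, is refused. The function names, the allowlist and the demo files are constructed for illustration.

```php
<?php
// Added example, not code from HT Contact Form, AI Engine or Wordfence. It shows
// the file type validation both advisories describe as missing: an extension
// allowlist that is also checked against the file's real content via finfo, so a
// PHP script renamed to .png, or named shell.php.png, is refused. Names are hypothetical.

const EXAMPLE_ALLOWED_TYPES = [
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
    'pdf' => 'application/pdf',
];

/**
 * Return the normalised extension when the client-supplied $name and the
 * uploaded bytes at $tmp_path are an allowed, consistent pair; otherwise null.
 */
function example_validate_upload( string $name, string $tmp_path ): ?string {
    // Exactly one dot: "shell.php.png" must not be accepted as a PNG.
    $parts = explode( '.', basename( $name ) );
    if ( 2 !== count( $parts ) || '' === $parts[0] ) {
        return null;
    }
    $ext = strtolower( $parts[1] );
    if ( ! isset( EXAMPLE_ALLOWED_TYPES[ $ext ] ) ) {
        return null; // not on the allowlist, which by construction excludes php, phtml, phar, htaccess
    }
    // Compare the type the extension claims with what the bytes actually are.
    $detected = ( new finfo( FILEINFO_MIME_TYPE ) )->file( $tmp_path );
    return $detected === EXAMPLE_ALLOWED_TYPES[ $ext ] ? $ext : null;
}

// Constructed demo files standing in for $_FILES[...]['tmp_name'].
$dir = sys_get_temp_dir() . '/example-' . bin2hex( random_bytes( 4 ) );
mkdir( $dir, 0700 );
file_put_contents( "$dir/real.png", "\x89PNG\r\n\x1a\n" . str_repeat( "\0", 16 ) );
file_put_contents( "$dir/fake.png", "<?php echo 'not an image'; ?>" );

$cases = [
    [ 'photo.png', "$dir/real.png" ],     // genuine PNG bytes, allowed extension
    [ 'photo.png', "$dir/fake.png" ],     // PHP source carrying a .png name
    [ 'photo.php.png', "$dir/real.png" ], // double extension
    [ 'upload.php', "$dir/fake.png" ],    // extension not on the allowlist
];
foreach ( $cases as [ $name, $path ] ) {
    echo $name, ' => ', var_export( example_validate_upload( $name, $path ), true ), PHP_EOL;
}
```

Inside WordPress the same extension-versus-content comparison is what wp_check_filetype_and_ext() provides. The capability check the Alone theme advisory describes as missing (current_user_can() in the handler, or permission_callback on a REST route) is a separate gate that has to pass before any of this runs.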

 

🛡 SureForms File Deletion Vulnerability

SureForms – Drag and Drop Form Builder for WordPress <= 1.7.3 – Unauthenticated Arbitrary File Deletion Triggered via Administrator Submission Deletion

Submitted by: Phat RiO – BlueRock
Bounty Awarded: $4,050.00
Technical Details:

The “SureForms – Drag and Drop Form Builder for WordPress” plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_entry_files() function in all versions up to, and including, 1.7.3.

This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
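Both the Forminator and SureForms findings come down to the same defect: a path recorded on a form entry is handed to unlink() without being confined to the plugin's own upload directory. As an added example (not code from either plugin or from Wordfence), this PHP shows the missing check: canonicalise the stored path with realpath() and refuse to delete anything that does not resolve to a regular file strictly inside that directory. The function names, directory layout and demo files are constructed for illustration.

```php
<?php
// Added example, not code from Forminator, SureForms or Wordfence. It shows the
// check both advisories describe as missing: canonicalise a path recorded on a
// form entry and refuse to unlink anything outside the plugin's own upload
// directory. Function names and the directory layout are hypothetical.

/**
 * Return the canonical path if $stored_path is a regular file strictly inside
 * $base_dir, otherwise null. realpath() resolves "../" segments and symlinks
 * before the prefix comparison, so a link placed inside the upload directory
 * that points at wp-config.php is rejected as well.
 */
function example_resolve_entry_file( string $base_dir, string $stored_path ): ?string {
    $base = realpath( $base_dir );
    $real = realpath( $stored_path );
    if ( false === $base || false === $real ) {
        return null; // base directory or target does not exist
    }
    // Trailing separator so /uploads/forms-other does not match /uploads/forms.
    if ( 0 !== strpos( $real, $base . DIRECTORY_SEPARATOR ) ) {
        return null;
    }
    return is_file( $real ) ? $real : null; // never unlink directories or devices
}

/**
 * Delete one attachment recorded on a form entry. Returns true only when a
 * file inside $base_dir was removed; anything else is logged and skipped.
 */
function example_delete_entry_file( string $base_dir, string $stored_path ): bool {
    $safe = example_resolve_entry_file( $base_dir, $stored_path );
    if ( null === $safe ) {
        error_log( 'Refusing to delete path outside upload dir: ' . $stored_path );
        return false;
    }
    return unlink( $safe );
}

// Constructed demo: a temporary upload directory with one attachment and a
// sibling config file standing in for wp-config.php.
$root = sys_get_temp_dir() . '/example-' . bin2hex( random_bytes( 4 ) );
mkdir( "$root/uploads/forms", 0700, true );
file_put_contents( "$root/uploads/forms/receipt.pdf", 'attachment' );
file_put_contents( "$root/config.php", 'secret' );
$base = "$root/uploads/forms";

// A traversal path stored with the entry must leave the config file alone.
echo 'traversal deleted: ', var_export( example_delete_entry_file( $base, "$base/../../config.php" ), true ), PHP_EOL;
echo 'config still present: ', var_export( file_exists( "$root/config.php" ), true ), PHP_EOL;
// The legitimate attachment is removed as intended.
echo 'attachment deleted: ', var_export( example_delete_entry_file( $base, "$base/receipt.pdf" ), true ), PHP_EOL;
```

The deletion-time check is the second layer; the first is never storing a client-supplied path at submission time, only a server-generated basename that is joined to the upload directory when the entry is deleted.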


📝 Conclusion

WordPress thrives when researchers, vendors, hosts, and site owners pull in the same direction. By funding high-quality research, coordinating responsible disclosure, and shipping firewall rules at scale, Wordfence turns findings into protection for millions of sites.

If you’re a researcher, join the program and submit your next report. If you’re a site owner, update early and often, and run Wordfence to stay ahead of emerging threats. If you’re a vendor, sign up for the vulnerability management portal to receive real-time notifications when new vulnerabilities are reported in your software. Together, we make the ecosystem safer every month.

The post Wordfence Bug Bounty Program Monthly Report – July 2025 appeared first on Wordfence.
