From now through September 22, 2025, we’re running our SQLsplorer Challenge, focused on SQL Injection vulnerabilities. During this challenge, we’re expanding the scope of the Wordfence Bug Bounty Program to encourage deeper research into SQL Injection vulnerabilities and broader participation from researchers looking to get started, and we’re adding a 20% bounty bonus for all valid SQL Injection reports submitted during the challenge.
Opportunities for Researchers of All Levels
Last year’s XSSplorer Challenge was a great success, opening the door for many new researchers to get started with the Wordfence Bug Bounty Program. Since then, we’ve been eager to launch a new challenge with the same goal: providing new researchers a chance to sharpen their skills, while giving seasoned researchers an opportunity to earn even more.
Expanded Scope: SQL Injection Across All Auth Levels
During the SQLsplorer Challenge, all SQL Injection vulnerabilities in software with at least 25 active installations are in scope, at every authentication level except high-privileged. This scope expansion applies to all researchers, regardless of your current researcher tier.
This means that all researchers, new and experienced, can submit SQL Injection vulnerabilities at the unauthenticated, subscriber, contributor, or author level in any WordPress plugin or theme, as long as that plugin or theme has at least 25 active installations, and earn a bounty per submission.
The only exception: High-privileged authentication levels, such as Administrator or Editor, remain out of scope. This is consistent with our standard policy and ensures we maintain a strong focus on vulnerabilities that present broader risk.
20% Bonus on SQL Injection Reports
All valid SQL Injection vulnerabilities submitted during the SQLsplorer Challenge will receive a 20% bonus added to the standard bounty payout. This bonus applies automatically to eligible reports submitted through the Wordfence Bug Bounty Program between now and September 22, 2025. Please note this bonus is automatically factored in when using the bounty estimator.
Introducing the SQLi Achievement Badge
To mark this occasion, we are also introducing a new Achievement Badge for SQL Injection (SQLi) vulnerabilities. Any researcher who has already submitted at least one SQLi vulnerability will receive this badge, and new researchers who submit their first SQLi vulnerability during the challenge, or in the future, will also be awarded the badge.
Spring into Summer High Threat Challenge Extended
We’ve also been running our Spring into Summer Challenge for the past 60 days, and due to the success of the challenge, we’ve decided to extend it for an additional month.
All valid submissions for vulnerabilities in our high threat list receive 2x the standard reward through September 4th, 2025. Please note our superhero bounties in the 5,000,000+ active install range are excluded from the challenge (those rewards are still up to $31,200).
As a reminder, vulnerabilities from our high threat list in wp.org software with at least 25 active installations are in-scope for ALL researchers. The minimum install count for off-repo software is 1,000 for all researchers. High Threat Vulnerabilities include any of the following vulnerability types exploitable by unauthenticated or authenticated low-level (subscriber, customer) users:
- Arbitrary File Upload (that leads to RCE) – bounties up to $20,800 (excl. superhero bounties)
- Remote Code Execution – bounties up to $20,800 (excl. superhero bounties)
- Arbitrary Options Update (where the default role can be updated to administrator) – bounties up to $20,800 (excl. superhero bounties)
- Privilege Escalation to Admin – bounties up to $20,800 (excl. superhero bounties)
- Authentication Bypass to Admin – bounties up to $20,800 (excl. superhero bounties)
- Arbitrary File Deletion – bounties up to $14,400 (excl. superhero bounties)
- Arbitrary File Read – bounties up to $4,267 (excl. superhero bounties)
Wordfence’s Commitment to WordPress Security
Wordfence remains committed to advancing WordPress security research. Since the launch of our Bug Bounty Program in November 2023, we have awarded over half a million dollars in bounties, which you can track here. We ensure that vulnerabilities are confidentially disclosed to vendors through our new vulnerability management portal, and we work with those vendors to patch and release updates before any findings are made public. We then share prominent vulnerabilities on our blog to help other security vendors improve their products and to raise awareness within the community about the importance of keeping software up to date.
In addition to our bug bounty program, Wordfence offers a free, comprehensive vulnerability database accessible through a web interface, webhook integration, and API. While some vendors treat vulnerabilities as proprietary, we believe they should be considered public information, and we do not charge for access to our database. Our commitment to timely and responsible disclosure further underscores our mission to secure the web.
Join the Effort to Secure the Web
If you are a vulnerability researcher, the WordPress community greatly appreciates your work, and the Wordfence team is excited to support you in our shared mission of securing the Web.
If you are interested in becoming a researcher, we encourage you to learn more and sign up here. We look forward to your participation. Happy hunting!
P.S. Stay tuned for a complete guide to hunting SQLi vulnerabilities for beginners that we’ll be publishing this week!
The post WordPress SQLsplorer Challenge: Bigger Scope and Bounties for All Researchers in the Wordfence Bug Bounty Program appeared first on Wordfence.