On October 11th, 2025, we received a submission for an Account Takeover via Email Log Disclosure vulnerability in Post SMTP, a WordPress plugin with more than 400,000 active installations. This vulnerability makes it possible for an unauthenticated attacker to view email logs, including password reset emails, and change the password of any user, including an … Read more
Calling all Vulnerability Researchers and Bug Bounty Hunters! The LFInder Challenge: Refine your LFI hunting skills with an expanded scope. Now through November 24, 2025, all LFI vulnerabilities in software with at least 25 active installs are considered in-scope for all researchers, regardless of researcher tier, AND earn a 30% bonus on all Local File … Read more
Calling all Vulnerability Researchers and Bug Bounty Hunters! Operation: Maximum Impact Challenge! Now through November 10, 2025, earn 2X bounty rewards for all in-scope submissions in software with at least 5,000 active installs and fewer than 5 million active installs. Bounties up to $31,200 per vulnerability. Submit bold. Earn big! The LFInder Challenge: Refine … Read more
On October 4th, 2025, we received a submission for a Sensitive Information Exposure vulnerability in AI Engine, a WordPress plugin with more than 100,000 active installations. This vulnerability can be exploited by unauthenticated attackers to extract the bearer token and then get full access to the MCP and execute various commands like ‘wp_update_user’, allowing them … Read more
On October 11th, 2025, we received a submission for an Account Takeover via Email Log Disclosure vulnerability in Post SMTP, a WordPress plugin with more than 400,000 active installations. This vulnerability makes it possible for an unauthenticated attacker to view email logs, including password reset emails, and change the password of any user, including an … Read more
