Plugin Developer Handbook

Reporting Plugin Security Issues

💡 云策 document annotation

Overview

This document explains how to properly report security issues in WordPress plugins, stresses that public disclosure should be avoided, and gives step-by-step instructions for reporting to the official team.

Key points

  • Do not report WordPress Core security issues to the plugin team; follow the core vulnerability reporting process instead.
  • When you find a security issue in a plugin, never discuss it publicly anywhere, so as not to increase the risk of it being exploited.
  • Report plugin security issues by email to plugins@wordpress.org, including a description of the issue, a link to the plugin, whether you have validated it, and similar details.
  • Before reporting, try to contact the plugin developer directly; if you cannot reach them, ask the official team for help.
  • Until the issue is resolved, the plugin may be closed to downloads, and the official team does not help with filing CVEs.

Notes

  • If the vulnerability has already been disclosed publicly, do not delete the report; the team will forward it to the developer.

📄 Original content
Please do not report security issues with WordPress Core to the plugin team. To report an issue with WordPress itself, follow the directions for reporting security vulnerabilities.

If you find a plugin with a security issue, please do not post about it publicly anywhere. Even if there’s a report filed on one of the official security tracking sites, bringing more awareness to the security issue tends to increase people being hacked, and rarely speeds up the fixing.

To report a plugin, please email plugins@wordpress.org with the following:

  • a clear and concise description of the issue
  • a link to the specific plugin
  • whether or not you have validated the security issue yourself
  • optional – links to any public disclosures on 3rd party sites

In the case of serious exploits, please keep in mind responsible and reasonable disclosure. Every attempt to contact the developer directly should be made before you report the plugin to us (though we understand this can be difficult – check the plugin's source code first; many developers list their email addresses there). If you cannot contact them privately, please contact us directly and we’ll help out.

Most plugins are closed to prevent new downloads until the issue is resolved. As such, you may not be alerted of a fix until the plugin is updated. We also do not provide assistance with filing CVEs at this time, due to a lack of resources. You’re welcome to do so on your own, but we cannot help you.

If you’ve already posted the vulnerability in public and provided a link to your report, please do not delete it! We will pass it on directly to the developers of the plugin.