Reporting Plugin Security Issues
Warning: Please do not report security issues with WordPress Core to the plugin team. To report an issue with WordPress itself, follow the directions for reporting security vulnerabilities.
If you find a plugin with a security issue, please do not post about it publicly anywhere. Even if there’s a report filed on one of the official security tracking sites, bringing more awareness to the security issue tends to increase people being hacked, and rarely speeds up the fixing.
Please email plugins@wordpress.org with a clear and concise description of the issue. It greatly helps if you can provide us with how you verified this is an exploit (links to the plugin listing on sites like secunia.com are perfect).
In the case of serious exploits, please keep in mind responsible and reasonable disclosure. Every attempt to contact the developer directly should be made before you reported the plugin to us (though we understand this can be difficult – check in the source code of the plugin first, many developers list their emails). If you cannot contact them privately, please contact us directly and we’ll help out.
Most plugins are closed to prevent new downloads until the issue is resolved. As such, you may not be alerted of a fix until the plugin is updated. We also do not provide assistance with filing CVEs at this time, due to a lack of resources. You’re welcome to do so on your own, but we cannot help you.
If you provided a link to your report, please do not delete it! We will pass it on directly to the developers of the plugin.