We take the security of this project seriously. If you believe you have found a vulnerability, follow the coordinated disclosure process below.
- Email: [email protected]
- Subject line: `SECURITY: <brief summary>`
- Include (as applicable):
  - Affected file(s) / section(s)
  - Description of the issue and its impact
  - Steps to reproduce (a minimal proof-of-concept if possible)
  - Any suggested remediation ideas
  - Whether the issue has been disclosed elsewhere
Please DO NOT open a public GitHub issue for potential vulnerabilities.
| Phase | Target time |
|---|---|
| Acknowledgement | ≤ 3 business days |
| Initial assessment | ≤ 5 business days |
| Remediation plan | Typically within 10 business days (complexity dependent) |
| Advisory / changelog update | At fix release |
In-scope issues include (non-exhaustive):
- Sensitive data exposure through documentation or scripts
- Unsafe code examples promoting injection / XSS / CSRF / SSRF / privilege escalation
- Incorrect guidance that weakens WordPress hardening (e.g., advising disabling core protections)
- Supply chain risks in automation (script execution of untrusted input)
Out-of-scope examples:
- Typos, broken non-security links
- UI/UX polish issues with no security implication
- Vulnerabilities in third-party platforms referenced (report upstream)
If you can suggest a safe interim mitigation, include it. Avoid recommending insecure workarounds (e.g., disabling sanitisation) unless strictly necessary and clearly caveated.
We prefer coordinated disclosure. We will notify you when a fix is prepared and may request retest confirmation. Public acknowledgement is optional—let us know if you would like credit.
- WordPress Security: https://developer.wordpress.org/security
- WordPress Coding Standards: https://developer.wordpress.org/coding-standards/wordpress-coding-standards/
- Project secure coding instructions: `.github/instructions/security-and-owasp.instructions.md`
- Principle of least privilege
- Input sanitisation on ingress, context-specific escaping on egress
- Nonce + capability checks for state-changing operations (where code examples exist)
- Avoidance of unsafe deserialisation patterns
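The following is an added illustration of the four principles above in a WordPress settings handler; it is not code from this project. The option name `example_plugin_banner_text`, the action name `example_plugin_save_banner`, and the text domain `example-plugin` are hypothetical names chosen for the example; the WordPress functions it calls (`current_user_can`, `wp_nonce_field`, `check_admin_referer`, `sanitize_text_field`, `esc_html`, `esc_attr`, `esc_url`) are standard core API.

```php
<?php
/**
 * Added example (not part of this project): a minimal settings form and
 * handler that applies least privilege, nonce + capability checks,
 * sanitisation on ingress, and context-specific escaping on egress.
 * Option/action/text-domain names are hypothetical.
 */

// Render the form. Every dynamic value is escaped for its output context.
function example_plugin_render_banner_form() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // Least privilege: users without the capability never see the form.
    }
    $current = get_option( 'example_plugin_banner_text', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_plugin_save_banner">
        <?php wp_nonce_field( 'example_plugin_save_banner', 'example_plugin_nonce' ); ?>
        <label for="banner_text">Banner text</label>
        <input type="text" id="banner_text" name="banner_text"
               value="<?php echo esc_attr( $current ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Handle the submission: capability check, nonce check, then sanitise on ingress.
function example_plugin_save_banner() {
    // Capability check: only users allowed to change options may reach this state change.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do this.', 'example-plugin' ), 403 );
    }

    // Nonce check: a request without a valid nonce for this action is rejected (CSRF defence).
    check_admin_referer( 'example_plugin_save_banner', 'example_plugin_nonce' );

    // Sanitise on ingress: remove the slashes WordPress adds to request data,
    // then reduce the value to a plain, tag-free single line of text.
    $text = isset( $_POST['banner_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['banner_text'] ) )
        : '';

    // Store a plain string. User-controlled data is never unserialised or
    // stored as a serialised structure, which avoids unsafe deserialisation.
    update_option( 'example_plugin_banner_text', $text );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php' ) ) );
    exit;
}
add_action( 'admin_post_example_plugin_save_banner', 'example_plugin_save_banner' );

// Output on the front end: escape for the HTML body context at the point of egress.
function example_plugin_print_banner() {
    $text = get_option( 'example_plugin_banner_text', '' );
    if ( '' !== $text ) {
        echo '<div class="example-banner">' . esc_html( $text ) . '</div>';
    }
}
add_action( 'wp_body_open', 'example_plugin_print_banner' );
```

Sanitisation happens once, where data enters (`sanitize_text_field` on the POST value), while escaping is chosen per output context (`esc_attr` inside an attribute, `esc_html` in the page body, `esc_url` for the form action); doing only one of the two is the usual source of stored XSS in plugin code.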
Security-relevant changes are noted under the Security section in `CHANGELOG.md` (Keep a Changelog format). If the impact warrants it, a separate advisory / GitHub Security Advisory may be issued.
Thank you for helping keep the ecosystem safer.