Reporting Plugin Security Issues

If you find a plugin with a security issue, please do not post about it publicly anywhere. Even if there’s a report filed on one of the official security tracking sites, bringing more awareness to the security issue tends to increase the number of people being hacked, and rarely speeds up the fix.

Please email plugins@wordpress.org with a clear and concise description of the issue. It greatly helps if you can tell us how you verified that this is an exploit (links to the plugin listing on sites like secunia.com are perfect).

In the case of serious exploits, please keep in mind responsible and reasonable disclosure. Every attempt to contact the developer directly should be made before you report the plugin to us (though we understand this can be difficult; check the source code of the plugin first, as many developers list their emails).

Since our policy is to close the plugin (preventing new downloads) until it’s fixed, you may not be alerted to a fix until the plugin is updated.

If you provided a link to your report, please do not delete it! We will pass it on directly to the developers of the plugin.