How to report a theme
If you find a theme with a security issue, please do not post about it publicly anywhere. Even if there’s a report filed on one of the official security tracking sites, bringing more awareness to the security issue tends to increase people being hacked, and rarely speeds up the fixing.
To report a theme that is in the WordPress.org theme directory, please go to the theme’s directory listing (For example, https://wordpress.org/themes/twentytwentythree/) and use the “Report this theme” button in the sidebar, and complete the form.
You can also send reports of security issues to themes@wordpress.org. Include the following:
- a clear and concise description of the issue
- a link to the specific theme
- whether or not you have validated the security issue yourself
- optional – links to any public disclosures on 3rd party sites
For developers
What to do when you receive a request to update your theme
If your theme has been reported and the Themes Team decides that action needs to be taken, you will receive an email from the Themes Team with information and instructions.
– You may be asked to solve an issue within a specific time frame. This depends on the severity of the issue.
– The Themes Team may need to suspend your theme to prevent new downloads until the issue is resolved.
You must reply to the email if you have any questions, need more information, or need more time.
Test your theme update carefully and submit it through the upload form on the theme directory page.
Learn more about how the Themes team works with theme suspensions and delisting.
Resources
To learn more about theme security, please see the Security chapter of the common APIs handbook.