Where do I report security issues?

If you are here to report any sort of security issue with a site hosted on WordPress.com, then please submit a report at the Automattic HackerOne page. If the issue you’re trying to report is on WordPress.com and is not a security issue, then please use their support forums instead.

If you’re having an issue with your own self-hosted WordPress.org site that is not a security issue, then please use the WordPress.org support forums.

For security issues with WordPress plugins, follow the information on Reporting Plugin Security Issues.

For security issues with the self-hosted version of WordPress, submit a report at the WordPress HackerOne page. Include as much detail as you can. Please always use HackerOne instead of Core Trac, even if the vulnerability is only in trunk, or a beta/RC release, because there are some sites that run those in production.

In all cases, you should not share the details with anyone else until after the fix for the bug has been officially released to the public.
