Some useful resources for hacking WordPress and its plugins and themes.
If you're passionate about finding and reporting WordPress vulnerabilities, consider joining these bug bounty programs: Wordfence and Patchstack. Signing up through my Wordfence link gives me a small bonus when you report 5 vulns, helping support my work on tools and resources for the community. Thank you!
I have written a plugin designed to help with dynamic analysis and hacking of WordPress plugins and themes; it can be found in the plugin branch of this repo.
The reports directory contains a selection of my vulnerability reports that were submitted to bug bounty programs and have since been publicly disclosed. I've tried to include a good cross-section of different vulnerability types.
CVE | Bounty | Vulnerability | Links (📄 Report, 🐍 Python PoC, 🔗 Blog) |
---|---|---|---|
CVE-2024-30509 | 11.25 AXP | SellKit Subscriber+ Arbitrary File Download | 📄 🐍 |
CVE-2024-3242 | $469 | Brizy Contributor+ Arbitrary File Upload | 📄 🐍 |
CVE-2024-4361 | $325 | SiteOrigin Contributor+ XSS | 📄 |
CVE-2024-22144 | 270 AXP | GoTMLS Unauthenticated RCE | 📄 🐍 🔗 |
CVE-2024-6386 | $1639 | WPML Contributor+ SSTI to RCE | 📄 🔗 |
CVE-2024-4637 | $434 | Slider Revolution Contributor+ XSS | 📄 🐍 |
CVE-2024-5153 | $361 | Starlar Elementor Addons Arbitrary Folder Deletion | 📄 🐍 |
CVE-2024-52376 | 60 AXP | Boat Rental System Unauthenticated Arbitrary File Upload | 📄 🐍 |
CVE-2024-50477 | 58.8 AXP | Stacks Mobile App Unauthenticated Privilege Escalation | 📄 |
CVE-2025-0366 | $782 | Jupiterx Core Contributor+ SVG to RCE | 📄 🐍 🔗 |
These 📄 reports are in the original format in which they were submitted. Any mistakes are mine; for prettier versions, please see the ones that have linked blog posts 🔗. Where I created a Python proof-of-concept script, you will find it in the folder or directly by clicking on 🐍.
Feel free to reuse my Python code to help write your own PoCs; in future I may turn some of the functions into an easy-to-use library.
If you love what I'm doing with wordpress-hacking or my other projects, please feel free to contribute without spending money by creating issues, PRs, or just messaging me to let me know you use it. And of course, you can directly sponsor this project on GitHub or buy me a coffee ☕! Thank you for your support – it means the world to me and the open source community!