Automattic


102 total issues disclosed

$20,749 total paid publicly


Most disclosed (18 disclosures) — Cross-site Scripting (XSS) - Generic




Disclosed Reports


| Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed on |
| --- | --- | --- | --- | --- |
| Ability to subscribe to inactive Post+ creators | Business Logic Errors | ajoekerr | Low | 2021-10-05 |
| Reflected XSS in https://www.intensedebate.com/js/getCommentLink.php | Cross-site Scripting (XSS) - Reflected | sudi | Medium | 2021-01-30 |
| [intensedebate.com] SQL Injection Time Based On /js/commentAction/ | SQL Injection | fuzzme | Critical | 2021-01-01 |
| SQL Injection Union Based | None supplied | fuzzme | Critical | 2021-01-01 |
| Sql injection on docs.atavist.com | SQL Injection | lu3ky-13 | High | 2020-12-08 |
| [api.tumblr.com] Denial of Service by cookies manipulation | Denial of Service | fuzzme | Medium | 2020-11-29 |
| Permanent DoS with one click. | Denial of Service | cyanpiny | Medium | 2020-11-19 |
| IDOR when editing users leads to Account Takeover without User Interaction at CrowdSignal | Insecure Direct Object Reference (IDOR) | bugra | Critical | 2020-11-18 |
| IDOR when moving contents at CrowdSignal | Insecure Direct Object Reference (IDOR) | bugra | High | 2020-11-18 |
| IDOR leads to Edit Anyone's Blogs / Websites | Insecure Direct Object Reference (IDOR) | mygf | High | 2020-11-18 |
| Stored XSS on app.crowdsignal.com + your-subdomain.survey.fm via Embed Media | Cross-site Scripting (XSS) - Stored | mygf | Medium | 2020-11-18 |
| Stored XSS on https://app.crowdsignal.com/surveys/[Survey-Id]/question - Bypass | Cross-site Scripting (XSS) - Stored | mygf | High | 2020-11-18 |
| No Email Checking at Invitation Confirmation Link leads to Account Takeover without User Interaction at CrowdSignal | Improper Access Control - Generic | bugra | Critical | 2020-11-18 |
| Site-wide CSRF at Atavist | None supplied | bugra | High | 2020-11-18 |
| No Rate Limit when accessing "Password protection" enabled surveys leads to bypassing passwords via "pd-pass_surveyid" cookie | Business Logic Errors | bugra | Low | 2020-11-18 |
| Can buy Atavist Magazine subscription for free | Improper Access Control - Generic | bugra | High | 2020-11-18 |
| Captcha checker "pd-captcha_form_SURVEYID" cookie is accepting any value | Improper Access Control - Generic | bugra | Medium | 2020-11-18 |
| IDOR when editing email leads to Account Takeover on Atavist | Insecure Direct Object Reference (IDOR) | bugra | Critical | 2020-11-18 |
| Reflected XSS on a Atavist theme | Cross-site Scripting (XSS) - Reflected | bugra | Medium | 2020-11-18 |
| Reflected XSS at /category/ on a Atavis theme | Cross-site Scripting (XSS) - Reflected | bugra | Medium | 2020-11-18 |
| Reflected XSS on a Atavist theme at external_import.php | Cross-site Scripting (XSS) - Reflected | bugra | High | 2020-11-18 |
| Users can bypass page restrictions via Export feature at "Share" feature in CrowdSignal | None supplied | bugra | Medium | 2020-11-18 |
| IDOR at 'media_code' when addings media to questions | Insecure Direct Object Reference (IDOR) | bugra | Medium | 2020-11-18 |
| Rate Limit Misconfiguration on tumblr login . | Improper Authentication - Generic | u0pattern | No rating | 2020-11-13 |
| [api.tumblr.com] Exploiting clickjacking vulnerability to trigger self DOM-based XSS | UI Redressing (Clickjacking) | fuzzme | Low | 2020-10-09 |
| Denial-of- service By Cache Poisoning The Cross-Origin Resource Sharing Misconfiguration Allow Origin Header | Denial of Service | hannanhaseeb | Medium | 2020-08-14 |
| DOM-Based XSS in tumblr.com | Cross-site Scripting (XSS) - DOM | keer0k | Medium | 2020-07-27 |
| [tumblr.com] 69< Firefox Only XSS Reflected | Cross-site Scripting (XSS) - Reflected | fuzzme | Medium | 2020-07-09 |
| Denial of service to WP-JSON API by cache poisoning the CORS allow origin header | Denial of Service | nathand | Medium | 2020-04-16 |
| Stored XSS in wordpress.com | Cross-site Scripting (XSS) - Stored | adhamsadaqah | High | 2020-02-17 |
| WooCommerce Blacklist in 'map_meta_cap' leads to Privilege Escalation of Shopmanagers | Privilege Escalation | simonscannell | High | 2019-12-19 |
| Authenticated Code Execution through Phar deserialization in CSV Importer as Shop manager in WooCommerce | Deserialization of Untrusted Data | simonscannell | High | 2019-12-19 |
| Stored XSS in Jetpack's Simple Payment Module by Contributors / Authors | Cross-site Scripting (XSS) - Stored | simonscannell | Medium | 2019-12-19 |
| [IDOR] Attacker user can Approve/Decline AFK on the behalf of other users | Insecure Direct Object Reference (IDOR) | hodkasia_sachin | No rating | 2019-12-01 |
| Stored Self XSS on https://app.crowdsignal.com (in Photo Insert App) + Stored XSS on https://*your-subdomain*.survey.fm | Cross-site Scripting (XSS) - Stored | mygf | High | 2019-10-21 |
| Stored XSS vulnerability in comments on *.wordpress.com | Cross-site Scripting (XSS) - Stored | poutine_hero | Medium | 2019-10-21 |
| Broken Authentication - Security token gets captured via man in the middle attack | Improper Authentication - Generic | dermeister | High | 2019-06-22 |
| Multiple File Manipulation bugs in WP Super Cache | None supplied | paulos_ | No rating | 2018-10-29 |
| RCE via Print function [Simplenote 1.1.3 - Desktop app] | Code Injection | luigigubello | High | 2018-07-26 |
| Wordpress.com REST API oauth bypass via Cross Site Flashing | Cross-Site Request Forgery (CSRF) | opnsec | Medium | 2018-04-26 |
| Stored XSS in learnboost.com via the lesson[goals] parameter. | Cross-site Scripting (XSS) - Stored | edoverflow | No rating | 2018-04-22 |
| Stored XSS in www.learnboost.com via ZIP codes. | Cross-site Scripting (XSS) - Stored | edoverflow | No rating | 2018-04-22 |
| Remote Code Execution in Wordpress Desktop | Code Injection | mattaustin | Critical | 2018-04-15 |
| wpjobmanager - unserialize of user input | None supplied | b258ea62bf297b02afa9854 | Medium | 2018-03-03 |
| Improper markup sanitisation in Simplenote Android application. | UI Redressing (Clickjacking) | edoverflow | No rating | 2018-02-13 |
| Crafted frame injection leading to form-based UI redressing. | UI Redressing (Clickjacking) | edoverflow | No rating | 2017-12-31 |
| [public-api.wordpress.com] Stored XSS via Crafted Developer App Description | Cross-site Scripting (XSS) - Stored | ysx | Medium | 2017-12-01 |
| [Simplenote for Windows] Client RCE via External JavaScript Inclusion leveraging Electron | Code Injection | ysx | High | 2017-12-01 |
| Lazy Load stored XSS | Cross-site Scripting (XSS) - Generic | jouko | No rating | 2017-12-01 |
| Improper markup sanitization. | UI Redressing (Clickjacking) | edoverflow | No rating | 2017-12-01 |
| Stored XSS Using Media | Cross-site Scripting (XSS) - Stored | dyoon | Medium | 2017-11-26 |
| Persistent Cross-Site Scripting in WooCommerce WordPress plugin | Cross-site Scripting (XSS) - Generic | dutchgraa | No rating | 2017-11-16 |
| [app.simplenote.com] Stored XSS via Markdown SVG filter bypass | Cross-site Scripting (XSS) - Stored | ysx | Medium | 2017-11-12 |
| Invalidate session after password reset on https://polldaddy.com | Insufficient Session Expiration | nullsaint | No rating | 2017-11-09 |
| xss filter bypass [polldaddy] | Cross-site Scripting (XSS) - Generic | paresh_parmar | No rating | 2017-10-01 |
| https://secure.gravatar.com | None supplied | isaeva | Medium | 2017-09-17 |
| woocommerce - prevent_caching() bug / bypass | None supplied | b258ea62bf297b02afa9854 | Medium | 2017-09-16 |
| Unauthenticated RCE in Vaultpress | None supplied | b258ea62bf297b02afa9854 | Critical | 2017-09-15 |
| Object Injection in Woocommerce / Handle PDT Responses from PayPal | None supplied | b258ea62bf297b02afa9854 | Medium | 2017-09-11 |
| Timing attack woocommerce, simplify commerce gateway | None supplied | b258ea62bf297b02afa9854 | Medium | 2017-09-11 |
| XSS Vulnerability in WooCommerce Product Vendors plugin | Cross-site Scripting (XSS) - Reflected | ramuelgall | Low | 2017-08-22 |
| SSRF and local file disclosure in https://wordpress.com/media/videos/ via FFmpeg HLS processing | Information Disclosure | neex | No rating | 2017-07-29 |
| CPU utilization 99% on visiting wordpress site url & open redirect found | Open Redirect | csanuragjain | No rating | 2017-07-23 |
| An Automattic employee's GitHub personal access token exposed in Travis CI build logs | Information Exposure Through an Error Message | sainaen | Medium | 2017-06-06 |
| cloudup Subdomain Takeover That resolves to Desk.com ( CNAME cloudup.desk.com ) | Violation of Secure Design Principles | babayaga_ | Medium | 2017-02-02 |
| Follow Button XSS | Cross-site Scripting (XSS) - Generic | bobrov | No rating | 2016-10-28 |
| WooCommerce: Support Ticket indirect object reference | Cross-Site Request Forgery (CSRF) | paresh_parmar | No rating | 2016-09-02 |
| [bbPress] Stored XSS in any forum post. | Cross-site Scripting (XSS) - Generic | psych0tr1a | No rating | 2016-09-01 |
| WordPress core stored XSS via attachment file name | Cross-site Scripting (XSS) - Generic | jouko | No rating | 2016-08-06 |
| WordPress Flash XSS in *flashmediaelement.swf* | Cross-site Scripting (XSS) - Generic | cure53 | No rating | 2016-07-10 |
| WordPress SOME bug in plupload.flash.swf leading to RCE | Code Injection | cure53 | No rating | 2016-07-10 |
| XSS on codex.wordpress.org | Cross-site Scripting (XSS) - Generic | spam404 | No rating | 2016-06-19 |
| Remove anyone's pic gravtar | Improper Authentication - Generic | akshyy | No rating | 2016-06-05 |
| Akismet Several CSRF vulnerabilities | Cross-Site Request Forgery (CSRF) | eboda | No rating | 2016-05-28 |
| XSS on www.wordpress.com | Cross-site Scripting (XSS) - Generic | spam404 | No rating | 2016-04-28 |
| Possible Timing Side-Channel in XMLRPC Verification | Cryptographic Issues - Generic | voodookobra | No rating | 2016-03-17 |
| Internal GET SSRF via CSRF with Press This scan feature | Cross-Site Request Forgery (CSRF) | skansing | No rating | 2016-03-04 |
| XSS at www.woothemes.com | Cross-site Scripting (XSS) - Generic | valievkarim | No rating | 2016-02-19 |
| XSS at wordpress.com | Cross-site Scripting (XSS) - Generic | valievkarim | No rating | 2016-02-18 |
| CSV Injection in polldaddy.com | None supplied | strukt | No rating | 2015-11-20 |
| XSS in WordPress | Cross-site Scripting (XSS) - Generic | blinkms | No rating | 2015-10-16 |
| Verification code issues for Two-Step Authentication | Improper Authentication - Generic | maverickrocky02 | No rating | 2015-09-20 |
| User Enumeration and Guessable User Account Attack on WORDPRESS | None supplied | coolboss | No rating | 2014-09-13 |
| XSS on gravatar | Cross-site Scripting (XSS) - Generic | simon90 | No rating | 2014-09-07 |
| Missing HSTS header in https://public-api.wordpress.com | Cryptographic Issues - Generic | mohaab007 | No rating | 2014-08-28 |
| Missing HSTS header in https://app.simplenote.com | Cryptographic Issues - Generic | mohaab007 | No rating | 2014-08-17 |
| Top 10 2013-A2-Broken Authentication and Session Management - wordpress.com | Improper Authentication - Generic | mohaab007 | No rating | 2014-08-17 |
| privilege escalation | Improper Authentication - Generic | niks | No rating | 2014-08-10 |
| xss in simperium.com | Cross-site Scripting (XSS) - Generic | derknet | No rating | 2014-08-10 |
| Open Redirect in WordPress Feed Statistics {Affected All Versions} | Open Redirect | mtk | No rating | 2014-08-07 |
| information disclosure | Information Disclosure | niks | No rating | 2014-07-16 |
| Process of changing email address and password does not asks old Password. | Improper Authentication - Generic | siddiki | No rating | 2014-07-11 |
| xss in app.simplenote.com | Cross-site Scripting (XSS) - Generic | derknet | No rating | 2014-07-08 |
| HTML form without CSRF protection | Cross-Site Request Forgery (CSRF) | 0xsaikiran | No rating | 2014-07-08 |
| https://polldaddy.com storage.swf XSS | Cross-site Scripting (XSS) - Generic | smiegles | No rating | 2014-07-08 |
| logout csrf app.simplenote.com/logout | Cross-Site Request Forgery (CSRF) | derknet | No rating | 2014-07-08 |
| http://jetpack.me/ Self XSS | Cross-site Scripting (XSS) - Generic | smiegles | No rating | 2014-07-08 |
| genericons.com - DOM based XSS. | Cross-site Scripting (XSS) - Generic | smiegles | No rating | 2014-07-08 |
| Serving Transitions From: HTTP Protocol (not secure) | Information Disclosure | kmh127001 | No rating | 2014-06-04 |
| Session Cookie without Secure flag set | None supplied | 0xsaikiran | No rating | 2014-05-21 |
| Session Cookie without Secure flag set | None supplied | 0xsaikiran | No rating | 2014-05-21 |
| Simplenote Silverlight cross-domain policy misconfiguration | Cross-Site Request Forgery (CSRF) | melvin | No rating | 2014-05-17 |