Forum Thread: Should I Tell Wordpress About a 0day?


Today I was checking out Wordpress code, and I found a vulnerability. A Privilege Escalation 0day.... I don't know what to do. Should I turn it in?


33 Responses

If it is in fact a vulnerability (and not a false-positive), you should most definitely turn it in. I don't know what kind of bug bounty program Wordpress does, but it should qualify.

No...publish it or sell it.

Publishing it is not blackhat.

Publishing as in telling Wordpress about it? That's not what it sounded like. Again, mis-communication.

No...publish it here on Null Byte.

Publish the 0 day.


I never thought you wanted Null-Byte to be a database of exploits. I have a couple to post if you are interested. I've worked with the developers on some so they're not 0-day anymore (but still plenty of sites not updated), others the developers just ignored the issue.

Hi sir OTW, just got in a few min, am new, and yeah, a Wordpress 0day, publish it here on Null Byte, and appreciate you guys a lot, from OTW down to ghost you guys are great, kudos. One word: Null Byte is my textbook lol, can't do without it a day, being a student for the past six months.

I thought of posting it here, but I am skeptical.

You are skeptical? I am in complete doubt... This wouldn't happen to be the 0day from last week that got patched 3 hours later by Wordpress?

No. I am skeptical about that if I publish a 0day, that can be used to perpetrate multiple Wordpress websites, I can get in trouble. I will report the Wordpress 0day, then I will post it here, afterwards, you can use it on any website you want and hope they haven't updated.

Isn't that quite counter-intuitive...?

If I were you I would report it to Wordpress, then wait. If they don't get back to you, publish it publicly to raise awareness and force them to patch it.

Publish or sell.
We are all right :P

I contacted them yesterday, I am waiting for a reply.. If they don't reply, I'm publishing it.

Well let's all hope that Wordpress doesn't respond.

Publish it to Google's 0day tracking, contact Wordpress (if it's legit and a true unknown flaw you could likely end up getting paid for finding it, seeing as how big of an impact on the web Wordpress seems to have right now).

He has nothing to publish. He has 0 0days! Tell me about that RFI Guide again...

Lol. I love how you reply to something you know nothing about. The RFI is something simple I did as my 1st tutorial. And, I have 3 0days. All found by me and my team. Thanks.

What team? You are just a script kiddie stealing tutorials from other websites. I can give the exact link to the tutorial you stole.

'His RFI tutorial was copied from Security Exploded's site.' = Deleted
Of course you do.

Biggest crap I've ever heard. I didn't delete anything, nor copy pasted.

Oh, really? Then why did the mods delete it after I found the EXACT same tutorial on Security Xploded?

LoL. Show me the link, please.

That URL is different from mine. I read it. What did mine have that one had? Don't tell me you got it deleted because the URLs for the examples looked the same.

Nope, the content was the same. Read it and weep. You just changed the URLs and added some comments.


Let's stop this bickering. I looked at that URL and it was identical to your article. You plagiarized it. That's why I deleted it. If it happens again, I'll delete all your posts.


Arguing doesn't really solve anything. All it does is depreciate the value of our community; the plagiarism was discovered and dealt with.

I suggest we just end it here and move on.

