Description

WP Engine invites you to test the WP Engine and Flywheel Digital Experience Platforms. WP Engine equips its customers with a suite of agility, performance, intelligence, and integration solutions, so you can build and deploy a range of online experiences from campaign sites to content hubs to e-commerce extensions. Good luck and happy hunting!

Bounties

This is a responsible disclosure program without bounties.

Rules of engagement
  • Required
  • Not applicable
  • Max. 5 requests/sec
  • Not applicable

By participating in this program, you agree to:

  • Respect the Community Code of Conduct
  • Respect the Intigriti Terms and Conditions
  • Respect the scope of the program
  • Not discuss or disclose vulnerability information without prior written consent (including PoCs on YouTube and Vimeo)
  • Utilize an @intigriti.me account for any authenticated interactions with web or desktop applications
  • Avoid testing of any WP Engine or Flywheel customer sites, nominally located on the *.wpengine.com or *.flywheelsites.com subdomains.

Domains

*.advancedcustomfields.com

No bounty
Wildcard

*.bettersearchreplace.com

No bounty
Wildcard

*.deliciousbrains.com

No bounty
Wildcard

*.studiopress.com

No bounty
Wildcard

The studiopress.com, www.studiopress.com, and my.studiopress.com sites are public-facing marketing and WordPress theme e-commerce sites. No credentials will be provided. Researchers are free to test functionality that requires authentication with their own accounts. Please note: no reimbursements will be made for money spent to access this part of the application.

*.wpengine.io

No bounty
Wildcard

This is an apex domain used for microservices hosted as subdomains and service-to-service APIs. These are intended to be "internal" services, but they have public DNS records and some may be publicly accessible. To aid in testing, we've provided some initial OSINT for this domain: https://crt.sh/?q=%25wpengine.io

*.wpesvc.net

Wildcard

This is an apex domain used for microservices hosted as subdomains and service-to-service APIs. These are intended to be "internal" services, but they have public DNS records and some may be publicly accessible. To aid in testing, we've provided some initial OSINT for this domain: https://crt.sh/?q=%25wpesvc.net

Severity assessment

This program follows Intigriti's contextual CVSS standard.

FAQ

Where can we get credentials for the app?

Credentials for the WP Engine User Portal will be available soon. Researchers may sign up for the Flywheel App using their @intigriti.me account (SMS Verification required).