WP Engine invites you to test the WP Engine and Flywheel Digital Experience Platforms. WP Engine equips its customers with a suite of agility, performance, intelligence, and integration solutions, so you can build and deploy a range of online experiences from campaign sites to content hubs to e-commerce extensions. Good luck and happy hunting!
This is a responsible disclosure program without bounties.
*. advancedcustomfields.com
*. bettersearchreplace.com
*.deliciousbrains.com
*.studiopress.com
The studiopress.com, www.studiopress.com, and my.studiopress.com sites are public facing marketing and WordPress theme e-commerce sites. No credentials will be provided. Researchers are free to test functionally that requires authentication with their own accounts. Please note: no reimbursements will be made for money spent to access this part of the application.
*.wpengine.io
This is an apex domain used for microservices hosted as subdomains and service-to-service APIs - these are intended to be "internal" services like APIs but have public DNS records and some may be publicly-accessible. To aid in testing, we've provided some initial OSINT for this domain: https://crt.sh/?q=%25wpengine.io
*.wpesvc.net
This is an apex domain used for microservices hosted as subdomains and service-to-service APIs - these are intended to be "internal" services like APIs but have public DNS records and some may be publicly-accessible. To aid in testing, we've provided some initial OSINT for this domain: https://crt.sh/?q=%25wpesvc.net
app.getflywheel.com
This is the primary site for researchers to register and test both the Flywheel App as well as the Flywheel Platform. We will not provide credentials or bypass verification controls (i.e, a researcher will need to either provide a valid phone number or credit card to have a live site), but a researcher may register a demo site that matches the platform's functionality without verification. Please use your Intigriti credentials to register. Please note that any issues regarding an individual WordPress installation on the Flywheel platform, outside of plugins owned by WP Engine/Flywheel, will be considered out of scope as we do not monitor or manage customer content. We are, however, very interested in issues that may compromise customer isolation on the platform or cause data to be leaked from either a host or an unrelated customer site.
getflywheel.com
This site is the landing page for Flywheel-branded services. Most of this data is static, but there are a number of dynamic fields and functionalities that are available to be tested. Support, contact forms, and chat functionality are out-of-scope - specifically, the Sales Questions functionality or https://getflywheel.com/schedule-a-demo/. No testing should be done against these targets or any 3rd party services. Please do not contact Live Chat agents.
my.wpengine.com
The User Portal for WP Engine. Customers manage their WordPress sites, addons, and billing details through this portal. No credentials will be provided. Researchers are free to test functionally that requires authentication with their own accounts. Please note: no reimbursements will be made for money spent to access this part of the application.
spressforumstg.wpengine.com
the staging environment for the StudioPress community forum, built on WordPress. Researchers are welcome to register an account using their @intigriti.me email address, but should refrain from interacting with the community, making public posts, or performing automated testing which may cause disruption. Do not attempt to gain access to any user accounts not under your control.
studiopress.blog
This is a public-facing marketing site built on WordPress. Most of the content on this site consists of static blog posts.
WP Engine-developed WordPress Plugins and Themes
We accept any reports of vulnerabilities in plugins or themes managed or developed by WP Engine, with the exception of any application-level vulnerabilities in the Out of Scope section below. These free versions closely mirror their paid counterparts, so any vulnerabilities discovered should be applicable to both the paid or free plugins.
We also accept reports for the following Delicious Brains plugins:
https://wordpress.org/plugins/advanced-custom-fields
wpengine.com
This the landing page for the main WP Engine website. Most of this data is static, but there are a number of dynamic fields and functionalities that are available to be tested. Support, contact forms, and chat functionality are out-of-scope - specifically, the Sales Questions functionality and wpengine.com/contact/. No testing should be done against these targets or any 3rd party services.
We are happy to announce our first bug bounty program on the Intigriti platform! We've done our best to clean most of our known issues and now would like to request your help to spot the ones we missed! We are specifically looking for
Any other issues that have a demonstrated security impact, aside from those in the Out of scope section below, are eligible for submission.
This program follows Intigriti's contextual CVSS standard
Credentials for the WP Engine User Portal will be available soon. Researchers may sign up for the Flywheel App using their @intigriti.me account (SMS Verification required).
For obvious reasons we can only allow submissions or applications for our program with a valid Intigriti account.
It will only take 2 minutes to create a new one or even less to log in with an existing account, so don't hesitate and let's get started. We would be thrilled to have you as part of our community.
