Description

WP Engine invites you to test the WP Engine and Flywheel Digital Experience Platforms. WP Engine equips its customers with a suite of agility, performance, intelligence, and integration solutions, so you can build and deploy a range of online experiences from campaign sites to content hubs to e-commerce extensions. Good luck and happy hunting!

Bounties

Responsible disclosure

Rules of engagement
Required
Not applicable
max. 5 requests/sec
Not applicable

By participating in this program, you agree to:

  • Respect the Community Code of Conduct
  • Respect the Intigriti Terms and Conditions
  • Respect the scope of the program
  • Not discuss or disclose vulnerability information without prior written consent (including PoC's on YouTube and Vimeo)
  • Utilize an @intigriti.me account for any authenticated interactions with web or desktop applications
  • Avoid testing of any WP Engine or Flywheel customer sites, nominally located on the *.wpengine.com or *.flywheelsites.com subdomains.
Domains

*. advancedcustomfields.com

No Bounty
URL

*. bettersearchreplace.com

No Bounty
URL

*.deliciousbrains.com

No Bounty
URL

*.studiopress.com

No Bounty
URL

The studiopress.com, www.studiopress.com, and my.studiopress.com sites are public facing marketing and WordPress theme e-commerce sites. No credentials will be provided. Researchers are free to test functionally that requires authentication with their own accounts. Please note: no reimbursements will be made for money spent to access this part of the application.

*.wpengine.io

No Bounty
URL

This is an apex domain used for microservices hosted as subdomains and service-to-service APIs - these are intended to be "internal" services like APIs but have public DNS records and some may be publicly-accessible. To aid in testing, we've provided some initial OSINT for this domain: https://crt.sh/?q=%25wpengine.io

*.wpesvc.net

No Bounty
URL

This is an apex domain used for microservices hosted as subdomains and service-to-service APIs - these are intended to be "internal" services like APIs but have public DNS records and some may be publicly-accessible. To aid in testing, we've provided some initial OSINT for this domain: https://crt.sh/?q=%25wpesvc.net

app.getflywheel.com

No Bounty
URL

This is the primary site for researchers to register and test both the Flywheel App as well as the Flywheel Platform. We will not provide credentials or bypass verification controls (i.e, a researcher will need to either provide a valid phone number or credit card to have a live site), but a researcher may register a demo site that matches the platform's functionality without verification. Please use your Intigriti credentials to register. Please note that any issues regarding an individual WordPress installation on the Flywheel platform, outside of plugins owned by WP Engine/Flywheel, will be considered out of scope as we do not monitor or manage customer content. We are, however, very interested in issues that may compromise customer isolation on the platform or cause data to be leaked from either a host or an unrelated customer site.

getflywheel.com

No Bounty
URL

This site is the landing page for Flywheel-branded services. Most of this data is static, but there are a number of dynamic fields and functionalities that are available to be tested. Support, contact forms, and chat functionality are out-of-scope - specifically, the Sales Questions functionality or https://getflywheel.com/schedule-a-demo/. No testing should be done against these targets or any 3rd party services. Please do not contact Live Chat agents.

my.wpengine.com

No Bounty
URL

The User Portal for WP Engine. Customers manage their WordPress sites, addons, and billing details through this portal. No credentials will be provided. Researchers are free to test functionally that requires authentication with their own accounts. Please note: no reimbursements will be made for money spent to access this part of the application.

spressforumstg.wpengine.com

No Bounty
URL

the staging environment for the StudioPress community forum, built on WordPress. Researchers are welcome to register an account using their @intigriti.me email address, but should refrain from interacting with the community, making public posts, or performing automated testing which may cause disruption. Do not attempt to gain access to any user accounts not under your control.

studiopress.blog

No Bounty
URL

This is a public-facing marketing site built on WordPress. Most of the content on this site consists of static blog posts.

wpengine.com

No Bounty
URL

This the landing page for the main WP Engine website. Most of this data is static, but there are a number of dynamic fields and functionalities that are available to be tested. Support, contact forms, and chat functionality are out-of-scope - specifically, the Sales Questions functionality and wpengine.com/contact/. No testing should be done against these targets or any 3rd party services.

In scope

We are happy to announce our first bug bounty program on the Intigriti platform! We've done our best to clean most of our known issues and now would like to request your help to spot the ones we missed! We are specifically looking for

  • Exposure of sensitive data in the WP Engine User Portal, Flywheel App, as well as on the associated platforms
  • Horizontal / vertical privilege escalation
  • SQLi
  • Code execution on internal hosts or services
  • SSRF

Any other issues that have a demonstrated security impact, aside from those in the Out of scope section below, are eligible for submission.

Out of scope

Customer Support Interactions

Out of scope domains

  • Any domain that is not listed in the Domains section, is out of scope for this program

Application

  • Pre-auth account takeover / oauth squatting
  • Self-XSS that cannot be used to exploit other users
  • Verbose messages/files/directory listings without disclosing any sensitive information
  • CORS misconfiguration on non-sensitive endpoints
  • Missing cookie flags
  • Missing security headers
  • Cross-site Request Forgery with no or low impact
  • Presence of autocomplete attribute on web forms
  • Reverse tabnabbing
  • Bypassing rate-limits or the non-existence of rate-limits.
  • Best practices violations (password complexity, expiration, re-use, etc.)
  • Clickjacking on pages with no sensitive actions
  • CSV Injection
  • Host Header Injection (absent any actual demonstrated security impact)
  • Sessions not being invalidated (logout, enabling 2FA, ..)
  • Hyperlink injection/takeovers
  • Cross-domain referer leakage
  • Anything related to email spoofing, SPF, DMARC or DKIM
  • Content injection
  • Username / email enumeration
  • E-mail bombing
  • HTTP Request smuggling without any proven impact
  • Homograph attacks
  • XMLRPC enabled
  • Banner grabbing / Version disclosure
  • Open ports without an accompanying proof-of-concept demonstrating vulnerability
  • Weak SSL configurations and SSL/TLS scan reports
  • Not stripping metadata of images
  • Disclosing API keys without proven impact
  • Same-site scripting
  • Subdomain takeover without taken over the subdomain
  • Arbitrary file upload without proof of the existence of the uploaded file

General

  • In case that a reported vulnerability was already known to the company from their own tests, it will be flagged as a duplicate
  • Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited, may be excluded or be lowered in severity
  • Spam, social engineering and physical intrusion
  • DoS/DDoS attacks or brute force attacks
  • Vulnerabilities that are limited to non-current browsers (older than 3 versions) will not be accepted
  • Attacks requiring physical access to a victim’s computer/device, man in the middle or compromised user accounts
  • Recently discovered zero-day vulnerabilities found in in-scope assets within 7 days after the public release of a patch or mitigation may be reported, but are usually not eligible for a bounty.
  • Reports that state that software is out of date/vulnerable without a proof-of-concept
Severity assessment

This program follows Intigriti's contextual CVSS standard

FAQ

Where can we get credentials for the app?

Credentials for the WP Engine User Portal will be available soon. Researchers may sign up for the Flywheel App using their @intigriti.me account (SMS Verification required).

All aboard!
Please log in or sign up on the platform

For obvious reasons we can only allow submissions or applications for our program with a valid Intigriti account.

It will only take 2 minutes to create a new one or even less to log in with an existing account, so don't hesitate and let's get started. We would be thrilled to have you as part of our community.

Researchers
last contributors
logo
logo
logo
logo
logo
logo
leaderboard
logo
logo
logo
logo
logo
logo
Overall stats
submissions received
N/A
average payout
N/A
accepted submissions
29
total payouts
N/A
Last 90 day response times
avg. time first response
< 24 hours
avg. time to decide
< 1 week
avg. time to triage
< 2 days
Activity
3/22
WP Engine
closed a submission
3/22
WP Engine
closed a submission
3/22
WP Engine
closed a submission
3/22
WP Engine
closed a submission
3/22
WP Engine
closed a submission
3/21
WP Engine
accepted a submission
3/21
logo
created a submission
3/21
logo
created a submission
3/21
logo
created a submission
3/20
logo
created a submission