Description

WP Engine invites you to test the WP Engine and Flywheel Digital Experience Platforms. WP Engine equips its customers with a suite of agility, performance, intelligence, and integration solutions, so you can build and deploy a range of online experiences from campaign sites to content hubs to e-commerce extensions. Good luck and happy hunting!

Bounties

This is a responsible disclosure program without bounties.

Rules of engagement
Required
Not applicable
max. 5 requests/sec
Not applicable

By participating in this program, you agree to:

  • Respect the Community Code of Conduct
  • Respect the Intigriti Terms and Conditions
  • Respect the scope of the program
  • Not discuss or disclose vulnerability information without prior written consent (including PoC's on YouTube and Vimeo)
  • Utilize an @intigriti.me account for any authenticated interactions with web or desktop applications
  • Avoid testing of any WP Engine or Flywheel customer sites, nominally located on the *.wpengine.com or *.flywheelsites.com subdomains.
Domains

*. advancedcustomfields.com

No bounty
URL

*. bettersearchreplace.com

No bounty
URL

*.deliciousbrains.com

No bounty
URL

*.studiopress.com

No bounty
URL

The studiopress.com, www.studiopress.com, and my.studiopress.com sites are public facing marketing and WordPress theme e-commerce sites. No credentials will be provided. Researchers are free to test functionally that requires authentication with their own accounts. Please note: no reimbursements will be made for money spent to access this part of the application.

*.wpengine.io

No bounty
URL

This is an apex domain used for microservices hosted as subdomains and service-to-service APIs - these are intended to be "internal" services like APIs but have public DNS records and some may be publicly-accessible. To aid in testing, we've provided some initial OSINT for this domain: https://crt.sh/?q=%25wpengine.io

*.wpesvc.net

No bounty
URL

This is an apex domain used for microservices hosted as subdomains and service-to-service APIs - these are intended to be "internal" services like APIs but have public DNS records and some may be publicly-accessible. To aid in testing, we've provided some initial OSINT for this domain: https://crt.sh/?q=%25wpesvc.net

app.getflywheel.com

No bounty
URL

This is the primary site for researchers to register and test both the Flywheel App as well as the Flywheel Platform. We will not provide credentials or bypass verification controls (i.e, a researcher will need to either provide a valid phone number or credit card to have a live site), but a researcher may register a demo site that matches the platform's functionality without verification. Please use your Intigriti credentials to register. Please note that any issues regarding an individual WordPress installation on the Flywheel platform, outside of plugins owned by WP Engine/Flywheel, will be considered out of scope as we do not monitor or manage customer content. We are, however, very interested in issues that may compromise customer isolation on the platform or cause data to be leaked from either a host or an unrelated customer site.

getflywheel.com

No bounty
URL

This site is the landing page for Flywheel-branded services. Most of this data is static, but there are a number of dynamic fields and functionalities that are available to be tested. Support, contact forms, and chat functionality are out-of-scope - specifically, the Sales Questions functionality or https://getflywheel.com/schedule-a-demo/. No testing should be done against these targets or any 3rd party services. Please do not contact Live Chat agents.

my.wpengine.com

No bounty
URL

The User Portal for WP Engine. Customers manage their WordPress sites, addons, and billing details through this portal. No credentials will be provided. Researchers are free to test functionally that requires authentication with their own accounts. Please note: no reimbursements will be made for money spent to access this part of the application.

spressforumstg.wpengine.com

No bounty
URL

the staging environment for the StudioPress community forum, built on WordPress. Researchers are welcome to register an account using their @intigriti.me email address, but should refrain from interacting with the community, making public posts, or performing automated testing which may cause disruption. Do not attempt to gain access to any user accounts not under your control.

studiopress.blog

No bounty
URL

This is a public-facing marketing site built on WordPress. Most of the content on this site consists of static blog posts.

WP Engine-developed WordPress Plugins and Themes

No bounty
Other

We accept any reports of vulnerabilities in plugins or themes managed or developed by WP Engine, with the exception of any application-level vulnerabilities in the Out of Scope section below. These free versions closely mirror their paid counterparts, so any vulnerabilities discovered should be applicable to both the paid or free plugins.

We also accept reports for the following Delicious Brains plugins:
https://wordpress.org/plugins/advanced-custom-fields

wpengine.com

No bounty
URL

This the landing page for the main WP Engine website. Most of this data is static, but there are a number of dynamic fields and functionalities that are available to be tested. Support, contact forms, and chat functionality are out-of-scope - specifically, the Sales Questions functionality and wpengine.com/contact/. No testing should be done against these targets or any 3rd party services.

https://getflywheel.com/schedule-a-demo/

Out of scope
URL

https://wpengine.com/contact/

Out of scope
URL
In scope

We are happy to announce our first bug bounty program on the Intigriti platform! We've done our best to clean most of our known issues and now would like to request your help to spot the ones we missed! We are specifically looking for

  • Exposure of sensitive data in the WP Engine User Portal, Flywheel App, as well as on the associated platforms
  • Horizontal / vertical privilege escalation
  • SQLi
  • Code execution on internal hosts or services
  • SSRF

Any other issues that have a demonstrated security impact, aside from those in the Out of scope section below, are eligible for submission.

Out of scope

Customer Support Interactions

Domains

  • Any domain that is not listed in the Domains section, is out of scope for this program

Application

  • API key disclosure without proven business impact
  • Wordpress usernames disclosure
  • Pre-Auth Account takeover/OAuth squatting
  • Self-XSS that cannot be used to exploit other users
  • Verbose messages/files/directory listings without disclosing any sensitive information
  • CORS misconfiguration on non-sensitive endpoints
  • Missing cookie flags
  • Missing security headers
  • Cross-site Request Forgery with no or low impact
  • Presence of autocomplete attribute on web forms
  • Reverse tabnabbing
  • Bypassing rate-limits or the non-existence of rate-limits.
  • Best practices violations (password complexity, expiration, re-use, etc.)
  • Clickjacking without proven impact/unrealistic user interaction
  • CSV Injection
  • Sessions not being invalidated (logout, enabling 2FA, etc.)
  • Tokens leaked to third parties
  • Anything related to email spoofing, SPF, DMARC or DKIM
  • Content injection without being able to modify the HTML
  • Username/email enumeration
  • Email bombing
  • HTTP Request smuggling without any proven impact
  • Homograph attacks
  • XMLRPC enabled
  • Banner grabbing/Version disclosure
  • Not stripping metadata of files
  • Same-site scripting
  • Subdomain takeover without taking over the subdomain
  • Arbitrary file upload without proof of the existence of the uploaded file
  • Blind SSRF without proven business impact (pingbacks are not sufficient)
  • Disclosed/misconfigured Google Maps API keys
  • Host header injection without proven business impact

General

  • In case that a reported vulnerability was already known to the company from their own tests, it will be flagged as a duplicate
  • Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited
  • Spam, social engineering and physical intrusion
  • DoS/DDoS attacks or brute force attacks
  • Vulnerabilities that only work on software that no longer receive security updates
  • Attacks requiring physical access to a victim's computer/device, man in the middle or compromised user accounts
  • Recently discovered zero-day vulnerabilities found in in-scope assets within 7 days after the public release of a patch or mitigation may be reported, but are usually not eligible for a bounty
  • Reports that state that software is out of date/vulnerable without a proof-of-concept
Severity assessment

This program follows Intigriti's contextual CVSS standard

FAQ

Where can we get credentials for the app?

Credentials for the WP Engine User Portal will be available soon. Researchers may sign up for the Flywheel App using their @intigriti.me account (SMS Verification required).

All aboard!
Please log in or sign up on the platform

For obvious reasons we can only allow submissions or applications for our program with a valid Intigriti account.

It will only take 2 minutes to create a new one or even less to log in with an existing account, so don't hesitate and let's get started. We would be thrilled to have you as part of our community.

Researchers
last contributors
logo
logo
logo
logo
logo
logo
leaderboard
logo
logo
logo
logo
logo
logo
Overall stats
submissions received
N/A
average payout
N/A
accepted submissions
35
total payouts
N/A
Last 90 day response times
avg. time first response
< 2 days
avg. time to decide
< 2 days
avg. time to triage
< 2 days
Activity
2/22
WP Engine
closed a submission
2/21
logo
created a submission
2/21
WP Engine
closed a submission
2/19
logo
created a submission
2/7
WP Engine
changed the out of scope
1/25
WP Engine
closed a submission
1/24
logo
created a submission
1/22
WP Engine
closed a submission
1/19
logo
created a submission
1/19
WP Engine
accepted a submission