
Wordfence Bug Bounty Program Monthly Report – March 2026

  • What: Wordfence reports 1718 vulnerability submissions in March 2026
  • Impact: Security researchers contribute to improving WordPress ecosystem security

In March 2026, the Wordfence Bug Bounty Program received 1718 vulnerability submissions from our growing community of security researchers working to improve the overall security posture of the WordPress ecosystem. These submissions are reviewed, triaged, and processed by the Wordfence Threat Intelligence team, with validated vulnerabilities responsibly disclosed to vendors – often through the Wordfence Vulnerability Management Portal, a free service for all WordPress vendors – and protected through the Wordfence Firewall where appropriate.

Our mission with the Wordfence Bug Bounty Program is to engage the broader security community in identifying and responsibly disclosing vulnerabilities in WordPress plugins and themes, so we can work with vendors to get them patched before attackers discover them. This collaborative effort enables Wordfence to accelerate patch adoption, provide early protection to millions of websites, and ensure that high-quality vulnerability intelligence reaches the WordPress ecosystem as efficiently as possible. It also ensures that we are able to remediate vulnerabilities before attackers are able to discover and exploit them. That is why we reward researchers for valid submissions, and why we remain committed to processing every report with transparency, accuracy, and urgency.

Join the Wordfence Bug Bounty Program: help secure the WordPress ecosystem while earning rewards for your security research. We’re actively seeking skilled researchers to identify vulnerabilities in WordPress plugins and themes, with prompt payments and transparent processes.

As the most comprehensive and highest-quality WordPress vulnerability program, the Wordfence Bug Bounty Program plays a critical role in helping site owners, developers, and hosting providers stay ahead of emerging threats at all stages of the open source lifecycle.
In this report, we highlight key metrics of the Bug Bounty Program from March 2026, recognize the researchers contributing to WordPress security, and provide insight into the vulnerabilities uncovered and addressed.

Table of Contents

  • Program Submission Highlights – March 2026
  • WordPress Software Vulnerability Submission Insights – March 2026
  • Bounty Insights – March 2026
  • Top WordPress Security Researchers – March 2026
  • Current WordPress Bug Bounty Program Promotions
  • Critical WordPress Software Vulnerability Highlights – March 2026
  • Conclusion

If you’re interested in joining the program or learning more about how we responsibly manage disclosures and protect WordPress users, visit the Bug Bounty Program page.

WordPress Software Vendors – Sign Up For Free Centralized Management of all Vulnerabilities in Your Software

Wordfence provides a completely free vulnerability management portal for WordPress software vendors to easily track and manage all vulnerabilities submitted to the Wordfence Bug Bounty Program and added to the Wordfence Intelligence Vulnerability Database. This portal streamlines and enhances the responsible disclosure process so you can secure your customers faster.

Program Submission Highlights – March 2026

The Wordfence Bug Bounty Program is designed for momentum: rapid triage of critical issues, clear feedback, and fast, fair rewards. Each submission moves through our standardized workflow of validation, vendor coordination, patch verification, and firewall coverage where applicable, so research translates into real-world protection quickly.

Real-Time Protection Impact

Every vulnerability disclosed through this program is a threat you don’t have to face blindly. Our researchers uncover and report vulnerabilities before they can be exploited, and Wordfence Premium, Care and Response users get protection in real time through our firewall. Free users are protected in 30 days.
Behind the numbers is meaningful impact for site owners. The issues surfaced here inform new firewall rules, strengthen our detection logic, and help vendors ship safer releases. If you’re new to bounty hunting, this is a great place to start: we publish scope clearly, pay promptly, and credit the work that keeps WordPress secure.

  • Total Submissions: 1718 (+59.4% from last month)
  • Active Researchers: 321 (+51.4% from last month)
  • High Threat: 56 (+133.3% from last month)
  • Common & Dangerous: 78 (+56.0% from last month)
  • WAF Rules Released: 5 (-44.4% from last month)

Vulnerability Focus Areas

  • High Threat Vulnerabilities: Issues that could result in full site compromise, such as Arbitrary File Uploads or Remote Code Execution. Must be exploitable by unauthenticated or low-level authenticated attackers, with the software having 25+ active installations.
  • Common & Dangerous: Stored Cross-Site Scripting and SQL Injection vulnerabilities exploitable by unauthenticated or low-level authenticated attackers. Software must have 500+ active installations.

Bounty Insights – March 2026

Our research powers real investment back into the community. This section totals bounties and bonuses paid for the month and showcases standout findings. Our philosophy is simple: reward high-quality, responsibly disclosed research that measurably reduces risk for WordPress users.
  • Total Bounties Awarded: $62,174 (March 2026)
  • Average Bounty Per Submission: $195.52 (per validated in-scope submission)
  • Highest Single Bounty: $3,726 (top researcher reward)

Top 5 Bounties Awarded

  • Perfmatters <= 2.5.9.1 – Authenticated (Subscriber+) Arbitrary File Deletion via ‘delete’ Parameter: $3,726.00 bounty, 200,000 installs
  • Avada Builder <= 3.15.2 – Authenticated (Subscriber+) Arbitrary File Read via ‘custom_svg’ Shortcode Parameter: $3,386.00 bounty, 968,000 installs
  • MW WP Form <= 5.1.0 – Unauthenticated Arbitrary File Move via move_temp_file_to_upload_dir: $3,105.00 bounty, 200,000 installs
  • Breeze Cache <= 2.4.4 – Unauthenticated Arbitrary File Upload via fetch_gravatar_from_remote: $2,691.00 bounty, 400,000 installs
  • Gravity Forms <= 2.10.0 – Unauthenticated Stored Cross-Site Scripting via Product Option: $2,304.00 bounty, 1,000,000 installs

Want to earn more? Read the scope carefully, target high-threat classes, and include clear reproduction steps with proof of impact. We pay promptly on validated issues, and bonus multipliers may apply during limited-time promotions and challenges.

WordPress Software Vulnerability Submission Insights – March 2026

This section breaks down how reports map to our program outcomes: what’s in scope, what isn’t, and where the highest security impact typically sits. We highlight the most common in-scope vulnerability classes and the categories that yielded the largest rewards so researchers can focus their efforts where they matter most. Authentication level and exploit preconditions drive risk and reward through our program. Unauthenticated and low-privilege paths tend to have outsized impact because they scale to more real-world compromise. Use these insights to prioritize your testing strategy and maximize both security value and bounty potential.
Total Number of Vulnerabilities Considered In Scope, Out of Scope, Rejected, or Duplicate

  In Scope   Out of Scope   Rejected   Duplicate
  318        306            748        346

Top 10 Most Commonly Submitted In-Scope Vulnerability Types

The most frequently submitted vulnerability types highlight current testing focus areas across the researcher community. These patterns often reflect both ease of discovery and prevalence in the WordPress ecosystem.

(vulnerability type: total submissions, total rewards, average reward)

  • CWE 79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’): 123 submissions, $15,652.00 total, $127.25 avg.
  • CWE 89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’): 33 submissions, $5,575.00 total, $168.94 avg.
  • CWE 862: Missing Authorization: 27 submissions, $5,996.00 total, $222.07 avg.
  • CWE 22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’): 11 submissions, $11,687.00 total, $1,062.45 avg.
  • CWE 639: Authorization Bypass Through User-Controlled Key: 10 submissions, $1,325.00 total, $132.50 avg.
  • CWE 434: Unrestricted Upload of File with Dangerous Type: 9 submissions, $5,221.00 total, $580.11 avg.
  • CWE 918: Server-Side Request Forgery (SSRF): 6 submissions, $559.00 total, $93.17 avg.
  • CWE 269: Improper Privilege Management: 5 submissions, $2,236.00 total, $447.20 avg.
  • CWE 863: Incorrect Authorization: 5 submissions, $274.00 total, $54.80 avg.
  • CWE 94: Improper Control of Generation of Code (‘Code Injection’): 4 submissions, $3,169.00 total, $792.25 avg.

Top 10 Highest Rewarded In-Scope Vulnerability Types

While some vulnerabilities appear frequently, others command premium rewards. This breakdown shows which vulnerability classes generated the highest total payouts across all submissions in those categories, indicating both severity and exploitability value.

(vulnerability type: total rewards, total submissions, average reward)

  • CWE 79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’): $15,652.00 total, 122 submissions, $127.25 avg.
  • CWE 22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’): $11,687.00 total, 11 submissions, $1,062.45 avg.
  • CWE 862: Missing Authorization: $5,996.00 total, 27 submissions, $222.07 avg.
  • CWE 89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’): $5,575.00 total, 33 submissions, $168.94 avg.
  • CWE 434: Unrestricted Upload of File with Dangerous Type: $5,221.00 total, 9 submissions, $580.11 avg.
  • CWE 36: Absolute Path Traversal: $3,846.00 total, 2 submissions, $1,923.00 avg.
  • CWE 94: Improper Control of Generation of Code (‘Code Injection’): $3,169.00 total, 4 submissions, $792.25 avg.
  • CWE 269: Improper Privilege Management: $2,236.00 total, 5 submissions, $447.20 avg.
  • CWE 306: Missing Authentication for Critical Function: $1,950.00 total, 1 submission, $1,950.00 avg.
  • CWE 200: Exposure of Sensitive Information to an Unauthorized Actor: $1,466.00 total, 2 submissions, $733.00 avg.

In-Scope Vulnerability Distribution by Authentication Level

Authentication requirements directly impact real-world exploitability. Unauthenticated and subscriber-level vulnerabilities typically pose greater risk, reflected in both our prioritization and reward structure.

  Authentication Level            Total Vulnerabilities   Avg. Reward
  Unauthenticated                 124                     $385.01
  Contributor                     81                      $32.44
  Subscriber                      57                      $342.89
  Author                          24                      $77.85
  Custom                          8                       $196.29
  Unauthenticated – UI Required   8                       $167.38

Vulnerability Submission Install Count Spread

Install counts help us gauge blast radius. Higher install bases can move a finding into higher priority and often correlate with stronger payouts, while smaller-but-critical ecosystems still qualify when the exploitability and impact warrant it.

  Install Range         Total Vulnerabilities   Average CVSS   Avg. Reward
  1,000–49,999          101                     7.06           $148.49
  100,000–999,999       78                      6.59           $440.67
  50,000–99,999         59                      6.49           $102.79
  Off-Repo              38                      8.27           $387.37
  1,000,000–4,999,999   19                      6.19           $426.56
  0–499                 16                      8.68           $43.38
  500–999               6                       6.97           $39.60
  5,000,000+            2                       5.85           $544.00

Top WordPress Security Researchers – March 2026

Security is a team sport, and this leaderboard celebrates the people raising the bar. We recognize contributors by valid in-scope submissions, overall earnings, and average severity to highlight different paths to excellence.

Top 5 Researchers based on Volume of In-Scope Submissions

Volume leaders demonstrate consistent vulnerability discovery across diverse targets. These researchers excel at systematic testing and maintaining high validation rates.

  Researcher                          Total Submissions   Avg. Reward
  Muhammad Yudha – DJ                 18                  $13.94
  Osvaldo Noe Gonzalez Del Rio (Os)   18                  $116.11
  Dmitrii Ignatyev                    13                  $190.00
  daroo                               13                  $384.08
  h0xilo                              12                  $619.58

Top 5 Researchers Based on Average CVSS of In-Scope Submissions

Quality over quantity defines these researchers who consistently identify high-severity vulnerabilities. Their average CVSS scores reflect expertise in finding critical security gaps.

  Researcher          Average CVSS   Total Submissions   Avg. Reward
  Alexis Lafontaine   9.80           1                   $65.00
  Wannes Verwimp      9.80           1                   $488.00
  David Brown         9.80           1                   $1,950.00
  kiemtiendinhau      9.80           1                   $683.00
  0xd4rk5id3          9.63           6                   $440.00

Top 5 Researchers Based On Total Bounties Earned

Combining volume with severity, these top earners maximized their impact and rewards through strategic vulnerability research and comprehensive reporting.

  Researcher       Total Earned   Total Submissions   Avg. Reward
  h0xilo           $7,435.00      12                  $619.58
  ISMAILSHADOW     $5,250.00      2                   $2,625.00
  daroo            $4,993.00      13                  $384.08
  Rafie Muhammad   $4,453.00      2                   $2,226.50
  bashu            $4,379.00      9                   $486.56

Researchers Promoted to the Next Tier

Congratulations to the following researchers who have unlocked the next tier! Tier promotions reflect sustained performance, precision, and professionalism in disclosure.
Advancing unlocks higher caps, faster reviews, and more visibility. If you’re climbing the ranks, focus on high-risk vulnerabilities, keep reports crisp, attach working PoCs, and include mitigation notes vendors can ship quickly.

  • Elite Researcher Tier (1337): 0 researchers advanced to elite (1337) status this month.
  • Resourceful Researcher Tier: 0 researchers advanced to resourceful status this month.

Current WordPress Bug Bounty Program Promotions

As part of our Bug Bounty Program, we regularly launch special promotions that boost bounty rewards and expand research scope. These initiatives are designed to reinforce our mission: delivering the highest quality vulnerability intelligence while encouraging researchers to focus on the discoveries that have the greatest positive impact on the WordPress ecosystem. At the same time, we also look for promotions that give researchers opportunities to sharpen their skills, take on new challenges, and continue growing into the best of the best in WordPress security research. We often supplement these with educational material for researchers to learn and apply their skills during these promotions. Below, you’ll find details on all currently active challenges, including timelines and a quick overview of each promotion.

No promotions currently running.

New to promotions? Start by confirming the software and version range are in scope, validate exploitability on a clean test environment, and submit with clear steps, affected code paths, and impact. Promotions are perfect opportunities for both new and seasoned researchers to maximize earnings while driving faster patch adoption. And remember, you can always check what’s in-scope and out-of-scope by using the Wordfence bounty estimator.
Critical WordPress Software Vulnerability Highlights – March 2026

These case studies spotlight high-impact vulnerabilities uncovered through the program, why they matter, and how quickly protection rolled out. We share technical detail to help researchers learn, vendors harden code, and users understand why timely updates aren’t optional. If you maintain a site, update to the patched versions listed and ensure Wordfence is active so you benefit from new firewall coverage as it ships. If you’re a researcher, use these write-ups to inform your hunt: patterns repeat, and past root causes often reappear in adjacent code.

800,000 WordPress Sites Affected by Arbitrary File Read Vulnerability in Smart Slider 3 WordPress Plugin

Smart Slider 3 <= 3.5.1.33 – Authenticated (Subscriber+) Arbitrary File Read via actionExportAll
Submitted by: Dmitrii Ignatyev
Bounty Awarded: $2,208.00

Technical Details: The Smart Slider 3 plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.5.1.33 via the ‘actionExportAll’ function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

400,000 WordPress Sites Affected by Unauthenticated SQL Injection Vulnerability in Ally WordPress Plugin

Ally – Web Accessibility & Usability <= 4.0.3 – Unauthenticated SQL Injection via URL Path
Submitted by: Drew Webber (mcdruid)
Bounty Awarded: $800.00

Technical Details: The Ally – Web Accessibility & Usability plugin for WordPress is vulnerable to SQL Injection via the URL path in all versions up to, and including, 4.0.3. This is due to insufficient escaping on the user-supplied URL parameter in the `get_global_remediations()` method, where it is directly concatenated into an SQL JOIN clause without proper sanitization for SQL context. While `esc_url_raw()` is applied for URL safety, it does not prevent SQL metacharacters (single quotes, parentheses) from being injected. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via time-based blind SQL injection techniques. The Remediation module must be active, which requires the plugin to be connected to an Elementor account.

30,000 WordPress Sites Affected by Authentication Bypass Vulnerability in Tutor LMS Pro WordPress Plugin

Tutor LMS Pro <= 3.9.5 – Authentication Bypass via Social Login
Submitted by: Phat RiO
Bounty Awarded: $1,502.00

Technical Details: The Tutor LMS Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.9.5 via the Social Login addon. This is due to the plugin failing to verify that the email provided in the authentication request matches the email from the validated OAuth token. This makes it possible for unauthenticated attackers to log in as any existing user, including administrators, by supplying a valid OAuth token from their own account along with the victim’s email address.

Conclusion

WordPress thrives when researchers, vendors, hosts, and site owners pull in the same direction. By funding high-quality research, coordinating responsible disclosure, and shipping firewall rules at scale, Wordfence turns findings into protection for millions of sites. If you’re a researcher, join the program and submit your next report. If you’re a site owner, update early and often, and run Wordfence to stay ahead of emerging threats. If you’re a vendor, sign up for the vulnerability management portal to receive real-time notifications when new vulnerabilities are reported in your software. Together, we make the WordPress ecosystem safer.
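The Ally root cause above is a general WordPress anti-pattern: `esc_url_raw()` makes a value safe as a URL, not as an SQL string literal, because single quotes and parentheses are valid URL characters and survive it. The following is an added example written for this report, not code from the Ally plugin or from Wordfence; the table names, column names and function names are hypothetical. It places the concatenating form beside the corrected form, which binds the value through `$wpdb->prepare()`.

```php
<?php
// Added example, not the Ally plugin's code. Table and column names are
// hypothetical stand-ins for a "remediations joined to pages by URL" query.
// Requires the WordPress runtime (global $wpdb, esc_url_raw()).

/**
 * Vulnerable pattern (for contrast, do not use): the URL has passed
 * esc_url_raw(), so it is a well-formed URL, but it is then concatenated
 * straight into the JOIN condition. esc_url_raw() keeps ' ( ) and similar
 * characters, so a value containing a quote terminates the string literal
 * and the remainder is parsed as SQL.
 */
function get_remediations_for_url_unsafe( wpdb $wpdb, string $url ): array {
    $url = esc_url_raw( $url ); // URL-safe, not SQL-safe
    $sql = "SELECT r.id, r.selector, r.content
            FROM {$wpdb->prefix}a11y_remediations AS r
            JOIN {$wpdb->prefix}a11y_pages AS p
              ON p.id = r.page_id AND p.url = '" . $url . "'";
    return $wpdb->get_results( $sql, ARRAY_A );
}

/**
 * Hardened pattern: the same query with the user-controlled value bound as a
 * %s placeholder via $wpdb->prepare(). The value is escaped for the SQL
 * string context at bind time, so quotes and parentheses stay inside the
 * literal. esc_url_raw() is still applied, but as a URL validity check, not
 * as the SQL control.
 */
function get_remediations_for_url( wpdb $wpdb, string $url ): array {
    $url = esc_url_raw( $url );
    if ( '' === $url ) {
        // esc_url_raw() returns an empty string for input it cannot accept
        // as a URL; treat that as "no matching page" rather than querying.
        return array();
    }
    $sql = $wpdb->prepare(
        "SELECT r.id, r.selector, r.content
         FROM {$wpdb->prefix}a11y_remediations AS r
         JOIN {$wpdb->prefix}a11y_pages AS p
           ON p.id = r.page_id AND p.url = %s",
        $url
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}

// Usage inside a request handler (hypothetical):
// global $wpdb;
// $rows = get_remediations_for_url( $wpdb, (string) ( $_GET['url'] ?? '' ) );
```

The rule this illustrates is that the escaping function must match the sink: URL escaping for a URL sink, HTML escaping for an HTML sink, and `$wpdb->prepare()` (or `$wpdb->esc_like()` plus `prepare()` for `LIKE` patterns) for an SQL sink. When reviewing plugin code, any `esc_url_raw()`, `sanitize_text_field()` or `esc_attr()` result that ends up inside a query string by concatenation is the same finding as the one reported here.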
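The Tutor LMS Pro case above comes down to which value selects the account: the email asserted by the verified OAuth token, or an email the client typed into the request. The following added example is written for this report and is not code from Tutor LMS Pro or from Wordfence; the `$claims` array (the identity the provider returned for an already-validated token) and the function names are hypothetical. It shows the request-trusting form beside a form that resolves the user only from the token's verified email.

```php
<?php
// Added example, not Tutor LMS Pro's code. $claims is a hypothetical array of
// the identity fields the OAuth/OIDC provider returned for a token the plugin
// has already verified with the provider, e.g. ['email' => ..., 'email_verified' => true].
// Requires the WordPress runtime (get_user_by, wp_set_auth_cookie, WP_Error).

/**
 * Vulnerable pattern (for contrast, do not use): the token is checked, but the
 * account to sign in is looked up from the email sent in the request body.
 * The token only proves "someone has an account somewhere"; it is never tied
 * to the email that actually picks the WordPress user.
 */
function social_login_unsafe( array $claims, string $request_email ) {
    if ( empty( $claims['email'] ) ) {
        return new WP_Error( 'invalid_token', 'Token did not carry an identity.' );
    }
    $user = get_user_by( 'email', $request_email ); // client-controlled selector
    if ( ! $user ) {
        return new WP_Error( 'no_user', 'No account for that email.' );
    }
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID );
    return $user;
}

/**
 * Hardened pattern: the request-supplied email is not an input to the account
 * lookup. The user is resolved from the email the provider asserted for the
 * token, and only if the provider marked it verified. If the client also sent
 * an email, a mismatch is refused and logged: there is no legitimate reason
 * for the two to differ, so it is a useful detection signal.
 */
function social_login( array $claims, ?string $request_email = null ) {
    $token_email = isset( $claims['email'] ) ? sanitize_email( (string) $claims['email'] ) : '';
    if ( '' === $token_email || empty( $claims['email_verified'] ) ) {
        return new WP_Error( 'invalid_token', 'Token did not carry a verified email.' );
    }

    if ( null !== $request_email
        && strtolower( sanitize_email( $request_email ) ) !== strtolower( $token_email ) ) {
        error_log( sprintf(
            'social login refused: request email does not match token identity for %s',
            $token_email
        ) );
        return new WP_Error( 'identity_mismatch', 'Submitted email does not match the authenticated identity.' );
    }

    $user = get_user_by( 'email', $token_email ); // derived from the token only
    if ( ! $user ) {
        return new WP_Error( 'no_user', 'No account for the authenticated identity.' );
    }
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID );
    return $user;
}
```

The design point is that every value which chooses the principal must be derived from the authenticated artifact, never from a parallel request field. Binding accounts by a stored provider subject identifier rather than by email alone is stronger still, since it also survives email changes at the provider; the email check shown here is the minimum that closes the bypass described in the report.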
The post Wordfence Bug Bounty Program Monthly Report – March 2026 appeared first on Wordfence .
