Reports in the Automattic program:

| S.No | Title | Bounty |
|---|---|---|
| 1 | [bbPress] Stored XSS in any forum post. | $0.0 |
| 2 | WooCommerce: Support Ticket indirect object reference | $0.0 |
| 3 | Follow Button XSS | $0.0 |
| 4 | cloudup Subdomain Takeover That resolves to Desk.com ( CNAME cloudup.desk.com ) | $0.0 |
| 5 | An Automattic employee's GitHub personal access token exposed in Travis CI build logs | $0.0 |
| 6 | CPU utilization 99% on visiting wordpress site url & open redirect found | $0.0 |
| 7 | SSRF and local file disclosure in https://wordpress.com/media/videos/ via FFmpeg HLS processing | $0.0 |
| 8 | XSS Vulnerability in WooCommerce Product Vendors plugin | $0.0 |
| 9 | Timing attack woocommerce, simplify commerce gateway | $0.0 |
| 10 | Object Injection in Woocommerce / Handle PDT Responses from PayPal | $0.0 |
| 11 | Unauthenticated RCE in Vaultpress | $0.0 |
| 12 | woocommerce - prevent_caching() bug / bypass | $0.0 |
| 13 | https://secure.gravatar.com | $0.0 |
| 14 | xss filter bypass [polldaddy] | $0.0 |
| 15 | Invalidate session after password reset on https://polldaddy.com | $0.0 |
| 16 | [app.simplenote.com] Stored XSS via Markdown SVG filter bypass | $0.0 |
| 17 | Persistent Cross-Site Scripting in WooCommerce WordPress plugin | $0.0 |
| 18 | Stored XSS Using Media | $0.0 |
| 19 | Improper markup sanitization. | $0.0 |
| 20 | Lazy Load stored XSS | $0.0 |
| 21 | [Simplenote for Windows] Client RCE via External JavaScript Inclusion leveraging Electron | $0.0 |
| 22 | [public-api.wordpress.com] Stored XSS via Crafted Developer App Description | $0.0 |
| 23 | Crafted frame injection leading to form-based UI redressing. | $0.0 |
| 24 | Improper markup sanitisation in Simplenote Android application. | $0.0 |
| 25 | wpjobmanager - unserialize of user input | $0.0 |
| 26 | Remote Code Execution in Wordpress Desktop | $0.0 |
| 27 | Stored XSS in www.learnboost.com via ZIP codes. | $0.0 |
| 28 | Stored XSS in learnboost.com via the lesson[goals] parameter. | $0.0 |
| 29 | Wordpress.com REST API oauth bypass via Cross Site Flashing | $0.0 |
| 30 | RCE via Print function [Simplenote 1.1.3 - Desktop app] | $0.0 |
| 31 | Multiple File Manipulation bugs in WP Super Cache | $0.0 |
| 32 | [FG-VD-19-022] Wordpress WooCommerce Cross-Site Scripting Vulnerability Notification | $0.0 |
| 33 | No Rate Limit on CrowdSignal Polls when Adding Comment | $0.0 |
| 34 | DOM based XSS in the WooCommerce plugin | $0.0 |
| 35 | WooCommerce: Persistent XSS via customer address (state/county) | $0.0 |
| 36 | Wordpress VIP leaks email of the test a/c | $0.0 |
| 37 | Insufficient DKIM record with RSA 512-bit key used on WordPress.com | $0.0 |
| 38 | Authentication Bypass - Chaining two vulnerabilities leads to account takeover at en.instagram-brand.com | $0.0 |
| 39 | Cross Domain leakage of sensitive information - Leading to Account Takeover at Instagram Brand | $0.0 |
| 40 | Captcha bypass for the most important function - At en.instagram-brand.com | $0.0 |
| 41 | Broken Authentication - Security token gets captured via man in the middle attack | $0.0 |
| 42 | Gaining unlimited bonus points on websites with WooCommerce Points and Rewards | $0.0 |
| 43 | No rate limit on app.crowdsignal.com (Finish quiz) | $0.0 |
| 44 | Disclosure of 152 cookie names via crafted input | $0.0 |
| 45 | Stored Self XSS on https://app.crowdsignal.com (in Photo Insert App) + Stored XSS on https://your-subdomain.survey.fm | $0.0 |
| 46 | Stored XSS vulnerability in comments on *.wordpress.com | $0.0 |
| 47 | [IDOR] Attacker user can Approve/Decline AFK on the behalf of other users | $0.0 |
| 48 | Arbitrary File Download as Shopmanager | $0.0 |
| 49 | Stored XSS in Jetpack's Simple Payment Module by Contributors / Authors | $0.0 |
| 50 | WooCommerce Blacklist in 'map_meta_cap' leads to Privilege Escalation of Shopmanagers | $0.0 |
| 51 | Authenticated Code Execution through Phar deserialization in CSV Importer as Shop manager in WooCommerce | $0.0 |
| 52 | Follow by email allows for following by unverified emails | $0.0 |
| 53 | Theme Assets uploader allows HTML content | $0.0 |
| 54 | Stored XSS in wordpress.com | $0.0 |
| 55 | Modify account details by exploiting clickjacking vulnerability on refer.wordpress.com | $0.0 |
| 56 | Denial of service to WP-JSON API by cache poisoning the CORS allow origin header | $0.0 |
| 57 | Stored XSS in assets.txmblr.com | $0.0 |
| 58 | [tumblr.com] 69< Firefox Only XSS Reflected | $0.0 |
| 59 | DOM-Based XSS in tumblr.com | $0.0 |
| 60 | Denial-of-service By Cache Poisoning The Cross-Origin Resource Sharing Misconfiguration Allow Origin Header | $0.0 |
| 61 | [api.tumblr.com] Exploiting clickjacking vulnerability to trigger self DOM-based XSS | $0.0 |
| 62 | Rate Limit Misconfiguration on tumblr login. | $0.0 |
| 63 | Stored XSS on app.crowdsignal.com + your-subdomain.survey.fm via Embed Media | $0.0 |
| 64 | Stored XSS on https://app.crowdsignal.com/surveys/[Survey-Id]/question - Bypass | $0.0 |
| 65 | IDOR leads to Edit Anyone's Blogs / Websites | $0.0 |
| 66 | Site-wide CSRF at Atavist | $0.0 |
| 67 | IDOR when editing email leads to Account Takeover on Atavist | $0.0 |
| 68 | Captcha checker "pd-captcha_form_SURVEYID" cookie is accepting any value | $0.0 |
| 69 | Can buy Atavist Magazine subscription for free | $0.0 |
| 70 | Reflected XSS on an Atavist theme at external_import.php | $0.0 |
| 71 | Reflected XSS at /category/ on an Atavist theme | $0.0 |
| 72 | Reflected XSS on an Atavist theme | $0.0 |
| 73 | IDOR at 'media_code' when adding media to questions | $0.0 |
| 74 | Users can bypass page restrictions via Export feature at "Share" feature in CrowdSignal | $0.0 |
| 75 | IDOR when moving contents at CrowdSignal | $0.0 |
| 76 | No Email Checking at Invitation Confirmation Link leads to Account Takeover without User Interaction at CrowdSignal | $0.0 |
| 77 | IDOR when editing users leads to Account Takeover without User Interaction at CrowdSignal | $0.0 |
| 78 | No Rate Limit when accessing "Password protection" enabled surveys leads to bypassing passwords via "pd-pass_surveyid" cookie | $0.0 |
| 79 | Permanent DoS with one click. | $0.0 |
| 80 | [api.tumblr.com] Denial of Service by cookies manipulation | $0.0 |
| 81 | Email Verification bypass on signup | $0.0 |
| 82 | Able to comment/view in others support ticket at https://en.instagram-brand.com/requests/dashboard | $0.0 |
| 83 | Sql injection on docs.atavist.com | $0.0 |
| 84 | GET /api/v2/url_info endpoint is vulnerable to Blind SSRF | $0.0 |
| 85 | XSS in Email Input [intensedebate.com] | $0.0 |
| 86 | [tumblr.com] CSRF in /svc/user/filtered_content | $0.0 |
| 87 | Tab nabbing via window.opener.location (target "_blank") | $0.0 |
| 88 | SQL Injection Union Based | $0.0 |
| 89 | [intensedebate.com] SQL Injection Time Based On /js/commentAction/ | $0.0 |
| 90 | [intensedebate.com] SQL Injection Time Based on /changeReplaceOpt.php | $0.0 |
| 91 | SQL Injection intensedebate.com | $0.0 |
| 92 | [intensedebate.com] XSS Reflected POST-Based | $0.0 |
| 93 | [intensedebate.com] No Rate Limit On The report Functionality Lead To Delete Any Comment When it is enabled | $0.0 |
| 94 | [intensedebate.com] XSS Reflected POST-Based on update/tumblr2/{$id} | $0.0 |
| 95 | Permanent DoS at https://happy.tools/ when inviting a user | $0.0 |
| 96 | Reflected XSS in https://www.intensedebate.com/js/getCommentLink.php | $0.0 |
| 97 | Unauthenticated access to webmail at maildev.happytools.dev leading to compromised wordpress site api.happytools.dev [RCE] | $0.0 |
| 98 | DOM-Based XSS in tumblr.com | $0.0 |
| 99 | [intensedebate.com] Open Redirect | $0.0 |
| 100 | [sub.wordpress.com] - XSS when adjust block Poll - Confirmation Message - On submission:Redirect to another webpage - Redirect address:[xss_payload] | $0.0 |
| 101 | Stored XSS in Intense Debate comment system | $0.0 |
| 102 | Non-changing "_idnonce" value leads to CSRF on accounts at https://intensedebate.com for account takeover | $0.0 |
| 103 | Stored XSS in wordpress.com | $0.0 |
| 104 | information disclosure lead to disclose users private notes | $0.0 |
| 105 | Ability to subscribe to inactive Post+ creators | $0.0 |
| 106 | SSRF & Blind XSS in Gravatar email | $0.0 |
| 107 | De-anonymize anonymous tips through the Tumblr blog network | $0.0 |
| 108 | Stored XSS on the "www.intensedebate.com/extras-widgets" url at "Recent comments by" module with malicious blog url | $0.0 |
| 109 | Reflected XSS due to vulnerable version of sockjs | $0.0 |
| 110 | Site information's Display Name section vulnerable for XSS attacks and HTML Injections. | $0.0 |
| 111 | Sensei LMS IDOR to send message | $0.0 |
| 112 | Unauthenticated Private Messages Disclosure via wordpress Rest API | $0.0 |
| 113 | XSS and HTML Injection on the pressable.com search box | $0.0 |
| 114 | IDOR able to buy a plan with lesser fee | $0.0 |
| 115 | IDOR in API applications (able to see any API token, leads to account takeover) | $0.0 |
| 116 | Stored XSS in intensedebate.com via the Comments RSS | $0.0 |
| 117 | Archived / Deleted / Private Poll Can Be Viewed by Another Users [Crowdsignal WordPress plugins] | $0.0 |
| 118 | Akismet API keys are exposed by authentication method | $0.0 |
| 119 | Stored XSS on app.crowdsignal.com your-subdomain.crowdsignal.net via Thank You Header | $0.0 |
| 120 | Stored XSS on wordpress.com | $0.0 |
| 121 | Stored XSS on wordpress.com | $0.0 |
| 122 | Entering passwords on the Share Login Page can lead to a brute-force attack | $0.0 |
| 123 | reflected xss in https://wordpress.com/start/account/user | $0.0 |
| 124 | Authentication bypass on JetPack SSO manager - Allows to access the administration panel of wordpress without user interaction | $0.0 |
| 125 | DOM XSS on multiple Automattic domains through postMessages | $0.0 |
| 126 | Authentication & Registration Bypass in Newspack Extended Access | $0.0 |
| 127 | Authentication & Registration Bypass in Newspack Extended Access | $0.0 |