Plugin Directory Vulnerability Reporting Guidelines

If you discover a security issue with a plugin listed in the ClassicPress Plugin Directory, we encourage responsible and reasonable disclosure of the security issue. Therefore, please do not publicly release details of the issue anywhere, as this can lead to an increase in people being hacked and rarely speeds up resolution of the issue.

The first step in reporting a security issue with a plugin is to contact the developer via their standard support channels or by sending a direct message to them on the forum. In your report, please include the following:

  • a clear and concise description of the security issue;
  • a link to the specific plugin in the ClassicPress Plugin Directory; and
  • details of who validated the security issue.

It is also recommended to include links to any public disclosures on third-party sites.

If you do not receive an acknowledgement from the developer within 72 hours, the second step in reporting a security issue is to email the details listed above to [email protected].

The Plugin Directory moderators will attempt to make contact with the plugin developer to get the issue resolved. The plugin may be closed to prevent new downloads until the issue is resolved. You might not receive any notifications of progress until a fix has been released.