Splashing around in the shallow end: My adventure into Bug Bounty Hunting
tldr; Reported ~300 vulns in WordPress plugins and themes, made about ~$27k. Have made some of my write-ups public and am working on a WordPress hacking workshop as an introduction to bug bounty.
Intro
I’ve been interested in bug bounty hunting for a long time but never thought I’d be able to actually do it. I am weirdly passionate about source code review and I enjoy playing CTFs and developing exploits, but most bug bounty programs seem to require a black-box or closed-source skillset, right?
Nope! At the end of last year, my friend GoatSniff pointed out that there are two companies, Patchstack and Wordfence, that pay bounties for vulnerabilities in WordPress plugins and themes. WordPress extensions are pretty infamous for how easy it is to find vulnerabilities in them. With my background in Application Security, I decided to try hunting for bugs based on common developer mistakes, optimistic that I could find a few things.
Now that the first half of the year is over, I wanted to share some of my successes and talk about my methodology a little bit. So here it is, my adventure splashing around in the shallow end of bug bounty hunting.
Starting off was tough. It’s easy to get overwhelmed by the sheer number of WordPress plugins (~8,300) and themes (~930) with more than 1,000 installs, which is generally the minimum to be in scope for these bug bounty programs. Additionally, many private plugins are also in scope, even though they are not hosted on WordPress.org.
I started off jumping between lots of different plugins and themes, thinking there was nothing left to find and that someone else had already discovered all the good bugs. After a while of frustrating bouncing around, I stumbled upon one plugin with some really suspicious-looking code that I just couldn’t look away from. So I took some time and did a deep dive to understand wtf was going on and how it functioned. This resulted in my first bug: a really complicated exploit chain that eventually led to remote code execution (RCE). The exploit took a few days to write, but thankfully most vulnerabilities are nowhere near this difficult to develop!
After that, I didn’t find another bug for about a month. I thought I had peaked and I was unlikely to find much more. But I started spending time learning about WordPress functions and as I gained more experience, I started finding more and more vulnerabilities. Now it’s a few months later and I’ve reported a crazy amount and have an ever-increasing list of leads to follow up on.
Results: 2024 Half 1 (Jan - June)
So how have I done this year so far?
- $23,000 Wordfence (~180 reports)
- $3,000 Patchstack (~100 reports)
- $1,000 External Programs (4 reports)
Which totals to $27,000. That’s pretty decent, but it averages to only about $90 per report. However, that number is skewed downwards by a large number of low-effort, low-reward reports which I found using some custom automation. I plan to release some blog posts and maybe some tooling on this in the future.
Also, it didn’t quite qualify for my half 1 results, but WPScan (owned by Automattic) have just (re)launched their WordPress plugins and themes bug bounty program as invite-only. Their bounty payouts are more competitive, but their requirements are >50k installs and stored XSS or higher impact. Shortly after signing up I was lucky enough to find a qualifying vulnerability and was the first person to be awarded a bounty! Unfortunately their T&Cs forbid talking about the bounty amounts.
Methodology: Hunt, Hack, Cash, Repeat
As you can see, I’ve been quite successful in finding vulnerabilities in WordPress plugins and themes. I’ve had a few people message me to ask about my methodology, and I talked about it a little bit in my interview with Patchstack, but the long and short of it is:
- Hunt - Think up some vulnerable code and find it
- Hack - Exploit the code, write it up
- Cash - Get paid
- Repeat - Automate the shit out of it
I started writing this out in more detail here, but it got waaaay too long, so I’ve decided to split it into its own blog post. Coming soon.
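To make the "Hunt" and "Repeat" steps concrete, here is an added example of the kind of static check you can automate over a plugin's source: find every `wp_ajax_` / `wp_ajax_nopriv_` action registration, locate the handler function, and flag handlers that reach a sensitive sink without a nonce check or a capability check (a very common WordPress developer mistake). This is illustration code written for this page, not the author's tooling and not part of any real plugin; the `SAMPLE_PLUGIN` source, the `acme_*` function names and the sink list are constructed assumptions. The brace-matching is deliberately naive (it ignores braces inside strings and comments), so treat the output as leads to review by hand, not as confirmed findings.

```python
import re

# Constructed sample plugin source for the demo (hypothetical "acme" plugin).
# acme_save_settings does things right; acme_export is reachable by
# unauthenticated users (wp_ajax_nopriv_) and has neither a nonce nor a
# capability check before writing an option and reading a user-controlled path.
SAMPLE_PLUGIN = r'''<?php
add_action( 'wp_ajax_acme_save_settings', 'acme_save_settings' );
add_action( 'wp_ajax_nopriv_acme_export', 'acme_export' );
add_action( 'wp_ajax_acme_export', 'acme_export' );

function acme_save_settings() {
    check_ajax_referer( 'acme_settings', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden' );
    }
    update_option( 'acme_settings', wp_unslash( $_POST['settings'] ) );
    wp_send_json_success();
}

function acme_export() {
    update_option( 'acme_export_path', $_POST['path'] );
    echo file_get_contents( $_POST['path'] );
    wp_die();
}
'''

# add_action( 'wp_ajax[_nopriv]_<action>', '<handler>' ) with a string callback.
HOOK_RE = re.compile(
    r"add_action\s*\(\s*['\"](wp_ajax_(?:nopriv_)?[\w-]+)['\"]\s*,\s*['\"](\w+)['\"]"
)
NONCE_RE = re.compile(r"\b(?:check_ajax_referer|check_admin_referer|wp_verify_nonce)\s*\(")
CAP_RE = re.compile(r"\bcurrent_user_can\s*\(")

# Assumed list of state-changing / file-touching sinks worth a closer look.
SINKS = (
    "update_option", "delete_option", "wp_delete_post", "wp_update_user",
    "file_get_contents", "file_put_contents", "unlink", "move_uploaded_file",
)


def function_body(src: str, name: str):
    """Return the body of `function name(...) { ... }` using naive brace matching."""
    m = re.search(r"\bfunction\s+" + re.escape(name) + r"\s*\(", src)
    if not m:
        return None
    start = src.find("{", m.end())
    if start == -1:
        return None
    depth = 0
    for j in range(start, len(src)):
        if src[j] == "{":
            depth += 1
        elif src[j] == "}":
            depth -= 1
            if depth == 0:
                return src[start + 1:j]
    return None  # unbalanced braces: give up on this handler


def scan(src: str):
    """Map every AJAX hook to its handler and report missing nonce/cap checks."""
    findings = []
    for hook, handler in HOOK_RE.findall(src):
        body = function_body(src, handler)
        if body is None:
            continue  # method callbacks or missing functions are out of scope here
        has_nonce = NONCE_RE.search(body) is not None
        has_cap = CAP_RE.search(body) is not None
        sinks = [s for s in SINKS if re.search(r"\b" + s + r"\s*\(", body)]
        findings.append({
            "hook": hook,
            "handler": handler,
            "nopriv": hook.startswith("wp_ajax_nopriv_"),
            "has_nonce": has_nonce,
            "has_cap": has_cap,
            "sinks": sinks,
            # A lead worth writing up: a sink reachable without both checks.
            "flagged": bool(sinks) and not (has_nonce and has_cap),
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_PLUGIN):
        marker = "!!" if f["flagged"] else "ok"
        who = "unauthenticated" if f["nopriv"] else "authenticated"
        print(f"{marker} {f['hook']} -> {f['handler']}() [{who}] "
              f"nonce={f['has_nonce']} cap={f['has_cap']} sinks={f['sinks']}")
```

Pointed at a real plugin directory you would walk every `.php` file, concatenate or scan each in turn, and sort the flagged rows with `nopriv` handlers first, since those are reachable by anyone who can hit `admin-ajax.php`. A flagged row is only a lead: the handler may be gated by a wrapper function the regex does not see, so the "Hack" step of confirming it in a local install still has to happen before anything gets reported.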
Public Write-ups
If you’d like to see how I write stuff up, good news! I’ve released a selection of reports from my publicly disclosed vulnerabilities and put them on GitHub, along with some other WordPress hacking resources:
Please let me know if you find these useful and would like more of them! You can hit me up on twitter or find me on discord.
Summary
While it still feels like I’m splashing around in the shallow end compared to the big hitters reporting their massive bug bounty payouts on social media, I’m super proud of what I’ve achieved. I hope to motivate others to start their own adventures in bug bounty hunting.
Speaking of which, I’ll be running a WordPress hacking workshop at BSides Bristol, and hopefully at some other conferences too! Here’s the summary:
Peace!