
CVE Timeline

  • Report submitted: 2nd August, 2025
  • Report validated: 4th August, 2025
  • CVE Assigned: Sept 22, 2025

Public Disclosure


This was one of my first CVEs, and I can't express in words how it felt when I finally reached the day I had been waiting for for so many years.


Steps to Reproduce

  1. Download the source code of the latest version.
  2. Go to the file ……..php
  3. Search for the juicy stuff.

Visual Studio Code Search


It depends on the triager. Most of the time they will ask you to provide a PoC (a small Python script that reproduces it automatically) and to state exactly what it impacts: confidentiality of what? Availability of what? Integrity of exactly which component? You also need to prove professionally how it impacts someone who uses this vulnerable plugin.

Because 95% of the time they are demo keys, expired keys, not production keys, etc.
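The two technical points above (grep the plugin tree for hardcoded keys, then decide whether each hit is a demo/placeholder value or one a triager should actually look at) as an added example; this is my own illustration, not the original post's script, and the regexes, the placeholder heuristics and the sample PHP are constructed assumptions:

```python
"""Audit a WordPress plugin tree for hardcoded credential-looking literals.

Constructed example: the patterns and placeholder heuristics are assumptions,
not the original post's method or any CNA's triage rule.
"""
import re
from pathlib import Path

# Constant/variable names that usually hold secrets.
SECRET_NAME = re.compile(r"api[_-]?key|secret|token|password|passwd", re.I)
# define( 'NAME', 'value' )  and  $name = 'value'  (single or double quotes).
DEFINE_RE = re.compile(r"""define\(\s*['"](?P<name>\w+)['"]\s*,\s*['"](?P<value>[^'"]*)['"]""")
ASSIGN_RE = re.compile(r"""\$(?P<name>\w+)\s*=\s*['"](?P<value>[^'"]*)['"]""")
# Values that are obviously demo/placeholder material rather than live keys.
PLACEHOLDER = re.compile(r"xxx+|your[_-]?|change[_-]?me|example|demo|test|placeholder|<[^>]+>", re.I)


def classify(value: str) -> str:
    """'placeholder' for empty, short or demo-looking values, 'candidate' otherwise."""
    if len(value) < 12 or PLACEHOLDER.search(value):
        return "placeholder"
    return "candidate"


def scan_text(text: str, path: str = "<memory>") -> list[dict]:
    """One finding per secret-named literal: file, line, name, classification.
    The literal value itself is deliberately not copied into the finding."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rx in (DEFINE_RE, ASSIGN_RE):
            for m in rx.finditer(line):
                if SECRET_NAME.search(m.group("name")):
                    findings.append({"file": path, "line": lineno, "name": m.group("name"),
                                     "kind": classify(m.group("value"))})
    return findings


def scan_plugin(root: str) -> list[dict]:
    """Walk a plugin directory and scan every .php file."""
    results = []
    for php in sorted(Path(root).rglob("*.php")):
        results.extend(scan_text(php.read_text(encoding="utf-8", errors="ignore"), str(php)))
    return results


# Constructed sample plugin file (not from any real plugin).
SAMPLE_PHP = """<?php
// constructed sample
define( 'ACME_API_KEY', 'your-api-key-here' );
define( 'ACME_API_SECRET', 'a1b2c3d4e5f6a7b8c9d0e1f2' );
$mailer_password = 'p@ssw0rd-change-me';
$plugin_version = '1.2.3';
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_PHP, "acme/acme.php"):
        print(f"{f['file']}:{f['line']} {f['name']} -> {f['kind']}")
```

Only the `candidate` hits are worth the triager's time; the `placeholder` ones are the demo/expired material the text says get rejected.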

Other CNAs, like Wordfence, won't accept it. And you need to read the rules and guidelines carefully, because they are updated regularly and the scope gets narrowed down.

Yes, this is expected in general and I don't complain at all! They asked me to contact the vendor directly myself, but I won't report it because most of them have no clue what ethical security research and disclosure are. They think I am …….


I did, and I can… give the PoC directly, but actually it's not directly within the scope, meaning I am not fetching data from a site using this plugin but from this WordPress developer's account, where indirectly the sites using this plugin have their data. I hope you get what I want to say here.

So I always write the script in such a way that I only fetch or exfil data from the dev account and never modify or delete anything. I report it as affecting confidentiality only; later the developer or plugin vendor will come and say themselves how it affects integrity and availability, and in those cases the severity gets raised.

Shoutout to a top CNA like Patchstack, who understood that it's a valid vulnerability even though this class isn't generally considered for a CVE, or only in rare cases depending on context and impact.

Source: LinkedIn Public Posts

CVE Assigned


August 2025 Top 10 CVE Hunter

Only Indian on the leaderboard for that month (among disclosed ones). This felt like a true international competition:

  • Total reports for that month: 26 (i.e. 26 CVEs in total)
  • Total points accumulated: 138+
  • Bounty eligible?: YES

This month I truly regained trust in the compounding effect. Many years without a single CVE, and now 26 CVEs within 20 days.


No one gave me any opportunity, no one guided me, no one helped me. Still, sitting on the leaderboard feels like a next-level dopamine hit 🤘 after facing many defeats.


💲 Bounty finalized: $466.25


Bounty received: mid-September

Earlier I was a little depressed, as I had been trying since March 2025. Making myself comfortable with the new CVE hunting mindset and the WordPress ecosystem itself took around 6 months :)

Understanding the system architecture is always important. There is no syllabus in bug bounty …. hehe … hehe…😁😁 It's a big ocean!

Patchstack is one of the best CNAs because they even paid the extra $466.25 - $450 = $16.25 to take care of the transaction fees, etc.

Bug bounty via source code review? 0-day? CVE?

That was back in August 2025. Below is my current (March) ranking.

From unemployed to Top 40 CVE Hunter (WP Ecosystem) internationally

wordfence.com/threat-intel/vulnerabilities/researchers/abhirup-konwar

  • Total CVEs owned: 213 (only disclosed ones)
  • Undisclosed: 50+ approx.

I have a few high-severity ones as well, but I forgot which ones those were PTO. Still, nothing matches the feeling of that first CVE accomplishment 😁


Myths are meant to be broken. This is the real hacking 🤘

Can you use AI? Yes, but only if you have the knowledge to triage and eliminate the 99% of results that are hallucinated. Instead of reviewing those, I go manual and deep to understand the business context of the software.

Good luck .... we will meet again in another article, "How I went from nobody to somebody in another cybersecurity niche", hopefully in the future 🤗


📧 Would you like to get your WordPress plugin/theme codebase audited by me?

Ping me at: LegionHunter1337[@]proton[.]me