I discovered a critical authentication bypass vulnerability in a WordPress plugin with 700,000+ active installations. Complete admin account takeover with no requirements. I reported it exclusively to Wordfence during a bonus period when this vulnerability type was worth $16,000, maintained confidentiality for weeks, and followed every rule in their bug bounty program.
They validated it. Assigned CVE-2025-12127. Called it "fantastic research." Then paid me $0.
Here's how they violated their own terms to do it.
What Happened
After validating my report, Wordfence started having "internal discussions" about whether the vulnerability was in the plugin or an external API the plugin used. After 19 days of waiting, they told me they were considering their "web services" exclusion clause.
When I pushed back, Wordfence explicitly told me:
"We do have a clause in section 2.b.iv for web services associated with a plugin or theme being out-of-scope, but we will not treat this as out-of-scope."
Wordfence praised my "fantastic research" and asked for patience while they waited for the vendor's fix.
I waited. I maintained confidentiality. I did everything they asked.
Then they marked it "Out of Scope" anyway.
The $16,000 That Disappeared
Here's what makes this even worse: I submitted this vulnerability during one of Wordfence's promotional bonus periods. Authentication Bypass to Admin vulnerabilities in high-installation plugins were eligible for enhanced rewards — up to $16,000 for this exact type and impact level.
I timed my submission specifically to take advantage of this bonus period. This wasn't just about earning a standard bounty — this was a potential $16,000 payout that Wordfence was actively promoting to incentivize researchers.
So let's be clear about what happened: Wordfence ran a promotion offering up to $16k for exactly the type of vulnerability I found, I delivered exactly what they asked for during the promotional period, they validated it and assigned a CVE, then they found a way to pay me nothing.
The Critical Fact: The Vulnerability Was In The Plugin
The plugin's authentication logic relied on a single integer returned by an API call. No validation. No verification. Just trust whatever number comes back and grant admin access accordingly.
That's not an API vulnerability. That's a plugin vulnerability. The flawed design decision was made by the plugin developers. The vulnerable code was in the plugin. The security failure was in the plugin.
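The pattern described above, as an added illustration rather than the affected plugin's code (the post does not name the plugin): a login path that trusts a bare integer from a non-local API, beside a hardened variant that authenticates the response, binds it to a nonce the site generated, and resolves it through a locally stored link instead of using it as a WordPress user ID. The endpoint URL, option names and meta key are hypothetical.

```php
<?php
// Added illustration, not the affected plugin's code. Weak pattern from the post:
// a single integer from a remote API is used directly as the user to log in.
function weak_remote_login( string $token ) {
    $resp    = wp_remote_get( 'https://vendor.example/api/verify?token=' . rawurlencode( $token ) ); // hypothetical endpoint
    $user_id = (int) wp_remote_retrieve_body( $resp ); // no validation of the body at all
    wp_set_auth_cookie( $user_id );                    // a response body of "1" logs in the first admin
}

// Hardened variant: response is signed over a per-request nonce, validated, and
// mapped to a locally linked account; elevated accounts need an explicit opt-in.
function hardened_remote_login( string $token ) {
    $secret = get_option( 'myplugin_vendor_hmac_secret' ); // hypothetical option, set at link time
    $nonce  = wp_generate_password( 32, false );           // fresh per request, defeats replay
    $resp   = wp_remote_post( 'https://vendor.example/api/verify', array(
        'body'    => array( 'token' => $token, 'nonce' => $nonce ),
        'timeout' => 5,
    ) );
    if ( empty( $secret ) || is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        return new WP_Error( 'vendor_unreachable', 'Verification failed.' );
    }
    $data = json_decode( wp_remote_retrieve_body( $resp ), true );
    if ( ! is_array( $data ) || empty( $data['subject'] ) || empty( $data['sig'] )
        || ( $data['nonce'] ?? '' ) !== $nonce ) {
        return new WP_Error( 'bad_response', 'Verification failed.' ); // shape and nonce checked before trust
    }
    // Signature covers nonce and subject, so a forged or replayed body is rejected.
    $expected = hash_hmac( 'sha256', $nonce . '|' . $data['subject'], $secret );
    if ( ! hash_equals( $expected, (string) $data['sig'] ) ) {
        return new WP_Error( 'bad_signature', 'Verification failed.' );
    }
    // Resolve the remote subject through a link stored in user meta when the
    // account was connected; the remote value is never treated as a user ID.
    $users = get_users( array(
        'meta_key'   => 'myplugin_vendor_subject', // hypothetical meta key
        'meta_value' => (string) $data['subject'],
        'number'     => 1,
    ) );
    if ( empty( $users ) ) {
        return new WP_Error( 'unlinked', 'Verification failed.' );
    }
    $user = $users[0];
    if ( user_can( $user, 'manage_options' ) && ! get_option( 'myplugin_allow_admin_sso', false ) ) {
        return new WP_Error( 'admin_blocked', 'Verification failed.' ); // no remote path to admin by default
    }
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID, false, is_ssl() );
    return $user->ID;
}
```

Every failure branch returns the same generic message so the remote side learns nothing about which check tripped, and the admin gate means a compromised vendor service still cannot mint an administrator session.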
Why Section 2.b.iv Doesn't Apply (And They Know It)
Let me quote their terms exactly:
"Any web service associated with a WordPress plugin or theme that is not run locally (such as an API running on a plugin vendor's website) is considered out of scope."
This clause is clearly designed to exclude vulnerabilities IN THE WEB SERVICE ITSELF — bugs in the vendor's API endpoint, server configuration, or backend infrastructure.
It was never intended to exclude plugin vulnerabilities just because the plugin happens to make an API call.
What Their Terms Actually Say
Their terms explicitly list "Authentication Bypass to Admin" as IN-SCOPE under Section 2.A.i (High Threat Vulnerabilities) for plugins with 25+ installations.
My vulnerability:
- Was Authentication Bypass to Admin ✓
- Plugin had 700,000+ installations ✓
- Exploitable without authentication ✓
- Validated by Wordfence ✓
- Assigned CVE-2025-12127 ✓
According to their published terms, this should have been paid. Period.
The Broken Promise
Even if there were ambiguity (there wasn't), Wordfence explicitly promised: "we will not treat this as out-of-scope."
That wasn't a casual comment. That was a direct commitment made to keep me in their process while I maintained confidentiality and couldn't submit elsewhere.
Then they broke that promise.
Why This Matters
This isn't about the money alone. It's about:
Bait and Switch: They validated it, assigned a CVE, praised it, promised it was in-scope, then changed their mind.
Weaponized Confidentiality: Their terms required I submit ONLY to them and maintain confidentiality. I did. This prevented me from going to other bug bounty platforms. They used this to trap me in their process while finding reasons not to pay.
Arbitrary Enforcement: They're stretching a clause beyond any reasonable interpretation to deny payment on a clearly in-scope vulnerability that's explicitly listed in their terms.
Violation of Their Own Terms: According to their published scope, my vulnerability qualified. They just decided not to honor it.
What I Lost
- The bounty I should have received
- Weeks of time maintaining confidentiality
- The opportunity to submit to other platforms
- Trust in Wordfence's program
What the WordPress community got: 700,000 websites protected from complete compromise. For free.
For Other Researchers
Don't make my mistake. Wordfence's program has fatal flaws:
- Their published terms mean nothing — they'll retroactively reinterpret them
- Their promises mean nothing — "we will not treat this as out-of-scope" was a lie
- Any external API call involved in a vulnerability gives them an excuse to deny payment
Find bug bounty programs that actually honor their commitments and apply their terms consistently.
The Bottom Line
I reported an Authentication Bypass to Admin vulnerability — explicitly listed as in-scope in their terms — affecting 700,000 websites during a $16,000 bonus period. Wordfence validated it, assigned it a CVE, promised it wouldn't be out of scope, then marked it out of scope anyway using a clause that clearly doesn't apply.
They violated their own terms. They broke their explicit promise. And they left me with nothing after I protected nearly a million websites.
Bug bounty programs only work with trust. Wordfence destroyed that trust.