WP STAGING – WordPress Backup, Restore, Migration & Clone / 4.1.1
SECURITY.md
## Reporting a Vulnerability

WP Staging, being a major backup plugin in the WordPress environment,
prioritizes its security immensely. Acknowledging that complete coverage of all
security aspects is challenging, we encourage our users and the security
community to directly communicate any security-related discoveries to us.
This article will guide you on submitting your reports,
the applicable guidelines, and the rewards you can expect for your contributions.

You can find the latest version of this document at
[https://wp-staging.com/submit-a-security-report-for-wp-staging/](https://wp-staging.com/submit-a-security-report-for-wp-staging/)

| Severity | Reward |
| ------------ | ----------|
| Critical | $800 |
| High | $400 |
| Medium | $200 |
| Low | $100 |
| Informative | - |

The severity is based on the [CVSS (Common Vulnerability Scoring System)](https://www.first.org/cvss/calculator/3.0).
When submitting your security report, make sure to include a calculation of the CVSS.
The reward table provides general guidelines, and all final decisions are at the discretion of WP Staging.

## The premises / scope of this program

The scope of this reward program is the latest version of our plugins. Specifically:

- WP Staging free version
- WP Staging Pro version

The scope of this program does not extend to any other products or services related to WP Staging,
including the WP Staging website and customer portal. However, if you do come across a significant
security issue within these areas, we strongly encourage you to inform us.

## Issues that are out of scope

- WP Staging version number disclosure.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
- Theoretical vulnerabilities where you can’t demonstrate a significant security impact with a Proof of Concept.
- Users with administrator or editor privileges can post arbitrary JavaScript.
- Output from automated scans – please manually verify issues and include a valid Proof of Concept.
- Not following security best practices – without a working Proof of Concept.

## How to get a copy of our plugins for testing

You can get WP Staging free version from wordpress.org at
https://wordpress.org/plugins/wp-staging/

If you want to get WP Staging Pro for security testing, please contact us at support [at] wp-staging.com, providing a plan of what you are going to do.

## Conditions and rules

Ensure your reports are detailed and include step-by-step procedures that can be easily followed. Reports that lack sufficient detail for issue reproduction will not qualify for a reward.

Each report should focus on a single vulnerability, unless demonstrating the impact requires chaining multiple vulnerabilities.

In cases of duplicate submissions, a reward will be given only to the first received report that can be fully reproduced.

If multiple vulnerabilities stem from a single root cause, they may be considered as one for the purposes of reward eligibility.

When conducting tests that might affect systems or services not owned by you, the tester, it is crucial to prioritize privacy, data integrity, and service continuity. Avoid any actions that might compromise these aspects. Interactions should be limited to accounts you own or those where you have received explicit consent from the account holder.

## Disclosure Policy

Please do not discuss any vulnerabilities (even resolved ones) without express consent.

## Submit Your report

If you identify a security concern that complies with the guidelines and scope of this project, kindly forward your findings to us at support @ wp-staging.com. In your email, please ensure you cover the following points:

- Your assessment of the CVSS score, utilizing the [provided calculator](https://www.first.org/cvss/calculator/3.0).
- An explanation of the potential impact of the problem.
- A comprehensive walkthrough detailing the steps to replicate the issue.
- The email address associated with your WP Staging account that you used for registration.

## After Your Report

Our team is committed to addressing security reports with the utmost diligence and will aim to achieve the following response goals:

- Initial response time (after receiving the report) – within 3 business days
- Time to assess and categorize the report (from the time of submission) – within 10 business days
- Time to determine and issue a bounty (following the assessment phase) – within 10 business days

Throughout this process, we will ensure that you are regularly updated on our progress.