Zerodium offers up to $300,000 for WordPress vulnerabilities

Prominent vulnerability broker Zerodium says it is temporarily tripling payouts for exploits for WordPress vulnerabilities that enable remote code execution on the latest versions of the CMS.

The company now assesses such vulnerabilities and exploits for them at $300,000 (versus the usual $100,000).

We’re temporarily increasing our payouts for WordPress RCEs to $300,000 per exploit (usually $100K). The exploit must work with latest WordPress, default install, no third-party plugins, no auth, no user interaction! If you have this gem, contact us: https://submit.zerodium.com.Zerodium representatives wrote on their Twitter account.

It is known that the increase in payments will be temporary, but Zerodium has not yet disclosed either the reason for this decision, or the date of the end of this “campaign”.

As with other similar exploits, the WordPress exploit should work on a clean CMS installation with default configuration, without requiring authentication or user interaction for the attack. That is, exploiting vulnerabilities in third-party plugins, no matter how popular and widespread they are, will not work.

Let me remind you that attacks on WordPress plugins are becoming more widespread. I wrote that In the File Manager plugin has been discovered a dangerous vulnerability, which is used by over 700,000 WordPress-based resources and which allows executing commands and malicious scripts on vulnerable sites.

May be also necessary to recall that Wordfence discovered a massive attack on WordPress sites. Attackers are actively looking for WordPress sites that use themes with the Epsilon Framework, which can be vulnerable to a number of function injection problems, and which can ultimately lead to a complete compromise of the resource.

It is worth noting that Zerodium offers the highest payouts for RCE exploits targeting Windows ($1,000,000) and exploits that can give an attacker full control over mobile devices ($2,500,000 for Android and $2,000,000 for iOS).

Let me also remind you that on Twitter, a well-known vulnerability broker, Zerodium, reported that the company would not buy new exploits for vulnerabilities in iOS.

Sending
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

Leave a Reply

Sending

This site uses Akismet to reduce spam. Learn how your comment data is processed.