Security

WP Staging takes its security seriously. We will do everything in our power to ensure that our users are safe.

This page is intended to provide information about how to report security issues with us, and how they are handled. Additionally, it provides details about reported security issues we have handled in the past.

Reporting a vulnerability

So, you have found a security vulnerability in WP Staging? Please, be sure to responsibly disclose it to us by reporting a vulnerability using GitHub’s Security Advisory.

DO NOT CREATE PUBLIC ISSUES FOR SECURITY VULNERABILITIES!

We are mostly interested in reports by actual WP Staging users that are familiar with the software, but all high quality contributions are welcome. Please do your best to describe a clear and realistic impact for your report.

For the sake of the security of our users, please 🙏 do not make vulnerabilities public without notifying us and giving us at least 90 days to release a fixed version. We will do our best to respond to your report within 7 days and also to keep you informed of the progress of our efforts to resolve the issue. We may not be able to respond as quickly as you would like due to other responsibilities.

If you are going to write about WP Staging’s security, please get in touch, so we can ensure that all claims are correct.

NON-QUALIFYING VULNERABILITIES

We will not accept reports of vulnerabilities of the following types:

  • Reports from automated tools or scanners.
  • Theoretical attacks without proof of exploitability.
  • Attacks that are the result of a third-party application or library (these should instead be reported to the library maintainers).
  • Social engineering.
  • Attacks that require the user to have access to the host system on which WP Staging is installed.
  • Attacks involving physical access to a user’s device, or involving a device or network that is already seriously compromised (for example, an attacker already in a man-in-the-middle position).
  • Attacks that require the user to install other malicious software, such as a third-party integration, add-on, or plugin.
  • Attacks that the user can only perform against their own setup.
  • Privilege escalation attacks for logged-in users. WP Staging assumes every user is trusted and does not enforce user privileges. It assumes every logged-in user has the same access as an owner account.

SUPPORTED VERSIONS

We only accept reports against the latest stable and official versions of WP Staging, or any later versions that are currently in development or in beta testing. The latest version can be found on our GitHub releases page.

We do not accept reports against forks of WP Staging.

SEVERITY SCORING

If you are familiar with CVSS 3.1, please provide the vulnerability score in your report in the form of a vector string. There’s a calculator that can be helpful. If you are unsure how to score a vulnerability, or unable to, state that in your report and we will look into it.

If you intend to provide a score, please familiarize yourself with CVSS first (we strongly recommend reading the Specification and Scoring Guide), as we will not accept reports that use it incorrectly.

PUBLIC DISCLOSURE & CVE ASSIGNMENT

We will publish GitHub Security Advisories, and through those also request CVEs, for valid vulnerabilities that meet the following criteria:

  • The vulnerability is in WP Staging itself, not a third-party library.
  • The vulnerability is not already known to us.
  • The vulnerability is not already known to the public.
  • The vulnerability has a severity of medium or higher; CVEs are not requested below that threshold.

BOUNTIES

As an open source project, WP Staging cannot offer bounties for security vulnerabilities. However, if so desired, we of course will credit the discoverer of a vulnerability.

Past advisories

The following is a list of past security advisories that have been published by the WP Staging project.

2023-11-15: Possible access to the WP Staging cache folder during backup creation.
Severity: High
Detailed information: A malicious user could access sensitive data if they accessed the WP Staging cache folder at the exact moment an automatic backup was being created. This does not expose any database credentials, but an attacker could obtain hashed user credentials. We are not aware of this issue being abused to date.
Discovered by: Dmitrii Ignatyev from cleantalk.org
Fixed in: WP Staging 5.1.3 and 3.1.3 released on November 16, 2023