A CNA is an organization that has the authority to assign CVE IDs to vulnerabilities for a defined scope. Wordfence is authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CNA or CVE Numbering Authority. This means that Wordfence can now assign CVE IDs for new vulnerabilities in WordPress Core, WordPress Plugins, and WordPress Themes.
Reporting vulnerabilities to Wordfence for CVE assignment
As a CNA, Wordfence can assign CVE IDs to vulnerabilities in WordPress plugins, themes, and core. This is an important step for Wordfence to further its goal of helping to protect the community of WordPress site owners and developers and the millions of website users who access WordPress every day.
CVE is an international, community-based effort and relies on the community to discover vulnerabilities. Vulnerabilities are discovered, then assigned and published to the CVE List. The mission of the Common Vulnerabilities and Exposures (CVE) Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. There is one CVE Record for each vulnerability in the catalog.
To report a vulnerability in a WordPress plugin, a WordPress theme, or WordPress core to Wordfence, users should reach out to [email protected] with the vulnerability information. The information must include a description of the vulnerability, a proof of concept, the name of the affected software component or the part of WordPress core, the affected version numbers, and the names of the individuals you would like credited for the discovery.
The Wordfence Threat Intelligence team will review the findings and report back within 1-3 business days with a CVE ID assignment or a request for additional information.