Please do not report security vulnerabilities through public GitHub issues.
If you discover a security vulnerability within GatherPress, please send an email to plugin@gatherpress.org. All security vulnerabilities will be promptly addressed.
When reporting a vulnerability, please include:
- Type of issue (e.g., SQL injection, XSS, authentication bypass, etc.)
- Full paths of source file(s) related to the manifestation of the issue
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
- Initial Response: Within 48 hours, we will acknowledge receipt of your vulnerability report
- Status Update: Within 7 days, we will send a more detailed response indicating the next steps
- Fix Timeline: We aim to release a security patch within 30 days of the initial report, depending on complexity
- Disclosure: We follow responsible disclosure practices and will coordinate with you on the disclosure timeline
- Security updates are released as soon as possible after a vulnerability is confirmed
- Critical vulnerabilities receive immediate attention and emergency releases
- Security releases will be clearly marked in release notes
- Users will be notified through the WordPress.org plugin repository update system
When using GatherPress, we recommend:
- Keep Updated: Always run the latest version of GatherPress
- WordPress Core: Keep WordPress core updated to the latest version
- PHP Version: Use a supported PHP version (7.4 or higher recommended)
- Access Control: Limit administrative access to trusted users only
- Backups: Maintain regular backups of your WordPress site
- HTTPS: Always use HTTPS for production sites
- File Permissions: Follow WordPress recommended file permission settings
GatherPress follows WordPress coding standards for:
- Input sanitization using WordPress sanitization functions
- Output escaping for all user-generated content
- Prepared statements for all database queries
- Nonce verification for all form submissions
GatherPress respects WordPress capability checks:
- Event management requires appropriate WordPress capabilities
- RSVP functionality is restricted based on event settings
- Administrative functions require administrator capabilities
GatherPress uses the following third-party libraries:
- WordPress block editor packages (maintained by WordPress core team)
- Leaflet for map functionality
- Moment.js for date/time handling
We monitor these dependencies for security updates and update them promptly when security patches are released.
GatherPress undergoes:
- Automated security scanning via SonarCloud
- Code quality checks with PHPStan and ESLint
- Manual security reviews for all major releases
- Community security audits through open-source collaboration
For security concerns, please email: plugin@gatherpress.org
For general questions, please use our GitHub Issues.
We appreciate the security research community and will acknowledge security researchers who responsibly disclose vulnerabilities (unless you prefer to remain anonymous).