Zerodium, a company that buys security exploits to then resell to government entities, tripled its price for WordPress Remote Command Execution (RCE) exploits.

In a tweet sent out on Friday, April 9th, Zerodium announced that they had temporarily tripled the price they pay out to security researchers for WordPress RCE exploits. Increasing the payout from $100,000 to $300,000.

What does this mean for the security of WordPress?

The exploit market, just like any other market, works on the basic principles of supply and demand. A price increase must also mean that there is more demand than there is a supply of WordPress RCE exploits.

This could indicate that WordPress is becoming more secure and that it is getting harder to find the critical security issues that buyers want. On the other hand, we must also assume that these types of exploits already exist and are already being actively sold on Zerodium and other similar platforms.

We could also conclude that if a government is going to pay more than $300,000 on a WordPress RCE exploit, that they intend to use it. World governments may even barter over the exploits so that the seller, in this case, Zerodium, gets the best price.

According to the tweet:

The exploit must work with latest WordPress, default install, no third-party plugins, no auth, no user interaction!

With WordPress having such a large presence on the web, an exploit against WordPress Core with those characteristics would be devastating to the web as a whole if it landed in the wrong hands. Let’s hope that a government with your best interests in mind are the highest bidder!

To protect against such an attack, a defence in depth security strategy must be implemented to attempt to prevent it. This should include a Web Application Firewall (WAF), logging, WordPress hardening and WordPress security plugins.

It is also worth noting that Zerodium was mentioned in the PHP Git server hack just a few weeks ago.