Security Policy

If you run your own WordPress installation or are a WordPress developer and believe you have found a security vulnerability in CoCart, this page explains how to report it.

Although we strive to create the most secure products possible, we are not perfect. If you happen to find a security vulnerability in one of our products, we would appreciate letting us know and allowing us to respond before disclosing the issue publicly.

Reporting Security Vulnerabilities

While we try to be proactive in preventing security problems, we do not assume they’ll never come up.

It is standard practice to disclose a security problem to us responsibly and privately before publicizing it, so that a fix can be prepared and the damage from the vulnerability minimized.

What is a “security” issue?

A security issue is a type of bug that can affect the security of WordPress installations.

Specifically, it is a report of a bug that you have found in the CoCart code, and that you have determined can be used to gain some level of access to a site running CoCart that you should not have.

Your site being “hacked” is not, by itself, a security issue. The security issue is how the attacker got in, so a report needs to identify the bug that let them hack the site.

You forgetting your password or losing access to your site is not a security issue. If you lost access through a bug in the CoCart code, then that might be a security issue.

Generally, security issues are complex problems. If you want to report a security issue, then that’s great! You’re in the right place. However, be sure that what you’re reporting is actually a security issue. The experts you are reporting it to are very busy and don’t usually respond to non-security issues.

The security reporting system is NOT for support. Don’t send general problems there.

Where do I report security issues?

For security issues with CoCart plugins, please submit a report to securityreport@cocartheadless.com. Include as much detail as you can.

In all cases, you should not share the details with anyone else until after the fix for the bug has been officially released to the public.

Why are there path disclosures when directly loading certain files?

This is a server configuration problem, not a bug in CoCart: when PHP's display_errors is enabled and a plugin file is requested directly (outside the WordPress bootstrap), PHP prints the resulting error message into the response, and that message includes the file's absolute path. Never enable display_errors on a production site.
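Because a direct request to a plugin file never loads wp-config.php, WordPress-level debug constants do not help here; the setting has to be fixed in PHP's own configuration. The weak and hardened settings side by side, as an added example that is not part of the original policy (the log path is an assumption):

```ini
; Weak: development defaults left on in production. A warning or fatal error
; raised by a directly requested plugin file is printed into the HTTP response,
; exposing the file's absolute path on disk.
display_errors = On
display_startup_errors = On

; Hardened production profile: keep errors out of responses and write them to
; a log that is not served by the web server.
display_errors = Off
display_startup_errors = Off
log_errors = On
error_log = /var/log/php/error.log   ; assumed path, adjust to your host

; Shared hosting without php.ini access: put the same keys in a .user.ini
; beside the site's index.php (PHP-FPM/CGI), or for mod_php in .htaccess:
;   php_flag display_errors off
```

Verify the web SAPI rather than the CLI, since `php -i` reads the CLI's php.ini, which may differ from the one PHP-FPM or mod_php loads.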