Zerodium has announced today an increased interest in exploits for the WordPress content management system that achieve remote code execution.
The exploit acquisition platform is now enticing exploit developers and sellers with a $300,000 payout, three times more than the regular price.
The company announced in a tweet today that the current is temporary, without revealing an expiration date or a reason for this decision.
Exploit developers or sellers incited by the new payout should consider the eligibility terms as Zerodium is willing to pay for code that works with the latest version of WordPress.
As is the case with premium exploits, this one should work on a clean installation of WordPress with the default configuration without requiring authentication or user interaction.
This means that leveraging bugs in third-party plugins, no matter how popular and widespread, makes the exploit ineligible.
BleepingComputer reached out to Zerodium for further information regarding this announcement and will update the article when we get it.
Zerodium is one of the best-known exploit brokers on the market, either by developing them in-house or acquiring them from developers.
The company is looking for premium zero-day exploits and is open about the payouts it offers, being the first in this business to publish a pricing chart the year it launched.
Over the years, Zerodium has expanded the list of products, acquiring exploits not just for operating systems and web browsers but also for web servers, email servers, web panels and apps, as well as research and techniques related to certain technologies (WiFi/Baseband, antivirus, routers/IoT, Tor deanonymization, mitigation bypasses).
The broker also updated its payouts and announced larger bounties for Android zero-day exploits than for iOS. Those prices still stand, with the price for Android full chain with persistence zero-click exploits reaching up to $2.5 million, compared to the $2 million for the iOS equivalent.