
Security: lusky3/bulk-plugin-installer-for-wordpress

.github/SECURITY.md

Security Policy

Supported Versions

Version | Supported
1.x     | supported

Reporting a Vulnerability

If you discover a security vulnerability in Bulk Plugin Installer, please report it responsibly.

Do not open a public GitHub issue for security vulnerabilities.

Instead, please email the maintainers directly at the email address listed in the plugin header or use GitHub's private vulnerability reporting.

What to include

  • A description of the vulnerability
  • Steps to reproduce the issue
  • The potential impact
  • Any suggested fixes (optional)

What to expect

  • Acknowledgment within 48 hours
  • A fix timeline within 7 days for critical issues
  • Credit in the release notes (unless you prefer to remain anonymous)

Security Measures

This plugin follows WordPress security best practices:

  • All AJAX handlers verify nonces with wp_verify_nonce()
  • All endpoints check user capabilities with current_user_can()
  • Multisite-aware capability checks (manage_network_plugins in Network Admin)
  • File uploads are validated for ZIP format, path traversal, symlinks, and zip bombs
  • File paths are validated against the expected upload directory (prevents path traversal)
  • All user input is sanitized and escaped before output
  • Database queries use prepared statements via $wpdb->prepare()
  • No direct filesystem calls — operations use WordPress APIs
  • Uploaded plugin data is sanitized per field before processing
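To make the nonce, capability and upload-path measures above concrete, here is an added example of an AJAX handler applying them (illustrative code, not the plugin's own); the action name bpi_install_plugin, the nonce action bpi_install, the bpi/ subdirectory and the helper function names are hypothetical, and the ZIP-specific checks (format, symlinks, zip bombs) are left as a marked step.

```php
<?php
// Added illustration of the nonce, capability and path checks listed above.
// Not the plugin's own code; action, nonce and helper names are hypothetical.

/** Multisite-aware capability: manage_network_plugins in Network Admin, else install_plugins. */
function bpi_required_capability( $is_multisite, $is_network_admin ) {
    return ( $is_multisite && $is_network_admin ) ? 'manage_network_plugins' : 'install_plugins';
}

/**
 * True only if $candidate resolves to a location strictly inside $base_dir.
 * realpath() collapses "../" segments and follows symlinks, so a path that merely
 * starts with the base string but points elsewhere on disk is rejected.
 */
function bpi_path_within_dir( $candidate, $base_dir ) {
    $base = realpath( $base_dir );
    $real = realpath( $candidate );
    if ( false === $base || false === $real ) {
        return false;
    }
    $base = trailingslashit( wp_normalize_path( $base ) );
    $real = wp_normalize_path( $real ) . '/';
    return $real !== $base && 0 === strpos( $real, $base );
}

add_action( 'wp_ajax_bpi_install_plugin', 'bpi_handle_install' );

function bpi_handle_install() {
    // check_ajax_referer() wraps wp_verify_nonce() and dies with -1 if the nonce is missing or stale.
    check_ajax_referer( 'bpi_install', 'bpi_nonce' );

    // Capability check runs after the nonce check, so both must pass before any work happens.
    $cap = bpi_required_capability( is_multisite(), is_network_admin() );
    if ( ! current_user_can( $cap ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Sanitize the user-supplied file name, then confine the resulting path to the upload directory.
    $name      = sanitize_file_name( wp_unslash( $_POST['file'] ?? '' ) );
    $uploads   = wp_upload_dir();
    $base_dir  = trailingslashit( $uploads['basedir'] ) . 'bpi'; // hypothetical staging subdirectory
    $candidate = trailingslashit( $base_dir ) . $name;
    if ( '' === $name || ! bpi_path_within_dir( $candidate, $base_dir ) ) {
        wp_send_json_error( array( 'message' => 'Invalid file path.' ), 400 );
    }

    // ZIP format, symlink and zip-bomb inspection of $candidate would follow here.
    wp_send_json_success( array( 'file' => basename( $candidate ) ) );
}
```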
