We release patches for security vulnerabilities for the following versions:
| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |
We take the security of Notion2WP seriously. If you have discovered a security vulnerability, please report it to us as described below.
- Do not open a public GitHub issue for security vulnerabilities
- Do not disclose the vulnerability publicly until it has been addressed
-
Report via GitHub Security Advisories
- Go to the Security tab
- Click "Report a vulnerability"
- Provide detailed information about the vulnerability
-
Include in Your Report
- Type of vulnerability (e.g., XSS, SQL injection, CSRF)
- Full paths of source file(s) related to the vulnerability
- Location of the affected source code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
-
Expected Response Time
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Fix Timeline: Depends on severity (see below)
- Response: Immediate
- Fix: Within 24-48 hours
- Examples: Remote code execution, authentication bypass
- Response: Within 24 hours
- Fix: Within 7 days
- Examples: SQL injection, privilege escalation
- Response: Within 48 hours
- Fix: Within 30 days
- Examples: XSS, CSRF
- Response: Within 7 days
- Fix: Within 90 days
- Examples: Information disclosure, minor security issues
- Never share your Notion integration token
- Store integration tokens securely (WordPress will handle this)
- Rotate tokens regularly if compromised
- Use WordPress security best practices
- Keep WordPress core updated
- Keep Notion2WP plugin updated
- Use strong admin passwords
- Enable two-factor authentication
- Use HTTPS for your WordPress site
- Limit plugin installations to trusted sources
- Only grant necessary permissions to your integration
- Review connected pages regularly
- Use internal integrations (not public) when possible
- Monitor integration usage in Notion settings
- Keep PHP version updated (7.4+ required)
- Enable WordPress debug logging only in development
- Restrict file permissions appropriately
- Use secure hosting environment
-
Authentication
- Secure token storage in WordPress database
- WordPress nonce verification for all AJAX requests
- Capability checks for admin operations
-
Data Handling
- Input sanitization using WordPress functions
- Output escaping to prevent XSS
- Prepared statements for database queries (via WordPress API)
-
API Security
- HTTPS required for Notion API calls
- Token sent via secure Authorization header
- No token exposure in client-side code
-
WordPress Integration
- Follows WordPress coding standards
- Uses WordPress security APIs
- Capability-based access control
- Integration tokens are stored in WordPress database (encrypted via WordPress)
- Requires WordPress admin access for configuration
- Depends on WordPress security measures
When we receive a security vulnerability report, we will:
- Confirm Receipt: Acknowledge receipt within 48 hours
- Assess Severity: Evaluate the vulnerability and assign severity
- Develop Fix: Create and test a patch
- Release Update: Publish security update
- Public Disclosure: After patch release, we will:
- Credit the reporter (unless anonymity requested)
- Publish security advisory
- Update CHANGELOG with security fix details
Security updates will be:
- Released as soon as safely possible
- Clearly marked as security releases in changelog
- Announced via GitHub releases and security advisories
- Backward compatible when possible
For security concerns that don't qualify as vulnerabilities, you can:
- Open a GitHub Discussion
- Email: (Add your email if you want to provide one)
We appreciate security researchers who help keep Notion2WP secure. With your permission, we will:
- Credit you in the security advisory
- List you in our security acknowledgments
- Thank you in the release notes
Thank you for helping keep Notion2WP and our users safe!