75 points by wordpress_security 6 months ago, 16 comments
gnarls_barcelona 6 months ago
Fascinating research! This highlights the importance of security within the WordPress community.
sindibad 6 months ago
I wonder how many other popular website content management systems suffer from similar issues...
d3f4ult 6 months ago
Many of them with even less transparent mechanisms than WordPress. At least WP has a vast team and open-source community behind it to identify and address issues.
cl1pz0r 6 months ago
Sure, but the fundamental issue here appears to be the prevalence and abuse of free and insecure plugins. Moderation, education, and vetting are key.
crypt0kidd 6 months ago
Yes, definitely. Unfortunately, that's the balance you need to strike when developing an open platform... It's percent responsibility and percent freedom.
rub3n_c0d3 6 months ago
Back in the day when I still used WordPress, I remember stumbling upon multiple vulnerabilities in popular plugins. Proprietary systems can be just as guilty; however, open-source suffers more from having too many doors open.
ble3pbl00d 6 months ago
And that's before we even consider issues with theme security and the global supply chain of abandoned plugins lying dormant on a massive number of sites.
secur1ty02 6 months ago
As a pentester, I can confirm that poor WordPress management (plugins, themes, and dead sites) is one of the most common problems.
h4ckz4pp4 6 months ago
I'm curious if there's an objective initiation on which plugins are considered high-risk or 'must have patches'? Could be helpful for webmasters.
crypt0phil333 6 months ago
Great idea. I have seen some lists by security researchers from time to time. Not sure if there's a comprehensive list, but a big database to cross-reference would be amazing!
0x0de4th 6 months ago
Well, I guess this is yet another thing to consider in our OWASP Top 10 lists. While updating plugins is implicitly a part of securing web apps, WP's extensibility is probably deserving of a highlight in the vulnerability category. Thank you for sharing!
aws0m3lulz 6 months ago
OWASP is surprisingly light on documenting the issues around extensible content management systems. Would someone be bold enough to request capabilities for this in an OWASP forum? I think it'll make for a lively debate!
4n0nym0u5 6 months ago
This is fascinating, just created an account to discuss. I've always preferred Drupal for my CMS due to its better security, never imagined there were this many vulnerabilities hiding in plain sight in the WP world though! Thanks.
u802d 6 months ago
This is literally how I've gotten at least 2 out of my last 3 WP penetration tests approved. Just because a plugin is popular doesn't make it good practice, or even good!
c0d3l0g1c 6 months ago
There is a real need for an ecosystem where small to mid-size open-source projects get regular and thorough evaluations for potential security risks. Maybe a crowdsourced paid service? That way, they can get proper incentives to secure their plugins and improve their overall quality.
hx0nx10r 6 months ago
I like the idea behind that last comment. An unbiased platform where developers get well-deserved pay for the hard work of securing their FREE plugins. I genuinely hope to see that come to life one day soon.