
Wordpress Plugin Vulnerabilities

Discussion in 'Wordpress' started by Aegean, Jul 24, 2013.

Thread Status:
Not open for further replies.
  1. Aegean

    Aegean Active Member

    Joined:
    Feb 2011
    Posts:
    752
    Likes Received:
    16
    I have long been an advocate of using WordPress for content-based sites and blogs, whilst using more professional systems or bespoke coding for ecommerce sites, sensitive database sites, or any site dealing with real client transactions etc.

    For anyone who is interested, I have posted a link below to a recently published report on the top 50 plugins for WordPress and their security vulnerabilities (if any).

    20% were vulnerable to attacks such as SQL injection, and so far over 8 million vulnerable plugins, or plugins containing concealed instructions, have been downloaded.

    http://www.checkmarx.com/wp-content...curity-State-of-WordPress-Top-50-Plugins3.pdf
     
  3. PaulGregory

    PaulGregory Active Member

    Joined:
    Jun 2013
    Posts:
    230
    Likes Received:
    2
    It doesn't actually name the 11 top-50 plugins that still have vulns, although you could guess them from the descriptions and download counts.

    I suspect that some of the vulnerabilities can only be exploited if you have access to the admin side. Looking at the list, a few only work on the admin side and others only have inputs on the admin side. Source code analysis tends to ignore the context of "only trusted people can actually use this screen".

    The general advice it gives is broadly sound but naturally enough for a report from a source code analysis provider it recommends automated source code analysis...
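To make the two points in this thread concrete (the SQL injection finding in the report, and the "only trusted people can reach this screen" context that a scanner ignores), here is an added illustration in the form of a small WordPress plugin fragment. It is not code from the thread, from the Checkmarx report, or from any plugin the report reviewed. It assumes a WordPress runtime; the table name `example_items`, the action name `example_admin_search` and the use of the `manage_options` capability are assumptions for illustration. The first function shows the pattern a source code analyser flags; the second shows the same screen with the trust boundary written into the code (capability check and nonce) and the query parameterised, so the finding is fixed rather than argued away.

```php
<?php
/*
 * Plugin Name: Example Admin Search
 * Description: Added illustrative code (not from the thread or the report).
 *              Assumes WordPress; table, action and capability names are
 *              assumptions for illustration.
 */

// VULNERABLE pattern (what a scanner reports): the search term is
// interpolated straight into SQL. "Only admins can reach this screen" is
// not a fix: a request that rides an admin's logged-in session (CSRF) or a
// compromised account that can load the page still supplies $_GET['term'].
function example_admin_search_vulnerable() {
    global $wpdb;
    $term = $_GET['term']; // untrusted input, no quoting
    $sql  = "SELECT id, title FROM {$wpdb->prefix}example_items "
          . "WHERE title LIKE '%$term%'";
    return $wpdb->get_results( $sql );
}

// HARDENED pattern: authorisation, CSRF token, then a prepared statement.
function example_admin_search_hardened() {
    global $wpdb;

    // 1. Authorisation: the screen is for trusted users only, so check the
    //    capability in code instead of relying on the menu entry being hidden.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF protection: the request must carry a nonce issued to this user
    //    for this action (emitted on the form side with wp_nonce_field()).
    check_admin_referer( 'example_admin_search' );

    // 3. Input handling: normalise the string, escape LIKE wildcards, and let
    //    $wpdb->prepare() do the quoting. %s and %d are the only
    //    placeholders needed here.
    $term = isset( $_GET['term'] )
        ? sanitize_text_field( wp_unslash( $_GET['term'] ) )
        : '';
    $like = '%' . $wpdb->esc_like( $term ) . '%';

    $sql = $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}example_items "
        . "WHERE title LIKE %s LIMIT %d",
        $like,
        50
    );
    return $wpdb->get_results( $sql );
}

// Expose only the hardened handler. admin-post.php routes
// ?action=example_admin_search here for logged-in users; the capability and
// nonce checks above then decide whether the request is honoured.
add_action( 'admin_post_example_admin_search', 'example_admin_search_hardened' );
```

The point of keeping both versions side by side is that the hardened one makes the "admin only" assumption explicit and verifiable: a reviewer (or a scanner with a rule for `current_user_can` and `check_admin_referer`) can see the boundary, and the `$wpdb->prepare()` call removes the injection regardless of who reaches the screen.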
     