
WordPress Plugin Vulnerabilities

Status
Not open for further replies.
I have long been an advocate of using WordPress for content-based sites & blogs whilst using more professional systems or bespoke coding for ecommerce sites, sensitive database sites, or any site dealing with real client transactions etc.

For anyone that is interested, I have posted a link below to a recently published report on the top 50 plugins for WordPress and their (if any) security vulnerabilities.

20% were vulnerable to attacks such as SQL injections and so far over 8 million vulnerable plugins or plugins containing concealed instructions have been downloaded.

http://www.checkmarx.com/wp-content...curity-State-of-WordPress-Top-50-Plugins3.pdf
 
It doesn't actually name the 11 top 50 plugins that still have vulns, although you could guess them from the descriptions and download counts.

I suspect that some of the vulnerabilities can only be exploited if you have access to the admin side. Looking at the list, a few only work on the admin side and others only have inputs on the admin side. Source Code Analysis tends to ignore the context of "only trusted people can actually use this screen".

The general advice it gives is broadly sound but naturally enough for a report from a source code analysis provider it recommends automated source code analysis...
 