WordPress plugin vulnerabilities – four 0days

It’s a known fact that plugins are the weak spot in the security of WordPress. Even though the developer guide dedicates a full chapter on plugin security, it’s no guarantee that developers follow these guidelines. It’s not even guaranteed that plugin creators are professional developers. In fact, anybody can create a plugin and share it on wordpress.org/plugins.

How are these plugins verified? The developer FAQ indicates that a manual code review is done:

What happens after submission?What happens after submission?

You will get an automated email telling you about the submission immediately. At that point, someone will manually download and review your code. If we find no issues with the security, documentation, or presentation, your plugin will be approved. If we determine there are issues, you will receive a second email with details explaining what needs to be fixed.

However, consider this:

  • Currently there are 55,000 plugins available in the directory
  • Most plugins require an update after each update of the WordPress core (monthly)
  • WordPress is free software

How much time/budget do you think WordPress is able to allocate to review your custom Holiday Photo Slider plugin?


A little experiment

I wanted to find out how easy it would be to find vulnerabilities in WordPress plugins. So I downloaded around 30 random plugins (with a minimal active user count of >10.000) and start looking at the code.

  • I found 4 zero day vulnerabilities
    • 3x XSS
    • 1x CSV injection
  • The vulnerable plugins often had ugly badly written code
  • In one case, the rips-scanner was able to spot the vulnerability

As expected, the manual code review done by WordPress is insufficient. When even an automatic scan can find vulnerabilities, I’m wondering if they do any review at all.

Details and exploit code are available on exploit-db:

Leave a Comment