Attention WordPress plugin developers! Here’s an opportunity to sharpen your skills. Back in April, Jon Cave created a learning exercise, asking developers to review an intentionally vulnerable plugin that he created. Cave loaded this plugin up with a range of common security vulnerabilities that you might find out in the wild.
The plugin is located here: https://gist.github.com/joncave/5348689
If you want to attempt the challenge, make sure to read Cave’s original post first. He warns, “Please remember not to run this plugin on any server that is accessible to the internet!” The idea is to look for the vulnerabilities, make notes on each problem you find, and come up with patches that fix them.
When you’re ready, you can find the answers in Jon Cave’s follow-up post: How to Fix the Intentionally Vulnerable Plugin. He explains each vulnerability in detail and lets you know how it can be fixed.
The Intentionally Vulnerable Plugin is full of rotten code that will help you to learn about performing security reviews as well as how to fix vulnerabilities in your own plugins. If you’re coming up on some holiday free time, this might be a fun little challenge to take on.