Summer of Pwnage, a Dutch community program for anyone interested in software security, is focusing on WordPress for its current open source security bug hunting event. The community program hosts meetups and workshops on the weekend where anyone from “enthusiastic beginners to the 1337est hackers” is welcome to share findings and demonstrate skills and exploits.
The goal of the community event is to contribute to the security of widely used open source software projects, and participants are strongly encouraged to responsibly disclose vulnerabilities to the authors of the original code. WordPress and its thousands of plugins are the target for this month, which organizers call “a bug hunter’s paradise.”
The Summer of Pwnage July 2016 findings include dozens of vulnerabilities discovered in popular WordPress plugins. So far, 18 vulnerabilities have been fixed by the plugin authors, and more than 40 others are currently in the reporting stage.
This week Ninja Forms, which has more than 600,000 active installs, issued a security release that fixed multiple Cross-Site Scripting (XSS) vulnerabilities discovered by Summer of Pwnage participants. The bug hunters also discovered an XSS vulnerability in WooCommerce (active on over a million installs), which was subsequently patched.
Security updates are also available for other popular plugins as a result of the program’s efforts, including Paid Memberships Pro, WP Fastest Cache, Easy Forms for MailChimp, and others. The list of reported vulnerabilities includes a link describing each one and is updated frequently as plugin authors release patches.
Summer of Pwnage is hosted at Securify, a software security company. Organizers provide participants with VMs and set them loose hunting bugs. The event’s focus is sharing knowledge and teaching others, and it has been highly beneficial to the WordPress community so far.
With WordPress plugin vulnerabilities so plentiful, even within the top professionally supported plugins, it would be great to see a niche conference or virtual event focused on security with a contributor day. WordPress needs more guardians spread across the community who can specialize in contributing back in this way. Educational events like Summer of Pwnage demonstrate how successful this kind of event can be at hunting down serious vulnerabilities in the software that millions of people use every day.