wycks
I have documented approximately 428 plugins on .org that have had exploitable code since 2011 on my hobby site.
The vast majority of these are updated/fixed; if they contain SQL/PHP exploits they are generally removed immediately upon notification. I can attest to that.
These are only plugins that have been reported due to a security list with PoCs; the real number of unreported or zero-day ones is a huge percentage higher. The reason is simple: very few people do professional-grade security audits on their websites.
Some facts:
1. Exploit PoCs are added automatically to exploit tools (wpscan, metasploit, etc.). This creates serious "ease of use".
2. The reported exploits are scanned en masse by bots; by en masse I mean in the tens of millions of requests and probably more.
3. WordPress sites are exploited because of some of these plugins, especially File Inclusion and SQL injection.
4. XSS is by far the most common exploit and is becoming a much more prevalent tactic; it now accounts for most black hat website activities.
I also agree with toscho: GitHub is a safer place because the code is easier to read, easy to fork/fix, and the social aspect of it creates exposure.