[WEB SECURITY] Security of plugins for WordPress

MustLive mustlive at websecurity.com.ua
Sat Nov 21 16:32:32 EST 2009


Hello participants of Mailing List.

There many engines for web sites and many of them support plugins. And
vulnerabilities happen not only in engines, but also in plugins for them. I
want to tell you about different vulnerabilities in plugins for WordPress
(which is widespread engine).

In my post Security of plugins for WordPress
(http://websecurity.com.ua/3397/) this August I made a summary about all
vulnerabilities in plugins for WordPress, which I found during 2006-2009.

In this list 135 different vulnerabilities are mentioned in 20 plugins for
WordPress. Including Cross-Site Scripting, Insufficient Anti-automation,
Cross-Site Request Forgery, Directory Traversal, Arbitrary File Deletion,
Denial of Service, Full path disclosure, Insufficient Authorization,
Information Leakage, Abuse of Functionality, HTTP Response Splitting, SQL
Injection and CRLF Injection vulnerabilities.

Most posts mentioned in the list are on Ukrainian (so use Google Translate),
but some of them are on English - posts from my Month of Bugs in Captchas
(MoBiC) project (http://websecurity.com.ua/category/mobic/), which I made in
2007. So take care of your plugins for WP and web sites which use them.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua


----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA



More information about the websecurity mailing list