[LUG] WordPress security was Re: Chromium Browser

On 2015-08-18 15:46, Simon Avery wrote:

> I totally agree with that as a general principle - same principle when people say WordPress is insecure. It's not - but many of its plugins are!

Well, judging by recent updates, WordPress core still has some issues.

I've found a few security issues in WordPress plugins, but I've not found any in core, although I must have missed one by a narrow margin, as I was poking at shortcodes quite hard as it felt a bit "shaky", but I missed the hole that was fixed in 4.2.3.

I predict there will be more WordPress core issues like the above found. I also doubt it is fully secure from authenticated users who can author content, e.g. privilege escalation.

For plugins, we are running at a ~10% hit rate for XSS issues easily detected by automated tools with no manual intervention (other than crossing off the false positives - sigh), although not all are easy to exploit. Tempted to automate this step, but clearly it is harder than it looks or others would have done it.

That should give one pause for thought before installing yet another plugin, especially if it lets untrusted third parties edit content in various ways.

That said I still run WordPress, but where it matters it is layered with various controls to mitigate issues (especially XSS), and we test the plugins we use.

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
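The post above talks about catching plugin XSS with automated tools and then crossing off false positives by hand. The following is an added example, not code from the post, from the D&C LUG, or from any WordPress project: a deliberately crude source-to-sink check for reflected XSS in WordPress plugin PHP. It flags a request superglobal (`$_GET`, `$_POST`, ...) reaching `echo`/`print`/`<?=` unless the value is wrapped in one of the WordPress escaping or sanitising helpers, and it follows taint through simple variable assignments. The sample plugin text is constructed for the example; the helper names in `WP_ESCAPERS` are real WordPress/PHP functions, but the choice of which ones count as "safe" is this example's assumption.

```python
import re
from typing import Dict, List, Set

# Escaping / sanitising helpers treated as neutralising a tainted value.
# Which helpers belong here is an assumption of this example; a real
# scanner must also care about context (HTML body vs attribute vs URL).
WP_ESCAPERS: Set[str] = {
    "esc_html", "esc_attr", "esc_url", "esc_js", "esc_textarea",
    "wp_kses", "wp_kses_post", "sanitize_text_field",
    "intval", "absint", "htmlspecialchars",
}

SOURCE_RE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\s*\[")
VAR_RE = re.compile(r"\$[A-Za-z_]\w*")
ASSIGN_RE = re.compile(r"^\s*(\$[A-Za-z_]\w*)\s*=(?!=)\s*(.*?);")
SINK_RE = re.compile(r"^\s*(?:echo|print)\b|<\?=")


def enclosing_call(text: str, pos: int) -> str:
    """Name of the innermost function call whose argument list contains
    text[pos], or '' when the position is not inside any call."""
    depth = 0
    for i in range(pos - 1, -1, -1):
        ch = text[i]
        if ch == ")":
            depth += 1
        elif ch == "(":
            if depth == 0:
                m = re.search(r"([A-Za-z_]\w*)\s*$", text[:i])
                return m.group(1) if m else ""
            depth -= 1
    return ""


def unescaped_taint(line: str, tainted: Set[str]) -> List[str]:
    """Tainted expressions in `line` (superglobal reads or variables already
    known to carry request data) that are not wrapped by an escaper."""
    found: List[str] = []
    for m in SOURCE_RE.finditer(line):
        if enclosing_call(line, m.start()) not in WP_ESCAPERS:
            found.append(m.group(0).rstrip("[").strip())
    for m in VAR_RE.finditer(line):
        name = m.group(0)
        if name in tainted and enclosing_call(line, m.start()) not in WP_ESCAPERS:
            found.append(name)
    return found


def scan_php(src: str) -> List[Dict[str, object]]:
    """One-pass, line-oriented taint check. Returns a finding for every sink
    line that outputs an unescaped request value, directly or via a variable.
    Comment-only lines are skipped; everything else is a heuristic and will
    produce false positives that still need a human to cross off."""
    tainted: Set[str] = set()
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(src.splitlines(), start=1):
        if line.strip().startswith(("//", "#", "*", "/*")):
            continue
        assign = ASSIGN_RE.match(line)
        if assign:
            lhs, rhs = assign.groups()
            if unescaped_taint(rhs, tainted):
                tainted.add(lhs)          # request data flows into lhs
            else:
                tainted.discard(lhs)      # reassigned from a clean/escaped value
            continue
        if SINK_RE.search(line):
            exprs = unescaped_taint(line, tainted)
            if exprs:
                findings.append({"line": lineno, "exprs": exprs, "code": line.strip()})
    return findings


# Constructed sample plugin source, not a real plugin.
SAMPLE_PLUGIN = r"""<?php
// constructed sample, not a real plugin
add_shortcode('greet', 'greet_shortcode');
function greet_shortcode() {
    $name = sanitize_text_field($_POST['name']);
    echo "<p>Hello " . esc_html($name) . "</p>";   // fine: sanitised then escaped
    $q = $_GET['q'];
    echo "<input value=\"$q\">";                   // unescaped tainted variable
    echo '<a href="' . esc_url($_GET['u']) . '">'; // fine: esc_url
    print $_REQUEST['msg'];                        // unescaped superglobal
    $q = esc_attr($q);
    echo "<input value=\"$q\">";                   // fine: reassigned from esc_attr
}
?>
<?= $_COOKIE['theme'] ?>
"""

if __name__ == "__main__":
    for f in scan_php(SAMPLE_PLUGIN):
        print(f"line {f['line']}: unescaped {', '.join(f['exprs'])}  ->  {f['code']}")
```

Running it on the sample reports lines 8, 10 and 15 and stays quiet on the escaped outputs. The false-positive side the post complains about is visible in the design: a `$var` inside a string literal, a helper the scanner does not know about, or escaping done on a different line than the sink all look the same to a check this simple, which is why the manual cross-off step is hard to remove.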