According to Wikipedia, 22% of all new websites use the popular WordPress blogging/CMS tool. It has an active community that develops open-source plugins, in both free and premium versions with extra features. The high rate of WordPress adoption, combined with the ease of acquiring community-made plugins that receive no security oversight, has earned it a reputation as a “security ghetto”. Since the majority of plugins are open source and indexed by WordPress, it is trivial to acquire a very large sample of plugins with over 9,000 downloads. The questions we attempt to answer are: what can be learnt from studying all this available source code, and does the open-source nature translate into more secure code, as some people argue?
The presentation will discuss the approach used and the lessons learnt from doing manual static vulnerability analysis in bulk across 1,453 WordPress plugins.