Sysadmins of the North
Don't forget to share this post!

10% WordPress plugins in top ~1000 is vulnerable, a PHP static code analysis shows

Marcin Probola conducted a PHP static code analysis of the top ~1000 WordPress plugins, and the results showed 103 plugins were vulnerable to at least one vulnerability type (XSS, SQL injection). This is roughly 10 percent! Marcin Probola writes that scanning results were manually verified in his spare time and delivered to official from 04.07.2015 to 31.08.2015. Most of reported plugins are already patched, some are not. Vulnerable and not patched plugins are already removed from official wordpress plugin repository.

You can find Marcin Probola list here, which is an interesting read. Kudo’s for this one!

WordPress, on their Codex, provides a lot of functions and information about input & output sanitization, hardening WordPress, and a lot of information is freely available on the Internet about secure PHP programming, SQL injection, Cross Site Scripting (XSS), and so on.

Therefore I don’t understand why so many plugins are written so poorly. Is it time? Money? Knowledge? Functionality? Who knows… Enlighten me! 🙂

About the Author Jan Reilink

My name is Jan. I am not a hacker, coder, developer, programmer or guru. I am merely a system administrator, doing my daily thing at Vevida in the Netherlands. With over 15 years of experience, my specialties include Windows Server, IIS, Linux (CentOS, Debian), security, PHP, WordPress, websites & optimization. Want to support me and donate? Use this link:

follow me on:

Leave a Comment:

Skip to content