Marcin Probola conducted a PHP static code analysis of the top ~1000 WordPress plugins, and the results showed that 103 plugins were vulnerable to at least one vulnerability type (XSS, SQL injection). That is roughly 10 percent! Marcin Probola writes that the scanning results were manually verified in his spare time and delivered to the official firstname.lastname@example.org from 04.07.2015 to 31.08.2015. Most of the reported plugins have already been patched, some have not. Vulnerable plugins that were not patched have already been removed from the official WordPress plugin repository.
You can find Marcin Probola's list here; it is an interesting read. Kudos for this one!
WordPress, in its Codex, provides many functions and a lot of information about input and output sanitization and about hardening WordPress, and plenty of information is freely available on the Internet about secure PHP programming, SQL injection, Cross-Site Scripting (XSS), and so on.
Therefore I don’t understand why so many plugins are written so poorly. Is it time? Money? Knowledge? Functionality? Who knows… Enlighten me! :-)
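To make the point concrete, here is an added example (not code from this post, nor from Marcin Probola's scan or any of the reported plugins) of what the two vulnerability classes in his results typically look like in a plugin, next to the hardened form using the Codex functions mentioned above. The plugin name, shortcode name and query parameter are assumptions for the example; the vulnerable function is shown only for contrast and is deliberately not hooked anywhere.

```php
<?php
/*
Plugin Name: SAOTN Sanitization Example (hypothetical plugin, added for illustration)
*/

// --- Vulnerable form: the pattern a static scan flags ------------------------
// Request data is concatenated straight into SQL (SQL injection) and echoed
// without escaping (reflected XSS). Not hooked anywhere; do not deploy.
function saotn_example_vulnerable_search() {
    global $wpdb;
    $q = $_GET['q'];                                   // untrusted, unsanitized
    $rows = $wpdb->get_results(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_title LIKE '%" . $q . "%'"
    );                                                 // q=' OR 1=1 -- breaks out of the quotes
    echo '<h2>Results for ' . $q . '</h2>';            // q=<script>...</script> is rendered as-is
    foreach ( $rows as $row ) {
        echo '<li>' . $row->post_title . '</li>';
    }
}

// --- Hardened form -----------------------------------------------------------
// Sanitize on input, parameterize the query, escape on output.
function saotn_example_search_shortcode( $atts ) {
    global $wpdb;

    // Input: wp_unslash() undoes WordPress' magic-quotes style slashing,
    // sanitize_text_field() strips tags, octets and line breaks; then cap length.
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    $q = mb_substr( $q, 0, 100 );
    if ( '' === $q ) {
        return '';
    }

    // SQL: $wpdb->prepare() binds the value as a string (%s) and integer (%d);
    // $wpdb->esc_like() escapes "%" and "_" so user input cannot inject wildcards.
    $like = '%' . $wpdb->esc_like( $q ) . '%';
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_title FROM {$wpdb->posts}
             WHERE post_status = 'publish' AND post_title LIKE %s
             LIMIT %d",
            $like,
            20
        )
    );

    // Output: escape for the context being written into: esc_html() for text
    // nodes, esc_url() for href values (esc_attr() would be used for other attributes).
    $out = '<h2>Results for ' . esc_html( $q ) . '</h2><ul>';
    foreach ( $rows as $row ) {
        $out .= sprintf(
            '<li><a href="%s">%s</a></li>',
            esc_url( get_permalink( $row->ID ) ),
            esc_html( $row->post_title )
        );
    }
    return $out . '</ul>';
}
add_shortcode( 'saotn_search', 'saotn_example_search_shortcode' );
```

Two things worth noting: input sanitization does not replace output escaping (a title stored in the database can still carry markup, so `esc_html()` on `$row->post_title` is not optional), and `$wpdb->prepare()` only protects values, not identifiers, which is why the table name comes from `$wpdb->posts` rather than from the request.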