
Security vulnerabilities in WordPress (3 posts)

  1. dsdaas
    Member
    Posted 1 month ago #

    My client did a source code review with Fortify. The below vulnerabilities flagged as present in WordPress core:

    Critical - 6812
    High - 3241
    Medium - 3558
    Low - 3262

    Most of the critical errors flagged are: Cross-Site Scripting: Persistent & Cross-Site Scripting: Reflected

    Other:
    Command Injection
    Dangerous File Inclusion
    Dynamic Code Evaluation: Code Injection
    Open Redirect
    Password Management: Hardcoded Password
    Password Management: Password in HTML Form
    Path Manipulation
    Privacy Violation: Heap Inspection
    SQL Injection
    System Information Leak

    How do I answer the client? Any 3rd party information on this that supports my case that WordPress is not vulnerable?

  2. Daniel Cid
    Member
    Posted 1 month ago #

    I have not even read the full report and I can guarantee they are all false positives.

    Most code review tools are very verbose and will generate a lot of noise that has to be filtered manually by a developer.

    This article is good as well:

    http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

    thanks,
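
    One way to do that manual filtering on a flat finding list like the one in the first post, as an added example (not code from this thread, from Fortify, or from WordPress): the report rows are constructed, and the rule that a known WordPress escaping or preparing helper on the flagged line marks a finding as a likely false positive is an assumed heuristic that only orders the manual review, not a proof.

```python
"""Triage a flat SAST finding list into a review worklist."""
import csv
import io
from collections import Counter

# Real WordPress helpers; their presence on the flagged line is only an
# assumed heuristic for "probably already guarded", not a verdict.
WP_GUARDS = {
    "Cross-Site Scripting: Reflected": ("esc_html", "esc_attr", "esc_url", "wp_kses"),
    "Cross-Site Scripting: Persistent": ("esc_html", "esc_attr", "esc_url", "wp_kses"),
    "SQL Injection": ("$wpdb->prepare", "absint", "intval"),
    "Open Redirect": ("wp_safe_redirect", "wp_validate_redirect"),
}

# Constructed sample rows in a category,file,line,code layout; the paths and
# code are invented for illustration and are not real WordPress core lines.
SAMPLE_REPORT = """category,file,line,code
Cross-Site Scripting: Reflected,wp-admin/foo.php,10,echo esc_html( $_GET['s'] );
Cross-Site Scripting: Reflected,wp-admin/foo.php,22,echo $_GET['s'];
SQL Injection,wp-includes/bar.php,40,"$wpdb->query( $wpdb->prepare( ""SELECT %d"", $id ) );"
Open Redirect,wp-login.php,5,wp_safe_redirect( $_REQUEST['redirect_to'] );
Password Management: Password in HTML Form,wp-login.php,80,<input type='password' name='pwd'>
"""


def parse_report(text):
    """Return the report rows as dicts keyed by the header line."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(findings):
    """Attach a verdict to each finding based on the guard heuristic."""
    out = []
    for f in findings:
        guarded = any(g in f["code"] for g in WP_GUARDS.get(f["category"], ()))
        verdict = "likely-false-positive" if guarded else "needs-manual-review"
        out.append({**f, "verdict": verdict})
    return out


def worklist(triaged):
    """Unguarded findings first, so a developer starts with the real risk."""
    return sorted(triaged, key=lambda t: t["verdict"] != "needs-manual-review")


def summarize(triaged):
    """Count findings per (category, verdict), replacing the raw totals."""
    return Counter((t["category"], t["verdict"]) for t in triaged)


if __name__ == "__main__":
    for item in worklist(triage(parse_report(SAMPLE_REPORT))):
        print(item["verdict"], item["file"], item["line"], item["code"])
```

Every "needs-manual-review" row still has to be confirmed or disproved by reading the code path; the script only removes rows a reviewer would otherwise re-check by hand.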

  3. catacaustic
    Member
    Posted 1 month ago #

    If there's that many vulnerabilities then surely they'd all have exploits out there in the wild now. I'm sure that there are some, but they are very quickly patched.

    If a client sent me a list like that my first response would be:

    I understand that you've been given these from a party outside of the website development, so I'd like to know the full details of each proposed vulnerability to allow me to check these for myself.

    99.999% of the time they won't give out any details (because there's none to give out), and if they do give something you'll quickly be able to disprove it with a couple of very quick tests.
