Hi,
I’m checking to get you a good answer. Hold tight.
Thanks,
Brian
Hi,
Just got some info, and currently we do not scan plugins for XSS vulnerabilities and do not fix the code of other vendors' plugins. I’d recommend only using plugins from reputable sources. You can always check with the plugin maker and see how they handle security and vulnerabilities.
Hope that clarifies things. Thanks for the question!
-Brian
Hi Brian, thank you for your reply.
Could it be a good idea to ask you to consider adding a vulnerability scan of the code in the future?
It is not easy to understand the security of a plugin; WordPress is also used by many users who are not all experts or fully attentive to security.
Maybe there is no need to fix the issue, but just alert the user that a plugin can be dangerous for the code.
You posted great articles today, and since Wordfence is focused on security this feature would be very useful for many users and for the whole WordPress community.
Please consider that.
Thank you!
Hi,
The short answer is: We won’t be providing this feature and no one else does.
The longer answer:
What you’re asking for is something called “static code analysis” which describes the process of a machine finding vulnerabilities in code written by a human. It is a very complex field and static code analysis is unreliable – it can’t find vulnerabilities with a high degree of certainty. We are not in the business of providing static code analysis tools and I don’t think any vendor can automate them as a kind of “scan” which is what you’re looking for.
Regards,
Mark.
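To make the "static code analysis" point in the reply above concrete, here is an added example that is not Wordfence code and not from anyone in this thread: a toy XSS scanner for PHP plugin source, run over a handful of constructed snippets (none taken from a real plugin). The escaper list and the sample snippets are assumptions made for the demonstration. It shows the two ways such a scan goes wrong: a statement-local pattern misses input that reaches echo through a variable, a simple taint-tracking pass fixes that but still misses input passed through a function, and both flag a custom escaping function they do not know about.

```python
"""Toy static XSS scanner for PHP source (added example, not a real tool).

Two analyses run over the same constructed PHP snippets:
  statement-local: a request superglobal appears inside echo/print in the
                   same statement with no known escaper around it.
  taint-tracking:  additionally follows `$var = $_GET[...]` assignments into
                   a later echo/print of that variable.
"""
from __future__ import annotations
import re

# Superglobals treated as attacker-controlled input.
SOURCE_RE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b")
# Escapers the scanner knows about. Hypothetical list for this example;
# a real tool would need a far larger and more precise one.
KNOWN_ESCAPERS = (
    "esc_html", "esc_attr", "esc_js", "esc_url", "esc_textarea",
    "wp_kses", "wp_kses_post", "htmlspecialchars", "intval", "absint",
)
OUTPUT_RE = re.compile(r"\b(?:echo|print)\b(?P<expr>.*)$")
ASSIGN_RE = re.compile(r"^(?P<var>\$\w+)\s*=(?!=)\s*(?P<rhs>.*)$")
VAR_RE = re.compile(r"\$\w+")
CAST_RE = re.compile(r"\(\s*(?:int|integer|float|bool)\s*\)")


def split_statements(php: str) -> list[str]:
    """Crude statement splitter: strip PHP tags and split on ';'."""
    body = php.replace("<?php", "").replace("?>", "")
    return [s.strip() for s in body.split(";") if s.strip()]


def looks_sanitized(expr: str) -> bool:
    """True if a known escaper or numeric cast appears anywhere in expr.
    Deliberately crude: esc_html($a) . $_GET['b'] would wrongly pass."""
    compact = expr.replace(" ", "")
    return any(f"{fn}(" in compact for fn in KNOWN_ESCAPERS) or bool(CAST_RE.search(expr))


def scan(php: str, track_assignments: bool) -> list[str]:
    """Return the echo/print expressions flagged as unescaped user input."""
    tainted: set[str] = set()   # variables currently holding raw input
    findings: list[str] = []
    for stmt in split_statements(php):
        assign = ASSIGN_RE.match(stmt)
        if assign and track_assignments:
            var, rhs = assign.group("var"), assign.group("rhs")
            rhs_tainted = bool(SOURCE_RE.search(rhs)) or bool(set(VAR_RE.findall(rhs)) & tainted)
            if rhs_tainted and not looks_sanitized(rhs):
                tainted.add(var)
            else:
                tainted.discard(var)   # reassigned from something clean
            continue
        out = OUTPUT_RE.search(stmt)
        if not out:
            continue
        expr = out.group("expr")
        from_source = bool(SOURCE_RE.search(expr))
        from_tainted = bool(set(VAR_RE.findall(expr)) & tainted)
        if (from_source or from_tainted) and not looks_sanitized(expr):
            findings.append(expr.strip())
    return findings


# Constructed PHP snippets for the demonstration; none come from a real plugin.
SAMPLES = {
    "direct": '<?php echo $_GET["name"]; ?>',
    "escaped": '<?php echo esc_html( $_GET["name"] ); ?>',
    "via_variable": '<?php $n = $_GET["name"]; echo "<b>" . $n . "</b>"; ?>',
    "escaped_later": '<?php $n = $_GET["name"]; $n = esc_html( $n ); echo $n; ?>',
    "custom_escaper": '<?php echo my_plugin_escape( $_GET["q"] ); ?>',
    "via_function": '<?php function show( $v ) { echo $v; } show( $_GET["x"] ); ?>',
}
# Ground truth for the samples (assuming my_plugin_escape really escapes).
TRULY_VULNERABLE = {"direct", "via_variable", "via_function"}


def run_samples() -> dict[str, tuple[bool, bool]]:
    """For each sample: (flagged by statement-local, flagged by taint-tracking)."""
    return {name: (bool(scan(code, False)), bool(scan(code, True)))
            for name, code in SAMPLES.items()}


if __name__ == "__main__":
    for name, (local, taint) in run_samples().items():
        truth = name in TRULY_VULNERABLE
        print(f"{name:15} vulnerable={truth!s:5} statement-local={local!s:5} taint-tracking={taint!s:5}")
```

Running it shows the mismatch between the scanner's output and the ground-truth set: `via_variable` is only caught once assignments are tracked, `via_function` is caught by neither pass, and `custom_escaper` is reported by both even though the (assumed) custom function makes it safe. Closing those gaps means modelling function calls, string building and every sanitizer a plugin might use, which is why a pattern scan on its own cannot give the high-certainty verdict the reply says is needed.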