Security vulnerabilities in WordPress (3 posts)

  1. dsdaas
    Posted 1 year ago #

    My client did a source code review with Fortify. The below vulnerabilities flagged as present in WordPress core:

    Critical - 6812
    High - 3241
    Medium - 3558
    Low - 3262

    Most of the critical errors flagged are: Cross-Site Scripting: Persistent & Cross-Site Scripting: Reflected

    Command Injection
    Dangerous File Inclusion
    Dynamic Code Evaluation: Code Injection
    Open Redirect
    Password Management: Hardcoded Password
    Password Management: Password in HTML Form
    Path Manipulation
    Privacy Violation: Heap Inspection
    SQL Injection
    System Information Leak

    How do I answer the client? Any third-party information on this that supports my case that WordPress is not vulnerable?

  2. Daniel Cid
    Sucuri.net Support
    Posted 1 year ago #

    I have not even read the full report and I can guarantee they are all false positives.

    Most code review tools are very verbose and will generate a lot of noise that has to be filtered manually by a developer.

    This article is good as well:



  3. catacaustic
    very awesome
    Posted 1 year ago #

    If there's that many vulnerabilities then surely they'd all have exploits out there in the wild now. I'm sure that there are some, but they are very quickly patched.

    If a client sent me a list like that my first response would be:

    I understand that you've been given these from a party outside of the website development, so I'd like to know the full details of each proposed vulnerability to allow me to check these for myself.

    99.999% of the time they won't give out any details (because there's none to give out), and if they do give something you'll quickly be able to disprove it with a couple of very quick tests.

Topic Closed

This topic has been closed to new replies.
