What to do If Someone is Claiming There is a Vulnerability in Your WordPress Plugin

In the work we do to keep track of vulnerabilities in WordPress plugins for our customers, we see a lot going wrong with the handling of vulnerabilities in them. While a lot of that involves plugin developers, it also involves …

How to Use the sanitize_callback When Using the WordPress register_setting() Function

One of the many issues we now check for when doing security reviews of WordPress plugins is proper usage of the sanitize_callback when using register_setting() to register settings. That helps to make sure that settings of the plugin don’t contain …

The Right Way for WordPress Plugins to Secure Order By Clauses in SQL Statements

Recently, one of our competitors in keeping track of vulnerabilities in WordPress plugins, Patchstack, very vaguely claimed there was an unfixed SQL injection vulnerability in a plugin used by at least one of our customers. As the developer noted, Patchstack …

WordPress Plugin Developers Need to Make Sure Their Nonce Checks Work Both if a Nonce Isn’t Sent and if the Nonce is Wrong

Yesterday, we released the results of a security review we did of a WordPress plugin. What we found while reviewing the changes made to address the problems we had found is a good reminder that security fixes need to be …

The WordPress Function maybe_unserialize() Won’t Prevent PHP Object Injection

Recently, an update was released for a WordPress plugin that had a changelog that said the new version addressed a PHP object injection vulnerability by using the WordPress function maybe_unserialize(). That function doesn’t accomplish that. The developer then made a …

The WordPress Function sanitize_text_field() Doesn’t Sanitize User Input for SQL Statements

As we warned our customers about last week, a recent update to a WordPress plugin that extends WooCommerce, with 300,000+ installs, tried to fix a SQL injection vulnerability. The developer failed to accomplish that, in part because they were using …