WordPress’ popularity as a content management system (44 percent of CMS market share) is matched by the number of security vulnerabilities afflicting the open source platform, as well as its many plug-ins and themes.
It is not unusual for a developer to be unsure about the security of a particular plug-in, or to miss the disclosure of a serious flaw in the core WordPress code that could expose a website to attack. During last weekend’s BruCon in Belgium, U.K.-based security researcher Ryan Dewhurst released the WPScan Vulnerability Database, a one-stop shop for the latest WordPress, plug-in and theme vulnerabilities that he hopes will become an indispensable resource for pen-testers, administrators and WordPress developers.
Dewhurst told Threatpost that the genesis of the database was the creation of WPScan, a Ruby-based WordPress vulnerability scanner he wrote in 2011. WPScan, he said, filled a gap because at the time there were no automated tools that scanned for security issues in the context of the platform. WPScan is at version 2.5 as of this weekend; it scans in the background for bugs and outputs any issues it finds, Dewhurst said. Around the time he built WPScan, Dewhurst said, he also began working on the vulnerability database. That part of the project was pushed over the top this year by £5,000 in funding from BruCon’s 5by5 Project.
“As WPScan detected WordPress versions, plug-ins and themes installed on a WordPress blog, it was easy enough for us to then output any vulnerabilities associated with that version, plugin or theme if we kept the issues in a database,” Dewhurst said…
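The workflow Dewhurst describes, fingerprinting installed components and then looking up the known issues for each version, is the core of what such a database enables. The Ruby script below is an added illustration written for this article, not WPScan's own code or a copy of the WPScan Vulnerability Database: the inventory, the slugs, the `fixed_in` versions and the advisory ids are all constructed, hypothetical sample data. It shows the one check that matters when matching inventory against advisories (is the installed version older than the version the fix shipped in?) and handles the two cases an administrator most often gets wrong: a component whose version could not be fingerprinted, which should be reported as unconfirmed rather than silently dropped, and an advisory with no fixed release yet, which affects every installed version.

```ruby
require 'rubygems' # Gem::Version gives correct ordering for versions like 4.0 vs 4.0.1

# Constructed sample advisory database (hypothetical slugs, titles and ids).
# fixed_in: first version that contains the fix; nil means no fix has shipped.
VULN_DB = [
  { type: :core,   slug: 'wordpress',       title: 'sample core issue',      fixed_in: '4.0.1', ref: 'EXAMPLE-ID-1' },
  { type: :plugin, slug: 'example-gallery', title: 'sample gallery issue A', fixed_in: '1.3',   ref: 'EXAMPLE-ID-2' },
  { type: :plugin, slug: 'example-gallery', title: 'sample gallery issue B', fixed_in: '1.1',   ref: 'EXAMPLE-ID-3' },
  { type: :theme,  slug: 'example-theme',   title: 'sample theme issue',     fixed_in: '2.0',   ref: 'EXAMPLE-ID-4' },
  { type: :plugin, slug: 'example-forms',   title: 'sample forms issue A',   fixed_in: nil,     ref: 'EXAMPLE-ID-5' },
  { type: :plugin, slug: 'example-forms',   title: 'sample forms issue B',   fixed_in: '2.5',   ref: 'EXAMPLE-ID-6' },
].freeze

# Constructed inventory, i.e. what a fingerprinting step would have produced.
# A nil version means the component was found but its version could not be read.
SAMPLE_INVENTORY = [
  { type: :core,   slug: 'wordpress',       version: '4.0' },
  { type: :plugin, slug: 'example-gallery', version: '1.2.3' },
  { type: :theme,  slug: 'example-theme',   version: nil },
  { type: :plugin, slug: 'example-forms',   version: '3.0.0' },
].freeze

# Returns true (affected), false (not affected) or :unknown (could not decide).
def vulnerable?(installed, fixed_in)
  return true if fixed_in.nil?      # no fixed release exists, so every version is affected
  return :unknown if installed.nil? # version not fingerprinted: report, but do not confirm
  Gem::Version.new(installed) < Gem::Version.new(fixed_in)
end

# Joins the inventory to the advisory database on (type, slug) and keeps every
# entry that is affected or cannot be ruled out.
def match_inventory(inventory, db = VULN_DB)
  findings = []
  inventory.each do |item|
    db.each do |adv|
      next unless adv[:type] == item[:type] && adv[:slug] == item[:slug]
      status = vulnerable?(item[:version], adv[:fixed_in])
      next if status == false
      findings << {
        type: item[:type], slug: item[:slug], version: item[:version] || 'unknown',
        title: adv[:title], fixed_in: adv[:fixed_in] || 'no fix released',
        ref: adv[:ref], confirmed: status == true
      }
    end
  end
  findings
end

# One line per finding; unconfirmed entries are marked so they can be verified by hand.
def format_report(findings)
  findings.map do |f|
    flag = f[:confirmed] ? 'VULNERABLE ' : 'UNCONFIRMED'
    "#{flag} #{f[:type]}/#{f[:slug]} #{f[:version]} -> #{f[:title]} (fixed in #{f[:fixed_in]}, #{f[:ref]})"
  end.join("\n")
end

if __FILE__ == $PROGRAM_NAME
  puts format_report(match_inventory(SAMPLE_INVENTORY))
end
```

With the sample data above the report lists four entries: the core install and the gallery plugin are confirmed against advisories whose fix is newer than the installed version, the forms plugin is confirmed against the advisory with no fix, and the theme appears as unconfirmed because its version was not read. The gallery plugin's second advisory and the forms plugin's second advisory are dropped because the installed versions already include those fixes. In practice the version comparison is the fragile part: an administrator comparing strings lexically would conclude that "4.0.1" is older than "4.0", which is why the example leans on `Gem::Version` rather than string comparison.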