- Wordpress Core
- Wordpress Plugins
- Wordpress Themes
Skills Needed
- Source Code Analysis
- Web Development (Html+Javascript+PHP+SQL)
- Knowledge of Web2 Vulnerabilities
- Scripting Knowledge
- Knowledge of Mass Automated Weaponization of Vulnerabilities
- CVE Reversing
Source Code Analysis Types
- Static Analysis
- Dynamic Analysis
Additional Skills for Elite Threat Research
- Honeypot deployment and monitoring real world attacker's vulnerability exploitation workflow
Install Docker 🐳
sudo apt update -y
sudo apt install -y docker.io

sudo apt install docker-compose -y
docker version
docker-compose version
groups
sudo docker ps
sudo docker run hello-world
echo $USER
sudo usermod -aG docker $USER
Reboot your machine to save the changes.
- Current user is now part of the docker group:
sudo cat /etc/group | grep -i docker
cat /etc/group | grep -i docker
docker ps -a
Wp-Xdebug-Docker ⚓
📥Installation Step-by-step commands (Linux)
git clone https://github.com/dhakalananda/wp-xdebug-docker
cd wp-xdebug-docker
docker version
docker-compose up -d

docker ps -a
Visit port 8000 on localhost http://localhost:8000/

Or Visit port 8000 on 127.0.0.1 http://127.0.0.1:8000/

http://localhost:8000/wp-admin/install.php?step=1



👨💻VS Code Extensions
1️⃣ Dev Containers

2️⃣ PHP Debug
Make sure it is the verified extension published by Xdebug.




Select /wp-xdebug-docker-wp-1



Go to the directory /var/www/html/ (within the container, not locally)


Run & Debug ⚙️

Select debugger as "PHP"

Now replace the contents of the launch.json that VS Code generated (.vscode/launch.json) with:
{
    "version": "0.2.0",
    "configurations": [
        {
            "name": "Listen for Xdebug",
            "type": "php",
            "request": "launch",
            "port": 9000
        }
    ]
}
Click on "Run and Debug"

Set a breakpoint in wp-login.php


If your breakpoint is not getting hit, check the following setting:
VS Code: File > Preferences > Settings

🔌Download Wordpress Plugins

Click on any of the plugins listed and download its source code.

wget {zip_file_link_from_download_button}
unzip {plugin-file-name.zip}
Open the extracted source in Visual Studio Code, or in any IDE you prefer.


Start your analysis

🎨Download Wordpress Themes

Download themes the same way as WordPress plugins, as described above.
🔍 STATIC CODE ANALYSIS BASIC EXAMPLES
The grep commands below help narrow down the potential places to test further.
1️⃣ Broken Access Control
This can help find potential REST endpoints to analyse further dynamically; however, you still need to determine whether letting anyone call that endpoint is an intended feature or a vulnerability.
grep --color=always --include="*.php" -ir 'permission_callback' . | grep -i "__return_true"
grep --color=always --include="*.php" -ir 'permission_callback' . | grep -i "__return_true" | sort -u 
2️⃣ XSS
GET Request Param
grep --color=always --include="*.php" -ir 'echo' . | grep -i "\$_GET"
POST Request Param
grep --color=always --include="*.php" -ir 'echo' . | grep -i "\$_POST"
Remove esc_
grep --color=always --include="*.php" -ir 'echo' . | grep -i "\$_GET" | grep -iv "esc_"
grep --color=always --include="*.php" -ir 'echo' . | grep -i "\$_POST" | grep -iv "esc_"
Remove sanitize_
grep --color=always --include="*.php" -ir 'echo' . | grep -i "\$_GET" | grep -iv "sanitize_"
grep --color=always --include="*.php" -ir 'echo' . | grep -i "\$_POST" | grep -iv "sanitize_"
3️⃣ SQL Injection
grep --color=always --include="*.php" -ir 'wpdb->' . | grep -iv "prepare(" | grep -iv "sanitize_"
DELETE
grep --color=always --include="*.php" -ir 'wpdb->' . | grep -iv "prepare(" | grep -iv "sanitize_" | grep "DELETE"
FROM
grep --color=always --include="*.php" -ir 'wpdb->' . | grep -iv "prepare(" | grep -iv "sanitize_" | grep "FROM"
ORDER BY
grep --color=always --include="*.php" -ir 'wpdb->' . | grep -iv "prepare(" | grep -iv "sanitize_" | grep "ORDER BY"
4️⃣ Open Redirect
grep --color=always --include="*.php" -ir "wp_redirect" .
grep --color=always --include="*.php" -ir "wp_redirect" . | grep -F '$'   # -F: match a literal "$" (a variable in the redirect target), not the end-of-line anchor
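As an added example (not part of these notes and not code from the wp-xdebug-docker project), the script below implements the same heuristics as the refined grep pipelines above in Python, so that hits from all four categories can be collected, tagged and counted in one pass over a plugin or theme directory. The rule table, the Finding structure, the SQL-verb hint and the sample PHP snippet are my own constructions.

```python
"""Heuristic line-based scan for WordPress plugin/theme source.

Mirrors the grep pipelines in the notes: every needle must appear (grep -i)
and no exclude may appear (grep -iv), using case-insensitive substring
matching exactly as grep does. Added example, not part of the original notes.
"""
import sys
from dataclasses import dataclass
from pathlib import Path

# (category, needles that must all appear, excludes that must not appear)
RULES = (
    ("broken-access-control", ("permission_callback", "__return_true"), ()),
    ("xss-get", ("echo", "$_GET"), ("esc_", "sanitize_")),
    ("xss-post", ("echo", "$_POST"), ("esc_", "sanitize_")),
    ("sqli", ("wpdb->",), ("prepare(", "sanitize_")),
    ("open-redirect", ("wp_redirect", "$"), ()),   # "$" = a variable in the target
)
SQL_VERBS = ("DELETE", "FROM", "ORDER BY")  # the sub-filters used in the notes

# Constructed sample snippet (hypothetical, not taken from any real plugin).
# Each risky line is followed by its hardened counterpart so the scan shows
# which form the heuristics flag and which they let through.
SAMPLE_PHP = """<?php
// Constructed sample, not taken from any real plugin.
register_rest_route( 'demo/v1', '/export', array(
    'callback'            => 'demo_export',
    'permission_callback' => '__return_true',
) );
register_rest_route( 'demo/v1', '/settings', array(
    'callback'            => 'demo_settings',
    'permission_callback' => function () { return current_user_can( 'manage_options' ); },
) );
echo $_GET['name'];
echo esc_html( $_GET['name'] );
echo sanitize_text_field( $_POST['msg'] );
$wpdb->query( "DELETE FROM {$wpdb->prefix}demo WHERE id = " . $_GET['id'] );
$wpdb->query( $wpdb->prepare( "DELETE FROM {$wpdb->prefix}demo WHERE id = %d", $_GET['id'] ) );
wp_redirect( $_GET['next'] );
wp_redirect( home_url() );
"""


@dataclass
class Finding:
    path: str
    line: int
    category: str
    text: str
    hint: str = ""   # for sqli: which SQL verbs the notes grep for appear on the line


def _matches(line: str, needles, excludes) -> bool:
    low = line.lower()
    return all(n.lower() in low for n in needles) and not any(x.lower() in low for x in excludes)


def scan_source(text: str, path: str = "<inline>") -> list[Finding]:
    """Run every rule over every line of one PHP source and return the hits."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for category, needles, excludes in RULES:
            if _matches(line, needles, excludes):
                hint = ""
                if category == "sqli":
                    hint = ",".join(v for v in SQL_VERBS if v in line.upper())
                findings.append(Finding(path, no, category, line.strip(), hint))
    return findings


def scan_tree(root: Path) -> list[Finding]:
    """Scan every *.php file below root (like grep -r --include='*.php')."""
    out = []
    for php in sorted(root.rglob("*.php")):
        out.extend(scan_source(php.read_text(errors="ignore"), str(php)))
    return out


def summarize(findings) -> dict[str, int]:
    """Count hits per category, to see where review effort should go first."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    # Usage: python scan.py /path/to/plugin   (no argument: scan the sample)
    found = scan_tree(Path(sys.argv[1])) if len(sys.argv) > 1 else scan_source(SAMPLE_PHP, "sample.php")
    for f in found:
        tag = f"{f.category} {f.hint}".strip()
        print(f"{f.path}:{f.line} [{tag}] {f.text}")
    print(summarize(found))
```

On the sample the scan flags exactly the four risky lines (the `__return_true` permission callback, the unescaped `echo $_GET`, the concatenated `DELETE ... FROM` query and the `wp_redirect` with a variable target) and passes over their hardened counterparts. Like the grep pipelines it is line-based, so a statement split across several lines (an `echo` on one line with `$_GET` on the next, or a query assembled into a variable before the `$wpdb->query` call) slips through, and a hit is only a review candidate, not a confirmed finding: each one still has to be traced and tested dynamically.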
Where to Submit Confirmed Vulnerabilities🔖
Before submitting, read all important guidelines & rules properly.
1️⃣ PatchStack
https://patchstack[.]com/database/report
2️⃣ WordFence
https://www[.]wordfence[.]com/threat-intel/vulnerabilities/submit/
There might be more places to report to; however, I am not aware of them.