June 10, 2019 by Luka Šikić
At WebARX we are continuously involved in improving the security of the WordPress ecosystem. Most of our work consists of creating firewall virtual patches for known vulnerabilities in WordPress core code and plugins.
We also perform security assessments of popular WordPress plugins and themes, in which our goal is to identify security flaws before attackers do and notify the affected plugin developer.
To make finding security vulnerabilities more effective, we decided to develop our own solution to help us, as well as extension developers, find security vulnerabilities in WordPress extensions.
Read more about a common misconception in WordPress security in our blog post on how to secure WordPress.
The code analysis tool for WordPress can identify directly exploitable flaws such as SQL injection, stored cross-site scripting and similar issues. It also gives you a good idea of which endpoints a plugin exposes and what can be controlled through user input.
The code analysis tool for WordPress can be downloaded from our GitHub repository.
Simply clone the repository, install the requirements and run the script:
$ git clone https://github.com/webarx-security/wpbullet wpbullet
$ cd wpbullet
$ pip install -r requirements.txt
$ python wpbullet.py
To scan plugin source code, you can specify a local filesystem path, a link to the WordPress plugin repository, or a web URL of a ZIP archive. The tool reports registered admin actions, AJAX hooks, functions loaded on the admin_init hook, and vulnerabilities found during source code analysis.
It will also detect whether a particular variable's value is controlled by user input and later used in a query or in code.
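To show what this kind of detection looks like in practice, here is a deliberately small, line-based taint tracker written for this post. It is an added example, not wpbullet's own code or module API: it marks variables assigned from PHP request superglobals as user-controlled, follows them through later assignments (clearing the state at each function boundary, and treating intval()/absint() casts as sanitizing), and reports when such a value reaches a raw $wpdb call without $wpdb->prepare() or an echo/print without an escaping function. It also pulls out registered wp_ajax hooks, as the tool's report does. The PHP plugin snippet is constructed for the example and contains one vulnerable function beside its hardened counterpart.

```python
import re
from typing import List, Tuple

# Sources: PHP superglobals that carry request data.
SUPERGLOBAL = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")
# Any PHP variable reference, e.g. $id, $wpdb, $_GET.
VAR_REF = re.compile(r"\$[A-Za-z_]\w*")
# "$name = ..." with a single '=', so '==' comparisons are not assignments.
ASSIGN = re.compile(r"^\s*(\$[A-Za-z_]\w*)\s*=(?!=)")
# Integer casts are treated as cleaning the value (a simplification).
CLEANER = re.compile(r"\b(?:intval|absint)\s*\(")
# Sinks: raw database calls and output statements.
SQL_SINK = re.compile(r"\$wpdb->(?:query|get_results|get_var|get_row|get_col)\s*\(")
OUTPUT_SINK = re.compile(r"\b(?:echo|print)\b")
OUTPUT_ESCAPES = ("esc_html(", "esc_attr(", "esc_js(", "esc_url(", "wp_kses(", "wp_kses_post(")
# add_action('wp_ajax_<name>', '<callback>') and the _nopriv variant.
AJAX_HOOK = re.compile(r"add_action\(\s*['\"]wp_ajax(?:_nopriv)?_([\w-]+)['\"]\s*,\s*['\"](\w+)['\"]")

# Constructed sample plugin: wpb_lookup() is vulnerable, wpb_lookup_safe() is the fixed form.
SAMPLE_PLUGIN = r"""<?php
add_action('wp_ajax_wpb_lookup', 'wpb_lookup');
function wpb_lookup() {
    global $wpdb;
    $id = $_GET['id'];
    $rows = $wpdb->get_results("SELECT * FROM {$wpdb->posts} WHERE ID = $id");
    echo $_POST['name'];
}
function wpb_lookup_safe() {
    global $wpdb;
    $id = absint($_GET['id']);
    $rows = $wpdb->get_results($wpdb->prepare("SELECT * FROM {$wpdb->posts} WHERE ID = %d", $id));
    echo esc_html($_POST['name']);
}
"""


def find_ajax_hooks(php_source: str) -> List[Tuple[str, str]]:
    """Return (action name, callback) pairs for registered AJAX endpoints."""
    return AJAX_HOOK.findall(php_source)


def _user_controlled(text: str, tainted: set) -> List[str]:
    """Names of request-derived values referenced in the text."""
    names = set(SUPERGLOBAL.findall(text)) | (set(VAR_REF.findall(text)) & tainted)
    return sorted(names)


def analyze(php_source: str) -> List[Tuple[int, str, str]]:
    """Return (line number, issue type, user-controlled names) for each finding."""
    tainted: set = set()
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        # Taint state is tracked per function body in this simplification.
        if re.match(r"\s*function\b", line):
            tainted.clear()
        # 1. Check sinks before updating state so the reported name is the
        #    input that actually reached the sink on this line.
        names = _user_controlled(line, tainted)
        if names and SQL_SINK.search(line) and "$wpdb->prepare(" not in line:
            findings.append((lineno, "sql_injection", ", ".join(names)))
        if names and OUTPUT_SINK.search(line) and not any(e in line for e in OUTPUT_ESCAPES):
            findings.append((lineno, "xss", ", ".join(names)))
        # 2. Propagate taint through assignments: anything built from a
        #    tainted value is tainted unless an integer cast is applied.
        m = ASSIGN.match(line)
        if m:
            target, rhs = m.group(1), line[m.end():]
            if _user_controlled(rhs, tainted) and not CLEANER.search(rhs):
                tainted.add(target)
            else:
                tainted.discard(target)
    return findings


if __name__ == "__main__":
    for action, callback in find_ajax_hooks(SAMPLE_PLUGIN):
        print(f"ajax hook: wp_ajax_{action} -> {callback}()")
    for lineno, issue, names in analyze(SAMPLE_PLUGIN):
        print(f"line {lineno}: {issue} via {names}")
```

Run against the sample, the analyzer flags line 6 (the unprepared query built from $id, which came from $_GET) and line 7 (the unescaped echo of $_POST), while the hardened function produces nothing because the cast, $wpdb->prepare() and esc_html() each break the flow from input to sink. A real tool has to handle string concatenation across lines, function parameters, arrays and sanitizers with partial effect, which is exactly the kind of logic that belongs in a dedicated detection module.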
Thanks to the modular design, new modules for identifying vulnerabilities can be created by anyone. For more information on how to create your own modules, visit our GitHub repository. Everyone is welcome to contribute to the project and submit issues and pull requests.
Update: wpbullet is now listed among other penetration testing tools at kitploit.com and is included in the BlackArch Linux distribution.