Popping WordPress Plugins - Methodology Brain dump (Ep. 55)

  • Published: 5 Aug 2024
  • Episode 55: In this episode of Critical Thinking - Bug Bounty Podcast, Justin is joined by WordPress security researcher Ram Gall to discuss both the functionality of and the vulnerabilities within WordPress plugins.
    Follow us on twitter
    Send us any feedback here:
    Shoutout to / realytcracker for the awesome intro music!
    ====== Links ======
    Follow your hosts Rhynorater / rhynorater & Teknogeek / 0xteknogeek on twitter:
    ====== Ways to Support CTBBPodcast ======
    WordFence - Sign up as a researcher! ctbb.show/wf
    ===
    Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.
    Hop on the CTBB Discord
    We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
    Today’s Guest:
    Ramuel Gall - / ramuelgall
    UpdraftPlus Vuln - www.wordfence.com/blog/2022/0...
    XML-RPC PingBack - www.trustwave.com/en-us/resou...
    Unicode and Character Sets - www.joelonsoftware.com/2003/1...
    Reflected XSS - www.wordfence.com/blog/2022/0...
    POP Chain - www.wordfence.com/blog/2023/1...
    WordpressPluginDirectory - github.com/WordPressplugindir...
    Subscriber+ RCE in Elementor - www.wordfence.com/blog/2022/0...
    Subscriber+ SSRF - www.wordfence.com/blog/2023/0...
    Unauthed XSS via User-Agent header - www.wordfence.com/blog/2023/0...
    Timestamps:
    (00:00:00) Introduction
    (00:05:55) Add_action & Nonces
    (00:26:16) Add_filter & Register_rest_routes
    (00:38:39) Page-related code & Shortcodes
    (00:50:24) Top Sinks for WP
    (01:02:19) Echo & SQLI Sinks
    (01:15:07) Nonce Leak and wp_handle_upload
    (01:18:16) Overriding page variables & Pop Chains
    (01:26:55) WP Escalations
    (01:33:55) Bug Reports
  • Science

Comments • 8

  • @user-tr2ft5og5i
    @user-tr2ft5og5i 6 months ago +2

    Yes! This stuff just gives me lots of energy, thanks!

  • @kenuahs
    @kenuahs 6 months ago +2

    Although the WP project is impressive and has a lot of flexibility, it is just SOOOO painful for any developer coming in from the non-WordPress world. So many foot guns! So much technical functionality that is vastly different from current web dev best practices, whether we are talking about the PHP world (Symfony/Laravel) or other language ecosystems. I see that WP is slowly modernizing in areas where it can, but still those efforts haven't made it fun (or easy) for regular devs who are used to modern dev to jump in. And yes, I do get that it is a CMS and not a straight-up framework, but still...
    Hearing this discussion with a true WP technical expert is very interesting, enjoyed learning a couple things!

  • @calvinstar356
    @calvinstar356 6 months ago +2

    Amazing episode! Love the content, keep it up

  • @visualmodo
    @visualmodo 6 months ago

    Truly good job!!!

  • @hurayraiit
    @hurayraiit 6 months ago

    Hey @criticalthinkingpodcast, Elementor is 16M+

  • @CaseyStrouse
    @CaseyStrouse 6 months ago +1

    If you want to automate your WP plugin audits, a good place to start is with CodeQL and/or a PHP AST manipulation tool of some type to avoid the regex shenanigans.

    • @AlecMaly
      @AlecMaly 6 months ago +2

      CodeQL doesn't support PHP, though.