Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Why 99% Of WordPress Vulnerabilities Are Utterl...

Cameron Jones
January 20, 2025
Technology
0
64

Why 99% Of WordPress Vulnerabilities Are Utterly Irrelevant

WordPress has gone from strength to strength over a period of two decades and is now the most popular CMS around, powering close to half of the internet. As WordPress has grown, so has the target on its back for hackers. With about 60,000 free plugins available on WordPress.org alone and a traditionally low barrier of entry, it’s only a matter of time until hackers find a chink in a site’s armour.

Here at Shortie Designs one of our primary services is providing website maintenance and security services for WordPress sites. As part of our security services we keep a very close eye on vulnerability reports in the WordPress ecosystem, and with so many themes and plugins out there it is an endless stream. When a report comes across our desk we review the risk of it being exploited on our client sites, and it didn’t take long for us to realise CVSS ratings are completely worthless when it comes to WordPress.

This presentation will break down a number of vulnerability reports and how their CVSS ratings fail to accurately reflect the true risk to the site, a better methodology of rating vulnerability reports, and the strategies we take to protect our client’s sites from their biggest threat: the clients themselves.

From Everything Open 2025: https://2025.everythingopen.au/schedule/presentation/86/

Cameron Jones

January 20, 2025
Tweet

More Decks by Cameron Jones

See All by Cameron Jones
The Post Thumbnail Paradox
cameronjonesweb
0
65
Translating Your WordPress Project
cameronjonesweb
0
78
Managing WordPress Updates - How To Update WordPress The Right Way
cameronjonesweb
0
36
The Essential Plugins You Should Install On Every Website - WCPMQ 2019
cameronjonesweb
0
630
An Introduction to Plugin Development - WCBNE 19
cameronjonesweb
0
390
Introducing Google Site Kit
cameronjonesweb
0
69
Streamlining Your Template Structures When Building Themes
cameronjonesweb
1
480
7 Free Third Party Services Every Website Needs
cameronjonesweb
0
19
Bridging The Gap Between The WordPress Admin And The Front End
cameronjonesweb
1
430

Other Decks in Technology

See All in Technology
Amazon S3 Tablesと外部分析基盤連携について / Amazon S3 Tables and External Data Analytics Platform
nttcom
0
120
急成長する企業で作った、エンジニアが輝ける制度/ 20250214 Rinto Ikenoue
shift_evolve
2
1.1k
インフラをつくるとはどういうことなのか、 あるいはPlatform Engineeringについて
nwiizo
5
2.4k
自動テストの世界に、この5年間で起きたこと
autifyhq
10
8.1k
エンジニアの育成を支える爆速フィードバック文化
sansantech
PRO
3
990
エンジニアのためのドキュメント力基礎講座〜構造化思考から始めよう〜(2025/02/15jbug広島#15発表資料)
yasuoyasuo
16
6.3k
PL900試験から学ぶ Power Platform 基礎知識講座
kumikeyy
0
120
トラシューアニマルになろう ~開発者だからこそできる、安定したサービス作りの秘訣~
jacopen
2
1.8k
人はなぜISUCONに夢中になるのか
kakehashi
PRO
6
1.5k
『衛星データ利用の方々にとって近いようで触れる機会のなさそうな小話 ~ 衛星搭載ソフトウェアと衛星運用ソフトウェア (実物) を動かしながらわいわいする編 ~』 @日本衛星データコミニティ勉強会
meltingrabbit
0
140
あれは良かった、あれは苦労したB2B2C型SaaSの新規開発におけるCloud Spanner
hirohito1108
2
370
偶然 × 行動で人生の可能性を広げよう / Serendipity × Action: Discover Your Possibilities
ar_tama
1
990

Featured

See All Featured
Designing for Performance
lara
604
68k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
9
430
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
7.1k
Building Your Own Lightsaber
phodgson
104
6.2k
Mobile First: as difficult as doing things right
swwweet
223
9.3k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
193
16k
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
Bootstrapping a Software Product
garrettdimon
PRO
306
110k
Rails Girls Zürich Keynote
gr2m
94
13k
The Language of Interfaces
destraynor
156
24k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
31
2.1k
The Straight Up "How To Draw Better" Workshop
denniskardys
232
140k

Transcript

  1. Why 99% Of WordPress Vulnerabilities Are Utterly Irrelevant Cameron Jones

  2. About Me Cameron Jones Web design & development at Shortie

    Designs Premium WP Plugins at Mongoose Marketplace Why 99% Of WordPress Vulnerabilities Are Utterly Irrelevant Everything Open 2025

  3. Why 99% Of WordPress Vulnerabilities Are Utterly Irrelevant Everything Open

    2025

  4. Why 99% Of WordPress Vulnerabilities Are Utterly Irrelevant Everything Open

    2025

  5. Why 99% Of WordPress Vulnerabilities Are Utterly Irrelevant Everything Open

    2025

  6. Why 99% Of WordPress Vulnerabilities Are Utterly Irrelevant Everything Open

    2025 10-20 Years Ago Today

  7. Why 99% Of WordPress Vulnerabilities Are Utterly Irrelevant Everything Open

    2025

  8. Why 99% Of WordPress Vulnerabilities Are Utterly Irrelevant Everything Open

    2025

  9. Thesis: 99% Of WordPress Vulnerabilities Are Irrelevant Why 99% Of

    WordPress Vulnerabilities Are Utterly Irrelevant Everything Open 2025

  10. Overview Built-in WordPress Security measures CVE and CVSS Vulnerability reports

    A better way to assess WordPress vulnerabilities WordPress’ biggest security risk Proactive prevention strategies Why 99% Of WordPress Vulnerabilities Are Utterly Irrelevant Everything Open 2025

  11. WordPress Security Validation Prepared statements Roles & Capabilities Sanitisation Escaping

    Nonces Why 99% Of WordPress Vulnerabilities Are Utterly Irrelevant Everything Open 2025

  12. Roles & Capabilities Why 99% Of WordPress Vulnerabilities Are Utterly

    Irrelevant wordpress.org/documentation/article/roles-and-capabilities Everything Open 2025

  13. Roles & Capabilities Why 99% Of WordPress Vulnerabilities Are Utterly

    Irrelevant visualcomposer.com/blog/wordpress-user-roles Everything Open 2025

  14. Sanitisation Why 99% Of WordPress Vulnerabilities Are Utterly Irrelevant developer.wordpress.org/apis/security/sanitizing

    Everything Open 2025

  15. Escaping Why 99% Of WordPress Vulnerabilities Are Utterly Irrelevant developer.wordpress.org/apis/security/escaping

    Everything Open 2025

  16. Nonces Why 99% Of WordPress Vulnerabilities Are Utterly Irrelevant wptips.dev/what-is-wordpress-nonce-preventing-csrf-attack

    Everything Open 2025

  17. Why 99% Of WordPress Vulnerabilities Are Utterly Irrelevant Everything Open

    2025 CVE Program

  18. CVSS Why 99% Of WordPress Vulnerabilities Are Utterly Irrelevant Everything

    Open 2025

  19. Example: UberMenu <= 3.8.3 Cross-Site Request Forgery to Settings Reset

    Why 99% Of WordPress Vulnerabilities Are Utterly Irrelevant Everything Open 2025

  20. Why 99% Of WordPress Vulnerabilities Are Utterly Irrelevant Everything Open

    2025

  21. Why 99% Of WordPress Vulnerabilities Are Utterly Irrelevant Everything Open

    2025

  22. How I score WordPress Vulnerabilities Why 99% Of WordPress Vulnerabilities

    Are Utterly Irrelevant Everything Open 2025 Risk Little to no damage 1. Potentially dangerous depending on setup 2. Oh #&$^ 3. Likelihood Probably never happen 1. Plausible depending on setup 2. Oh #$*^ 3.

  23. 1 2 3 1 2 3 Risk Likelihood Why 99%

    Of WordPress Vulnerabilities Are Utterly Irrelevant Everything Open 2025

  24. Example: POST SMTP Mailer <= 2.9.3 Authenticated SQL Injection Why

    99% Of WordPress Vulnerabilities Are Utterly Irrelevant Everything Open 2025

  25. Why 99% Of WordPress Vulnerabilities Are Utterly Irrelevant Everything Open

    2025

  26. Why 99% Of WordPress Vulnerabilities Are Utterly Irrelevant Everything Open

    2025

  27. 1 2 3 1 2 3 Risk Likelihood Why 99%

    Of WordPress Vulnerabilities Are Utterly Irrelevant Everything Open 2025

  28. Example: Mongoose Page Plugin <= 1.8.3 Authenticated Stored Cross-Site Scripting

    Why 99% Of WordPress Vulnerabilities Are Utterly Irrelevant Everything Open 2025

  29. Why 99% Of WordPress Vulnerabilities Are Utterly Irrelevant Everything Open

    2025

  30. Why 99% Of WordPress Vulnerabilities Are Utterly Irrelevant Everything Open

    2025

  31. 1 2 3 1 2 3 Risk Likelihood Why 99%

    Of WordPress Vulnerabilities Are Utterly Irrelevant Everything Open 2025

  32. Example: WordFence <= 7.6.2 Compromise of 2FA secrets Why 99%

    Of WordPress Vulnerabilities Are Utterly Irrelevant Everything Open 2025

  33. Why 99% Of WordPress Vulnerabilities Are Utterly Irrelevant Everything Open

    2025

  34. 1 2 3 1 2 3 Risk Likelihood Why 99%

    Of WordPress Vulnerabilities Are Utterly Irrelevant Everything Open 2025

  35. Example: Themify WooCommerce Product Filter <= 1.4.9 Unauthenticated SQL Injection

    Why 99% Of WordPress Vulnerabilities Are Utterly Irrelevant Everything Open 2025

  36. Why 99% Of WordPress Vulnerabilities Are Utterly Irrelevant Everything Open

    2025

  37. Why 99% Of WordPress Vulnerabilities Are Utterly Irrelevant Everything Open

    2025

  38. 1 2 3 1 2 3 Risk Likelihood Why 99%

    Of WordPress Vulnerabilities Are Utterly Irrelevant Everything Open 2025

  39. Why 99% Of WordPress Vulnerabilities Are Utterly Irrelevant Everything Open

    2025

  40. Why 99% Of WordPress Vulnerabilities Are Utterly Irrelevant Everything Open

    2025 Chance of your website running the vulnerable package Popular packages are better maintained Permissions to be exploited Can cause damage

  41. Your Website’s Biggest Security Vulnerability: You Why 99% Of WordPress

    Vulnerabilities Are Utterly Irrelevant Everything Open 2025

  42. Automatic Updates Why 99% Of WordPress Vulnerabilities Are Utterly Irrelevant

    Everything Open 2025

  43. Why 99% Of WordPress Vulnerabilities Are Utterly Irrelevant Everything Open

    2025

  44. Why 99% Of WordPress Vulnerabilities Are Utterly Irrelevant Everything Open

    2025

  45. Thesis: 99% Of WordPress Vulnerabilities Are Irrelevant Why 99% Of

    WordPress Vulnerabilities Are Utterly Irrelevant Everything Open 2025

  46. Thank You Custom WordPress Websites shortiedesigns.com Exceptional WordPress Plugins mongoosemarketplace.com

    Why 99% Of WordPress Vulnerabilities Are Utterly Irrelevant Everything Open 2025