Scoring Critical Bounties with Wordpress Plugin 0/N-days

Michael Ness
CEO, Founder
October 5, 2022

Introduction

Wordpress is one of the most widely used content management systems out there, if not the most. The Wordpress core has contained vulnerabilities over the years, but nothing like what we see in the plugin ecosystem. Wordpress plugins are packages of code that can be installed into the Wordpress core to add functionality and help with different tasks and the maintenance of your website. They are very handy because they save you writing the functionality yourself, but the downside is that you really do not know who has written the plugin or what its threat landscape looks like. Yes, anyone can create and publish a plugin for you to use.

There are companies dedicated to indexing these plugins and tracking the vulnerabilities reported in their source code; shoutout to Patchstack and WP Scan, who both do a great job of this. Visiting these sites you can see the huge lists of vulnerabilities that exist and the multiple new ones that come through every single day. This constant stream means plenty of new vulnerabilities are being discovered and dropped daily, as you can see below.

Research & Results

I always thought about capitalising on these vulnerabilities within Bug Bounty, but in order to do so I needed to be able to index a list of Wordpress instances and their plugins across all of my Bug Bounty targets. In total I have amassed ~21,000 Wordpress instances containing 72,578 Wordpress plugin installations, with 6,070 unique plugins.

My view is always focused on attack surface, and this provided a huge extended attack surface for me within Bug Bounty, and continues to do so as these instances and plugins are updated on a continuous basis. You can see how this looks for me within my Overcast ASM platform below.
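Building that plugin index starts with recognising plugins from the front-end assets a Wordpress page loads. The following is an added example (not code from the post or from Overcast) that inventories plugin slugs and the `?ver=` version hints from a page's HTML and flags any that fall behind a known-latest version; the HTML, the `example.test` host and the `LATEST_KNOWN` table are constructed sample data.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample page source, as a Wordpress site might emit it (not real data).
SAMPLE_HTML = """
<link rel='stylesheet' href='https://example.test/wp-content/plugins/wp-migrate-db/asset/dist/styles/plugin.css?ver=2.3.1'>
<script src='https://example.test/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.6.3'></script>
<script src='https://example.test/wp-content/plugins/contact-form-7/includes/swv/js/index.js?ver=5.6.3'></script>
<link rel='stylesheet' href='/wp-content/plugins/some-gallery/style.css'>
<meta name="generator" content="WordPress 6.0.2">
"""

# Constructed "latest version" table; a real index would pull this from a plugin tracker.
LATEST_KNOWN = {"wp-migrate-db": "2.3.2", "contact-form-7": "5.6.3"}

# Any asset under /wp-content/plugins/<slug>/ reveals an installed plugin.
ASSET_RE = re.compile(r"/wp-content/plugins/([A-Za-z0-9_.-]+)/([^\s'\"<>]*)")
# Wordpress appends ?ver= to enqueued assets; for plugins this is usually the plugin version.
VER_RE = re.compile(r"[?&]ver=([^&'\"\s]+)")
GEN_RE = re.compile(r'<meta name="generator" content="WordPress ([0-9.]+)"')


def inventory_plugins(html: str) -> Dict[str, Optional[str]]:
    """Map plugin slug -> version hint (None when no asset carried ?ver=)."""
    plugins: Dict[str, Optional[str]] = {}
    for match in ASSET_RE.finditer(html):
        slug, asset_path = match.group(1), match.group(2)
        ver = VER_RE.search(asset_path)
        version = ver.group(1) if ver else None
        # Keep the first version seen; fill in later if an earlier asset lacked one.
        if slug not in plugins or (plugins[slug] is None and version):
            plugins[slug] = version
    return plugins


def wordpress_version(html: str) -> Optional[str]:
    """Core version from the generator meta tag, if the site still emits it."""
    m = GEN_RE.search(html)
    return m.group(1) if m else None


def version_tuple(version: str) -> Tuple[int, ...]:
    """Numeric-only comparison key; non-numeric parts (e.g. 'beta') count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.+-]", version))


def outdated_plugins(html: str, latest: Dict[str, str]) -> List[str]:
    """Slugs whose version hint is older than the known-latest entry."""
    inv = inventory_plugins(html)
    return [s for s, v in inv.items() if v and s in latest and version_tuple(v) < version_tuple(latest[s])]
```

Plugins without front-end assets stay invisible to this passive check, and a `?ver=` value can be a cache-buster rather than the plugin version, so treat the result as a lead to confirm, not a verdict.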

Having this data has allowed me to collaborate with many talented researchers in order to score bounties through their 0/N-days in plugins, some of these more critical than others, with bug types ranging from Remote Code Execution through to Cross-Site Scripting. You can see just some of the rewards below!

The two Remote Code Execution bugs came from the same source, one plugin. It allowed an unauthenticated user to remove any file on the Wordpress instance; by removing the config.php file and replacing it with one pointing at an instance you control, you could execute code on their server.

The bug involving the wp-migrate-db plugin was actually the result of another plugin on the system. One really uncommon plugin had a directory traversal vulnerability where you could not read files but could disclose their file paths. In doing so we were able to figure out the file path of a DB backup created by the wp-migrate-db plugin and download it through the browser. This gave us an up-to-date backup of the production database for this instance.

These are just a few of the bugs discovered within Overcast's Wordpress data. They were the result of collaborations with talented researchers who identified issues within the plugins; from there we were able to identify the instances that use them and exploit the issue. I'd like to thank these researchers for their collaborative efforts and name a few that I've interacted with the most in this domain: MrTuxracer (https://twitter.com/MrTuxracer), TomorrowIsNew (https://hackerone.com/tomorrowisnew_), Bludger (https://hackerone.com/bludger).

Feel free to reach out to me if you'd like to collaborate on anything; it's nice to be able to use the ASM data I collect in collaborative efforts.

Conclusion

Overall, Wordpress is a fairly secure and really useful utility for getting sites up and running quickly, but using plugins can widen your threat landscape. It is important to keep these plugins up to date and to know exactly where they come from and who is maintaining them. Resources like Patchstack and WP Scan let you check a plugin's vulnerability history before installing it and help with ongoing maintenance.

In the context of Bug Bounty and companies alike, Wordpress and its plugins are often overlooked, but paying attention to them can greatly expand the attack surface you find as a researcher, or reduce the attack surface you expose as a company, especially if it is monitored over time.

If you have anything interesting in the Wordpress domain as a researcher then feel free to reach out to us at Overcast Security for collaboration!

Additionally if you are a company which heavily relies on Wordpress for one reason or another, our Attack Surface Management product can help secure not only your Wordpress assets but any other externally facing ones too — feel free to get in touch.
