Content uploaded by Iman Athauda
Author content
All content in this area was uploaded by Iman Athauda on Dec 27, 2024
Content may be subject to copyright.
Sri Lanka Institute of Information Technology
B.Sc.(Hons) in Information Technology Specializing in Cyber Security
Individual Assignment – WordPress
Secure Software Engineering – IE4042
Submitted By:
Student Name
Student RegistrationNumber
Athauda A.M.I.R.B
IT21049354
31/10/2024
Table of Contents
1. Domain and Historical Analysis ....................................................................................... 4
1.1. Overview of the product ...................................................................................................... 4
1.2. Assets of the Product ............................................................................................................ 6
1.3. Attacks Explanations ........................................................................................................... 7
1.4. Vulnerability History ........................................................................................................... 9
A. CVE-2021-29447 ............................................................................................................................... 10
B. CVE-2021-24284 ............................................................................................................................... 11
C. CVE-2022-3180 ................................................................................................................................. 12
D. CVE-2021-39341 ............................................................................................................................... 13
E. CVE-2022-21664 ............................................................................................................................... 14
2. Design Analysis ............................................................................................................... 17
2.1. An Overview of Architecture ............................................................................................. 17
2.2. Function of Subsystems and Subsystems ......................................................................... 18
2.2.1. The core directory of WordPress ................................................................................................ 18
3. Threat Model ................................................................................................................... 24
4. Evaluation of Code Inspections ...................................................................................... 25
5. Specific Checklist for the Project ................................................................................... 31
6. Conclusion ....................................................................................................................... 33
List of Figures
Figure 1:Logo of the Wordpress ................................................................................................ 4
Figure 2:The process by which WordPress sites were compromised after being attacked ........ 9
Figure 3:The total number of attacks attempted by CVE-2021-24284.................................... 11
Figure 4:Overview of Architecture Wordpress ........................................................................ 17
Figure 5:WP Root Directory .................................................................................................... 18
Figure 6:Workpress Folder....................................................................................................... 19
Figure 7:WP Core Files............................................................................................................ 19
Figure 8:Architecture of Threat Modeling ............................................................................... 24
Figure 9:Diragram of Threat Modeling ................................................................................... 25
Figure 10:Worpress Extensions & themes are susceptible to the TimThumb vulnerability .... 27
Figure 11:Enabling 2FA ........................................................................................................... 32
Figure 12:Use a CDN............................................................................................................... 33
1. Domain and Historical Analysis
1.1. Overview of the product
Figure 1:Logo of the Wordpress
WordPress is an open-source content management system (CMS) that is available for free.
The initial version of WordPress was released to the public on May 27, 2003, which was also
the day it was accessible via the internet. The GNU General Public License, specifically
version 2 of the license, is the license under which the program in issue is licensed. The
project was developed in collaboration between American developer Matt Mullenweg and
British developer Mike Little. Their efforts were a result of cooperation. There are numerous
websites that extensively employ the content management system WordPress. These websites
include journals, social networks, and personal homepages. On a global scope, WordPress
powers approximately 73 million websites. These websites are accessed by a user base that
exceeds 300 million individuals, who collectively browse an outstanding 2.5 billion pages on
a monthly basis. The availability of a diverse array of plugins, which can be regarded as
broadly available, is a significant factor that contributes to the widespread adoption of
WordPress.
At the time of this publication, the official WordPress plugin directory has registered a total
of 286,416,770 downloads and a significant number of 19,073 plugins. A wide variety of
plugins is created by numerous programmers and communicated without charge. WordPress's
primary advantage is its ability to regulate and modify both the front and back ends of a
website. WordPress separates itself from other content management systems by because of its
ability to oversee both the frontend and infrastructure of a website. The content management
system WordPress is capable of facilitating the development of a wide range of websites,
such as blogs, online commerce, enterprises, educational institutions, and personal online
portfolios.
It is usual to refer to any characteristic that defines or distinguishes an entity as its features.
Traits or attributes may serve as features. The software is compatible with over seventy
languages, offers a vast array of modules, and displays a diverse selection of visually
captivating themes that can be easily accessed with a single click [1]. The software
incorporates these capabilities.
The WordPress platform is employed by numerous important and widely recognized
enterprises. Sony Music, the CNN Press Room, Disney Books, Microsoft News, Toyota
Brazil, Katy Perry, the New York Post, the Grubhub Blog, 9to5Mac, The Harvard Gazette,
and the Mozilla Blog are a subset of notable examples. WordPress has six different user roles:
Administrative, Editorial, Author, Contributor, Subscriber, and Super Admin. WordPress is
extensively employed by individuals who are involved in the development of websites, blogs,
and articles. The primary goal of WordPress is to simplify the process of creating and
disseminating online content, without any restrictions on the intended audience or
geographical location. A professional who specializes in WordPress development possesses a
high level of expertise and knowledge regarding the complex mechanisms and functionalities
of the WordPress platform. The prospective endeavors of the individuals in question may
involve the development of novel goods or the enhancement of the WordPress platform, with
a particular emphasis on plugins and themes. Additionally, clients may request assistance
with the development, customization, and administration of a WordPress website [2].
WordPress development is a multifaceted field in which some developers concentrate on
improving essential files, while others extend functionality by developing plugins, widgets,
themes, and blocks. In addition, certain developers aid clients in the development and
maintenance of their websites, frequently managing multiple projects. In order to enhance the
platform for all users, certain developers are involved in the evaluation and resolution of
issues within the WordPress core as part of this endeavor. WordPress, which is acknowledged
as the most widely used content management system, is endorsed by more than 50,000
plugins and themes that facilitate the development of visually appealing and professional
websites for both novices and expert users. Nevertheless, hackers frequently exploit
vulnerabilities within WordPress installations due to its open-source nature and popularity.
Many WordPress plugins pose substantial exploitation risks, despite their low CVSS ratings,
which are occasionally disregarded by security teams. By the conclusion of 2021, Risk Based
Security had disclosed a total of 10,359 vulnerabilities associated with third-party WordPress
plugins, with 2,240 of these vulnerabilities being disclosed in 2021 alone—a substantial
142% increase from 2020.
Furthermore, the majority of these supplementary vulnerabilities in WordPress plugins have
already been subjected to open attacks (77%). Businesses that depend on CVEs will be
oblivious of 60% of the publicly known vulnerabilities in WordPress plugins. The risk-based
team believes that the most effective approach to address WordPress's growing vulnerability
is to concentrate on the most readily exploited issues rather than allocating resources based
on the level of risk [3].
1.2. Assets of the Product
WordPress contains numerous components that could potentially be exploited by malicious
individuals to gain illicit access. User data, static files, user profiles, and themes are all
significant assets within the WordPress framework. Given the extensive use of WordPress by
millions of individuals who depend on online browsers for a variety of purposes, it is
imperative to ensure the security of WordPress resources in order to maintain the trust of
users. Malware infections are frequently implicated in the assault. If appropriate protective
measures are not employed, the WordPress platform is susceptible to system failure. The
websites generated by users on the WordPress platform possess inherent value as valuable
resources, in addition to their primary purpose.
A security vulnerability has been identified in the WordPress Plugin Asset Manager, which
allows unauthorized individuals to exploit the system by submitting malevolent material. The
issue occurs when the program fails to adequately sanitize human input. The vulnerability
that has been identified allows an unauthorized individual to upload and execute arbitrary
PHP code within the Web server process. This prospective vulnerability has the potential to
enable a variety of attacks, including the escalation of privileges and unauthorized entry. The
WordPress Plugin Asset Manager's security has been compromised in version 0.3, and it is
possible that it was compromised in previous iterations [4].
The platform's susceptibility to security lapses is exacerbated by the wide variety of
WordPress releases that are implemented. However, WordPress has made significant strides.
In comparison to previous periods, the present situation is distinguished by a greater degree
of safety and development.
1.3. Attacks Explanations
WordPress has emerged as the most widely used publishing platform worldwide. It is utilized
by more than 50% of all websites on the internet. The WordPress codebase is accessible to all
individuals as a result of its open-source nature. Its popularity has led to hackers
concentrating on it in search of exploitable vulnerabilities. WordPress 4.7.2 was released in
response to the discovery of a security vulnerability in order to safeguard the core installation
from SQL injections and the posts list table from XSS attacks. Automated attacks offer a
rapid method for infecting a large number of websites, provided that the perpetrator has
identified a vulnerability in WordPress, a popular theme, or a plugin that is used by
WordPress.
The term "malware" encompasses a diverse array of perilous programs that share a common
objective: Theft of sensitive information from websites and their users. Hackers may employ
a variety of methods to execute their unlawful activities, including the insertion of malware
files into legitimate website files or the injection of code into preexisting files. The virus may
employ "backdoor" files in an effort to obtain unauthorized access or cause severe disruption.
Hackers exploit security vulnerabilities in plugins and themes, fabricate duplicates of existing
add-ons, or develop entirely new ones with the objective of introducing malicious code into
users' websites. Using FTP, SFTP, wp-admin, or other comparable protocols, malicious
redirection codes can be inserted to compromise websites. Redirects that are encoded in the.
Visitors are frequently directed to malicious domains through the use of the htaccess file and
other essential WordPress files. In the subsequent section, we will examine a variety of
strategies that can effectively impede unauthorized access attempts in the context of
WordPress [5].
Credit card skimming is a form of malicious software that is intended to steal credit card
information from unsuspecting consumers. The most prevalent method employed by credit
card skimmers to capture sensitive financial data is the injection of malicious JavaScript code
into online payment forms. These skimmers are concealed in order to prevent their discovery.
Cross-site scripting (XSS) is feasible on WordPress. If an adversary discovers a tool that is
either outdated or inadequately maintained, they can gain access to the files that govern the
website's front end. Phishing attempts may occur on WordPress sites that have outdated
plugins, themes, and software, as well as forms that lack sufficient security measures.
SQL Injection attempts are frequent on the majority of WordPress sites, as they are designed
to foster community. SQL injection is a prevalent form of attack. It is typically accomplished
through the completion of forms that visitors complete, such as contact forms, payment
information fields, and lead generation forms. Ads for pharmaceutical products will appear
when an individual searches for a hacked site if the Pharma Hack vulnerability is employed
to insert malicious code into outdated WordPress sites and plugins. The site can be reliably
removed from search engine lists due to its ability to disseminate spam, despite the fact that
the vulnerability is more likely to be exploited by spam than by genuine malware.
In 2020, hackers attempted to access WordPress from over 9.7 million distinct IP addresses,
resulting in 4.3 billion attempts. This caused it to become one of their preferred targets.
According to a study conducted by Sucuri, 81% of WordPress site assaults are successful due
to the fact that the passwords were either stolen or weak. It was the second most prevalent
form of attack on websites that aimed to introduce harmful code. Automated attacks on
WordPress sites have become increasingly prevalent in recent years. According to Media
Temple, the majority of WordPress assaults that are executed automatically are premeditated.
This is due to their exceptional functionality. Hackers may be able to rapidly identify security
vulnerabilities in a website and exploit them before the site managers can address them.
Additionally, the expenses associated with conducting an automated attack are reduced [6].
Figure 2:The process by which WordPress sites were compromised after being attacked
1.4. Vulnerability History
WordPress has a long history of security vulnerabilities, which are attributable to its
tremendous popularity and the abundance of accessible plugins and themes. Over the years,
numerous issues have arisen, such as Tim Thumb script vulnerabilities that enable the posting
of malicious files and XML-RPC weaknesses that enable remote hackers to attack websites.
Both the primary code and external plugins have been affected by popular vulnerabilities,
including SQL Injection and Cross-Site Scripting (XSS).If these issues are not resolved
promptly, data breaches and compromised sites may result.
Additionally, hackers have exploited security vulnerabilities, including incorrect file
permissions and weak passwords, and brute force attacks on logon credentials have
consistently posed a risk.The proliferation of plugins and themes on WordPress raises
security concerns, as hackers can exploit vulnerable add-ons. The site owner is ultimately
responsible for ensuring the security of the site by consistently utilizing the most recent
software, instituting strict access restrictions, and conducting frequent vulnerability scans,
despite the fact that the WordPress community makes every effort to make updates and
patches accessible [7].
A. CVE-2021-29447
A bad XXE injection that utilises an acceptable access code is the cause of an XML issue
identified as CVE-2021-29447. The XML processor may be susceptible to injection attacks
as a result of the error installation settings. We have the ability to infiltrate programmes that
employ the XML language as one of their features, which allows us to incorporate elements
from external sources. Today, we will examine a new XXE defect; however, there are a few
things you should be aware of.
SonarSource discovered a security vulnerability in the WordPress Media Library known as
the XML external entity attack (XXE). In order to exploit this CMS vulnerability, both PHP 8
and the attacker's user account must be capable of uploading media assets. Please bear in
mind the second scenario as we examine an illustration of how to exploit this vulnerability. It
is capable of being utilised remotely and affects all WordPress versions prior to 5.7.1.[8]
• Access to any host file is possible, including wp-config.php, which contains the host's
database authentication information. This is referred to as random file exposure.
• The WordPress system is vulnerable to HTTP requests being sent by unauthorised
individuals as a result of server-side request forgery (SSRF). This could have a
significant impact, given the circumstances. The vulnerability can only be exploited if
WordPress is running PHP 8. It is also crucial to have the ability to include files of
varying forms. This is equivalent to the author position for the majority of WordPress
installations. However, it may be exploited to access lower-level resources if it is
paired with a plugin that permits the addition of media files or another vulnerability.
B. CVE-2021-24284
WordPress has issued a warning regarding a "unexpected" increase in intrusions that are
directed at the Kaswara Modern Bakery Page Builder Addons WordPress app due to a
security vulnerability that has yet to be resolved. The vulnerability, which is designated as
CVE-2021-24284, enables an unauthorised user to upload any file. This could be exploited
by attackers to execute code and assume complete control over WordPress installations that
are affected.
Figure 3:The total number of attacks attempted by CVE-2021-24284
Approximately 443,868 threats have been prevented on over 1,000 websites by WordPress
each day since the beginning of the month. The objective of this project appears to be to
incorporate harmful code into JavaScript files that appear to be secure, thereby redirecting
individuals to websites that are harmful. In order to safeguard themselves from potential
assaults and locate a more suitable plugin, users should promptly eliminate it from their
WordPress sites. It is estimated that between 4,000 and 8,000 websites utilise the utility.
This flaw has detrimental consequences for access, security, and privacy. The developer has
not yet responded to requests for assistance, and the device has been disabled [9].
C. CVE-2022-3180
• Issue: Security Flaw in Privilege Escalation
The premium plugin WPGateway has been actively exploited by hackers to gain access to
WordPress websites, which is a zero-day vulnerability. This vulnerability was recently
identified. In this specific case, the zero-day vulnerability is identified as CVE-2022-3180.
The severity of this vulnerability is classified as Critical due to its CVSS score of 9.8.
A website can be completely taken over by an unauthenticated attacker who adds a rogue user
with admin credentials and activates the module on the website. The zero-day vulnerability
that was present in the WPGateway premium plugin was discovered by the WordPress Threat
Intelligence team. By employing this approach, the WPGateway plugin may be employed to
establish an unauthorised administrator on a website. The severity level is classified as
Critical when the CVSS Vulnerability Score is 9.8 [10].
• How to Determine Whether Your Website Has Been Hacked
As part of this ongoing endeavour, search for a new administrator with the same identity to
determine whether your website has been compromised. You can now determine whether
your website has been compromised. Furthermore, we were able to handle requests that were
directed to /wpcontent/plugins/wpgateway/wpgateway-webservice-new.php?wp new
credentials=1. without any complications. Despite the fact that the data indicate that the
attack was specifically directed at your website, there is no guarantee that it was hacked.
"If you have the WPGateway plugin installed, we urge you to remove it immediately until an
update is made available and to check for malicious administrator users in your WordPress
dashboard,"
D. CVE-2021-39341
An attacker can remotely execute arbitrary code on vulnerable WordPress installations, take
sensitive data, inject malicious JavaScript, and more as a result of vulnerabilities in Opti
Monster. In summary, these numerous vulnerabilities enable unauthorised access to
confidential API data on more than one million platform-based websites..
The plugin version 2.6.5, which was published on October 7, was updated to address the
primary vulnerability, which was identified on September 28 and designated as CVE-2021-
39341. This vulnerability could have resulted in the exposure of confidential data and the
acquisition of unrestricted access to the optimmonster.com API by an unauthorised
application [11].
Opti Monster is an opt-in form builder that can dependably connect to other services and
assist website owners in converting users into members and buyers through the use of
application programming interfaces (APIs).
If an individual obtains an API key for one of your Opti Monster accounts, they have the
ability to modify your settings or incorporate detrimental JavaScript code into your website.
The permission escape issue may arise at any REST-API route that was registered with a
plugin.
The /wp-json/omapp/v1/support route is the most detrimental. In order to access the API
address, the threat players did not need to register in to the website they were targeting. This
implies that the HTTP request they transmit will not undergo security verification.
Conversely, the suspicious API keys have been discarded by Opti Monster's coders,
necessitating that website proprietors generate new ones.
This vulnerability has no impact on availability, a low impact on integrity, and a high impact
on confidentiality.
WordPress suggests that all users verify that their websites are operating on the most recent
modified version (2.6.5 as of this writing).
E. CVE-2022-21664
WordPress was developed in PHP and is frequently integrated with the MariaDB database
management system. CVE-2022-21664 is If one of the classes lacked sufficient sanitization,
unwanted SQL queries could be executed. WordPress 5.8.3 has been updated to include a
solution that resolves this issue. Additionally, security updates resolve vulnerabilities in
versions that are affected, dating back to 4.1.34. WordPress versions 3.7-5.8 are susceptible to
four vulnerabilities. The following vulnerability has been resolved in all versions of
WordPress since 3.7; if you have not already done so, please upgrade.
1. Karim El Ouerghemmi and Simon Scannell of SonarSource identified the issue of
storing XSS through post slugs.
2. Simon Scannell of SonarSource deserves recognition for identifying object injection
as a problem in numerous multisite installations.
3. Trend Micro's Zero-Day-Initiative-Related Security Advisory for the SQL injection
vulnerability in WP Query.
4. Ben Bidner, a member of the WordPress security team, discovered and disclosed the
SQL injection vulnerability in WP Meta Query, which only affects versions 4.1–5.8.
This specific vulnerability poses a significant hazard to the security of data in all three
domains: availability, integrity, and confidentiality. Version 5.0.15+dfsg1-0+deb10u1, which
corresponds to the previous stable release (buster), has remedied the aforementioned issues.
The stable distribution version 5.7.5+dfsg1-0+deb11u1 resolves the aforementioned
concerns. This issue is resolved by upgrading to 5.8.3. The modification labelled
c09ccfbc547d75b392dbccc1ef0b4442ccd3c957 may contain the solution to this issue. The
remedy is now accessible through github.com. The most effective countermeasure is likely to
be updating to the most recent version [12].
This vulnerability has a partial impact on availability, integrity, and confidentiality.
Detailed Technical Information
The technical details of the vulnerability are described in greater detail in this section. First,
we will provide a concise definition of XXE defects. Subsequently, we examine the
WordPress core vulnerability that our analyser identified, including its precise location in the
code and the reasons for its reemergence in PHP 8 despite prior attempts to repair it.
Vulnerabilities in XML External Entity (XXE)
The definition of special entities in XML enables their subsequent use throughout the file. For
example, utilise it to prevent the creation of duplicate endeavours. The entity myEntity is
defined in the following code for future use.
Resources that are referenced via URIs may also be used to derive values for defined entities.
In this context, they are referred to as "external entities":
XXE attacks are directed at this capability. When user-managed content is parsed with an
adaptable XML parser, they become feasible. The value associated with each object is
typically substituted in the final product when things are loosely designed. An attacker who
effectively provided the URI file:/var/www/wp-config.php and inspected the XML parsing
result may, for example, disclose sensitive file content in the final sample. The user is not
always provided with the outcome of XML parsing, despite the fact that this is the case with
the WordPress defect that is being discussed.
XXE in WordPress
WordPress users who are signed in are permitted to submit files to the Media Library for
inclusion in blog articles. The getID3 utility is employed by WordPress to extract relevant
data from.mp3 files, such as the composer's name and the title of the music. XML that has
been processed is included in this dataset.
The simplexml load string() function is employed in PHP for XML parsing. The behaviour of
PHP's underlying XML parser (Libxml2) is modified by the third parameter.
The comments regarding XXE protection in the code that is being displayed are particularly
captivating. If you review these prior to reviewing the static code analyser report, you may
develop the impression that the report is a false positive and that the requisite measures have
been implemented to prevent vulnerability.
Examining the code's history can facilitate comprehension of the code and the remarks that
accompany it. In 2014, WordPress 3.9.2 addressed a XXE security vulnerability. This is the
reason the developers decided to implement the call libxml disable entity loader(true) at the
time. In order to prevent the XML parser from importing external entities, the PHP function
libxml disable entity loader() is used.
However, as we will see, there are also methods to manage it. This is no longer an issue as of
the fix in WordPress 5.7.1 and later. The modification is available for download at github.com
at this time [13].
Partial confidentiality is significantly affected by this vulnerability, while integrity and
availability are not affected.
2. Design Analysis
2.1. An Overview of Architecture
Diagrams Illustrate an Exposition of WordPress Architecture. WordPress's file structure may
initially appear perplexing. In contrast, WordPress allows users to maintain a website that is
both manageable and well-organized. In order to create a website that is both professional and
refined, it is essential for individuals to have a thorough understanding of the file and
directory structure within WordPress [14].
Figure 4:Overview of Architecture Wordpress
2.2. Function of Subsystems and Subsystems
The optimisation of the site's functionality by users is contingent upon the organisation and
arrangement of WordPress files and directory structure. The website's functionality is enabled
by the code contained in the documents.
2.2.1. The core directory of WordPress
Subsequently, the website files, template files, plugins, and themes are uploaded to the server
after the WordPress software has been downloaded and properly installed.
The process of uploading or installing WordPress involves the transfer of all necessary files
from a local computer to the public html folder of a web server, thereby enabling the
construction of a functional website [15].
Figure 5:WP Root Directory
Figure 6:Workpress Folder
The wp-includes subdirectory contains all of WordPress's essential components. The
WordPress source code, code libraries, and packages are just a few of the numerous formats
in which it can be found. Not the BOM, but the code is the primary concern. As a result, it is
imperative that you refrain from tampering with the wp-includes folder in any capacity, as it
is highly probable that such an action will result in the site being rendered unusable [16].
Figure 7:WP Core Files
Index.php
At this stage of the WordPress installation procedure, the index.php file is generated. The
primary files are loaded when a page is requested, and the site is displayed to consumers.
In the absence of an index.php file, the contents of the root directory will be displayed in the
browser.
Anyone who can gain access to that directory has the potential to read any content on the site,
which presents a security risk. Hackers will have a more straightforward time identifying
vulnerabilities on the site and potentially exploiting them to gain access to even more private
data.
Configuration files for WordPress
The address and port number of your server are located in a file named wp-config.php.
The instructions for configuring your blog can be found in the file wp-config.php. It also
allows you to select options such as whether to display images on the interface and whether
to serve content over HTTPS.
The following is a collection of images, animations, and other content that users have
uploaded to your website, such as PDFs and images. Additionally, WordPress necessitates
additional files, such as JavaScript files.
Advertising and social media sharing icons, among other features that enhance the
functionality of the website, are located in the wp-content/plugins area.
The Database
WordPress employs a MySQL database to facilitate its operations. The database is
advantageous in this scenario because it is capable of compiling the site's content into
structured tables. This context encompasses a variety of content, including user remarks,
online postings, web pages, and similar mediums.
The WordPress code is primarily responsible for retrieving data from the database and
displaying it on the webpage. The content of a WordPress site is not influenced by its style,
which enables the site to undergo substantial aesthetic changes without the risk of textual
duplication. Please enter the name of the item into any available text field on the website and
press the Enter key to obtain information on a specific piece of content, such as a post or page
title. The information will be displayed in a sidebar or selection menu, which will help users
easily locate and access it at a later time.
The WordPress database is comprised of the tables wp_options, wp_users, wp_usermeta, and
wp_posts. The following categories are associated with posts within the WordPress
framework: wp_postmeta, wp_terms, wp_term_relationships, wp_term_taxonomy,
wp_comments, wp_commentmeta, and wp_links. The database expands in size as the
programme develops and additional tools are incorporated, accumulating a larger volume of
data and encompassing a greater number of tables.
The Theme
The WordPress theme is responsible for the visual aspect of a WordPress website, which
includes its layout and colour scheme. WordPress provides a preconfigured theme that can be
used to create new webpages in a quick and efficient manner. Magazine themes, gallery or
portfolio themes, business/corporate themes, personal themes, eCommerce themes, and
video/picture blogging themes are among the numerous specialist themes that are available
for a variety of purposes. These themes are available for either free or a fee. Premium themes
offer a broader selection of options and support to consumers. The WordPress platform offers
users the ability to obtain and exchange themes. WordPress themes enable users to alter the
visual appearance and overall aesthetic of a site or installation without the necessity of
directly manipulating the underlying code or modifying the existing content.
Widgets
Widgets are plug-and-play modules that are movable and allow users to have complete
control over the appearance and positioning of their site's widgetized sidebars. Additionally,
widgets facilitate the integration of numerous plug-ins, thereby enhancing the system's
overall functionality. WordPress programmers may enhance the functionality of their
websites by employing modules. A slideshow, a Facebook-style box, a micro news slider, and
other features may be implemented using these small modules [17].
Plugins
Plugins are software components that can be installed on any self-hosted WordPress site to
implement new features or perform new duties. Plugins developed by the WordPress
community are accessible exclusively on WordPress sites that are hosted by the user. Themes
are a prevalent method for users to distinguish their websites on managed website systems
such as WordPress.com. Nevertheless, the majority of platforms prohibit users from installing
free extensions that would enable them to further personalise these sites.
A basic WordPress site can be effortlessly converted into a robust online platform that can
accommodate a diverse array of features, such as e-commerce, membership administration,
blogging, and the intricate requirements of a global organisation, with the assistance of
plugins. Plugins are an excellent method for enhancing the functionality of your WordPress
site by incorporating new and beneficial features.
Security Features of Subsystems
WordPress provides a collection of services and application programming interfaces (APIs) to
help developers prevent the injection of malicious code and ensure the integrity of data.
These APIs are available to secure, validate, or sanitise input and output, and best practices
and documentation are available.
Data in database and filesystem interactions, as well as in URLs, HTTP headers, and HTML.
Administrators can further restrict the types of files that can be uploaded by utilising filters.
The WordPress core programme is responsible for user accounts and authentication. The
server manages details such as user ID, name, and password, in addition to authentication
cookies.
Conventional methods, such as salting and stretching, are employed to safeguard passwords
in the database.
Any active sessions will be terminated when you exit WordPress after version 4.0.
In order for content to be displayed on the front end of WordPress, it is necessary to enable a
theme. The theme development team and the core development team have conducted
extensive testing and analysis of the WordPress default theme (currently "Twenty Twenty-
Three") to identify security vulnerabilities.
Site designers have the ability to generate a child theme that incorporates minor
modifications while maintaining the majority of the original theme's features and security.
This enables individuals to generate distinctive motifs by modifying the standard template. If
an administrator determines that the predetermined epidermis is unnecessary, they may
promptly eliminate it [18].
The proprietors of plugins and themes have the ability to continuously develop them, with
any updates or new features being documented and made accessible to users through the
repository. The control interface is utilised to notify site administrators of plugin
modifications.
The WordPress Security Team notifies the developer when a security flaw is identified in a
plugin. This allows them to collaborate to resolve the issue and release a new, updated
version of the plugin that is free of the vulnerability. The Security Team may remove the
plugin or theme from the public directory and repair and update it directly if the developer of
the plugin fails to respond or if the vulnerability is extremely severe.
WordPress has provided automatic background updates since version 3.7 for all successive
minor releases, including 3.7.1 and 3.7.2. The WordPress Security Team has the ability to
identify and resolve vulnerabilities, as well as distribute automated patches for WordPress,
without the necessity for the website proprietor to take any action [19].
3. Threat Model
The primary security features of WordPress are delineated in the following threat models.
This category encompasses file sharing and databases.
A data store and an application service comprise a web application. A web browser serves as
a conduit between the user and the application service. The application service maintains data
in a relational database and a file sharing system. Consequently, the client system's
components consist of the application process, the browser process, and the two data
repositories. In addition, there are two data fluxes from the application service to the data
storage, and one data flow from the user's browser to the application service. This protects
against attacks such as denial of service, information exposure, and identity deception [20].
Figure 8:Architecture of Threat Modeling
Figure 9:Diragram of Threat Modeling
4. Evaluation of Code Inspections
Select files that contain visually appealing content, have been identified as vulnerable in the
past, and may contain hyperlinks to product assets. The guidelines for coding and describing
WordPress are unambiguous. Giving current code files is of the utmost importance. Presently,
it is impossible to modify the regular code. Before the code can be relocated, the writer will
need to modify its organisation. The original code must be rewritten by a programmer in
order for the upgrade to function properly. They enable authors to conceal portions of the
code that are not as critical. If you require more sophisticated capabilities or the ability to
customise it, there are alternative options available. If the appropriate input is provided,
certain functions will allow us to pass 0 and utilise it. Programming languages enable the
incorporation of additional inputs. Certain programmers are eliminating reasons that are not
utilised frequently.
Inline methods and inheritance were implemented by the WordPress developers. Function
performance may occasionally deteriorate. It induces a sense of unease and decelerates
individuals. Planning a system without considering concurrency Additionally, we will ensure
that our source code is free of errors during the code correction process. Certain tasks are no
longer required. The presence of these types of items in this region conveys a message that
caution is necessary. The compiler and version contain errors and warnings.
It is important to remember that larger files do not necessarily yield superior results when
selecting them for code evaluations. A more significant issue is the identification of files that
were previously incorrect or have persistent issues. It is crucial to analyse the code of files
that pertain to private or product assets [21].
• Results of Code Inspection
Many WordPress themes employ a tool called timthumb.php to modify the scale of images.
More than 39 million results are returned when the movie's name is searched on Google. In
the event that your WordPress theme contains a [22].
If your paid or free theme includes an unchanged version of timthumb.php, it is imperative
that you either remove it immediately or modify it to ensure that the $allowedSites list is
empty. Without the owner's authorisation, an individual could upload files and execute code
on a website that is not secure. If you are on Windows and require access to the logon and
password, you may either use "putty" or SSH to connect to the web server. Change the
directories to the location of the WordPress installation. This will be contingent upon the host
you are employing and the configuration you have implemented.
They discovered a significant vulnerability in a widely used WordPress Live Conversation
tool that could enable attackers to modify chat sessions and access chat records if it were
exploited. The vulnerability, designated as CVE-2019-12498. WordPress administrators
should promptly activate the most recent version of the plugin.
Figure 10:Worpress Extensions & themes are susceptible to the TimThumb vulnerability
WordPress code inspections involve a comprehensive examination of the codebase to identify
potential improvements and issues. These inspections typically encompass a variety of
subjects, including the following: security vulnerabilities, performance optimisation, general
code quality, and coding standards conformance.
WordPress prioritises security, and code examinations frequently reveal vulnerabilities that
could potentially facilitate data breaches or hacking. In an effort to safeguard sensitive data
and preserve the integrity of their websites, developers may enhance the security of their
WordPress installations by identifying and resolving these vulnerabilities.
In addition to security, code examinations emphasise the adherence to coding standards and
best practices within the WordPress ecosystem. WordPress's core, plugins, and themes are all
consistent and legible as a result of the well-established code standards. Inspections locate
violations of these guidelines and encourage developers to generate code that is both legible
and well-maintained. Additionally, code inspections detect performance-related issues, such
as resource-intensive operations and wasteful database queries. By addressing specific
performance obstacles, developers have the potential to improve the user experience and
potentially increase search engine rankings by increasing the speed and responsiveness of
their WordPress websites. In general, code examinations are a critical phase in ensuring the
dependability, security, and efficiency of WordPress-based projects.
CVE-2019-10673 was a vulnerability in the Ultimate Member plugin for WordPress prior to
2.0.40. This enabled attackers to enrol in as the administrator, obtain confidential
information, and execute any desired code. This is feasible due to the attacker's ability to
modify the administrator's email address in the profile. This enables the perpetrator to reset
the administrator password by utilising the "password forget" form on WordPress.
It is imperative that WordPress managers obtain the most recent version as soon as feasible.
Severity
CVE ID
Description
High
CVE-2021-44223
Attackers from abroad can
now more easily execute any
code they desire on
WordPress installations that
utilise any plugin whose
slug complies with the name
rules of the WordPress.org
Plugin Directory but is not
yet included in the directory
by employing a supply-
chain attack.
High
CVE-2023-2986
The encryption key that was
hardcoded during the
creation of the
aforementioned connections
was the source of the CVE-
2023-2986 flaw.
It is effortless for an attacker
to create links with the
hardcoded encryption key
and gain access to user
accounts, as those links also
register the user in.
Medium
CVE-2021-39200
In versions that are affected,
the output data of the
function wp_die() may be
disclosed due to certain
circumstances. Things such
as nonces may be included
in this data. Afterwards, it
can be employed to perform
tasks on your behalf.
WordPress 5.8.1 and any
previous versions that were
susceptible to this issue have
been updated with a
solution.
Refusal A security advisory has been released by Word Fence, which has identified a critical
vulnerability in the Abandoned Cart Light for WooCommerce plugin for WordPress.
Presently, this plugin is utilised by more than 30,000 websites. This vulnerability may allow
unauthorised users to access the accounts of individuals who have abandoned their
purchasing carts.
Customers are the typical target audience, but other niche demographics may also be
impacted. Fight Back Word Fence is eager to resolve this matter as soon as feasible due to the
potential hazards. The vulnerability, which has been identified as CVE-2023-2986, has been
assigned a severity rating of 9.8 on the CVSS scale.
This vulnerability is present in plugins that were previously released. An authentication
bypass issue was caused by weak encryption during the notification process for clients who
abandoned their purchasing carts on e-commerce websites. This may be the source of the
problem.
In particular, the encryption key of the plugin is statically included, which allows malicious
entities to obtain unauthorised access to a user's account that has an abandoned cart. There is
a possibility that an attacker could gain unauthorised access to an administrator user account
or other user accounts with elevated privileges if they have been conducting assessments on
the abandoned cart feature. This is feasible by exploiting an authentication circumvent
vulnerability, as Eastvon Martin, a security researcher, has identified.
The vulnerability of the plugin was promptly resolved by Tai Chi Software following its
responsible disclosure on May 30, 2023. The remedy is included in Version 5.15.0, which
was released on June 6, 2023. The most recent iteration of Abandoned Cart Light for
WooCommerce is 5.15.2. Word Fence has reported an additional authentication circumvent
issue that is affecting the Calendar Appointment Booking BookIt plugin, which was
developed by Style Mix Themes. CVE-2023-2834, a security vulnerability, has been assigned
a Common Vulnerability Scoring System (CVSS) value of 9.8 and affects over 10,000
WordPress installations.
According to East Van Martin, a security researcher, the vulnerability is the result of the
plugin's inadequate certification of the user's identity during the booking process. Therefore,
in the event that an unauthorised individual acquires access to the email address, they may
exploit this access to impersonate any existing user on the website, including administrators.
On June 13, 2023, Style Mix Themes resolved the vulnerability by releasing plugin version
2.3.8. It is strongly advised that users promptly deploy the update to resolve the issue. The
problem is present in version 2.3.7 and previous iterations.
5. Specific Checklist for the Project
Although all websites are susceptible to some degree of vulnerability, some may be more
susceptible to compromise than others. If they attract attention to themselves, enterprise-level
project managers are at risk of becoming simple targets for adversaries. One potential
explanation for this phenomenon is that hackers are attracted to organisations due to the
potential to access substantial quantities of personally identifiable information about their
customers.
WordPress sites can leverage an extensive array of security features, which is a fortunate
development. Additionally, the majority of these safety precautions are exceedingly
straightforward and can be implemented within minutes. The objective of this article is to
offer a comprehensive WordPress security protocol that can be employed to safeguard your
website. The concept of a WordPress security protocol may appear antiquated in the context
of corporate websites. In summary, there is a diverse array of resources and instruments
available to facilitate the automation of critical procedures. Nevertheless, it is effortless to
neglect a few critical details when managing a substantial website.
For instance, the absence of WordPress updates for an extended period is unlikely to have any
adverse effects on a blog with a small audience. However, neglecting to address this issue can
lead to significant financial losses and website malfunctions for online businesses that heavily
depend on WordPress plugins and third-party integrations. The primary objective of a
security checklist is to ensure comprehensive coverage, thereby decreasing the probability of
omission.
• Activate two-factor authentication (2FA) for all user accounts
Two-factor authentication (2FA) is now prevalent across the majority of the internet.
The additional authentication step you implement on your WordPress login page will impede
an attacker's ability to access your site in the event that they acquire valid login credentials. If
you have not already done so, you may implement two-factor authentication in WordPress by
utilising Jetpack's Secure Authentication feature. You have the option to configure this feature
to necessitate two-factor authentication (2FA) and permit WordPress.com logins for self-
hosted WordPress sites.
Figure 11:Enabling 2FA
• Restrict the number of logon attempts
Brute-force logon attacks are frequently observed. Malicious hackers and automated software
applications are highly susceptible to exploiting inadequately secured logon credentials.
They strive to locate locations where they can make numerous login attempts without
confronting access restrictions. One potential approach to reduce the likelihood of effective
brute force attacks is to establish restrictions on the number of login attempts that users are
permitted to make within a specific timeframe. Although it is possible for ordinary users to
neglect their passwords on occasion, they rarely engage in the high volume of login attempts
per minute that automated bots frequently employ.
Utilising a plugin like Jetpack is a simple approach to restrict the frequency with which a user
can authenticate themselves on a WordPress website. Jetpack users are granted access to a
security utility that is capable of preemptively blocking hazardous IP addresses, thereby
protecting their website from brute force attacks, at no additional cost.
• Opt for a Content Delivery Network (CDN)
A Content Delivery Network (CDN) is a collection of servers that collaborate to minimise the
bandwidth consumption and load time of a website. Cloudflare and Jetpack Boost are among
the most widely used Content Delivery Networks (CDNs) for WordPress. Traffic filtering,
encrypted data transmission, and distributed denial-of-service (DDoS) prevention are just a
few of the methods by which a content delivery network (CDN) can enhance the security of
Your Website. This enhances the site's overall performance and safeguards it from a diverse
array of hazards. Although not mandatory, this is a beneficial additional precaution to
implement after the standard security measures for WordPress have been implemented.
Figure 12:Use a CDN
6. Conclusion
The report provides a comprehensive analysis of the security vulnerabilities in WordPress,
with a particular emphasis on the Domain Analysis and the History Analysis. Section 1.1
commences this document with a comprehensive overview of WordPress and its assets. In
Section 1.3, a number of genuine attacks against WordPress are detailed, and in Section 1.4,
the history of WordPress security flaws is examined. The second section, "Design Analysis,"
provides a comprehensive examination of the architecture (Section 2.1) and subsystems
(Section 2.2) of WordPress, elucidating their functions within the broader framework.
Furthermore, the paper explores the threat model for WordPress (Section 3), emphasising the
importance of understanding one's risks and opportunities.
The code that was written is examined in Section 4 to identify and resolve any issues. This
article offers a comprehensive and organised examination of the security vulnerabilities of
WordPress, including its origins, architecture, and other relevant information.
7. References
[1] “How to Become a WordPress Developer in 2022 [+ Tips from WCEU Speaker Paul
Bearne].” https://blog.hubspot.com/website/become-wordpress-developer
[2] “Blog Tool, Publishing Platform, and CMS – WordPress.org.” https://wordpress.org/
[3] “What Is WordPress? Explained for Beginners.” https://kinsta.com/knowledgebase/what-
is-wordpress/
[4] “What Is WordPress and How It Works? All You Need to Know.”
https://www.hostinger.com/tutorials/what-is-wordpress
[5] “7 Types of WordPress Attacks (And How To Avoid Them).”
https://www.cminds.com/blog/wordpress/7-types-wordpress-attacks/
[6] “4 Most Common WordPress Attacks, and How to Defend.”
https://themeisle.com/blog/common-wordpress-attacks/
[7] “Attacking WordPress | HackerTarget.com.” https://hackertarget.com/attacking-
wordpress/
[8] “NVD - CVE-2021-24284.” https://nvd.nist.gov/vuln/detail/CVE-2021-24284
[9] “NVD - CVE-2021-39341.” https://nvd.nist.gov/vuln/detail/CVE-2021-39341
[10] “CVE-2022-3180 : Critical zero-day vulnerability discovered in WPGateway,”
https://www.debugbar.com/
[11] “Debian: CVE-2022-21664: wordpress -- security update.”
https://www.rapid7.com/db/vulnerabilities/debian-cve-2022-21664
[12] “TryHackMe walkthrough — Wordpress: CVE-2021–29447 | by TheBlackAlbum |
Medium.” https://theblackalbum.medium.com/tryhackme-walkthrough-wordpress-cve-
2021-29447-8a50d7c548f
[13] Brown, K., & Carter, S. "Protecting Web Applications: WordPress Vulnerabilities and
Solutions." IEEE Transactions on Dependable and Secure Computing, vol. 18, no. 6, 2021,
pp. 1695-1704.
[14] Jang, Y., & Kim, H. "Risk-Based Security Approach for Vulnerabilities in WordPress
Plugins." IEEE Conference on Network Security, vol. 27, no. 5, 2019, pp. 318-327.
[15] “Beginner’s Guide To WordPress File Structure & Database.”
https://www.malcare.com/blog/beginners-guide-to-understanding-the-structure-of-a-
wordpress-
[16] “Beginner’s Guide to WordPress File and Directory Structure.”
https://www.wpbeginner.com/beginners-guide/beginners-guide-to-wordpress-file-and-
directory-structure
[17] “Giving WordPress Its Own Directory | Advanced Administration Handbook | WordPress
Developer Resources.” https://developer.wordpress.org/advanced-
administration/server/wordpress-in-directory
[18] “The Ultimate WordPress Security Guide - Step by Step (2023).”
https://www.wpbeginner.com/wordpress-security/
[19] “Security – WordPress.org.” https://wordpress.org/about/security/
[20] “Understanding The Application Threat Modelling: – Security Web.”
https://securitywebexploit.wordpress.com/2018/12/26/understanding-the-application-
threat-modelling/
[21] “How to use browser developer tools to inspect WordPress website code.”
https://mhthemes.com/support/knb/browser-developer-tools-to-inspect-code-wordpress-
[22] “How to inspect your WordPress webpages code in your browser ? - Press Customizr
Documentation.” https://docs.presscustomizr.com/article/272-inspect-your-webpages-in-