Over the past 10 years that WPScan has been cataloging WordPress vulnerabilities, many hundreds of independent security researchers have contributed to our WordPress vulnerability database. Today we talk to m0ze, a long-time WPScan vulnerability database contributor, who shares his thoughts on the state of WordPress security today.
Please introduce yourself.
My name is Vlad, also known as m0ze. I am an independent security researcher, co-founder of the Defcon Moscow group and 2600 Moscow meetings, addicted to music and coffee, interested in psychology and vector graphics. In short – learn by practice, live by the code, stay true.
How did you get started in security?
The term “security” in this case has a commercial and professional connotation; my views and convictions are closer to the term “hacker”. In the 90s, when I took my first steps in this direction, there wasn’t any imposed corporate environment of “ethics” – keen enthusiasts explored the world of computers and networks, where everyone had their own piece of happiness. The study of the computer itself and its capabilities was of paramount importance; then, with the advent of the modem, the first “forays” into the Internet became possible, which significantly expanded the boundaries of research in this area. Then I came across the magazine “Hacker”, and I first learned that there is such a term conventionally denoting geeks and enthusiasts who study the capabilities of computers, networks and security. This is it.
How did you get started in WordPress security specifically?
Specifically, for my interest in the security of WordPress, I can say “thanks” to the Envato marketplace, because the software and scripts sold there are not distinguished by code quality or safety, which I personally encountered while helping a mate implement a large-scale project. He bought a premium WordPress theme and several plugins there, and when I started providing the technical side of the project I decided to take a look at the code in general. A couple of hours later, some vulnerabilities were identified: Unrestricted File Upload, SQLi, IDOR, XSS – in short, the vulnerabilities that remain the most popular in premium products to this day.
The next step was to notify the author and Envato’s QA department about these vulnerabilities, but on their side I found no understanding of what this was all about. To clarify what vulnerabilities are and why they should be fixed, I decided to randomly select other themes from the ThemeForest catalog and, using them as examples, show that there are vulnerabilities, that they need to be fixed, and that this issue requires attention and control. The bottom line is that in ~15 minutes I found about 8 vulnerable themes on the marketplace, which surprised me. That triggered my interest in whether there are many vulnerable items in general and what the overall situation is with the safety of the products sold on this marketplace. Without going into details, I will say that to this day everything is very bad. This is how my targeted interest in the security of WordPress began.
You have been submitting vulnerabilities to our database for years, how does WPScan help you with the vulnerability disclosure process?
The most important factor is the publicity – the publicity of such common security problems in a product, with a focus on eliminating vulnerabilities. It really helps to make the product better. The second important point is the neglect of independent researchers and their warnings about the discovered vulnerabilities. Some developers can only be reached through a more official channel – a specialized company that provides security services (like WPScan, for example), the WordPress Plugins Team itself, or by making a 0-day release.
What tools do you use to find WordPress vulnerabilities?
Nothing special: Burp Suite / ZAP, different browsers with a pack of extensions, personal scripts and payloads, a text editor and my private server for tests. I use this set the most.
What are your opinions on the state of WordPress security today?
By itself, the WordPress engine is quite safe, which is confirmed by the statistics. In any case, for now this is so, but it seems to me that in the coming years the picture may change for the worse – this is the case with all projects that are gaining great popularity and want to please as many users as possible with all the modern trends. WordPress CMS is getting bigger and more complex, and it grew out of the “blog only” niche many years ago; remember what WordPress was like 8 years ago and what it is now 🙂 «When you aim for perfection, you discover it’s a moving target.» ©
There isn’t much to say about themes and plugins – everything is very, very sad in terms of security.
What advice do you have for someone wanting to get started in finding WordPress vulnerabilities?
Hop in right now if you really want to. Don’t wait for a “magic sign”, because you will only waste your time (which you will regret later). Dare, make mistakes and ask “stupid” questions – this is your right as a beginner. Your task is to learn; ours is to show the path, inspire and teach. Over the years, you will teach us something, believe me.
Don’t hold on to commerce and money; stand for the idea and your curiosity. Don’t be afraid of failure, because failure creates a choice: stop trying or try harder. The essential question is whether to accept the defeat or to build on progress. This is your wake-up call.
«When you lose fun and start doing things only for the payback, you’re dead.» © Phrack #65
Who should someone who wants to get started in WordPress security follow on Twitter?
It’s important for a beginner to gather as much information as possible, as often as possible, about the WordPress ecosystem, about the vulnerabilities found, threats and updates. For this, a subscription to the accounts of the top WordPress security companies and to the official accounts of this CMS is quite enough. I will not say anything about the personal accounts of independent researchers, because everything is individual here: information useful to a beginner will be mixed with photos of kittens and endless emotions about the COVID-19 pandemic.
I would also not recommend subscribing to everyone in a row, since this is a social network, and reading too large an unfiltered Twitter (or any other) feed will take a lot of time without giving a significant amount of useful information.
Anything else that you would like to add?
Yep. Stay positive, stay true and be healthy during this difficult time. Thanks for reading this interview!
What’s your Twitter handle so that people can follow you?
My Twitter account is @vladm0ze, feel free to follow 🙂