With claims that WordPress runs on 33% of all websites, WordPress has received a fair amount of security scrutiny over the years.
However, with around 80.000 WordPress plugins available, free of charge, users do not only have to care about the security of WordPress itself, but also about any plugin they may choose to add. This raises the question of how can a WordPress administrator assess which plugins introduce security vulnerabilities, and which do not? The answer is of course that he/she cannot, unless the plugin in question has been tested by a trusted security expert.
I picked a random WordPress plugin from wordpress.org/plugins and performed a very short source code review of it to see exactly how much effort was needed to identify a security vulnerability. Although the first plugin chosen was found to contain a vulnerability that may be critical under certain circumstances, it is of course impossible to reason about the overall level of security in WordPress plugins in general without assessing all, or a statistically significant number of plugins.
Regardless, we encourage everyone who considers using plugins (regardless if it’s in WordPress, Drupal, Jenkins etc.) to ensure that they have been fully vetted by trained security experts.
The bug report of the discovered vulnerability can be read here: dumpco.re/bugs/wp-plugin-print-my-blog-ssrf