WordPress website penetration testing

A customer requested a gray-box penetration test of their WordPress-based business website. The test was performed on the staging site first and then on production, to reduce the risk of damaging production data or website availability. Project size was 5 man-days over a total duration of 10 calendar days (a few days were spent obtaining credentials from the developers).


The following bugs were identified:

  • An SQL injection bug in the custom theme developed by the customer's developer.
  • An XSS bug in one of the WordPress extensions (which was out of date).
  • Directory listing enabled in the web server configuration (a configuration issue).
  • A combination of a race condition and insufficient file extension validation in the CV upload section (the career part of the website). It was possible to upload a PHP script as a CV and trigger its execution before the file was deleted by the website's business logic after processing.

The findings were reported to the customer. Two weeks later we verified the bug fixes (free of charge).
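The upload finding above combines two weaknesses: the CV file was accepted on the basis of a weak extension check, and it sat in a web-served, PHP-executing directory for the window between upload and deletion. The handler below is an added defensive example written for this page, not the audited site's code or any WordPress core API. It assumes a multipart form field named `cv` and a storage directory `CV_STORAGE_DIR` outside the document root where the web server has no PHP handler (both are placeholder assumptions). It closes both weaknesses: content is checked against an allowlist with libmagic rather than the client-supplied name or MIME type, and the file is written under a random server-chosen name to a location no HTTP request can reach, so the processing-then-delete window no longer matters.

```php
<?php
// Hardened CV upload handler: added defensive example, not the audited site's code.
// Assumptions (not from the report): the form field is "cv" and CV_STORAGE_DIR is a
// directory outside DocumentRoot with no PHP handler configured for it.

declare(strict_types=1);

const CV_STORAGE_DIR = '/var/app/cv-quarantine'; // placeholder path, outside the web root
const CV_MAX_BYTES   = 5 * 1024 * 1024;

// Allowlist: permitted extension => MIME types libmagic may report for that content.
const CV_ALLOWED = [
    'pdf'  => ['application/pdf'],
    'docx' => ['application/vnd.openxmlformats-officedocument.wordprocessingml.document'],
];

/** Validates one $_FILES entry and returns the permitted extension, or throws. */
function cv_validate_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    // Reject anything PHP did not itself receive as an upload (e.g. a forged path).
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if ($file['size'] > CV_MAX_BYTES) {
        throw new RuntimeException('File too large');
    }

    // The client name is used only to select an allowlist entry; "cv.php.pdf" yields
    // "pdf" here and is then rejected by the content check below. No part of the client
    // name is ever reused for the stored file.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(CV_ALLOWED[$ext])) {
        throw new RuntimeException('Extension not permitted');
    }

    // Check the bytes, not the claimed type: $file['type'] is attacker-controlled.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, CV_ALLOWED[$ext], true)) {
        throw new RuntimeException('Content does not match extension');
    }
    return $ext;
}

/** Validates and stores the upload; returns the server-side path for later processing. */
function cv_store_upload(array $file): string
{
    $ext = cv_validate_upload($file);

    // Random, server-chosen name: nothing the client sent reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = CV_STORAGE_DIR . '/' . $name;

    // The move happens only after validation, into a directory the web server neither
    // serves nor executes from. Business logic may process and delete the file later;
    // there is no window in which an HTTP request could reach it.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640); // owner read/write only; no execute bit
    return $dest;
}

// Usage in a request handler (constructed example):
try {
    $path = cv_store_upload($_FILES['cv'] ?? []);
    // hand $path to the CV-processing logic here
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'Upload rejected';
}
```

The validation and the storage location are independent controls: even if a future allowlist change lets an unexpected type through, a file that the web server never serves and never executes cannot be triggered by a request. As defence in depth, the web server configuration for any upload directory that must stay web-accessible should also deny execution of script extensions there, so a race between upload and deletion has nothing to win.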