Episode 55: In this episode of Critical Thinking - Bug Bounty Podcast, Justin is joined by WordPress security researcher Ram Gall to discuss both the functionality of and the vulnerabilities in WordPress plugins.
Shoutout to https://twitter.com/realytcracker for the awesome intro music!
====== Links ======
Follow your hosts Rhynorater https://twitter.com/rhynorater & Teknogeek https://twitter.com/0xteknogeek on Twitter.
====== Ways to Support CTBBPodcast ======
Wordfence - Sign up as a researcher! https://ctbb.show/wf
===
Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.
Hop on the CTBB Discord
We also offer Discord subscriptions at $25, $10 and $5; premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Today’s Guest:
Ramuel Gall - https://twitter.com/ramuelgall
UpdraftPlus Vuln - https://www.wordfence.com/blog/2022/02/vulnerability-in-updraftplus-allowed-subscribers-to-download-sensitive-backups/
XML-RPC PingBack - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/wordpress-xml-rpc-pingback-vulnerability-analysis/
Unicode and Character Sets - https://www.joelonsoftware.com/2003/10/08/the-absolute-minimum-every-software-developer-absolutely-positively-must-know-about-unicode-and-character-sets-no-excuses/
Reflected XSS - https://www.wordfence.com/blog/2022/02/reflected-xss-in-header-footer-code-manager/
POP Chain - https://www.wordfence.com/blog/2023/12/psa-critical-pop-chain-allowing-remote-code-execution-patched-in-wordpress-6-4-2/
WordpressPluginDirectory - https://github.com/WordPressplugindirectory
Subscriber+ RCE in Elementor - https://www.wordfence.com/blog/2022/04/elementor-critical-remote-code-execution-vulnerability/
Subscriber+ SSRF - https://www.wordfence.com/blog/2023/06/credential-stealing-server-side-request-forgery-patched-in-getwid/
Unauthed XSS via User-Agent header - https://www.wordfence.com/blog/2023/04/multiple-vulnerabilities-patched-in-shield-security/
Timestamps:
(00:00:00) Introduction
(00:05:55) add_action & Nonces
(00:26:16) add_filter & register_rest_route
(00:38:39) Page-related code & Shortcodes
(00:50:24) Top Sinks for WP
(01:02:19) Echo & SQLi Sinks
(01:15:07) Nonce Leak and wp_handle_upload
(01:18:16) Overriding page variables & POP Chains
(01:26:55) WP Escalations
(01:33:55) Bug Reports