WordPress security testing

There are a lot of security solutions around WP eco system advertising their possibility to fight malware, intrusions and exploitation. Most of them are endpoint security solutions, there are cloud ones, but also market knows the managed WP services that offer security in their own way. Having big choice sometime is a problem, because you …

WordPress security testing Read More »

WordPress attachment api functions and any post type

Core had put some efforts in order to prevent accessing attachment post type functions from another post types. Usually checks are done by calling get_post and comparing the post type with attachment, but that is selective and only in hand picked places. It is that way because performances mainly, so many functions are lacking this checks. Eli5 PoC One of …

WordPress attachment api functions and any post type Read More »

WordPress and phar unserialize

Core team had put some effort into project in order to preven unserialize of user input via phar stream wrapper. In general, efforts are good, but to excelent there are two more grades and this is the max with this approach. In the core there is function path_join that accepts two parameters $base and $path. $path is then sent towards function path_is_absolute and from the code …

WordPress and phar unserialize Read More »