A little while ago a colleague shared this interesting article from RIPS on the state of WordPress security. It focused on an automated analysis of 44,705 plugins from the WordPress.org plugin directory (almost all of them).
They found that 68.4% of those plugins contained cross-site scripting vulnerabilities. That’s a huge number, and a huge number of vulnerable WordPress installs as a result.
If you’re a plugin developer it’s important to protect yourself and the users of your plugin from such attacks. The solution is quite simple: late escaping.
Anything that your plugin outputs to the browser (e.g. using `__()` etc.) should be escaped using the functions WordPress core provides. This is something I advise developers about every single day while I review code for WordPress.com VIP clients.
There’s a really insightful post on escaping within WordPress from 2014 by my colleague Nick Daugherty that I highly recommend reading to get up to speed on why and how to escape late.
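To make the point concrete, here is an added example (not code from the article or from any real plugin) of a small shortcode rendered first without escaping and then with late, context-specific escaping using WordPress core functions. The option name, shortcode name and text domain are made up for illustration.

```php
<?php
/*
 * Added example: a "call to action" box built from a stored option and
 * shortcode attributes. Both are attacker-influenced input (a contributor
 * can place shortcodes in a post; an option can be tampered with), so each
 * value must be escaped at the point of output, using the escaper that
 * matches where the value lands: HTML text, an attribute, or a URL.
 */

// BEFORE: raw values are concatenated into markup, so a title such as
// "><script>...</script> or a javascript: link becomes stored XSS.
function cta_box_vulnerable( $atts ) {
    $atts  = shortcode_atts( array( 'title' => '', 'link' => '' ), $atts );
    $intro = get_option( 'cta_intro', '' );
    return '<div class="cta" title="' . $atts['title'] . '">'
        . '<p>' . $intro . '</p>'
        . '<a href="' . $atts['link'] . '">' . __( 'Read more', 'cta' ) . '</a>'
        . '</div>';
}

// AFTER: escape late, in the same statement that builds the HTML, so a
// reviewer can see the escaping next to every output.
function cta_box_safe( $atts ) {
    $atts  = shortcode_atts( array( 'title' => '', 'link' => '' ), $atts );
    $intro = get_option( 'cta_intro', '' );
    return '<div class="cta" title="' . esc_attr( $atts['title'] ) . '">'
        // The option may carry limited markup: allow only post-safe HTML.
        . '<p>' . wp_kses_post( $intro ) . '</p>'
        // esc_url() strips disallowed schemes such as javascript:.
        . '<a href="' . esc_url( $atts['link'] ) . '">'
        // Translations come from .mo files that could be modified, so the
        // translated string is escaped as well.
        . esc_html__( 'Read more', 'cta' ) . '</a>'
        . '</div>';
}

add_shortcode( 'cta_box', 'cta_box_safe' );
```

Sanitising on input (e.g. with `sanitize_text_field()` when saving the option) is still worthwhile, but it does not replace escaping on output, because the same value may later be printed in a different context.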
Finally, this from the article is also worth pointing out:
WordPress [sic] is not as insecure as its reputation would suggest. Rather it is a top target due to its incredible prevalence.
If you were an attacker, wouldn’t you go after 27% of the web if you could?