Advancing WordPress security through research
At Verpent, publishing security research is a key priority, and this year brought valuable opportunities to contribute to the WordPress security ecosystem. Through in-depth analysis of open-source plugins, several vulnerabilities were identified and disclosed, resulting in multiple CVEs:
- March 25, 2024: CVE-2024-27188 – Stored Cross-Site Scripting in Breeze
- September 12, 2024: CVE-2024-45460 – Stored Cross-Site Scripting in Flipping Cards
- September 20, 2024: CVE-2024-8680 – Stored Cross-Site Scripting in MailChimp for WordPress
- September 23, 2024: CVE-2024-44037 – Stored Cross-Site Scripting in Multipurpose Ticket Booking Manager
- September 26, 2024: CVE-2024-47338 – SQL Injection in WPExperts Square for GiveWP
- September 26, 2024: CVE-2024-47336 – Stored Cross-Site Scripting in Terms Descriptions
- November 15, 2024: CVE-2024-52435 – SQL Injection in Premium Packages
- January 3, 2025: CVE-2025-22320 – XSS in Product Dyno WP
For those looking to deepen their expertise in source code review or explore vulnerability research, platforms like Patchstack and WordFence offer valuable insights into plugin security and mitigation strategies. These resources have been instrumental in advancing WordPress security research and, behind the scenes, in strengthening the security of the ecosystem.
Researcher profiles
Looking ahead, we aim to expand this research and continue contributing to the security community. Here’s to another year of impactful findings!