WordPress Security Knowledge Base
Reference articles for security researchers and developers. Covers WordPress internals, vulnerability patterns, and practical testing methods.
How WordPress works under the hood — hooks, authentication, REST API, and plugin architecture.
WordPress AJAX Hooks and Security
How wp_ajax and wp_ajax_nopriv hooks work, finding AJAX handlers, and exploiting common AJAX security vulnerabilities
WordPress Nonces and Bypass Techniques
How WordPress nonces work internally, their 24-hour lifespan, how plugins expose them, and common bypass patterns
WordPress REST API Security
REST API architecture, authentication methods, common vulnerabilities including missing permission callbacks, SQLi, and IDOR
WordPress Plugin Architecture for Security Researchers
Plugin file structure, lifecycle hooks, entry points, and efficient audit methodology for finding security-relevant code
Detailed coverage of XSS, SQL injection, CSRF, privilege escalation, and file upload flaws in WordPress.
WordPress SQL Injection Patterns
wpdb->prepare() usage, extraction techniques, WordPress table structures, and grep patterns for finding SQL injection vulnerabilities
WordPress Authentication and Privilege Escalation
User roles, capability checks, cookie authentication, and common privilege escalation patterns in WordPress plugins
WordPress File Upload Vulnerabilities
wp_handle_upload internals, MIME bypass techniques, unrestricted upload exploitation, and testing upload endpoints with curl
WordPress Cross-Site Scripting
Stored, reflected, and DOM XSS in WordPress, escaping functions, common vulnerable patterns, and impact scenarios including admin account takeover
WordPress CSRF Attacks
CSRF in the WordPress context, nonce-based protection gaps, building exploit pages, and chaining CSRF with XSS for admin takeover
Practical testing environments, tooling, and systematic methodologies for WordPress security research.