Millions At Risk From Critical Vulnerabilities From WordPress Plugins
First time accepted submitter dougkfresh writes "Checkmarx's research lab identified that more than 20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks, such as SQL Injection. Furthermore, a concentrated research into e-commerce plugins revealed that 7 out of the 10 most popular e-commerce plugins contain vulnerabilities. This is the first time that such a comprehensive survey was prepared to test the state of security of the leading plugins."
It does seem that WordPress continues to be a particularly perilous piece of software to run. When popularity and unsafe languages collide.
That's the wrong question: instead of performing a dangerous operation only if the input doesn't look suspicious, you should not perform the dangerous operation at all. So if the input data is supposed to be an image, pass it to a function that can only process images. That way, if an attacker does manage to sneak in PHP code disguised as an image, it will just trigger an error condition instead of being executed.
For example, the oldest (and until fairly recently, only) way of handling database queries in PHP pretty much asks for you to be vulnerable to SQL injection attacks, because there's no parameterization so all you can do is awkwardly run a hodgepodge of escaping functions and hope they work. By contrast, Perl, Java, Python, and C# all provide support for parameterizing queries in their standard approaches to handling database queries about 10 years before PHP did. That's the kind of thing that gives PHP its bad reputation.
Depends on your definition of "fairly recently." PDO was available as an extension for PHP 5.0 (2004) and was included in the standard installation for PHP 5.1 (2005). There hasn't been any excuse not to be using it for at least 5 years.
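As an added illustration (not code posted by any of the commenters), here is the escaping-based pattern the thread describes next to the PDO prepared statement the last comment recommends, plus the WordPress `$wpdb->prepare()` equivalent a plugin author would use; the table, column names and connection details are assumptions.

```php
<?php
// Added example: legacy escaping vs. parameterized queries in PHP.
// Table "posts" with columns id/title/slug and the DSN are assumed.

// Legacy pattern (mysql_real_escape_string before PHP 7, mysqli today):
// the query is assembled by string concatenation, so safety rests on the
// author never forgetting one escape call, always quoting the literal,
// and having the connection charset set correctly. Any slip lets data
// become SQL.
function find_post_legacy(mysqli $db, string $slug): ?array
{
    $sql = "SELECT id, title FROM posts WHERE slug = '"
         . $db->real_escape_string($slug) . "'";   // easy to miss
    $row = $db->query($sql)->fetch_assoc();
    return $row ?: null;
}

// PDO pattern (PHP 5.1+): SQL text and values are sent separately, so a
// value can never alter the statement's structure. With emulated
// prepares off, the MySQL server itself binds the parameter.
function find_post_pdo(PDO $db, string $slug): ?array
{
    $stmt = $db->prepare('SELECT id, title FROM posts WHERE slug = :slug');
    $stmt->bindValue(':slug', $slug, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// WordPress plugin pattern: $wpdb->prepare() takes printf-style
// placeholders and the values as separate arguments and applies the
// escaping and quoting itself. Requires WordPress to be loaded.
function find_post_wpdb(string $slug): ?array
{
    global $wpdb;
    $sql = $wpdb->prepare('SELECT id, title FROM posts WHERE slug = %s', $slug);
    return $wpdb->get_row($sql, ARRAY_A) ?: null;
}

$pdo = new PDO('mysql:host=localhost;dbname=wp', 'user', 'pass', [
    PDO::ATTR_EMULATE_PREPARES => false,            // server-side binding
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
]);
var_dump(find_post_pdo($pdo, $_GET['slug'] ?? ''));
```

Reviewing a plugin for the first pattern (string-built SQL, including cases where the value is used unquoted or the escape call is missing) is the quickest way to find the class of bug the Checkmarx survey reports.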