muhanLuo/wordpress-plugin-semgrep-rules

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

26 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Semgrep Rules for WordPress Plugins

This is a list of Semgrep rules I've personally written to help me find security vulnerabilities in WordPress Plugins.

Note: when running these rules, you may want to give Semgrep a longer per-file timeout, for example `--timeout 90` (seconds). Some of the rules take a while to run and can time out on larger files with the default limit. The rules are presence checks: a finding means the named check does not appear in the callback body, not that the endpoint is exploitable, so review each hit by hand.

A big thanks to WordFence for providing so much free educational material on WordPress plugin security. Many of these rules are based on the following document they created: Common WordPress Vulnerabilities and Prevention Through Secure Coding Best Practices

Rules

Missing Authorization

| Rule(s) | Description |
| --- | --- |
| `wp-hook-missing-auth-*` | These rules find callback functions that never call `current_user_can()` in their function body. They only consider callbacks registered with `add_action()`, and only when the hook name matches the regex `(wp_ajax_.*\|admin_init\|admin_post_.*\|admin_action_.*\|profile_update\|personal_options_update)`.<br><br>For more information, read pages 5-11 of this document on Common WordPress Vulnerabilities. |
| `wp-return-true-register-rest-route` | This rule finds calls to `register_rest_route()` where `'permission_callback' => '__return_true'`. The permission check then always passes, so the route is reachable by anyone, including unauthenticated visitors, unless the handler itself performs an authorization check.<br><br>More information on the `register_rest_route()` function can be found here on WPKama. |
| `wp-missing-auth-rest-route-*` | These rules find calls to `register_rest_route()` where the function named in `'permission_callback'` does not call `current_user_can()` in its body. This means the REST route likely does not perform an authorization check.<br><br>More information on the `register_rest_route()` function can be found here on WPKama. |
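The following is an added example written for this README; it is not code from the muhanLuo/wordpress-plugin-semgrep-rules repository or from any real plugin. It shows the patterns the missing-authorization rules above look for, each beside a fixed version: an `add_action()` callback on a `wp_ajax_*` hook without `current_user_can()`, a `register_rest_route()` call with `'permission_callback' => '__return_true'`, a named permission callback that never checks a capability, and the hardened variants. The `mhx_` prefix, the option name `mhx_settings` and the REST namespace `mhx/v1` are made-up names for illustration.

```php
<?php
// Added example for this README; not code from the muhanLuo/wordpress-plugin-semgrep-rules
// repository or from any real plugin. The "mhx_" prefix, the option name "mhx_settings" and
// the REST namespace "mhx/v1" are made-up names for illustration.

// --- wp-hook-missing-auth-*: add_action() hook matching wp_ajax_.* ------------------------

// VULNERABLE: the callback body never calls current_user_can(). wp_ajax_* hooks run for any
// logged-in user, so a subscriber-level account can overwrite the option via admin-ajax.php.
add_action( 'wp_ajax_mhx_save_settings', 'mhx_save_settings_unchecked' );
function mhx_save_settings_unchecked() {
	$value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
	update_option( 'mhx_settings', $value );
	wp_send_json_success( array( 'saved' => $value ) );
}

// FIXED: capability check first; wp_send_json_error() sends the response and ends the request.
add_action( 'wp_ajax_mhx_save_settings_v2', 'mhx_save_settings_checked' );
function mhx_save_settings_checked() {
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( 'Insufficient permissions.', 403 );
	}
	$value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
	update_option( 'mhx_settings', $value );
	wp_send_json_success( array( 'saved' => $value ) );
}

// --- wp-return-true-register-rest-route / wp-missing-auth-rest-route-* --------------------

add_action( 'rest_api_init', 'mhx_register_routes' );
function mhx_register_routes() {
	// VULNERABLE: '__return_true' makes the permission check always pass, so the route is
	// callable by unauthenticated visitors, e.g. a plain POST to /wp-json/mhx/v1/settings.
	register_rest_route( 'mhx/v1', '/settings', array(
		'methods'             => WP_REST_Server::CREATABLE,
		'callback'            => 'mhx_rest_save_settings',
		'permission_callback' => '__return_true',
	) );

	// Also flagged by wp-missing-auth-rest-route-*: the named permission callback only
	// checks for a logged-in session and never a capability.
	register_rest_route( 'mhx/v1', '/settings-loose', array(
		'methods'             => WP_REST_Server::CREATABLE,
		'callback'            => 'mhx_rest_save_settings',
		'permission_callback' => 'mhx_rest_permission_loose',
	) );

	// FIXED: the permission callback enforces a capability and returns WP_Error, so the REST
	// server answers 401 (no session) or 403 (wrong role) instead of running the handler.
	register_rest_route( 'mhx/v1', '/settings-v2', array(
		'methods'             => WP_REST_Server::CREATABLE,
		'callback'            => 'mhx_rest_save_settings',
		'permission_callback' => 'mhx_rest_permission_strict',
	) );
}

function mhx_rest_permission_loose( WP_REST_Request $request ) {
	return is_user_logged_in();
}

function mhx_rest_permission_strict( WP_REST_Request $request ) {
	if ( current_user_can( 'manage_options' ) ) {
		return true;
	}
	return new WP_Error(
		'rest_forbidden',
		'You are not allowed to change these settings.',
		array( 'status' => rest_authorization_required_code() )
	);
}

function mhx_rest_save_settings( WP_REST_Request $request ) {
	$value = sanitize_text_field( (string) $request->get_param( 'value' ) );
	update_option( 'mhx_settings', $value );
	return rest_ensure_response( array( 'saved' => $value ) );
}
```

The unchecked AJAX callback, the `__return_true` route and the `is_user_logged_in()`-only permission callback are the shapes these rules report; the `_checked`, `_strict` and `-v2` variants contain `current_user_can()` and are not reported. Because the rules only test for the presence of `current_user_can()`, a callback that calls it with a capability every account holds (such as `read`) also passes them, so a clean scan is not proof that the capability being checked is the right one.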

Cross-Site Request Forgery (CSRF)

| Rule(s) | Description |
| --- | --- |
| `wp-hook-missing-csrf-protection-*` | These rules find callback functions that do not call `wp_verify_nonce()`, `check_ajax_referer()`, or `check_admin_referer()` in their function body. They only consider callbacks registered with `add_action()`, and only when the hook name matches the regex `(wp_ajax_.*\|admin_init\|admin_post_.*\|admin_action_.*\|profile_update\|personal_options_update\|admin_menu)`.<br><br>For more information, read pages 12-14 of this document on Common WordPress Vulnerabilities. |

Cross-site Scripting (XSS)

| Rule(s) | Description |
| --- | --- |
| `wp-reflected-xss` | Identifies data flows from the `$_GET` or `$_REQUEST` superglobals to a function that prints strings, such as `echo`, `print`, `printf`, etc. Excludes findings where the data passes through a sanitizer such as `esc_attr()` or `wp_kses()`.<br><br>For more information, see this article by WordFence on how to find XSS vulnerabilities in WordPress plugins. |

Miscellaneous

| Rule(s) | Description |
| --- | --- |
| `wp-missing-direct-access-check` | This rule finds PHP files that do not prevent a user from requesting them directly. Files that do not check whether a constant such as `ABSPATH` or `WPINC` is defined are flagged.<br><br>Further reading here from Notes on Tech. |
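The following is an added example written for this README, covering the CSRF, reflected XSS and direct-access sections above; it is not code from the muhanLuo/wordpress-plugin-semgrep-rules repository or from any real plugin. It is one small settings page showing what `wp-hook-missing-csrf-protection-*`, `wp-reflected-xss` and `wp-missing-direct-access-check` look for, each beside its fix. The `mhx_` prefix, the page slug `mhx` and the option name `mhx_settings` are made-up names for illustration.

```php
<?php
// Added example for this README; not code from the muhanLuo/wordpress-plugin-semgrep-rules
// repository or from any real plugin. The "mhx_" prefix, the page slug "mhx" and the option
// name "mhx_settings" are made-up names for illustration.

// --- wp-missing-direct-access-check ------------------------------------------------------
// Without this guard a request straight to the file, e.g.
// /wp-content/plugins/mhx/mhx-admin.php, executes it outside WordPress. The calls below
// then fail on undefined functions, and with display_errors on that leaks the server path.
if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

add_action( 'admin_menu', 'mhx_register_page' );
function mhx_register_page() {
	add_options_page( 'MHX Settings', 'MHX', 'manage_options', 'mhx', 'mhx_render_page' );
}

function mhx_render_page() {
	// --- wp-reflected-xss --------------------------------------------------------------
	// VULNERABLE: $_GET['msg'] flows straight into echo. Luring an admin to
	// /wp-admin/options-general.php?page=mhx&msg=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E
	// runs attacker-controlled script in the admin's session.
	if ( isset( $_GET['msg'] ) ) {
		echo '<div class="notice">' . $_GET['msg'] . '</div>';
	}
	// FIXED: the value passes through esc_html(), one of the sanitizers the rule recognises.
	if ( isset( $_GET['msg'] ) ) {
		echo '<div class="notice">' . esc_html( wp_unslash( $_GET['msg'] ) ) . '</div>';
	}
	// wp_nonce_field() emits the hidden token that check_admin_referer() verifies below.
	?>
	<form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
		<input type="hidden" name="action" value="mhx_save_v2">
		<?php wp_nonce_field( 'mhx_save', 'mhx_nonce' ); ?>
		<input type="text" name="value">
		<?php submit_button(); ?>
	</form>
	<?php
}

// --- wp-hook-missing-csrf-protection-*: add_action() hook matching admin_post_.* --------

// VULNERABLE: authorization is present but there is no nonce check, so a page on another
// site can auto-submit a form to /wp-admin/admin-post.php with action=mhx_save and the
// logged-in admin's cookies make the request succeed.
add_action( 'admin_post_mhx_save', 'mhx_handle_save_unchecked' );
function mhx_handle_save_unchecked() {
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'Forbidden', 403 );
	}
	update_option( 'mhx_settings', sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) ) );
	wp_safe_redirect( add_query_arg( 'msg', 'saved', admin_url( 'options-general.php?page=mhx' ) ) );
	exit;
}

// FIXED: check_admin_referer() validates the nonce for the 'mhx_save' action and dies with
// 403 if it is missing, forged or expired; the capability check still follows it.
add_action( 'admin_post_mhx_save_v2', 'mhx_handle_save_checked' );
function mhx_handle_save_checked() {
	check_admin_referer( 'mhx_save', 'mhx_nonce' );
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'Forbidden', 403 );
	}
	update_option( 'mhx_settings', sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) ) );
	wp_safe_redirect( add_query_arg( 'msg', 'saved', admin_url( 'options-general.php?page=mhx' ) ) );
	exit;
}
```

Scanning this file with the rules above should report the unescaped `echo` of `$_GET['msg']` and the `mhx_handle_save_unchecked` callback, and nothing for the `ABSPATH` guard since it is present; delete the guard to see `wp-missing-direct-access-check` fire. Note that a nonce only proves the request originated from a page WordPress rendered for that user, so it complements the capability check rather than replacing it, which is why the fixed handler keeps both.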
