by dr_hercules 4002 days ago
With respect to a software like Wordpress which is:

- huge and powerful

- vividly maintained and extended by lots of developers

- rarely features security issues which aren't fixed immediately

... the question arises whether the quality of its code base is in this case maybe rather an academic issue.


> - rarely features security issues which aren't fixed immediately

I tried to use WordPress once. I downloaded a theme from wordpress.org with the assumption that themes are reviewed before making it there. Nevertheless, I did some basic pentesting before putting my app live, and I quickly found an XSS vulnerability in the search bar of the theme (their paid version featured the same vulnerability). Maybe my experience is not to be generalised to WordPress in general, but it put me off.
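The bug class the commenter describes, as a constructed illustration (not code from the theme in question or from WordPress itself): a theme's `searchform.php` that echoes the raw `s` parameter into an attribute, next to the same form written with WordPress's own escaping helpers. Function names `insecure_search_form` and `secure_search_form` are hypothetical; `get_search_query()`, `esc_url()` and `home_url()` are real WordPress functions.

```php
<?php
/*
 * Constructed illustration of reflected XSS in a theme search form.
 * Both fragments stand in for a theme's searchform.php, which WordPress
 * renders through get_search_form().
 */

// VULNERABLE: the raw ?s= parameter is written straight into an attribute.
// A double quote in the value closes the attribute, so whatever follows it
// lands in the page as markup: reflected XSS for anyone who opens the link.
function insecure_search_form(): string {
    $q = $_GET['s'] ?? '';
    return '<form role="search" method="get" action="' . home_url('/') . '">'
         . '<input type="search" name="s" value="' . $q . '">'
         . '<button type="submit">Search</button></form>';
}

// HARDENED: get_search_query() returns the current query already passed
// through esc_attr() (its default), and esc_url() escapes the action URL.
// Never echo $_GET into HTML yourself when the platform provides helpers.
function secure_search_form(): string {
    return '<form role="search" method="get" action="' . esc_url(home_url('/')) . '">'
         . '<input type="search" name="s" value="' . get_search_query() . '">'
         . '<button type="submit">Search</button></form>';
}

// Cheap triage step when reviewing a third-party theme before going live
// (the kind of check the commenter ran): look for request data echoed
// directly into templates, then inspect each hit for a missing esc_* call.
//   grep -rnE '\$_(GET|POST|REQUEST)\[' wp-content/themes/<theme-dir>/
```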

> Maybe my experience is not to be generalised to WordPress in general, but it put me off.

WordPress plug-ins are - as far as I know - not reviewed. You're at the mercy of the respective developer.

They are, as this link seems to indicate: https://wordpress.org/plugins/add/

> Currently there are 224 plugins in the review queue, 198 of which are awaiting their initial review.

There are more than 38k plug-ins available (https://en.wordpress.org/plugins/). And also from what I have seen so far - there is no extensive (if any) reviewing done regarding safety and quality.
When you first add a new plugin it is reviewed, but once it's been accepted you are free to push out whatever changes you want without review.