Web Application Attack and Audit Framework

Tony Perez recently wrote about the Web Application Attack and Audit Framework (W3AF), which is a tool you can use to scan a website for various vulnerabilities, like XSS and SQL injection. You can watch a demo to get a feel for what it does. I think it’s a good thing to run during the testing […]

Cross Site Scripting Vulnerability in Subscribe2 Plugin

News of the XSS bug in Subscribe2 didn’t show up in any of my RSS feeds or mailing lists, even though it’s a fairly popular plugin, so I wanted to make a note of it in case anyone else missed it. Version 8.2 has a fix for it. Update: It also sounds like an official […]

WordPress Plugin and Theme Security

Mark Jaquith recently gave a good presentation on writing secure WordPress themes and plugins at Wordcamp Phoenix 2011. The notes are also available. The main points are: Protect against SQL Injection by using the API whenever possible (because it automatically handles data sanitization). If the API can’t do what you need, use $wpdb->prepare(). Protect against […]

Ian Dunn

WordPress Developer

Tag Archives: Cross-site Scripting

Web Application Attack and Audit Framework

Cross Site Scripting Vulnerability in Subscribe2 Plugin

WordPress Plugin and Theme Security