From 3232db33216ca834b7f00c0a5ac6208808639279 Mon Sep 17 00:00:00 2001 From: SirBroccoli Date: Wed, 13 Aug 2025 16:52:29 +0200 Subject: [PATCH] Update wordpress.md --- .../pentesting-web/wordpress.md | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/src/network-services-pentesting/pentesting-web/wordpress.md b/src/network-services-pentesting/pentesting-web/wordpress.md index 8491d4b07..04717c759 100644 --- a/src/network-services-pentesting/pentesting-web/wordpress.md +++ b/src/network-services-pentesting/pentesting-web/wordpress.md @@ -555,13 +555,6 @@ Issues introduced by this snippet: ``` The response discloses the result of the injected query or alters the database, proving SQLi. -#### Hardening checklist - -* Enforce **type validation** (`is_numeric()` for integers). -* Escape with **`esc_sql()`** or, even better, use **`$wpdb->prepare()`**. -* Treat *nonce-only* endpoints as **privileged** – add `current_user_can()` / `is_user_logged_in()` where appropriate. - ---- ### Unauthenticated Arbitrary File Download / Path Traversal (WP Job Portal <= 2.3.2) @@ -587,14 +580,6 @@ curl -G https://victim.com/wp-admin/admin-post.php \ ``` The server responds with the contents of `wp-config.php`, leaking DB credentials and auth keys. -#### Hardening checklist - -* Sanitize filenames with helpers such as `sanitize_file_name()` or a custom `wpJP_clean_file_path()` that strips `../` & `./`. -* Make sure the **resolved path stays inside** the intended upload directory (`realpath()` + prefix check). -* Restrict the action to **authenticated roles** and validate the nonce. - ---- - ## References - [Unauthenticated Arbitrary File Deletion Vulnerability in Litho Theme](https://patchstack.com/articles/unauthenticated-arbitrary-file-delete-vulnerability-in-litho-the/)
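Review bot: the first hunk (`@@ -555,13 +555,6 @@`) drops the only mitigation guidance in the SQLi section, so the page now ends that section on the PoC sentence "The response discloses the result of the injected query or alters the database, proving SQLi." with no fix described. The removed bullets (`is_numeric()` type validation, `$wpdb->prepare()` over `esc_sql()`, and treating nonce-only endpoints as privileged via `current_user_can()` / `is_user_logged_in()`) are what a reader patching the plugin needs; keep them, or move them to a shared hardening section and say so in the commit message, which currently reads only "Update wordpress.md" and gives no rationale for the deletion.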
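Review bot: the second hunk (`@@ -587,14 +580,6 @@`) removes the hardening checklist for the WP Job Portal path traversal together with the trailing `---` and blank line, so "The server responds with the contents of `wp-config.php`, leaking DB credentials and auth keys." now runs straight into `## References`. The deleted `realpath()` + prefix check and the `sanitize_file_name()` / `../` stripping bullets are the substantive defence for this bug class (`sanitize_file_name()` alone does not confine the resolved path); if the checklist is intentionally being consolidated elsewhere, keep at least a one-line pointer here and preserve the separator before `## References`.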