Frank Bültge bueltge

WordPress Plugin Security Testing Cheat Sheet

source: https://github.com/ethicalhack3r/wordpress_plugin_security_testing_cheat_sheet

This cheat sheet was compiled by Dewhurst Security to record the knowledge gained when testing WordPress plugins for security issues for our clients. The security documentation provided by WordPress and found online for plugin security is sparse, outdated or unclear. This cheat sheet is intended for Penetration Testers who audit WordPress plugins or developers who wish to audit their own WordPress plugins.

This is a living document, feedback in the form of Issues or Pull Requests is very much welcomed.

Cross-Site Scripting (XSS)

Keybase proof

I hereby claim:

I am bueltge on github.
I am bueltge (https://keybase.io/bueltge) on keybase.
I have a public key whose fingerprint is 5EA5 319F D531 1C84 7094 2FE4 1A56 7625 5969 6D2D

To claim this, I am signing this object:

Regular Expression Cheat Sheet - PCRE

Kudos/Source: https://github.com/niklongstone/regular-expression-cheat-sheet

Anchor	Description	Example	Valid match	Invalid
^	start of string or line	^foam	foam	bath foam
\A	start of string in any match mode	\Afoam	foam	bath foam
$	end of string or line	finish$	finish	finnish
\Z	end of string, or char before last new line in any match mode	finish\Z	finish	finnish

WordPress i18n CheatSheet

Whenever I write plugins or themes, there is one thing that needs a little extra attention and is quite frankly hard to get right: Translatable text. This list should helps me to find the right way fast.

Props to Alex Kirk, there list it inside a quiz.

You want to output the username in a sentence.

Assume that the $username has been escaped using esc_html().

	<?php

	/**
	* Add a 'Add rel="nofollow" to link' checkbox to the WordPress link editor
	*
	* @see https://danielbachhuber.com/tip/rel-nofollow-link-modal/
	*/
	add_action( 'after_wp_tiny_mce', function(){
	?>
	<script>

	//@see http://blog.codeinside.eu/2016/05/12/copy-to-clipboard-with-javascript

	function detectIE() {
	var ua = window.navigator.userAgent;

	var msie = ua.indexOf('MSIE ');
	if (msie > 0) {
	// IE 10 or older => return version number
	return parseInt(ua.substring(msie + 5, ua.indexOf('.', msie)), 10);
	}

	// @see http://dnaber.de/blog/2015/wordpress-antipattern-filter-im-constructor-zuweisen/
	class MetaBoxRegistrar {

	private $metaBox;

	public function __construct( MetaBoxInterface $metaBox ) {

	$this->metaBox = $metaBox;
	}

	<?php
	/**
	* Plugin Name: WP Members Add-on, Change Read Access for role author
	*/

	! defined( 'ABSPATH' ) && exit;

	register_activation_hook( __FILE__, function() {

	if ( ! function_exists( 'wpmem_block' ) ) {

	<?php
	/**
	* Plugin Name: https Fix for enqueue scripts/styles
	*/

	// Fix some badly enqueued scripts with no sense of HTTPS for the back end only.
	// Kudos to http://snippets.webaware.com.au/snippets/cleaning-up-wordpress-plugin-script-and-stylesheet-loads-over-ssl/
	add_action( 'wp_print_scripts', 'fb_enqueueScriptsFix', 100 );
	add_action( 'wp_print_styles', 'fb_enqueueStylesFix', 100 );

	<?php # -- coding: utf-8 --
	/**
	* Plugin Name: MultilingualPress Add-on that get a Dropdown Language Menu
	* Description: This is a simple add-on for the MultilingualPress plugin to get a dropdown language menu.
	* Author: Inpsyde GmbH
	* Author URI: http://inpsyde.com
	* Version: 2015-11-28
	* Text Domain: textdomain
	* License: GPLv2+
	* Network: true