Episode 55: Popping WordPress Plugins - Methodology Braindump

Episode 55: In this episode of Critical Thinking - Bug Bounty Podcast, Justin is joined by Wordpress Security Researcher Ram Gall to discuss both functionality and vulnerabilities within Wordpress Plugins.Follow us on twitterSend us any feedback here:Shoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:------ Ways to Support CTBBPodcast ------WordFence - Sign up as a researcher! https://ctbb.show/wf---Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.Hop on the CTBB DiscordWe also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Today’s Guest:Ramuel GallUpdraftPlus VulnXML-RPC PingBackUnicode and Character SetsReflected XSSPOP ChainWordpressPluginDirectorySubscriber+ RCE in ElementorSubscriber+ SSRFUnauthed XSS via User-Agent headerTimestamps:(00:00:00) Introduction(00:05:55) Add_action & Nonces(00:26:16) Add_filter & Register_rest_routes(00:38:39) Page-related code & Shortcodes(00:50:24) Top Sinks for WP(01:02:19) Echo & SQLI Sinks(01:15:07) Nonce Leak and wp_handle_upload(01:18:16) Page variables & Pop Chains(01:26:55) WP Escalations & Bug Reports