
Scanning WordPress Plugins for Vulnerabilities

WordPress is the most widely used Content Management System (CMS), running 42.8% of all websites (W3Techs, October 2021). Its users range from individuals to large corporations, who use it to run blogs, e-commerce stores, company websites, and more. One reason for its popularity is the ecosystem of third-party themes and plugins that let a site owner add functionality without writing code. At the same time, a growing number of reported WordPress vulnerabilities are being found in these third-party plugins. This paper explores and compares the results of scanning earlier plugin versions with known Common Vulnerabilities and Exposures (CVE) entries using a Static Application Security Testing (SAST) tool and the WordPress-specific scanner WPScan. It compares the effectiveness of SAST, which can find vulnerabilities proactively by analyzing the plugin's source code, against WPScan, which detects vulnerabilities reactively: a vulnerability must already be reported in its database before a scan can match it.
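The proactive-versus-reactive distinction in the abstract can be made concrete with two toy checks run over the same plugin source. The following Python is an added illustration, not code from the paper, from WPScan, or from any SAST product: `sast_scan` is a deliberately simple single-file taint rule (request superglobal assigned to a variable that later reaches `echo` without a WordPress escaping function), and `database_lookup` mimics a version-match against a known-vulnerability feed. The plugin source, the plugin name "Demo Widget", the advisory identifier `DEMO-0001`, and the database entries are all constructed for this example and do not refer to any real plugin or advisory.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample plugin (hypothetical, not a real plugin). Line 8 echoes a
# request parameter unescaped; line 9 is the escaped form of the same output.
SAMPLE_PLUGIN = """<?php
/*
Plugin Name: Demo Widget
Version: 1.2.0
*/
function demo_widget_render() {
    $name = $_GET['name'];
    echo "<p>Hello " . $name . "</p>";            // unsanitized: reflected XSS
    echo "<p>Hello " . esc_html($name) . "</p>";  // escaped: safe
}
"""

# WordPress escaping/sanitizing helpers treated as taint sanitizers by the toy rule.
SANITIZERS = ("esc_html", "esc_attr", "esc_url", "sanitize_text_field", "intval", "absint")

# Constructed vulnerability feed keyed by plugin slug; entries are illustrative only.
KNOWN_VULNS = {
    "demo-widget": [
        {"id": "DEMO-0001", "title": "Reflected XSS via name parameter", "fixed_in": "1.2.1"},
    ],
}


@dataclass
class Finding:
    line: int
    variable: str
    reason: str


def sast_scan(php_source: str) -> list[Finding]:
    """Proactive check: flag request-derived variables echoed without a sanitizer.

    This is an intentionally small, line-oriented rule (no real PHP parsing), enough
    to show that the source itself, not a database, is what drives the finding.
    """
    tainted: dict[str, int] = {}  # variable -> line where it received request input
    findings: list[Finding] = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        assign = re.match(r"\s*(\$\w+)\s*=\s*\$_(?:GET|POST|REQUEST|COOKIE)\[", line)
        if assign:
            tainted[assign.group(1)] = lineno
            continue
        if not re.match(r"\s*echo\b", line):
            continue
        for var in tainted:
            if not re.search(re.escape(var) + r"(?!\w)", line):
                continue
            sanitized = any(
                re.search(re.escape(fn) + r"\(\s*" + re.escape(var), line) for fn in SANITIZERS
            )
            if not sanitized:
                findings.append(Finding(lineno, var, "request input echoed without escaping"))
    return findings


def parse_header(php_source: str) -> tuple[str, str]:
    """Read the WordPress plugin header and derive a slug and version string."""
    name = re.search(r"^Plugin Name:\s*(.+)$", php_source, re.M)
    version = re.search(r"^Version:\s*(.+)$", php_source, re.M)
    if not name or not version:
        raise ValueError("plugin header missing Plugin Name or Version")
    slug = re.sub(r"\s+", "-", name.group(1).strip().lower())
    return slug, version.group(1).strip()


def version_tuple(version: str) -> tuple[int, ...]:
    return tuple(int(part) for part in version.strip().split("."))


def database_lookup(slug: str, version: str) -> list[dict]:
    """Reactive check: report feed entries whose fix version is newer than the installed one.

    Nothing is reported for a plugin (or a flaw) that has not yet made it into the feed,
    which is the limitation the paper attributes to WPScan's approach.
    """
    installed = version_tuple(version)
    return [v for v in KNOWN_VULNS.get(slug, []) if installed < version_tuple(v["fixed_in"])]


if __name__ == "__main__":
    slug, version = parse_header(SAMPLE_PLUGIN)
    print(f"SAST findings for {slug} {version}:")
    for f in sast_scan(SAMPLE_PLUGIN):
        print(f"  line {f.line}: {f.variable} {f.reason}")
    print("Database matches:", [v["id"] for v in database_lookup(slug, version)])
```

Running the script shows both checks agreeing on the constructed plugin because the feed happens to contain an entry for it; delete that entry and `database_lookup` returns nothing while `sast_scan` still reports line 8, which is the difference the paper sets out to measure.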

sans-scanning-wordpress-plugins-for-vulnerabilities (PDF, 1.54MB)

17 Feb 2022
By Adi Wong
All papers are copyrighted

No re-posting of papers is permitted