Summer of Pwnage hacking event has uncovered 64 vulnerabilities. Does this make WordPress the Adobe Flash of the CMS world?
Summer of Pwnage (#sumofpwn) describes itself as a “community program for everyone with interest in software security”, which apparently means everyone from “enthusiastic beginners to the 1337est hackers out there”. When you strip back the leet-speak marketing, it is an open source security bug hunting event. The brainchild of Dutch application security outfit Security, #sumofpwn states that every participant owns their own bugs and exploits and can “use them as you like.” It does, however, encourage participants to be part of the solution and disclose them responsibly to the original code authors.
As SC publishes this story today, #sumofpwn has reached day 21 of 29 and uncovered 64 vulnerabilities. We cannot confirm how many of these have been responsibly disclosed and patched as a result. However, one of the most serious newly disclosed bugs we are aware of is a reflected XSS flaw in the very popular Ninja Forms plugin, which has some 600,000 users. This has, thankfully, already been patched in a plugin update.
All of this sounds like evidence that WordPress is very insecure and that sites built on it should be treated with suspicion. But hold on a moment: how true is that?