Wpgarlic | HackGit

A proof-of-concept WordPress plugin fuzzer used in the research described in https://kazet.cc/2022/02/03/fuzzing-wordpress-plugins.html that helped to discover more than 140 vulnerabilities in WordPress plugins installed on almost 15 million sites.

If you want to continue the research, start with less popular plugins - if a plugin achieved at least 10k active installs between October 2021 and January 2022, I have most probably looked at the fuzzer reports (and most focus has been put on plugins having at least 20k active installs). Because there is a lot of randomness in how the fuzzer works, some vulnerabilities in these plugins remain undiscovered - but fewer ones.

Fuzzer reports contain a lot of false positives - most of them don't indicate a vulnerability. After seeing a report, first analyze whether the behavior you're observing is indeed a vulnerability or a false positive. Don't spam WPScan/vendors with raw fuzzer reports - provide a PoC exploit instead.

https://github.com/kazet/wpgarlic