Project mission is to crowdsource the indexing and curating of plugin bug data

WordPress project WPHash harvests 75 million hashes for detecting vulnerable plugins

An open source project designed to help security researchers fingerprint WordPress Plugins is seeking feedback and contributors.

Currently in beta mode, WPHash is a free-to-use web service that helps security professionals identify installed plugins and whether they contain security vulnerabilities.

To this end, it indexes 75 million SHA256 hashes for WordPress plugins – covering the vast majority available on the WordPress marketplace, along with their various versions.

The project mission is “to crowd-source the indexing and curating of WordPress plugin vulnerability data”.

Enumeration and fingerprinting

“WPHash’s main purpose is to provide security researchers with additional tooling in the form of a web service, which helps them in the enumeration and fingerprinting of installed WordPress plugins,” Dave Miller, WPHash architect and security engineer at Swiss IT security company cyllective, tells The Daily Swig.

The WPHash website comprises an alphabetical index of hashes, a search function for this index, an experimental OpenAPI spec for looking up hashes and filepaths, and FAQs. Both original and normalized SHA256 checksums are indexed.

Catch up with the latest WordPress security news

“Researchers can query WPHash for known filepaths of the plugin they’re after,” says Miller. “Then, they request these filepaths on the target and calculate the SHA256 hash, which they then use to lookup plugin metadata on WPHash. This process allows them to determine exact plugin versions, and with further investigation determine if the plugin is vulnerable.”

Indexed vulnerabilities can be queried via WPHash or in researchers’ own tooling by using the raw data available on the WPHash GitHub repo.

Miller has said on Reddit that WPHash is not intended to be a direct competitor to Automattic WordPress security scanner WPScan, whose vulnerability data and tooling he concedes is currently “more curated and more complete”.

Nevertheless, WPHash fulfils Miller’s preference for freely accessing crowdsourced vulnerability information “in my own tooling without being stuck with API rate limits”.

Call for contributors

The scope of future development for WPHash partly hinges on the level of community support Miller can attract. At the very least, he is “dedicated to keep operating WPHash for free and try to keep improving both the REST API as well as the data behind it”.

A number of retweets on Twitter and upvotes on Reddit have signalled support for the project, suggests Miller, who hopes to enlist some co-contributors from the open source community “once people start playing around with WPHash and its data. I think I need to make it easier and start writing contribution guides to get more people involved.”

Anyone who wishes to contribute, field questions, or offer feedback to WPHash can do so by contacting Miller via his Twitter account.

Cyllective, which published a blog post documenting its research into plugin vulnerabilities in May, is sponsoring the project.

RECOMMENDED Graph-based JavaScript bug scanner discovers more than 100 zero-day vulnerabilities in Node.js libraries