Title: Security vulnerabilities in WordPress
Last modified: August 21, 2016

---

# Security vulnerabilities in WordPress

 *  [dsdaas](https://wordpress.org/support/users/dsdaas/)
 * (@dsdaas)
 * [12 years ago](https://wordpress.org/support/topic/security-vulnerabilities-in-wordpress/)
 * My client did a source code review with Fortify. The below vulnerabilities flagged
   as present in WordPress core:
 * Critical – 6812
 * High – 3241
 * Medium – 3558
 * Low – 3262
 * Most of the critical errors flagged are: Cross-Site Scripting: Persistent & Cross-Site
   Scripting: Reflected
 * Other:
    * Command Injection
    * Dangerous File Inclusion
    * Dynamic Code Evaluation: Code Injection
    * Open Redirect
    * Password Management: Hardcoded Password
    * Password Management: Password in HTML Form
    * Path Manipulation
    * Privacy Violation: Heap Inspection
    * SQL Injection
    * System Information Leak
 * How do I answer the client? Any 3rd party information on this that supports my
   case that WordPress is not vulnerable?

Viewing 2 replies - 1 through 2 (of 2 total)

 *  [Daniel Cid](https://wordpress.org/support/users/ddsucurinet/)
 * (@ddsucurinet)
 * [12 years ago](https://wordpress.org/support/topic/security-vulnerabilities-in-wordpress/#post-4995536)
 * I have not even read the full report and I can guarantee they are all false positives.
 * Most code review tools are very verbose and will generate a lot of noise that
   had to be filtered manually by a developer.
 * This article is good as well:
 * [http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html](http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html)
 * thanks,
 *  [catacaustic](https://wordpress.org/support/users/catacaustic/)
 * (@catacaustic)
 * [12 years ago](https://wordpress.org/support/topic/security-vulnerabilities-in-wordpress/#post-4995702)
 * If there’s that many vulnerabilities then surely they’d all have exploits out
   there in the wild now. I’m sure that there are some, but they are very quickly
   patched.
 * If a client sent me a list like that my first response would be:
 * > I understand that you’ve been given these from a party outside of the website
   > development, so I’d like to know the full details of each proposed vulnerability
   > to allow me to check these for myself.
 * 99.999% of the time they won’t give out any details (because there’s none to
   give out), and if they do give something you’ll quickly be able to disprove
   it with a couple of very quick tests.
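Both replies above come down to the same point: a generic static analyzer tracks data from a source such as `$_GET` to an output sink such as `echo` and reports anything in between it does not recognise as a sanitizer, so a reviewer has to triage the list. The following is an added example, not code from the thread, from Fortify or from WordPress: a toy source-to-sink taint tracker over a few constructed PHP lines. `esc_html()` and the other names in `WP_ESCAPERS` are real WordPress escaping functions, but the sample snippet and the analyzer's (lack of) knowledge about them are assumptions made here for illustration.

```python
"""Toy taint tracker: why a static analyzer reports XSS on escaped code.

Added example, not part of the original thread. The PHP snippet is constructed
for this illustration; the analyzer is a few regexes, not Fortify.
"""
import re

# Untrusted inputs and output sinks the toy analyzer knows about.
SOURCES = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE")
SINKS = ("echo", "print")

# Real WordPress escaping helpers (assumption: the tool does not know them
# unless we tell it, which is what produces the false positives).
WP_ESCAPERS = ("esc_html", "esc_attr", "wp_kses_post")

# Constructed sample, in the style of theme/plugin code: lines 2 and 6 are
# escaped, line 4 is a genuine reflected XSS.
SAMPLE = """$search = $_GET['s'];
echo '<h1>Results for ' . esc_html( $search ) . '</h1>';
$name = $_POST['name'];
echo "Hello " . $name;
$safe = esc_html( $_GET['q'] );
echo $safe;
"""


def _strip_sanitizers(expr, sanitizers):
    """Replace every call to a known sanitizer with an empty string literal,
    so whatever is passed into it no longer counts as tainted."""
    for name in sanitizers:
        expr = re.sub(rf"{re.escape(name)}\s*\([^()]*\)", "''", expr)
    return expr


def _is_tainted(expr, tainted_vars, sanitizers):
    expr = _strip_sanitizers(expr, sanitizers)
    if any(src in expr for src in SOURCES):
        return True
    # Word boundary so "$s" does not match inside "$search".
    return any(re.search(re.escape(v) + r"\b", expr) for v in tainted_vars)


def find_xss(source, sanitizers=()):
    """Return [(lineno, line)] where tainted data reaches an output sink
    without passing through a sanitizer the analyzer recognises."""
    tainted = set()
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        stripped = line.strip()
        assign = re.match(r"(\$\w+)\s*=\s*(.+);", stripped)
        if assign:
            var, expr = assign.groups()
            if _is_tainted(expr, tainted, sanitizers):
                tainted.add(var)
            else:
                tainted.discard(var)  # reassigned from clean data
            continue
        sink = re.match(rf"({'|'.join(SINKS)})\s+(.+);", stripped)
        if sink and _is_tainted(sink.group(2), tainted, sanitizers):
            findings.append((lineno, stripped))
    return findings


if __name__ == "__main__":
    raw = find_xss(SAMPLE)
    triaged = find_xss(SAMPLE, WP_ESCAPERS)
    print(f"{len(raw)} findings before triage, {len(triaged)} after:")
    for lineno, line in triaged:
        print(f"  line {lineno}: {line}")
```

Run without sanitizers the analyzer reports three reflected XSS findings; once the reviewer tells it which escaping functions exist, only the unescaped `echo "Hello " . $name;` survives. That single-sanitizer gap is the kind of "quick test" the reply above has in mind: take one flagged line, trace the value back to its source, and check whether an escaping or validation call sits in between before accepting the finding.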


The topic ‘Security vulnerabilities in WordPress’ is closed to new replies.

 * In: [Everything else WordPress](https://wordpress.org/support/forum/miscellaneous/)
 * 2 replies
 * 3 participants
 * Last reply from: [catacaustic](https://wordpress.org/support/users/catacaustic/)
 * Last activity: [12 years ago](https://wordpress.org/support/topic/security-vulnerabilities-in-wordpress/#post-4995702)
 * Status: not resolved
