Welcome to Part 2 of the WordPress Security Research Beginner Series! If you haven’t had a chance, please review the series introduction blog post for more details on the goal of this series and what to expect, as well as Part 1, which covers WordPress Request Architecture and Hooks. In WordPress Request Architecture and Hooks, we reviewed how requests are handled in WordPress, how those requests relate to hooks, which hooks are interesting to vulnerability researchers, how plugins and themes are loaded, and how they might handle direct requests.

Now that you have a good understanding of how to access and trigger the code you’ll need to test, we are going to review how to identify code that has been appropriately (and inappropriately) protected by developers.

We hope that by providing this beginner series on WordPress vulnerability research, you’ll use the knowledge you’ve gained to participate in the Wordfence Bug Bounty Program, where you can earn up to $31,200 for each vulnerability reported. By finding and reporting these vulnerabilities, you play a direct role in strengthening the layered defenses that help keep the WordPress ecosystem secure.

Table of Contents

- Why Is Understanding WordPress Security Architecture Important?
- WordPress Security Ethos
- Core Security Features in WordPress
- Static Analysis Fundamentals
- Sources, Sinks, and Data Flow
- Understanding Input Handling and Data Flow
- Data Validation and Sanitization
- Escaping
- Pro-Tip: Dynamically Evaluating Code with…