This page details the possible sources of user-controllable input into a WordPress component. This is where we, as attackers, can input a malicious payload into the application to be used at a later point in the application in a sink to perform an action.

PHP

The following table shows sources of user-controllable input to PHP applications in general. The PHP docs are a good first stop for understanding how each of these works and what input is accepted.

WordPress

The following table shows sources of user-controllable input into WordPress. The WordPress Developer Resources are a good first stop for understanding how each of these works and what input is accepted.

WordPress - User Information

If you have access to a user account, you will typically be able to create or modify the following sources. These fields may be retrieved by functions such as get_user_meta, wp_get_current_user, get_user_by and get_the_author_meta, or directly via SQL.

WordPress - Shortcodes and Attributes

In WordPress, users at the Contributor level and above can use shortcodes in post content. These are shortcuts that generate HTML snippets from user-controllable attributes and enclosed content. For example, [gallery ids=10,11,12] will create a gallery in a post containing the three images with the given IDs. These attributes are not always sanitized correctly, which can lead to vulnerabilities, primarily cross-site scripting (XSS) or local file inclusion (LFI).
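The following is an added example, not code from WordPress or from this page, that shows the source-to-sink path described above for both shortcode attributes and user meta: a shortcode handler that concatenates attacker-controlled attributes (and a user meta field looked up from one of them) straight into HTML, next to a hardened version. The shortcode name profile_card, its user and title attributes, and the description meta value are assumptions for illustration; the real WordPress functions (add_shortcode, shortcode_atts, esc_attr, esc_html, absint, get_user_meta) are used when available, and minimal stand-ins are defined so the file also runs from the PHP CLI.

```php
<?php
// Added example (not WordPress core code). Assumes the WordPress runtime for
// add_shortcode, shortcode_atts, esc_attr, esc_html, absint and get_user_meta.
// Outside WordPress (php cli) the stand-ins below are used so both handlers
// can be called with a constructed attribute array.

if ( ! function_exists( 'shortcode_atts' ) ) {
    // CLI stand-ins only; inside WordPress the real functions are defined.
    function shortcode_atts( $pairs, $atts ) {
        // Keep only whitelisted keys, falling back to defaults.
        return array_merge( $pairs, array_intersect_key( (array) $atts, $pairs ) );
    }
    function esc_attr( $s ) { return htmlspecialchars( (string) $s, ENT_QUOTES, 'UTF-8' ); }
    function esc_html( $s ) { return htmlspecialchars( (string) $s, ENT_QUOTES, 'UTF-8' ); }
    function absint( $v )   { return abs( (int) $v ); }
    function get_user_meta( $id, $key, $single ) {
        // Constructed sample meta value for user ID 10 (assumption).
        return ( 10 === (int) $id && 'description' === $key ) ? 'Example bio' : '';
    }
    function add_shortcode( $tag, $cb ) { /* no-op outside WordPress */ }
}

// Vulnerable handler: attribute values written by a Contributor in post
// content, and the user meta looked up from one of them, reach an HTML sink
// with no escaping.
function profile_card_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'user' => 0, 'title' => 'Profile' ), $atts );
    $bio  = get_user_meta( $atts['user'], 'description', true );
    return '<div class="card" data-user="' . $atts['user'] . '">'
         . '<h3>' . $atts['title'] . '</h3>'
         . '<p>' . $bio . '</p></div>';
}

// Hardened handler: whitelist attributes via shortcode_atts, coerce the ID to
// a non-negative integer, and escape each value for the context it lands in
// (esc_attr inside an attribute, esc_html in text content).
function profile_card_hardened( $atts ) {
    $atts    = shortcode_atts( array( 'user' => 0, 'title' => 'Profile' ), $atts );
    $user_id = absint( $atts['user'] );
    $bio     = get_user_meta( $user_id, 'description', true );
    return '<div class="card" data-user="' . esc_attr( $user_id ) . '">'
         . '<h3>' . esc_html( $atts['title'] ) . '</h3>'
         . '<p>' . esc_html( $bio ) . '</p></div>';
}

add_shortcode( 'profile_card_vulnerable', 'profile_card_vulnerable' );
add_shortcode( 'profile_card', 'profile_card_hardened' );

// Constructed attribute array, equivalent to what WordPress passes for
// [profile_card user="10" title="<script>alert(1)</script>"] in a post.
$sample = array( 'user' => '10', 'title' => '<script>alert(1)</script>' );

echo profile_card_vulnerable( $sample ), PHP_EOL; // script tag emitted verbatim
echo profile_card_hardened( $sample ), PHP_EOL;   // rendered as inert text
```

Running the file with php shows the vulnerable handler echoing the script tag unchanged, while the hardened one emits &lt;script&gt; as text and a numeric data-user value. Two details matter when reviewing real handlers: shortcode_atts discards attributes not listed in the defaults array, so any attribute a handler reads must be declared there, and the escaping function must match the output context, since esc_html does not make a value safe inside a URL or JavaScript block.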