DeepSec 2025 Talk: Catching WordPress 0-Days on the Fly – Ananda Dhakal
WordPress powers over 40% of the web, making its plugin ecosystem a prime target for attackers. While security researchers manually audit plugins for vulnerabilities, the ever-growing number of third-party extensions makes this approach inefficient. What if we could find all the vulnerabilities right after developers publish them?
In this talk, we introduce a research-driven methodology for identifying 0-day vulnerabilities in WordPress plugins using static code analysis. We will showcase how we built a tool that continuously monitors the WordPress Plugin Repository via its SVN system, detects newly pushed code or change sets in real time using multi-threading, and flags potentially dangerous patterns. By leveraging static analysis, the tool identifies sensitive functions and automatically alerts researchers when risky code is introduced.
We will dive into the inner workings of this automation, discuss the challenges of scaling static analysis for thousands of plugins, and present real-world case studies of zero-days uncovered using this technique.
By the end of this session, attendees will walk away with a deeper understanding of how to leverage real-time monitoring of the repository and static code analysis on a mass scale for vulnerability research.
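As an added illustration of the monitor-then-scan loop the abstract describes (example code written for this page, not the Patchstack tool): one function fetches a single SVN change set with the real `svn diff -c` command, the other walks the added lines of that diff and reports any that hit a sink pattern, with the file and new-revision line number a researcher would want in the alert. The plugin name, file, diff content and the small pattern list are constructed assumptions.

```python
"""Added example: flag risky sinks in freshly committed WordPress plugin code."""
import re
import subprocess

# Illustrative sink/source patterns a reviewer wants eyes on; not exhaustive.
SINK_PATTERNS = {
    "unserialize": re.compile(r"\bunserialize\s*\("),
    "unauth_ajax": re.compile(r"wp_ajax_nopriv_"),
    "raw_sql": re.compile(r"\$wpdb->(?:query|get_results|get_var)\s*\(\s*[\"'].*\$"),
    "superglobal": re.compile(r"\$_(?:GET|POST|REQUEST)\["),
}

def changeset_diff(rev: int, url: str = "https://plugins.svn.wordpress.org") -> str:
    """Unified diff of one revision via the real `svn diff -c` (needs an svn client)."""
    return subprocess.run(["svn", "diff", "-c", str(rev), url],
                          capture_output=True, text=True, check=True).stdout

def scan_diff(diff_text: str) -> list[tuple[str, int, str, str]]:
    """Return (path, new-file line, sink name, code) for every added line hitting a sink."""
    findings, path, lineno = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].split("\t")[0]  # drop SVN's "(revision N)" suffix
        elif raw.startswith(("Index:", "-")):
            continue  # header or removed line: occupies no line in the new file
        elif raw.startswith("@@"):
            lineno = int(re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw).group(1))
        else:  # added ("+") or context (" ") line: both advance the new-file counter
            if raw.startswith("+") and path:
                code = raw[1:].strip()
                findings += [(path, lineno, name, code)
                             for name, pat in SINK_PATTERNS.items() if pat.search(code)]
            lineno += 1
    return findings

# Constructed sample change set in SVN diff layout (not a real commit).
SAMPLE_DIFF = """\
Index: example-plugin/trunk/ajax.php
--- example-plugin/trunk/ajax.php\t(revision 100)
+++ example-plugin/trunk/ajax.php\t(revision 101)
@@ -5,3 +5,7 @@
 function ep_init() {
-    add_action( 'wp_ajax_ep_save', 'ep_save' );
+    add_action( 'wp_ajax_nopriv_ep_save', 'ep_save' );
+}
+function ep_save() {
+    $data = unserialize( $_POST['payload'] );
+    update_option( 'ep_settings', $data );
 }
"""
```

Running `scan_diff(SAMPLE_DIFF)` flags the handler being opened to unauthenticated callers on line 6 and the `unserialize` of raw `$_POST` input on line 9, which is exactly the kind of change set the talk's tool is meant to surface for a human reviewer.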
We asked Ananda a few more questions about his talk.
Please tell us the top 5 facts about your talk.
- It features multiple CVEs in WordPress plugins
- The idea mimics the CI/CD pipeline for the whole WP repository
- Briefing of the whole architecture and flow of the tooling
- Generation of the leads along with issues found through the approach
- The talk is the result of internal security research of Patchstack
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
Looking at all the zero-days led to the curiosity that we could try to intercept them when they land on the repo.
Why do you think this is an important topic?
Every day, there are tens, if not hundreds, of security issues pushed to the WordPress open-source repository, which we tried to tackle.
Is there something you want everybody to know – some good advice for our readers, maybe?
WordPress hacking is cool!
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
AI is not taking over our jobs anytime soon.
Ananda is a security enthusiast who has been doing web hacking and bug bounty hunting since 2018. He works as a Vulnerability Researcher at Patchstack and focuses on finding security vulnerabilities in the WordPress ecosystem.