The Melapress Show

REGEXSS Demo: How Hackers Exploit Regular Expressions in WordPress | Matthew Rollings (Stealthcopter)



In Episode 49 of the Melapress Show, Matthew Rollings, application security professional and bug bounty hunter, joins Robert Abela to break down RegexXSS: a vulnerability class hiding in the regex code of WordPress plugins. Mat explains how post-sanitization regex manipulation can reintroduce cross-site scripting even after WordPress has done its job, and demonstrates how an attacker can leverage it to take over a full admin account.

Many developers are unaware that using regex to parse or modify HTML, even after WordPress's built-in KSES sanitization, can introduce fresh XSS vectors. With over 70,000 WordPress plugins in existence, and regex used heavily throughout PHP development, this vulnerability class is both widespread and chronically under-reported. Mat has earned £20–30k in bug bounties from this single class alone.

Key topics include:

  • The definition of RegexXSS and why it's distinct from conventional cross-site scripting
  • How WordPress sanitizes input by default and exactly where that protection ends
  • Why regex is fundamentally context-unaware and therefore unsafe for HTML manipulation
  • A step-by-step demo of abusing a regex deletion to smuggle a JavaScript payload
  • How XSS can be escalated to silent admin account creation in WordPress
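As an added illustration of the ordering problem the episode describes (this is not code from the episode, from WordPress, or from any real plugin), here are the vulnerable and hardened shapes of a plugin filter that deletes an editor marker with a regex. The function names, the `[note]` marker and the filter priority are hypothetical; `preg_replace`, `add_filter` and `wp_kses_post` are real.

```php
<?php
// Added example: a the_content filter that strips a hypothetical "[note]...[/note]"
// marker from post body text. KSES already ran when the post was saved (for users
// without unfiltered_html), so the stored HTML was safe as stored.

// Vulnerable ordering: the regex deletion runs after sanitization. Removing the
// marker can join fragments that were harmless while the marker sat between them,
// producing markup that KSES never saw.
function example_strip_notes_vulnerable( $content ) {
    return preg_replace( '/\[\/?note\]/', '', $content );
}

// Hardened ordering: treat the regex output as untrusted and sanitize it again,
// so the sanitizer is the last step before the browser sees the HTML.
function example_strip_notes_hardened( $content ) {
    $rewritten = preg_replace( '/\[\/?note\]/', '', $content );
    return wp_kses_post( $rewritten );
}

// Register the hardened version; priority 20 is an assumed value chosen so the
// filter runs after the default content filters.
add_filter( 'the_content', 'example_strip_notes_hardened', 20 );
```

The same rule applies to any regex rewrite of sanitized HTML (substitution, not just deletion): whatever the regex produces must pass through the sanitizer before output.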

🎙 Guest: Matthew Rollings, Application Security Professional

🎙 Host: Robert Abela, Melapress


The Melapress Show, by Robert Abela