Behind the Code: Identifying Zero-Day Exploits in WordPress

: The rising awareness of cybersecurity among governments and the public underscores the importance of effectively managing security incidents, especially zero-day attacks that exploit previously unknown software vulnerabilities. These zero-day attacks are particularly challenging because they exploit flaws that neither the public nor developers are aware of. In our study, we focused on dynamic application security testing (DAST) to investigate cross-site scripting (XSS) attacks. We closely examined 23 popular WordPress plugins, especially those requiring user or admin interactions, as these are frequent targets for XSS attacks. Our testing uncovered previously unknown zero-day vulnerabilities in three of these plugins. Through controlled environment testing, we accurately identified and thoroughly analyzed these XSS vulnerabilities, revealing their mechanisms, potential impacts, and the conditions under which they could be exploited. One of the most concerning findings was the potential for admin-side attacks, which could lead to multi-site insider threats. Specifically, we found vulnerabilities that allow for the insertion of malicious scripts, creating backdoors that unauthorized users can exploit. We demonstrated the severity of these vulnerabilities by employing a keylogger-based attack vector capable of silently capturing and extracting user data from the compromised plugins. Additionally, we tested a zero-click download strategy, allowing malware to be delivered without any user interaction, further highlighting the risks posed by these vulnerabilities. The National Institute of Standards and Technology (NIST) recognized these vulnerabilities and assigned them CVE numbers: CVE-2023-5119 for the Forminator plugin, CVE-2023-5228 for user registration and contact form issues, and CVE-2023-5955 for another critical plugin flaw. Our study emphasizes the critical importance of proactive security measures, such as rigorous input validation, regular security testing, and timely updates, to mitigate the risks posed by zero-day vulnerabilities. It also highlights the need for developers and administrators to stay vigilant and adopt strong security practices to defend against evolving threats.


Introduction
The current status quo in cybersecurity faces significant challenges and limitations, particularly in the detection and mitigation of zero-day vulnerabilities.Traditional approaches, such as signature-based and heuristic-based methods, often fall short in identifying novel threats due to their reliance on known attack patterns.Signature-based methods detect malware by comparing the code against a database of known malware signatures.While effective for known threats, this method fails to detect new, unknown vulnerabilities [1].
Heuristic-based approaches attempt to identify malicious behavior by analyzing the characteristics and behavior of software.Although more flexible, these methods still struggle with high false-positive rates and often cannot detect sophisticated or new attack vectors [2].
Another traditional method is anomaly-based detection, which identifies deviations from established normal behavior profiles.Although this method can potentially detect novel attacks, it is often plagued by high false-positive rates and requires extensive training data to establish accurate behavior profiles [3].Moreover, these methods are inherently reactive, providing solutions only after an attack has been identified and analyzed.Consequently, zero-day attacks, which exploit unknown vulnerabilities, remain a persistent and formidable threat.The National Institute of Standards and Technology (NIST) reports that zero-day vulnerabilities are particularly dangerous because they exploit security gaps that developers are unaware of, leaving systems unprotected until the vulnerability is identified and patched [4].
Cybersecurity incidents are on the rise, leading to a greater focus on cybersecurity research due to increased awareness.At the same time, cybercriminals are getting better at creating new types of attacks.These attacks often use new methods to hide their activities and target specific weaknesses in software.The software world is changing fast, with new programs and technologies being developed all the time.As a result, new vulnerabilities are constantly appearing, giving attackers opportunities to exploit them [5].This creates a never-ending game of cat and mouse between defenders and attackers.These newly discovered vulnerabilities are known as zero-day vulnerabilities and can be used to launch new types of attacks called zero-day attacks [6,7].
Zero-day attacks, though not common, pose a significant and serious threat due to the limited information available at the time they occur.These attacks exploit vulnerabilities that are unknown to the public or software developers when they are first used [8,9].The relationship between zero-day attacks and vulnerabilities is direct and reciprocal.The NIST CVE database recorded 28,828 vulnerabilities in 2023 [10], highlighting the extensive nature of potential risks.
These zero-day vulnerabilities can have a profound impact on web applications, especially those designed for sharing and disseminating information.Websites that serve as primary hubs for e-commerce, entertainment, and services are particularly vulnerable [11].Platforms like WordPress simplify website development for novice users by offering prebuilt packages that streamline the process.A crucial feature of these platforms is the inclusion of web forms, which allow users to input personal and sensitive information [12].
With WordPress holding a 42.7% market share [13], any zero-day vulnerability in this context can have severe consequences for a large number of users, potentially compromising the security of sensitive information.One significant area of concern is cross-site scripting (XSS) vulnerabilities, which enable the injection and execution of malicious code within web applications.XSS attacks are broadly categorized into three types: persistent, reflective, and DOM-based XSS attacks [14].
Specifically, WordPress plugins that require user input can significantly increase the risk of XSS attacks, affecting both the client side and the admin side.When malicious scripts are inserted into these plugins, they can create potential backdoors in the system, providing gateways for unauthorized access.These backdoors are subsequently exploited by malicious actors to gain control over the site, steal data, or launch further attacks [15].
Traditionally, security measures in system design have focused primarily on defending against external attackers [16].However, insider attacks have recently emerged as a significant concern, especially for websites with multiple administrators.Insider attacks can be particularly damaging because they exploit the trust and access privileges of internal users, making detection and prevention more challenging [17].
For WordPress sites, which often rely on a variety of plugins to enhance functionality, the risk is even greater.Poorly designed plugins that fail to properly validate and sanitize user inputs can easily become entry points for XSS attacks.Once an attacker exploits a vulnerability in a plugin, they can inject malicious code that compromises the entire site [18].
Therefore, secure plugin design must now prioritize eliminating vulnerabilities on the admin side as well.This involves implementing robust input validation and output encoding practices, conducting thorough security testing, and regularly updating plugins to patch known vulnerabilities [19].
The major issue tackled by this research is the identification and analysis of zero-day vulnerabilities in WordPress plugins, which are widely used in web development.These plugins, while enhancing functionality, often introduce security risks due to improper input validation and outdated security practices.A significant example of such vulnerabilities is cross-site scripting (XSS), which allows attackers to inject malicious scripts into web pages viewed by other users [20].The novelty of our proposed approach lies in its application of dynamic application security testing (DAST) principles to uncover these vulnerabilities.Unlike traditional static analysis methods, DAST involves real-time interaction with the application, simulating attack scenarios to identify and exploit security flaws as they occur.
Our research provides a detailed examination of 23 popular WordPress plugins, identifying critical zero-day vulnerabilities in three of them.By highlighting the mechanisms and potential impacts of these vulnerabilities, our study offers valuable insights into the practical risks posed by these security flaws.The proposed DAST-based approach demonstrates its effectiveness in proactively detecting and mitigating these threats, thereby offering significant benefits to both developers and end-users by enhancing the overall security posture of WordPress-based websites [4, 20,21].Furthermore, our approach emphasizes the importance of continuous security testing and timely updates to mitigate the risks posed by evolving threats in the dynamic landscape of cybersecurity [22].
One effective method for ensuring the security of web applications is through the application of dynamic application security testing (DAST) principles [23].Unlike static testing methods that analyze source code, DAST involves simulating external attacks on the application to identify vulnerabilities that malicious actors could exploit.This dynamic approach is particularly effective in uncovering weaknesses related to input validation, authentication, and session management.
DAST works by interacting with a running application, sending various inputs, and observing the application's responses.This real-time interaction allows DAST tools to detect security flaws that might not be apparent through static code analysis alone.For example, by submitting a wide range of input data, DAST can identify whether the application correctly handles and sanitizes user inputs, preventing potential injection attacks such as SQL injection or XSS [24,25].
The real strength of DAST lies in its ability to provide a comprehensive assessment of an application's security posture from an external attacker's perspective.By identifying and addressing these vulnerabilities, developers can significantly enhance the security of their web applications, protecting them from a wide range of potential threats [26].
Therefore, keeping this in mind, we conducted a comprehensive study where DASTbased test cases were applied to 23 WordPress plugins that require user or admin interaction with web forms.These plugins were selected based on their widespread use and critical functionality within the WordPress ecosystem [27], making the findings particularly relevant for a broad user base.By simulating real-world attack scenarios through DAST, we were able to assess how these plugins handle various types of input and whether they effectively mitigate XSS risks.
The results of our tests were revealing.We discovered that XSS attacks were indeed possible on three WordPress plugins.This vulnerability allows malicious actors to inject harmful scripts, which can then be executed within the web application, leading to severe security breaches.Particularly alarming was the discovery of vulnerabilities on the admin side of the plugins.An admin-side XSS attack can be especially damaging because it can compromise the administrative control of a website [28].Moreover, our findings indicated the potential for a multi-site insider attack.In WordPress environments where multiple sites are managed under a single installation, a vulnerability in one plugin can jeopardize the security of all sites within the network.This type of attack exploits the trust and access privileges of administrators, making it a significant threat [14].
Once these vulnerable plugins were identified, we demonstrated how these vulnerabilities could be exploited.To this end, we prepared a dummy website within a sandbox environment, allowing us to safely perform further experiments.Our goal was to determine if sensitive information could be extracted by attaching different attack vectors to these compromised plugins [29].
In our detailed experimentation, we focused on two primary attack vectors: keyloggers and truncated malware executable files.First, we tested the deployment of keyloggers to capture sensitive information such as usernames, passwords, and other critical data entered by users or administrators.The keyloggers were designed to silently record keystrokes and send the captured data to an external server, highlighting the potential severity of such an attack.
Second, we tested the zero-click download strategy by sending truncated malware executable files to the admin side of the website.This approach is particularly insidious, as it does not require any action from the admin or user to initiate the download of the malicious file.The zero-click strategy leverages vulnerabilities in the plugins to automatically download and execute malware, bypassing traditional security measures that rely on user interaction to trigger downloads [30].
By employing these attack vectors, we demonstrated how attackers could exploit the identified vulnerabilities to gain unauthorized access and extract sensitive information.The keylogger tests confirmed that personal and confidential data could be effectively captured and exfiltrated without detection.Similarly, the zero-click download strategy showed how malware could be seamlessly introduced into the system, potentially leading to a complete system compromise [31].
Our study illustrates the practical implications of DAST principles and the necessity of proactive security testing in safeguarding web applications.By identifying and mitigating these vulnerabilities, we can prevent potential breaches and protect sensitive information from malicious exploitation.
Naturally, these findings were reported and acknowledged by the National Institute of Standards and Technology (NIST) [32], resulting in the allocation of Common Vulnerabilities and Exposures (CVE) numbers to the three vulnerable plugins, thereby solidifying the significance of our work.The CVE numbers assigned are CVE-2023-5119, CVE-2023-5228, and CVE-2023-5955.These vulnerabilities highlight the critical need for enhanced security measures in WordPress plugins, especially those that handle user input and personal information.The allocation of CVE numbers by NIST underscores the importance of our findings and emphasizes the necessity for developers to prioritize security in their plugin design and implementation.
In this paper, we make the following contributions: 1.
A novel systematic approach, rooted in DAST principles, was implemented to assess WordPress webform plugins.Additionally, mitigation strategies against the identified vulnerabilities are provided.

3.
Creation of a new attack vector incorporating keyloggers was devised, leveraging these vulnerabilities to simulate an attack and extract sensitive information.

Literature Review
The field of cybersecurity research is rapidly advancing, with various methods, including both traditional and AI-based approaches, being utilized for vulnerability detection.
Traditional methods of vulnerability detection have played a crucial role in cybersecurity over the years.These methods can be broadly categorized into signature-based, heuristicbased, and anomaly-based detection.
Signature-based detection relies on a database of known vulnerability signatures to identify threats.This method matches patterns in the code against known signatures, effectively identifying previously documented vulnerabilities [1].It is a well-established technique but struggles with detecting new, unknown threats because it can only identify attacks with pre-existing signatures [33].Despite its effectiveness for known vulnerabilities, signature-based detection is ineffective against zero-day vulnerabilities, as it relies on existing signatures and cannot detect novel threats [1].Notable tools that employ signaturebased detection include Snort and NetSTAT [34].
Heuristic-based detection uses algorithms to identify potentially malicious behavior based on certain predefined rules.This approach aims to detect new, unknown vulnerabilities by analyzing the behavior and characteristics of software [2].Although heuristic methods offer some flexibility in identifying new threats, they often result in high falsepositive rates and may not effectively detect sophisticated or novel attacks [35].
Anomaly-based detection identifies deviations from established normal behavior profiles.By monitoring for anomalies, this method can potentially detect novel attacks.However, it often requires extensive training data to establish accurate behavior profiles and can suffer from high false-positive rates [3].The requirement for large amounts of training data and the propensity for false positives are significant challenges for anomalybased detection methods [3].Nevertheless, anomaly-based intrusion detection systems (AIDS) are advantageous in detecting zero-day attacks as they do not rely on a pre-existing signature database [34].They create models of normal behavior and flag deviations as potential threats, making them suitable for identifying novel attacks [36].
Despite their importance, traditional approaches face several challenges and limitations.Signature-based detection is ineffective against zero-day vulnerabilities as it relies on known signatures [1].Heuristic-based detection suffers from high false-positive rates and limited effectiveness against sophisticated attacks [2].Anomaly-based detection requires extensive training data and is prone to high false-positive rates [3].These limitations highlight the need for more advanced and proactive security measures.
In contrast, AI, ML, and DL approaches have been proposed to enhance vulnerability detection capabilities.Regi et al. [12] investigate various detection and prevention methods for zero-day attacks, including machine learning algorithms to identify abnormal activities.Guo et al. [37] emphasize the limitations of traditional methods and examine machine learning methodologies for zero-day attack detection, highlighting the challenges of limited labeled data and proposing future research directions.El-Sayed et al. [38] and Peppes et al. [39] explore deep learning techniques, such as support vector machines and generative adversarial networks, for malware classification and threat detection, demonstrating high accuracy but also noting significant challenges related to data diversity and model adaptability.
Roumani [40] examines factors influencing the timing of patch releases for zero-day vulnerabilities, utilizing survival analysis to highlight the impacts of various variables on patch release timing.This study identifies gaps in fully understanding all variables influencing patch release timings, suggesting opportunities for future research.
Fuzzing is another traditional method extensively used in vulnerability detection.Fuzzing involves providing invalid, unexpected, or random data inputs to a computer program to find security vulnerabilities and bugs [41].The process includes testcase generation, execution, monitoring, and analysis.Fuzzers are classified into generation-based and mutation-based, with each having its advantages and challenges.Generation-based fuzzers require detailed knowledge of input formats, whereas mutation-based fuzzers modify existing valid inputs to discover vulnerabilities [41].
The summary of the related studies is presented in Table 1.Our study addresses the challenges of traditional approaches by employing dynamic application security testing (DAST), which simulates real-world attack scenarios to identify vulnerabilities at runtime.This approach is particularly effective in uncovering zero-day vulnerabilities and provides a more comprehensive assessment of an application's security posture [22].

Methodology
To systematically identify and assess vulnerabilities in WordPress plugins while adhering to DAST principles, our approach starts with the creation of a sandbox environment equipped with the necessary tools and software, as detailed in Table 2.This controlled environment allows us to dynamically analyze the plugins in real-world conditions, consistent with DAST's focus on runtime testing.Dummy web pages are created using the plugins listed in Table 3, and each plugin undergoes individual testing for XSS vulnerabilities.
In line with DAST principles, which involve examining a running application's behavior, varied configuration settings are examined to assess XSS susceptibility.This includes inserting and executing JavaScript code in the context of each plugin.Successful execution signifies the potential for arbitrary JavaScript execution on the client side, aligning with DAST's objective of uncovering vulnerabilities in real time.Plugins resistant to JavaScript execution are considered secure, whereas those that are susceptible undergo further exploitation analysis.Our exploitation efforts yield two primary types of attacks: 1.
Keylogger-Based Spyware Attack: This attack captures user-entered information from the client web page associated with the vulnerable plugin.By recording keystrokes, the keylogger can silently steal sensitive data such as usernames, passwords, and personal information.

2.
Malware Injection Attack: In this scenario, truncated malware payloads are delivered to client systems using a zero-click download strategy.This approach negates the need for any user interaction, thereby simulating realistic attack scenarios as emphasized by DAST.The malware can execute automatically upon download, providing attackers with unauthorized access to the client system.
Figure 1 provides detailed steps of the proposed method, reflecting DAST's emphasis on understanding how applications behave under attack conditions.

Experimental Framework
In this section, we explain our experimental setup designed to investigate the zero-day vulnerabilities that enable XSS attacks on WordPress plugins.As shown in Table 2, we conducted experiments involving port scanning and keylogger implementation within a Windows 10 sandbox environment.This setup was created to closely mimic real-world conditions, showing how these techniques might be used to extract data from networked machines.Using a custom keylogger written in JavaScript and leveraging the XSS attack vector, we successfully extracted sensitive information by running a Flask server on a Kali Host Machine.
Creating a controlled sandbox environment was a key part of our methodology.Table 2 lists the tools and technologies we used in this sandbox to replicate an operational environ-ment accurately.This setup allowed us to test and analyze the plugins under conditions that closely resemble actual use.
We selected 23 popular WordPress webform plugins, detailed in Table 3, for our experiments.These plugins are specifically designed to handle user data input, including forms, surveys, and personal information submissions.This functionality is critical as it involves direct interaction with users, making it a prime target for malicious exploitation.The plugins are responsible for gathering, processing, and storing user data, which can include sensitive personal information.We integrated these plugins into a custom-built website, which served as the target or victim site for our experiments.This integration was crucial to ensure that our findings would be applicable to real-world WordPress environments, reflecting the typical usage scenarios where user input is a fundamental aspect of the plugin's operation.
Figure 2 shows the process followed to test vulnerabilities.Each plugin was rigorously tested to identify vulnerabilities that could be exploited through XSS attacks.We did this by dynamically inserting and executing JavaScript code within each plugin to see how they handled potentially harmful inputs.If the scripts were executed successfully, it indicated that the plugin had vulnerabilities that attackers could use to inject malicious code, create backdoors, or steal sensitive data.

Exploitation Phase Analysis and Assessment
After the installation and setup processes were complete, we moved on to thoroughly testing WordPress plugins.The proposed testing method successfully revealed zero-day vulnerabilities in three plugins: "Forminator Pro", "User Registration", and "Contact Form Email".These vulnerabilities allowed XSS attacks that enabled unauthorized access to sensitive information submitted through these forms.
In a controlled sandbox environment, mock web pages were created using the plugins listed in Table 2.These simulated web forms were designed with typical elements like text labels, text boxes, and buttons.After configuration, the forms were deployed and accessed via web browsers on the local server.
To evaluate the vulnerability of these web pages to malicious payloads, we sent these payloads through the mentioned plugins.To prevent infecting our systems, truncated versions of the malware, specifically designed to run in a sandbox, were used.This precaution was applied to both the client and admin interfaces to ensure a comprehensive assessment of vulnerabilities across the entire web application.
For the "Forminator" plugin, the "Submission Behavior" option was configured to "Redirect user to URL", embedding the JavaScript into the submission process.Similarly, in the "User Registration" plugin, the JavaScript code was appended to the "Redirect After Registration" option using the External URL selection.Finally, for the "Contact Form Email" plugin, the JavaScript code was incorporated into the "On submit action" event within the "Stay on the page & display a classic JavaScript alert box" setting.Figure 3 shows the specific locations in the configuration where changes were made to allow JavaScript code execution and exploit the XSS vulnerability.After confirming the plugins' susceptibility to XSS, the next step was to assess the extent of the exploitability of this vulnerability.Because these web forms often collect sensitive personal information, we aimed to integrate a keylogger into these forms to exploit the vulnerability, capture sensitive information, and probe target ports via XSS.This required detailed planning and execution, often necessitating advanced techniques to infiltrate systems and extract critical data.To facilitate this, we set up a custom Flask server (listed in Table 2) on the host machine.
In this study, three distinct tasks were conducted to evaluate system vulnerabilities: port scanning, installing a keylogger on the client interface, and transmitting malware.The keylogger was strategically deployed within the "Forminator" and "User Registration" plugins to extract sensitive information.However, due to the specific functionality of the "Contact Form Email" plugin, a different approach was necessary.This approach focused on examining its potential to introduce malware rather than focusing exclusively on data retrieval.
As an example, Figure 4 illustrates how the "User Registration" plugin processes user registration information.This plugin is commonly used to collect essential details from new users, such as usernames, passwords, and email addresses.When subjected to our XSS vulnerability tests, the plugin revealed a significant flaw.Specifically, it triggered the execution of malicious JavaScript code, as shown in Figure 5.This JavaScript code demonstrates how an attacker could exploit this vulnerability to inject harmful scripts into the user registration process.The ability of the plugin to process and accept user inputs without proper sanitization or validation allows these scripts to execute.This scenario can lead to severe consequences, such as unauthorized data access, session hijacking, or the compromise of user credentials.The vulnerability essentially creates a backdoor for attackers to manipulate the registration process and gain unauthorized access to sensitive information.
We also demonstrate that these vulnerabilities can be exploited to attach a keylogger, thereby easily capturing registration credentials.Specifically, on the admin side, an insider could effortlessly extract login credentials for other administrators, as shown in Figure 6.This poses a significant challenge, particularly for multi-site WordPress installations.In a multi-site setup, the risk is magnified because compromising one admin's credentials can potentially lead to the compromise of the entire network of sites.
Our findings highlight the critical importance of securing both user-facing and adminfacing components of WordPress plugins.Proactive security measures, including thorough input validation, regular security audits, and prompt patching of identified vulnerabilities, are essential to protect against such insider threats.Ensuring that all admin interactions are secure and free from exploitable vulnerabilities is crucial in maintaining the overall security and integrity of multi-site WordPress environments.
Overall, this case highlights the importance of proactive security measures in the development and deployment of WordPress plugins, reinforcing the need for continuous monitoring and improvement to protect against evolving cyber threats.
The pseudo-code for the keylogger attached to the client side is presented in Algorithm 1, providing a comprehensive outline of the keylogger's operation, detailing the steps involved in capturing and transmitting sensitive information from the target system to the attacker's server.Algorithm 2 shows the code executed on the server side, responsible for retrieving the data captured by the keylogger, filtering, and storing it for future use.Algorithms 3 and 4 are specifically deployed within the context of the "Contact Email Plugin" to propagate malware payloads to the client interface by exploiting the XSS vulnerability.A notable advantage of this code is its inherent capability to trigger the download of the malicious payload without necessitating any user interaction.This automatic initiation of the download process effectively initiates the zero-click functionality, thereby facilitating the seamless download of the truncated malware to the client system.
Figure 7 demonstrates how we were able to use JavaScript code to pass a malware file onto the user.For this test case, we ensured that the downloaded file was visible to the user, though this method can be made much more covert.This type of attack is often deployed by compromised websites to deliver malware without the user's knowledge.
In our controlled environment, the malware download was executed through a script embedded in a vulnerable plugin.By exploiting the XSS vulnerability, the script initiated an automatic download of the malware file.This approach bypasses the need for user interaction, making it a particularly insidious method of attack.The visible download in our test case was intentional to clearly demonstrate the attack's feasibility.
Such malware files can then be used in an advanced persistent threat (APT) manner to attack more systems and gain access privileges on both client and admin machines.Once the malware is installed, it can perform various malicious activities, such as logging keystrokes, capturing screenshots, stealing sensitive data, or even creating a backdoor for future access.
Algorithms 1-4 retrieve sensitive information entered in WordPress plugins.Additionally, port scanning enables the retrieval of specific information about the client machine, which can be further exploited to add new attack vectors.This is illustrated in Figures 8 and 9, which provide detailed insights into the information we were able to extract in our sandbox environment.
In summary, we selected 23 WordPress webform plugins for our experiments due to their widespread use, particularly focusing on plugins that handle user data input through forms, surveys, and personal information submissions.Testing in a controlled sandbox environment revealed zero-day vulnerabilities in three plugins: "Forminator Pro", "User Registration", and "Contact Form Email".These vulnerabilities allowed XSS attacks that could capture sensitive information.By simulating typical user interactions and deploying malicious payloads, we demonstrated how these vulnerabilities could be exploited to insert keyloggers, transmit malware, and compromise both user-facing and admin-facing components of WordPress plugins, highlighting the critical need for robust security measures in plugin development.To this end, we provided a detailed pseudo-code of the attack vector and showcased how these vulnerabilities were found and exploited.Display an alert with "Captured Data": followed by dataToSend Make a copy of the data.

16:
Remove 'ur-redirect-url' from the form data in the copy.17: Print the filtered data.Print the received data.

20:
Return a confirmation message "Data Received".Set the destination URL of the hyperlink to the attacker's server 4: Set the download attribute of the hyperlink to the intended malware file name 5: Append the hyperlink to the document's body 6: Trigger a click event on the hyperlink to initiate download 7: Remove the hyperlink from the document's body after triggering 8: end function Algorithm 4 Malware distribution-server side.

Challenges and Future Work
The proposed method for identifying zero-day vulnerabilities in WordPress plugins through DAST faces several challenges and limitations that need to be addressed.These challenges are inherent to the nature of web security and the specifics of the DAST approach.
First, scalability is a primary challenge.As the number of plugins and the complexity of web applications grow, the time and resources required to perform thorough security testing increase significantly.This can lead to longer testing cycles and potentially delayed identification of vulnerabilities.Managing this scalability requires optimizing DAST tools to handle large-scale applications efficiently.Implementing horizontal scaling techniques, such as those using Kubernetes for parallel processing, can significantly improve scanning speed and efficiency.
Second, DAST tools generates false positives (incorrectly identifying benign behavior as malicious) and false negatives (failing to detect actual vulnerabilities).This can result in unnecessary remediation efforts or, worse, leaving vulnerabilities unaddressed.Fine-tuning the testing parameters and incorporating more sophisticated heuristics can help mitigate these issues but cannot eliminate them entirely.Utilizing AI-enabled verification mechanisms can help reduce false positives and improve the accuracy of the detection process.
Another significant challenge is the dynamic nature of web applications.Web applications are highly dynamic, with frequent updates and changes in code and configurations.This dynamism can render previously identified vulnerabilities obsolete or introduce new vulnerabilities.Continuous monitoring and repeated testing are essential but also resourceintensive, demanding a robust infrastructure to maintain ongoing assessments.Integrating DAST tools with continuous integration/continuous deployment (CI/CD) pipelines can facilitate continuous security testing and ensure timely identification of vulnerabilities as part of the development process.
Complex attack vectors present another challenge.Modern web applications, including WordPress plugins, often involve complex interactions between various components and third-party services.Identifying vulnerabilities in such interconnected environments requires comprehensive testing that considers all potential attack vectors.This complexity can make it difficult to ensure complete coverage, necessitating advanced testing strategies.Utilizing tools that can dynamically generate unique data and track various headers and tokens can enhance the comprehensiveness of the security assessments.
User and developer awareness is crucial for effective vulnerability management.Users must keep their plugins and applications updated, whereas developers need to follow best security practices during development.Ensuring this level of awareness and compliance is a significant challenge, as it involves ongoing education and vigilance.Providing user-friendly guidelines and tools for maintaining secure configurations can enhance overall security.
Resource constraints are a major limitation, particularly for smaller organizations.Conducting thorough DAST requires significant computational resources and expertise.Small organizations or individual developers may lack the resources to implement comprehensive security testing, leading to potential gaps in vulnerability detection.Offering cloud-based DAST solutions that can be scaled according to the organization's needs can help mitigate resource constraints and provide access to robust security testing capabilities.
In light of these challenges, future work should focus on several key areas to enhance the DAST approach.Developing more advanced automation techniques can help scale the DAST approach to handle larger and more complex applications.This includes automated test case generation, execution, and result analysis.
Integrating DAST tools with continuous integration/continuous deployment (CI/CD) pipelines can facilitate continuous security testing, ensuring that vulnerabilities are identified and addressed promptly as part of the development process.Enhancing collaboration between security experts and developers can lead to better integration of security practices into the development lifecycle, reducing the overall security risk.
Although the current method does not use machine learning, exploring advanced heuristics and AI techniques can help improve the accuracy and efficiency of DAST tools.These technologies can assist in identifying patterns and anomalies that might indicate vulnerabilities.
Developing comprehensive threat models that consider the entire ecosystem of a web application can improve the coverage and effectiveness of security testing.This includes understanding potential attack vectors and their impact on different components of the application.
Finally, educating users on the importance of regular updates and security best practices can mitigate risks associated with outdated or poorly configured plugins.Developing user-friendly guidelines and tools for maintaining secure configurations can enhance overall security.
By addressing these challenges and pursuing the proposed future work, we can enhance the effectiveness and reliability of DAST for identifying zero-day vulnerabilities in WordPress plugins, thereby improving the overall security posture of web applications.

Conclusions
Dynamic application security testing (DAST) operates by interacting with a running application, sending various inputs, and observing the application's responses.This realtime interaction allows DAST tools to detect security flaws that might not be apparent through static code analysis alone.By submitting a wide range of input data, DAST can identify whether the application correctly handles and sanitizes user inputs, thereby preventing potential injection attacks such as SQL injection or cross-site scripting (XSS).The true strength of DAST lies in its ability to provide a comprehensive assessment of an application's security posture from an external attacker's perspective.By identifying and addressing these vulnerabilities, developers can significantly enhance the security of their web applications, protecting them from a wide range of potential threats.
In our comprehensive study, we applied DAST-based test cases to 23 WordPress plugins that require user or admin interaction with web forms.These plugins were selected based on their widespread use and critical functionality within the WordPress ecosystem.By simulating real-world attack scenarios through DAST, we assessed how these plugins handle various types of input and whether they effectively mitigate XSS risks.The results revealed that XSS attacks were possible on three WordPress plugins, exposing significant security vulnerabilities, particularly on the admin side.Additionally, our findings indicated the potential for a multi-site insider attack, exploiting administrative privileges to compromise the security of all sites within a network.Following these discoveries, we reported our findings to the National Institute of Standards and Technology (NIST), resulting in the allocation of Common Vulnerabilities and Exposures (CVE) numbers to the three vulnerable plugins.This acknowledgment underscores the critical need for enhanced security measures in WordPress plugins and emphasizes the necessity for developers to prioritize security in their design and implementation.

Figure 3 .
Figure 3.The JavaScript code added to the plugin enabling XSS attack.

Figure 4 .
Figure 4. User registration web form with XSS.

Figure 5 .
Figure 5.The XSS triggered the JavaScript code execution, shows that a more potent javascript can be executed as well.

Figure 6 .
Figure 6.A keylogger being attached to the plugin from the admin side, showcasing how easy it is for an insider to affect web applications with malicious code.

1 : 3 : 4 : 7 :
Import necessary libraries:2: Import web framework and file transmission capabilities Initialize web application: 5: Create an instance of the web application class 6: Define routing and functionality for the app: 8: Create a route '/download-file' that listens to GET requests 9: Define a function download_file():

Figure 9 .
Figure 9. Sample output displaying the system specifications of the user machine.

Table 1 .
Summary of related studies.

Table 2 .
The table presents the operating systems employed for creating the sandbox environment, along with the tools and technologies.Exploiting XSS vulnerabilities reveals the susceptibility of client machines to malicious attacks, in line with DAST's focus on uncovering security gaps at runtime.Demonstrating these attacks underscores the significant security risks posed by XSS vulnerabilities in Word-Press plugins.Our methodology of identifying, testing, and exploiting these vulnerabilities highlights the critical need for proactive security measures.Such measures are essential to mitigate XSS vulnerabilities and safeguard web-based systems from potential breaches.
Figure 1.The experimental method employed to uncover vulnerabilities and exploits.

Table 3 .
The table displays the comprehensive list of tested WordPress plugins along with their version numbers.WPForms builder plugin for WordPress is designed to simplify the process of creating various types of forms without requiring any coding knowledge.This plugin supports creating contact forms, feedback forms, subscription forms, and more.It offers pre-built templates, spam protection, and mobile responsiveness, ensuring forms look great on all devices.VS Contact Form is a lightweight, user-friendly WordPress plugin for creating basic contact forms.It features fields for Name, Email, Subject, and Message, along with spam prevention via a sum field and a privacy consent checkbox.Users can customize the form using the settings page or by adding attributes to blocks, shortcodes, or widgets.WordPress plugin that enables flexible form creation using shortcodes.It allows customization of input, confirmation, completion, and error pages' URLs.The plugin supports various validation rules and offers a confirmation screen feature.Data from forms can be saved in a database and exported as CSV files, with visualization options for analysis.Add-ons include CAPTCHA for enhanced security and a GUI-based form builder. Contact Form 7 is a highly customizable WordPress plugin for managing multiple contact forms.It allows you to tailor both form and email content with simple markup.Key features include support for Ajax-powered submission, CAPTCHA, and Akismet spam filtering.It is popular for its flexibility and extensive documentation, including FAQs and a support forum.The plugin is maintained by Takayuki Miyoshi and is widely used with over 10 million active installations.Ninja Forms plugin is a versatile form builder for WordPress that supports a wide range of functionalities.It includes 24+ free drag-and-drop fields, customizable fields, and extensive submission management features.Users can create various form types such as contact forms, payment forms, and surveys.Country and Phone Field Contact Form 7 plugin is an add-on for the Contact Form 7 plugin.It introduces two new form tag fields: a country dropdown list with country flags and a country phone extension list.These fields enhance the Contact Form 7 forms by allowing users to select their country and corresponding phone number extension easily.

Table 3 .
Cont.Profile Builder plugin for WordPress is a comprehensive solution for creating user registration forms and user profiles and managing user roles.It offers front-end user registration, login, and profile editing forms with custom fields, content restriction based on user roles, and a built-in Role Editor.

Table 3 .
Cont.Forminator plugin is a comprehensive form builder that allows users to create a variety of forms, including contact forms, payment forms, and quizzes, using a drag-and-drop interface.It supports Stripe and PayPal integrations, GDPR compliance, and provides real-time interactive polls and quizzes.The plugin also offers advanced features like conditional logic, multi-step forms, and various third-party integrations.Forminator includes features for developers to extend its functionality through its API.

Define routing and functionality for handling data: 10
: Create a route at the root URL that listens to both GET and POST methods.11: Define a function receive_data(): 12: if the method is POST then

the app if this is the main script: 27
: Run the app on a specified host and port if the script is the main program being executed.