Catching WordPress 0-Days on the Fly
WordPress powers over 40% of the web, making its plugin ecosystem a prime target for attackers. While security researchers manually audit plugins for vulnerabilities, the ever-growing number of third-party extensions makes this approach inefficient. What if we could find all the vulnerabilities right after developers publish them?
In this talk, we introduce a research-driven methodology for identifying 0-day vulnerabilities in WordPress plugins using static code analysis. We will showcase how we built a tool that continuously monitors the WordPress Plugin Repository via its SVN system, detects newly pushed code or changesets in real time using multi-threading, and flags potentially dangerous patterns. By leveraging static analysis, the tool identifies sensitive functions and automatically alerts researchers when risky code is introduced.
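To make the flagging step concrete, here is an added example (not the speakers' tool) of the core check such a monitor runs on each new changeset: it walks the added lines of a unified diff, as an SVN client would emit for a plugin commit, and reports any sensitive sink whose arguments contain request data. The sink list and the sample diff are constructed for illustration.

```python
import re

# Constructed sample: an SVN-style unified diff for one plugin changeset
SAMPLE_DIFF = """Index: trunk/includes/ajax.php
===================================================================
--- trunk/includes/ajax.php\t(revision 100)
+++ trunk/includes/ajax.php\t(revision 101)
@@ -10,3 +10,6 @@
 function plugin_init() {
+    $data = unserialize( $_POST['payload'] );
+    $file = file_get_contents( $_GET['path'] );
+    $safe = sanitize_text_field( $_POST['name'] );
 }
"""

# Sensitive functions worth a researcher's attention when fed user input (assumed list)
SENSITIVE_SINKS = {
    "unserialize": "PHP object injection",
    "eval": "code execution",
    "file_get_contents": "arbitrary file read",
    "include": "local file inclusion",
    "exec": "command execution",
}
SUPERGLOBALS = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")

def added_lines(diff_text):
    """Yield (file path, line number in the new revision, code) for each added line."""
    path, lineno = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].split("\t")[0]          # strip the "(revision N)" suffix
        elif raw.startswith("@@"):
            lineno = int(re.search(r"\+(\d+)", raw).group(1))  # new-file hunk start
        elif raw.startswith("+"):
            yield path, lineno, raw[1:]
            lineno += 1
        elif not raw.startswith("-"):
            lineno += 1                            # context line: advances new-file numbering

def flag_changeset(diff_text):
    """Return findings where a sensitive sink is called with a superglobal in its arguments."""
    findings = []
    for path, lineno, code in added_lines(diff_text):
        for sink, risk in SENSITIVE_SINKS.items():
            call = re.search(rf"\b{sink}\s*\(", code)
            if call and SUPERGLOBALS.search(code[call.end():]):
                findings.append({"file": path, "line": lineno, "sink": sink, "risk": risk})
    return findings

if __name__ == "__main__":
    for finding in flag_changeset(SAMPLE_DIFF):
        print(finding)
```

A real deployment would feed each new revision's `svn diff` output into `flag_changeset` and route non-empty results to the alerting channel; the sanitized line is correctly left unflagged.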
We will dive into the inner workings of this automation, discuss the challenges of scaling static analysis for thousands of plugins, and present real-world case studies of zero-days uncovered using this technique.
By the end of this session, attendees will walk away with a deeper understanding of how to leverage real-time monitoring of the repository and static code analysis on a mass scale for vulnerability research.