WordPress Intranet — Static Code Analysis

Client: Corporate intranet, Colombia, 2025
Service: Web Application Pentest
Type: White-box / source code review

Executive Summary

Full source code review of a private WordPress intranet used by a Colombian company. The assessment revealed 20 vulnerabilities across the codebase, server configuration, and third-party integrations — including hardcoded credentials for external HR and payment systems that could allow complete account takeover and financial data exposure.

Findings (20 Total)

  • Critical (3): Hardcoded plaintext API keys and credentials for external HR platform and payment processor embedded in custom plugin source code
  • Critical (1): SQL injection in custom reporting module — unauthenticated, full database read access
  • High (4): Insecure Direct Object Reference (IDOR) allowing any authenticated user to access any other employee's documents
  • High (2): Stored XSS in employee profile fields, no output encoding
  • Medium (6): Missing CSRF tokens on state-changing forms, outdated dependencies with known CVEs, overly permissive file uploads
  • Low (4): Information disclosure, missing security headers, verbose error messages in production

Methodology

Static code analysis using manual review and automated scanning. Dynamic testing against a staging environment. OWASP Testing Guide v4 methodology. Findings validated with proof-of-concept exploits for all critical and high issues.

Outcome

All 20 vulnerabilities documented with CVSS v3.1 scores, exploit steps, and specific remediation guidance. Client applied all remediations within 2 weeks. Re-test confirmed successful closure of all critical and high findings.