Demo Videos

See how DefendWP protects your website even if vulnerable plugins are installed.

Vuln Type: Direct static code injection

Plugin: Loco Translate < 2.5.4

Vulnerability: The plugin mishandles data inputs that get saved to a file, and the file can then be renamed to an extension ending in .php. As a result, authenticated "translator" users can inject PHP code into .php files in web-accessible locations.

DefendWP protects your website by identifying if PHP code or a PHP file is being added through POST calls or forms maliciously.
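The first entry's root cause is a file-save (and rename) path that accepts any extension. The following is an added example, not DefendWP's code or Loco Translate's code, of the check a plugin author would put in front of such a write: an allow-list of translation-file extensions plus a base-directory constraint, applied to the destination name of both the save and the rename. The function name, the base directory and the sample names are constructed for illustration.

```php
<?php
// Added example (not DefendWP's or Loco Translate's code): restrict a file-save
// or rename destination to an allow-list of extensions under a fixed base
// directory. Function and directory names are hypothetical.

function safe_translation_target( string $base_dir, string $requested_name ): ?string {
    // Only these translation-file extensions may ever be written.
    $allowed_ext = array( 'po', 'pot', 'mo' );

    // Reject anything that is not a plain file name (no directories, no traversal).
    $name = basename( $requested_name );
    if ( $name !== $requested_name || $name === '' ) {
        return null;
    }

    // Compare the final extension only, case-insensitively, so "shell.php" and
    // "de_DE.po.PHP" are both refused.
    $ext = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
    if ( ! in_array( $ext, $allowed_ext, true ) ) {
        return null;
    }

    // Resolve the base directory and make sure the target stays inside it.
    $real_base = realpath( $base_dir );
    if ( $real_base === false ) {
        return null;
    }
    $target = $real_base . DIRECTORY_SEPARATOR . $name;
    if ( strpos( $target, $real_base . DIRECTORY_SEPARATOR ) !== 0 ) {
        return null;
    }
    return $target;
}

// Constructed inputs for demonstration (base directory is a placeholder).
var_dump( safe_translation_target( '/tmp', 'de_DE.po' ) );         // string: /tmp/de_DE.po
var_dump( safe_translation_target( '/tmp', 'shell.php' ) );        // NULL
var_dump( safe_translation_target( '/tmp', 'de_DE.po.PHP' ) );     // NULL
var_dump( safe_translation_target( '/tmp', '../wp-config.php' ) ); // NULL
```

The same function is called for the rename destination as for the original save, so a file that passed the first check cannot later acquire a .php extension. A runtime product such as DefendWP watches the POST request instead; the two controls are complementary rather than interchangeable.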

Vuln Type: Broken Access Control

Plugin: Booster for WooCommerce <= 7.0.0

Vulnerability: Unauthorized modification of data due to a missing check for the 'manage_options' capability. This makes it possible for authenticated attackers with Shop Manager privileges to update arbitrary site options.

DefendWP protects your website by blocking non-admin users from updating the wp_options table.

Vuln Type: Cross-site request forgery (CSRF), Bypass, Gain privilege

Plugin: REST API TO MiniProgram <= 4.6.8.1

Vulnerability: The plugin has no authorisation or CSRF checks in an AJAX action, allowing any authenticated user, such as a subscriber, to call it and delete arbitrary attachments.

DefendWP protects your website by preventing an unauthenticated user from deleting media attachments.
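The Booster for WooCommerce entry (missing capability check) and the REST API TO MiniProgram entry (missing authorisation and CSRF checks in an AJAX action) share one fix on the plugin side. The block below is an added example, not DefendWP's code or either plugin's code: a WordPress AJAX handler in its weak form and its hardened form, with a nonce check for CSRF and a capability check for authorisation. The action names, option name and nonce names are hypothetical; the WordPress functions used (`check_ajax_referer`, `current_user_can`, `wp_send_json_error`, `wp_delete_attachment`) are real core functions.

```php
<?php
// Added example (not DefendWP's or either plugin's code): a WordPress AJAX
// handler before and after adding capability and CSRF (nonce) checks.
// Action, option and nonce names are hypothetical.

// Weak form: every logged-in user can reach wp_ajax_* handlers, and nothing
// here verifies who they are or whether the request was intentional.
function demo_update_option_weak() {
    update_option( 'demo_setting', sanitize_text_field( $_POST['value'] ?? '' ) );
    wp_send_json_success();
}

// Hardened form: verify the nonce (CSRF) and the capability (authorisation)
// before touching site options.
function demo_update_option_hardened() {
    // Ends the request with HTTP 403 if the nonce is missing or stale.
    check_ajax_referer( 'demo_update_option', 'nonce' );

    // Shop Managers and Subscribers do not hold manage_options, so they stop here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    update_option( 'demo_setting', sanitize_text_field( $_POST['value'] ?? '' ) );
    wp_send_json_success();
}

// Same pattern for a destructive attachment action: check the nonce, then
// check the capability against the specific object, not a blanket role.
function demo_delete_attachment_hardened() {
    check_ajax_referer( 'demo_delete_attachment', 'nonce' );

    $attachment_id = absint( $_POST['attachment_id'] ?? 0 );
    if ( ! $attachment_id || ! current_user_can( 'delete_post', $attachment_id ) ) {
        wp_send_json_error( 'not allowed', 403 );
    }

    wp_delete_attachment( $attachment_id, true );
    wp_send_json_success();
}

// Only the hardened handlers are registered; the weak one is shown for contrast.
add_action( 'wp_ajax_demo_update_option', 'demo_update_option_hardened' );
add_action( 'wp_ajax_demo_delete_attachment', 'demo_delete_attachment_hardened' );

// The matching nonce is emitted on the admin page that renders the form:
// wp_nonce_field( 'demo_update_option', 'nonce' );
```

`check_ajax_referer` covers the CSRF half and `current_user_can` the authorisation half; one without the other leaves the handler exposed, which is why both entries above are listed as separate vulnerability types.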

Vuln Type: Authentication Bypass

Plugin: WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) < 7.6.5

Vulnerability: Improper credential validation in the plugin allows unauthenticated attackers to escalate privileges if the administrator's email address is known.

DefendWP protects your website by blocking any admin user login attempt that does not supply a password.