The Melapress Show

REGEXSS Demo: How Hackers Exploit Regular Expressions in WordPress | Matthew Rollings (Stealthcopter)

58 min · 1 de may de 2026
Portada del episodio REGEXSS Demo: How Hackers Exploit Regular Expressions in WordPress | Matthew Rollings (Stealthcopter)

Descripción

In Episode 49 of the Melapress Show, Matthew Rollings, application security professional and bug bounty hunter, joins Robert Abela to break down RegexXSS: a vulnerability class hiding in the regex code of WordPress plugins. Mat explains how post-sanitization regex manipulation can reintroduce cross-site scripting even after WordPress has done its job, and demonstrates how an attacker can leverage it to take over a full admin account. Many developers are unaware that using regex to parse or modify HTML, even after WordPress's built-in KSES sanitization, can introduce fresh XSS vectors. With over 70,000 WordPress plugins in existence, and regex used heavily throughout PHP development, this vulnerability class is both widespread and chronically under-reported. Mat has earned £20–30k in bug bounties from this single class alone. Key topics include: * The definition of RegexXSS and why it's distinct from conventional cross-site scripting * How WordPress sanitizes input by default and exactly where that protection ends * Why regex is fundamentally context-unaware and therefore unsafe for HTML manipulation * A step-by-step demo of abusing a regex deletion to smuggle a JavaScript payload * How XSS can be escalated to silent admin account creation in WordPress 🎙 Guest: Matthew Rollings [https://www.linkedin.com/in/mat-rollings], Application Security Professional 🎙️ Host: Robert Abela [https://www.linkedin.com/in/robertabela/], Melapress [https://melapress.com/]

Comentarios

0

Sé la primera persona en comentar

¡Regístrate ahora y únete a la comunidad de The Melapress Show!

Empezar

2 meses por 1 €

Después 4,99 € / mes · Cancela cuando quieras.

  • Podcasts exclusivos
  • 20 horas de audiolibros / mes
  • Podcast gratuitos

Todos los episodios

53 episodios

Portada del episodio Accessibility, Revenue, and the Mistakes Most Agencies Keep Making | Anne-Mieke Bovelett

Accessibility, Revenue, and the Mistakes Most Agencies Keep Making | Anne-Mieke Bovelett

Most organizations only consider accessibility when faced with a legal deadline or a complaint. Anne-Mieke Bovelett's approach begins much earlier, at the stage of product decisions, design systems, and CMS workflows that ensure a site is accessible for everyone before any code is written. With 27 years of experience in web infrastructure across retail, academic, agency, and enterprise clients in the Netherlands, Germany, and beyond, she knows exactly where agencies often go wrong with accessibility, and the consequences of these mistakes. In this conversation, Anne and Robert unpack the gap between technical compliance and real-world usability, explain why accessibility, SEO, usability, and conversion optimization are increasingly the same discipline, and discuss how AI search and agents are raising the stakes for clear semantic structure. Key topics include: * Why "WCAG compliant" doesn't guarantee a usable website * The accessibility mistakes that show up on WordPress sites regardless of who built them * How to reframe accessibility as an investment instead of a project cost * Where accessibility debt gets introduced during discovery, design, and development * What metrics actually demonstrate accessibility ROI to a client * How AI-driven search and agents change the value of accessible, well-structured content 🎙️Guest: Anne-Mieke Bovelett [https://www.linkedin.com/in/bovelett/], Accessibility Strategist [https://annebovelett.eu/] 🎙️Host: Robert Abela [https://www.linkedin.com/in/robertabela/], Melapress [https://melapress.com/]

3 de jul de 20261 h 12 min
Portada del episodio Regression Testing, Visual Testing & QA: What WordPress Pros Need? | Mike Miler (WebChange Detector)

Regression Testing, Visual Testing & QA: What WordPress Pros Need? | Mike Miler (WebChange Detector)

Agencies applying updates across dozens of client sites face a consistent challenge: the issues that matter most, such as broken forms, failed checkouts, and layout regressions, rarely surface on the homepage. Without a structured testing process, these issues surface only when a client notices. Mike Miler, Founder of WebChange Detector, works with agencies on exactly this problem and brings a grounded, tool-informed perspective on where testing effort actually pays off. Key topics include: * The practical difference between testing, monitoring, and QA, and why each serves a different purpose in a maintenance workflow * How regression testing and visual testing work, and the distinct failure types each one is designed to catch * Which change types carry the highest risk: plugin and theme updates, design changes, third-party integrations, or configuration changes * How to structure a QA checklist that's consistent and repeatable across multiple team members * What to automate when managing websites at scale, and what still requires a human review step * Practical uses of AI in generating test coverage and flagging anomalies 🎙 Guest: Mike Miler [https://www.linkedin.com/in/mikemiler/], Founder at WebChange Detector [https://www.webchangedetector.com/] 🎙️Host: Robert Abela [https://www.linkedin.com/in/robertabela/], Melapress [https://melapress.com/]

26 de jun de 20261 h 0 min
Portada del episodio WordPress Playground Deep Dive: Making WordPress Easier to Try and Learn | Adam Zielinski (Automattic)

WordPress Playground Deep Dive: Making WordPress Easier to Try and Learn | Adam Zielinski (Automattic)

Getting started with WordPress, whether as a learner, a contributor, or an agency evaluating plugins for a client, has always required more setup than it should. WordPress Playground was built to address that friction directly, making it possible to run a full WordPress environment in the browser, instantly, with no installation required. In this live episode, Adam Zieliński shares how the project has evolved, the adoption patterns that surprised the team, and the common misconceptions that still follow Playground around. Key topics include: * The original problem WordPress Playground was created to solve, and why instant access matters * How agencies are using Playground for plugin and theme evaluation, product demos, and client onboarding * Interactive learning approaches versus traditional tutorials, and how Playground is reshaping WordPress education * Reducing setup friction for contributors and making it easier to reproduce, test, and share issues * Where AI and experimentation intersect with Playground, and what unexpected use cases have emerged * Adam's vision for where Playground fits in the next generation of WordPress workflows 🎙Guest: Adam Zieliński [https://www.linkedin.com/in/adamziel/], WordPress Core Committer & Architect of WordPress Playground [https://wordpress.org/playground/] 🎙️Host: Robert Abela [https://www.linkedin.com/in/robertabela/], Melapress [https://melapress.com/]

19 de jun de 202653 min
Portada del episodio WordPress Plugin Supply Chain Attacks: Hunting for Backdoors with AI | Austin Ginder (Anchor Host, WP Beacon)

WordPress Plugin Supply Chain Attacks: Hunting for Backdoors with AI | Austin Ginder (Anchor Host, WP Beacon)

Supply chain attacks against WordPress plugins are difficult to spot because they often hide behind legitimate update processes that users trust every day. In this episode, Austin Ginder, Founder of Anchor Host and WPBeacon, shares how investigating compromised sites across a large managed WordPress environment led him to uncover multiple examples of plugin supply chain abuse. He explains the techniques involved, how AI accelerated the investigation process, and what the WordPress ecosystem can do to improve software integrity. Key topics discussed: • How plugin supply chain attacks operate through trusted update channels • The attack patterns Austin investigated, including expired domain takeovers, redirected update infrastructure, and version number manipulation • How Claude Code accelerated timeline reconstruction and forensic investigation • WPBeacon and its role in identifying indicators of supply chain compromise • WPRegistry and the vision for a community-driven plugin integrity database • The challenges surrounding abandoned plugins and ecosystem governance • The growing impact of AI on both attackers and defenders 🎙Guest: Austin Ginder [https://www.linkedin.com/in/austinginder/], Anchor Host [https://anchor.host/] & WP Beacon [https://wpbeacon.io/] 🎙️Host: Robert Abela [https://www.linkedin.com/in/robertabela/], Melapress [https://melapress.com/]

12 de jun de 20261 h 6 min
Portada del episodio AI in WordPress Core: Connectors, Abilities & How to Stay Secure | Jonathan Bossenger (Automattic)

AI in WordPress Core: Connectors, Abilities & How to Stay Secure | Jonathan Bossenger (Automattic)

In Episode 51 of the Melapress Show, Jonathan Bossenger, Developer Advocate at Automattic, joins Robert Abela to break down how WordPress is being rebuilt from the ground up to work with AI and what that means for the people who build and manage WordPress sites. The conversation covers the four Core AI building blocks that shipped with WordPress 7, why the Abilities API could change how developers structure their plugins, and the real security considerations involved in connecting your site to an AI provider. Whether you're a seasoned plugin developer or just getting started, this episode gives you a clear picture of what's happening now and where things are heading. Key topics include: * The four WordPress Core AI building blocks: Abilities API, AI Client, MCP Adapter, and Connectors * How the user-controlled model means site owners decide how AI is used on their site * Why connecting to AI providers makes API key security more critical than ever, and what to do about it * How to get a feature request or idea into the hands of the right WordPress Core contributors * What the Abilities API does, why it matters for plugin developers, and how to start registering abilities * What the WordPress AI plugin is, how it mirrors the Gutenberg/performance plugin model, and where it's heading * How AI is reshaping the developer role and why experienced developers blogging and sharing more matters now more than ever 🎙 Guest: Jonathan Bossenger [https://www.linkedin.com/in/jonathanbossenger/], Developer Advocate at Automattic [https://automattic.com/] 🎙️ Host: Robert Abela [https://www.linkedin.com/in/robertabela/], Melapress [https://melapress.com/]

29 de may de 20261 h 1 min