The beginnings of a list of WordPress theme- and plugin-specific security verification checks
Verify that plugin “uninstall” works correctly
The plugin will have either an "uninstall" hook registered with register_uninstall_hook(), or an uninstall.php file in its root directory; see http://codex.wordpress.org/Function_Reference/register_uninstall_hook for details. If both exist, WordPress uses uninstall.php and ignores the hook. Note that the plugin's main file is not loaded when uninstall.php runs, so it must be self-contained, and a hook callback must be a plain function or static method because WordPress stores it serialized in the uninstall_plugins option.
1. Make sure that uninstall removes everything the plugin created: database tables (and stored procedures, in the rare case a plugin creates them), options, transients, scheduled cron events, user/post meta, and any files it wrote (for example under wp-content/uploads). On multisite, check that per-site data is removed for every site, not just the one the admin happens to be on.
2. When using uninstall.php the plugin must check for the WP_UNINSTALL_PLUGIN constant before doing anything. WordPress defines that constant immediately before it includes uninstall.php during a plugin deletion; it is not defined if uninstall.php is requested directly over HTTP, so the guard prevents an unauthenticated visitor from triggering the data destruction.
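As an added example (not code from the original page or from any real plugin), here is an uninstall.php for a hypothetical plugin "example_plugin" that covers both points above: the WP_UNINSTALL_PLUGIN guard, and removal of options, a transient, a cron hook, a custom table, uploaded files, network options and user meta. All option, table, hook and directory names are assumptions for the sake of illustration.

```php
<?php
// uninstall.php for the hypothetical "example_plugin" (added example, not the page's own code).
// Assumed names: options example_api_host / example_db_version / example_network_key,
// transient example_cache, cron hook example_plugin_hourly, table {prefix}example_items,
// upload dir wp-content/uploads/example-plugin, user meta example_plugin_dismissed_notice.

// WordPress defines this constant only when it runs uninstall.php itself.
// A direct request for /wp-content/plugins/example-plugin/uninstall.php never gets past here.
if ( ! defined( 'WP_UNINSTALL_PLUGIN' ) ) {
    exit;
}

function example_plugin_uninstall_site() {
    global $wpdb;

    // Options and transients stored in wp_options for the current site.
    delete_option( 'example_api_host' );
    delete_option( 'example_db_version' );
    delete_transient( 'example_cache' );

    // Scheduled events: otherwise WP-Cron keeps firing a hook nobody handles any more.
    wp_clear_scheduled_hook( 'example_plugin_hourly' );

    // Custom table. $wpdb->prefix differs per site on multisite, so this must run per site.
    $wpdb->query( "DROP TABLE IF EXISTS {$wpdb->prefix}example_items" );

    // Files the plugin wrote into this site's uploads directory.
    $upload = wp_upload_dir();
    $dir    = trailingslashit( $upload['basedir'] ) . 'example-plugin';
    if ( is_dir( $dir ) ) {
        foreach ( glob( $dir . '/*' ) as $file ) {
            wp_delete_file( $file );
        }
        rmdir( $dir );
    }
}

if ( is_multisite() ) {
    // Network-wide data lives in wp_sitemeta; per-site data needs a switch_to_blog() loop.
    delete_site_option( 'example_network_key' );
    // get_sites() returns at most 100 sites by default; number => 0 lifts the limit.
    foreach ( get_sites( array( 'fields' => 'ids', 'number' => 0 ) ) as $blog_id ) {
        switch_to_blog( $blog_id );
        example_plugin_uninstall_site();
        restore_current_blog();
    }
} else {
    example_plugin_uninstall_site();
}

// wp_usermeta is shared across the network, so delete the key once for all users
// ($object_id 0 plus $delete_all true removes every row with this meta key).
delete_metadata( 'user', 0, 'example_plugin_dismissed_notice', '', true );
```

When reviewing a real plugin, diff the list of deletions here against everything the activation code and runtime code write (grep for add_option, update_option, set_transient, wp_schedule_event, add_user_meta, CREATE TABLE and file writes); anything written but not deleted is a finding.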
Make sure that sensitive requests are protected from CSRF using the native WordPress nonce functions (wp_nonce_field(), wp_nonce_url(), wp_verify_nonce(), check_admin_referer(), check_ajax_referer()). See: http://codex.wordpress.org/WordPress_Nonces
When a form is submitted, verify that the submitter has both the authority and the intention to perform the requested function: authority is a capability check with current_user_can(), intention is a nonce check. One without the other is not enough.
A common mistake is to use is_admin() as an authorization check. is_admin() only reports whether the current request is for an admin-area page (including admin-ajax.php and admin-post.php); it says nothing about who the user is or what they may do, and it is true for a cross-site request that lands in wp-admin. The handler should check current_user_can() for the specific capability the action requires and verify the nonce, so that neither an unauthorized user nor a forged request from an authorized user's browser can submit the form.
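As an added example (not the page's own code or that of any real plugin), here is a settings form for a hypothetical plugin "example_plugin" posted to admin-post.php, with the broken is_admin() handler beside the corrected one. The option name, nonce action and capability are assumptions chosen for illustration.

```php
<?php
// Added example for the hypothetical "example_plugin"; option name, nonce action
// and the admin_post action name are assumptions, not from the original page.

const EXAMPLE_NONCE_ACTION = 'example_plugin_save_settings';

// Render the form. wp_nonce_field() emits the _wpnonce and _wp_http_referer hidden fields.
function example_plugin_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( EXAMPLE_NONCE_ACTION ); ?>
        <input type="hidden" name="action" value="example_plugin_save" />
        <label>API host
            <input type="text" name="example_api_host"
                   value="<?php echo esc_attr( get_option( 'example_api_host', '' ) ); ?>" />
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// BEFORE: is_admin() is true for every request handled under wp-admin, including a
// cross-site form post from a logged-in subscriber's browser. There is no capability
// check and no intent check, and the raw (slashed) POST value goes straight into the DB.
function example_plugin_save_vulnerable() {
    if ( ! is_admin() ) {
        wp_die( 'Not allowed' );
    }
    update_option( 'example_api_host', $_POST['example_api_host'] );
}

// AFTER: authority (capability), then intention (nonce), then sanitized input.
function example_plugin_save() {
    // Authority: may this user change site options at all?
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // Intention: was this form rendered by us, for this user, within the nonce lifetime?
    // check_admin_referer() calls wp_die() on failure, so nothing below runs on a forgery.
    check_admin_referer( EXAMPLE_NONCE_ACTION );

    // WordPress adds slashes to superglobals; strip them before sanitizing.
    $host = isset( $_POST['example_api_host'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_api_host'] ) )
        : '';
    update_option( 'example_api_host', $host );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_example_plugin_save', 'example_plugin_save' );
```

Two caveats when verifying this pattern: wp_verify_nonce() returns 1 or 2 (current or previous 12-hour tick), not true, so a handler that compares its result with === true rejects every request; and a WordPress nonce is not single-use, it stays valid for up to 24 hours, so it proves intent but does not prevent replay within that window. Also check that the nonce action string is specific to the operation (and, where relevant, to the object ID), since a nonce for "save_settings" reused across every form gives no per-action protection.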
Check for Correct Data Validation
Check the WP docs for the expected usage, defaults and return values of each sanitization, validation and escaping call to verify that it will behave the way the developer intended; sanitize_*() functions clean input, esc_*() functions escape output for one specific context (HTML, attribute, URL, JavaScript, SQL), and using one where the other is needed is a common source of bugs. It is usually worth reading the WordPress source for the function in question rather than trusting the docs alone, as the implementation does not always match the description, and give both a sanity check.
The WordPress Core Source Browser is at: http://core.trac.wordpress.org/browser
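As an added example of why reading the implementation matters (not code from the original page or any real plugin), the following shows a hypothetical lookup written with esc_sql() and the same lookup written with $wpdb->prepare(). esc_sql() only escapes the characters that matter inside a quoted SQL string literal; if the developer drops its result into the query unquoted, a value such as 1 OR 1=1 contains nothing to escape and passes through intact. The table and option names are assumptions.

```php
<?php
// Added example; table {prefix}example_items and the item fields are assumptions.

// VULNERABLE: esc_sql() returns the input with quotes and backslashes escaped for use
// *inside* '...'. The placeholder below is unquoted, so an id of "1 OR 1=1" is returned
// unchanged and the WHERE clause becomes "WHERE id = 1 OR 1=1".
function example_get_item_vulnerable( $id ) {
    global $wpdb;
    $table   = $wpdb->prefix . 'example_items';
    $safe_id = esc_sql( $id );
    return $wpdb->get_row( "SELECT * FROM {$table} WHERE id = {$safe_id}" );
}

// FIXED: let $wpdb->prepare() enforce the type. %d casts the argument to an integer,
// %s escapes it and wraps it in quotes, so the value can never change the query shape.
function example_get_item( $id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_items';
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", $id )
    );
}

// Same lesson on the output side: sanitize_text_field() strips tags and control
// characters from *input*, but a stored value still has to be escaped for the context
// it is *output* into. Escaping at output, not sanitizing at input, is what stops XSS.
function example_render_item( $id ) {
    $item = example_get_item( $id );
    if ( ! $item ) {
        return '';
    }
    // esc_html() for element content, esc_attr() for attribute values, esc_url() for hrefs.
    return sprintf(
        '<a href="%s" title="%s">%s</a>',
        esc_url( $item->link ),
        esc_attr( $item->title ),
        esc_html( $item->title )
    );
}
```

When auditing, grep for esc_sql( and check every use for surrounding quotes, and grep for $wpdb->query( / get_results( / get_var( / get_row( calls whose SQL string contains a variable but no $wpdb->prepare(). For output, check that every echo of user- or database-controlled data goes through the esc_*() function that matches its context; a value that is "sanitized" on the way in is not a reason to skip escaping on the way out.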
Links to PHP sanitization/validation function docs are below: