Vulnerabilities in web applications, particularly within content management systems (CMSs) and their plugins, remain a critical attack vector in practice. Dynamic testing techniques such as fuzzing are underutilized in the web domain because of their limited ability to explore deeply nested code paths and context-dependent application logic. This limitation is especially pronounced in CMSs, where third-party plugins often introduce complex, domain-specific behaviors that make it hard for general-purpose fuzzers to detect context-specific software defects. In this work, we present THEMIS, a context-aware grey-box fuzzing framework designed specifically for WordPress plugins. We built THEMIS on top of the ATROPOS testing infrastructure and extended it with a domain-specific instrumentation layer, an adaptive test harness, and a custom bug oracle. Together, these components enable targeted vulnerability detection by guiding the fuzzer toward semantically meaningful and security-relevant code paths. By design, our tool prioritizes server-side vulnerability classes, including injection flaws, insecure file access, and logic bugs, and leverages domain knowledge of WordPress APIs to improve detection precision. We evaluate THEMIS on 68 real-world plugins, including a representative subset drawn from related work. THEMIS successfully reproduces known CVEs from this selection and discovers 10 previously unknown vulnerabilities, which we have responsibly disclosed to the affected vendors. Compared to existing work, THEMIS achieves, on average, faster bug discovery and higher code coverage across the evaluated plugins. Our results demonstrate that domain-specific dynamic analysis, when paired with context-aware instrumentation and oracle-guided feedback, can outperform generic fuzzers in precision, effectiveness, and depth of exploration. These findings underscore the importance of adopting context-aware security testing strategies.
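To make the "custom bug oracle" idea concrete, the following Python sketch is an added illustration and is not THEMIS's or ATROPOS's code. It assumes a hypothetical instrumentation layer that reports each call to a security-relevant sink (here `$wpdb` query methods and file-access functions) together with the argument value and whether that value was built through `$wpdb->prepare`; the canary token `FUZZ_MARKER_7f3a`, the WordPress root `/var/www/html/` and the sample sink events are all constructed for the example. The oracle flags a test case when the fuzzer's canary reaches an unprepared SQL sink, or when a file sink receives a path that resolves outside the WordPress root.

```python
"""Toy sink-based bug oracle for a grey-box web fuzzer (illustrative only)."""
import os
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical canary the fuzzer embeds in generated inputs so the oracle can
# tell fuzzer-controlled data apart from the plugin's own constants.
MARKER = "FUZZ_MARKER_7f3a"

# Sinks the (assumed) instrumentation layer reports on.
SQL_SINKS = {"wpdb->query", "wpdb->get_results", "wpdb->get_var", "wpdb->get_row"}
FILE_SINKS = {"file_get_contents", "fopen", "include", "require", "unlink"}

# Constructed WordPress installation root used for path-traversal checks.
ABSPATH = "/var/www/html/"


@dataclass(frozen=True)
class SinkEvent:
    """One instrumented sink call as the hypothetical runtime would report it."""
    sink: str        # name of the sink reached
    arg: str         # argument value observed at the sink
    prepared: bool   # True if the value was produced by $wpdb->prepare (SQL only)


@dataclass(frozen=True)
class Finding:
    kind: str
    sink: str
    arg: str


def _resolved_path(arg: str) -> str:
    """Resolve a plugin-supplied path the way PHP would relative to ABSPATH."""
    # os.path.join discards ABSPATH when arg is absolute, matching PHP semantics.
    return os.path.normpath(os.path.join(ABSPATH, arg))


def classify(event: SinkEvent) -> Optional[Finding]:
    """Return a Finding if this sink call looks like a server-side vulnerability."""
    if event.sink in SQL_SINKS:
        # Fuzzer-controlled data reached a query sink without going through prepare().
        if MARKER in event.arg and not event.prepared:
            return Finding("sql-injection", event.sink, event.arg)
        return None

    if event.sink in FILE_SINKS:
        # Path that escapes the installation root: classic traversal.
        if not _resolved_path(event.arg).startswith(ABSPATH):
            return Finding("path-traversal", event.sink, event.arg)
        # Fuzzer-controlled file name inside the root: still insecure file access.
        if MARKER in event.arg:
            return Finding("insecure-file-access", event.sink, event.arg)
        return None

    # Sinks outside the oracle's scope (e.g. output sinks) are ignored here.
    return None


def run_oracle(events: List[SinkEvent]) -> List[Finding]:
    """Evaluate every reported sink call and collect the findings in order."""
    return [f for f in map(classify, events) if f is not None]


# Constructed sample trace from one fuzzing iteration.
SAMPLE_EVENTS = [
    # Canary inside a prepared statement: correctly parameterised, not a finding.
    SinkEvent("wpdb->get_results",
              "SELECT * FROM wp_posts WHERE ID = 'FUZZ_MARKER_7f3a'", prepared=True),
    # Canary concatenated straight into the query: finding.
    SinkEvent("wpdb->get_results",
              "SELECT * FROM wp_posts WHERE ID = FUZZ_MARKER_7f3a", prepared=False),
    # Path that climbs out of ABSPATH: finding.
    SinkEvent("file_get_contents", "../../../etc/passwd", prepared=False),
    # Ordinary upload path with no fuzzer data: benign.
    SinkEvent("file_get_contents", "wp-content/uploads/avatar.png", prepared=False),
    # Output sink, outside this oracle's scope.
    SinkEvent("echo", "<p>FUZZ_MARKER_7f3a</p>", prepared=False),
]


if __name__ == "__main__":
    for finding in run_oracle(SAMPLE_EVENTS):
        print(f"{finding.kind:22s} {finding.sink:18s} {finding.arg}")
```

The oracle is deliberately structural rather than signature-based: it asks whether attacker-reachable data arrived at a dangerous sink through an unsafe path, which is what lets a fuzzer report a bug without needing a crash. A real implementation would attach this check to interpreter-level hooks and feed the result back as a distinguished exit status so the fuzzer treats the input as a crash-equivalent.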
IEEE European Symposium on Security and Privacy (EuroS&P)
2026-07-06
2026-06-24