David Dewes ☕️
(he/him)

M. Sc. Cybersecurity Student

I am currently pursuing a Master’s degree in Cybersecurity at Saarland University and CISPA Helmholtz Center for Information Security. My research interests include automated security testing (fuzzing), web security, and secure software development.

Experience

Undergraduate Research Assistant

CISPA Helmholtz Center for Information Security

Responsibilities include:

  • Continuation of my bachelor thesis project on effective web fuzzing to make the technology accessible to the scientific community in the form of a publication
  • Support in the (further) development of diverse research projects in the field of systems and web security
  • Independent execution and evaluation of experiments for the development of new web fuzzing methods

Working Student

ETAGE 4 GmbH

Responsibilities include:

  • Development of PHP (Laravel and others) and JavaScript (ReactJS and NodeJS) applications for use on the web
  • Development, maintenance and securing of our servers and services and those of our clients
  • Use of content management systems in conjunction with customer relationship management applications
  • Setup of existing applications for the clients, such as: Shopify, WordPress, Zendesk, Iubenda, and many more

Student Assistant – Scientific Outreach Team

CISPA Helmholtz Center for Information Security

Responsibilities included:

  • Support in conception, design, setup/disassembly and technical (further) development of interactive workshops in computer science topics for any audience of any age group
  • Supervision and mentoring of ongoing workshop offerings

Internship

Schloss Dagstuhl – Leibniz Center for Informatics

Responsibilities included:

  • Development of a presentation tool for meetings of the scientific doctorate

Internship

Schloss Dagstuhl – Leibniz Center for Informatics

Responsibilities included:

  • Creation of a PHP class library to control a DSpace publication server via its REST API
  • Development of a user interface to create special documents in DSpace

Education

M. Sc. Cybersecurity

Saarland University

ERASMUS+ Program

Tallinn University of Technology

Grade: excellent (5,00)

Courses included:

  • Cybersecurity & Law
  • Digital Systems Design
  • Java Technologies

B. Sc. Cybersecurity

Saarland University

Grade: good (2,30)

Courses included:

  • Programming
  • Software Engineering
  • Cryptography
  • Automated Security Testing
  • Automated Debugging
  • Mobile Security

General University Entrance Qualification (Abitur)

Gymnasium Wendalinum (St. Wendel)

Grade: very good (1,60)

Achievements

THEMIS: Context-Aware Grey-box Fuzzing for WordPress Plugins
IEEE European Symposium on Security and Privacy 2026 ∙ July 2026
Vulnerabilities in web applications, particularly within content management systems (CMSs) and their plugins, remain a critical attack vector in practice. Dynamic testing techniques such as fuzzing are underutilized in the web domain due to their limited ability to explore deeply nested code paths and context-dependent application logic. This limitation is especially pronounced in the web domain in CMSs, where third-party plugins often introduce complex, domain-specific behaviors that challenge general-purpose fuzzers to detect context-specific software defects.
WordPress CVE-2025-9219
Wordfence ∙ September 2025
The Post SMTP – WP SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘update_post_smtp_pro_option_callback’ function in all versions up to, and including, 3.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable pro extensions.
WordPress CVE-2023-7306
Wordfence ∙ July 2025
The Frontend File Manager Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the wpfm_delete_multiple_files() function in all versions up to, and including, 21.5. This makes it possible for unauthenticated attackers to delete arbitrary posts.
WordPress CVE-2025-5701
Wordfence ∙ June 2025
The HyperComments plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the hc_request_handler function in all versions up to, and including, 1.2.2. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.