-
Notifications
You must be signed in to change notification settings - Fork 0
CpanelInc/tech-wpscanner
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
# Script: wpscanner
# Author: Peter Elsner <peter.elsner@webpros.com>
# Purpose: Standalone command line to check WPCore version, Plugin name, or Theme name against the wpvulnerability.net database.
# Created: 5/21/2024
# Copyright 2024, WebPros International, LLC.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
#
# 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
#
# THE SOFTWARE LICENSED HEREUNDER IS PROVIDED "AS IS" AND WEBPROS INTERNATIONAL, LLC D/B/A/ CPANEL (CPANEL) HEREBY DISCLAIMS ALL WARRANTIES OF ANY KIND, WHETHER EXPRESS OR IMPLIED, RELATING TO THE SOFTWARE, ITS THIRD PARTY COMPONENTS, AND ANY DATA ACCESSED THEREFROM, OR THE ACCURACY, TIMELINESS, COMPLETENESS, OR ADEQUACY OF THE SOFTWARE, ITS THIRD PARTY COMPONENTS, AND ANY DATA ACCESSED THEREFROM, INCLUDING THE IMPLIED WARRANTIES OF TITLE, MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. CPANEL DOES NOT WARRANT THAT THE SOFTWARE OR ITS THIRD PARTY COMPONENTS ARE ERROR-FREE OR WILL OPERATE WITHOUT INTERRUPTION. IF THE SOFTWARE, ITS THIRD PARTY COMPONENTS, OR ANY DATA ACCESSED THEREFROM IS DEFECTIVE, YOU ASSUME THE SOLE RESPONSIBILITY FOR THE ENTIRE COST OF ALL REPAIR OR INJURY OF ANY KIND, EVEN IF CPANEL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DEFECTS OR DAMAGES. NO ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY CPANEL, ITS AFFILIATES, LICENSEES, DEALERS, SUB-LICENSORS, AGENTS OR EMPLOYEES SHALL CREATE A WARRANTY OR IN ANY WAY INCREASE THE SCOPE OF ANY WARRANTY.
./wpscanner [ --core <version> | --plugin <plugin name> | --theme <theme name> ] [ --verbose]
--core <version> - checks the Core version of WordPress vulnerabilities.
--plugin <plugin_name> - checks the Plugin for any/all vulnerabiliites.
\_ --version <plugin_version> - pass this to compare version number against vulnerability database.
--theme <theme_name> - checks the Themes for any/all vulnerabiliites.
--verbose Use with any of the above 3 options to get MORE VERBOSITY.
--help - You're looking at it.
Example:
./wpscanner --core 6.4.3
There are 2 known vulnerabilities for the 6.4.3 version of WordPress core [ pass --verbose to list ].
./wpscanner --plugin woocommerce
There are 17 known vulnerabilities for the woocommerce WordPress Plugin [ pass --verbose to list ].
./wpscanner --theme ripple
There are 3 known vulnerabilities for the ripple WordPress Theme [ pass --verbose to list ].
./wpscanner --core 6.4.3 --verbose
WordPress Core Version: 6.4.3
[1] ----------
\_ CVE: CVE-2023-5692 https://www.cve.org/CVERecord?id=CVE-2023-5692
\_ [en] WordPress Core is vulnerable to Sensitive Information Exposure in versions up to, and including, 6.4.3 via the redirect_guess_404_permalink function. This can allow unauthenticated attackers to expose the slug of a custom post whose 'publicly_queryable' post status has been set to 'false'.
\_ CWE: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
\_ The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
\_Score: 5.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
[2] ----------
\_ CVE: CVE-2024-4439 https://www.cve.org/CVERecord?id=CVE-2024-4439
\_ [en] WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. In addition, it also makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that have the comment block present and display the comment author's avatar.
\_ CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
\_ The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
\_Score: 7.2 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
./wpscanner --plugin limit-login-attempts-reloaded --details --version 2.25.25
Plugin: Limit Login Attempts Reloaded - https://wordpress.org/plugins/limit-login-attempts-reloaded/
[1] ----------
\_ CVE: CVE-2020-35589 https://www.cve.org/CVERecord?id=CVE-2020-35589 Patched: Yes [ Version 2.25.25 is greater than 2.17.4 ]
\_ [en] The limit-login-attempts-reloaded plugin before 2.17.4 for WordPress allows wp-admin/options-general.php?page=limit-login-attempts&tab= XSS. A malicious user can cause an administrator user to supply dangerous content to the vulnerable page, which is then reflected back to the user and executed by the web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to victims.
\_ CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
\_ The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
[2] ----------
\_ CVE: CVE-2020-35590 https://www.cve.org/CVERecord?id=CVE-2020-35590 Patched: Yes [ Version 2.25.25 is greater than 2.17.4 ]
\_ [en] LimitLoginAttempts.php in the limit-login-attempts-reloaded plugin before 2.17.4 for WordPress allows a bypass of (per IP address) rate limits because the X-Forwarded-For header can be forged. When the plugin is configured to accept an arbitrary header for the client source IP address, a malicious user is not limited to perform a brute force attack, because the client IP header accepts any arbitrary string. When randomizing the header input, the login count does not ever reach the maximum allowed retries.
\_ CWE: CWE-307 Improper Restriction of Excessive Authentication Attempts
\_ The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.
[2] ----------
\_ CVE: CVE-2023-5525 https://www.cve.org/CVERecord?id=CVE-2023-5525 Patched: No [ Version 2.25.25 is not greater than 2.25.26 ]
\_ [en] The Limit Login Attempts Reloaded WordPress plugin before 2.25.26 is missing authorization on the `toggle_auto_update` AJAX action, allowing any user with a valid nonce to toggle the auto-update status of the plugin.
\_ CWE: CWE-862 Missing Authorization
\_ The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
[2] ----------
\_ CVE: CVE-2023-6934 https://www.cve.org/CVERecord?id=CVE-2023-6934 Patched: No [ Version 2.25.25 is not greater than 2.25.27 ]
\_ [en] The Limit Login Attempts Reloaded plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 2.25.26 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
\_ CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
\_ The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
\_Score: 6.4 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
There are 2 known vulnerabilities for the limit-login-attempts-reloaded WordPress Plugin.
\_ Of which 2 are patched and 2 are not patched.
./wpscanner --plugin limit-login-attempts-reloaded --details --version 2.25.27
Plugin: Limit Login Attempts Reloaded - https://wordpress.org/plugins/limit-login-attempts-reloaded/
[1] ----------
\_ CVE: CVE-2020-35589 https://www.cve.org/CVERecord?id=CVE-2020-35589 Patched: Yes [ Version 2.25.27 is greater than 2.17.4 ]
\_ [en] The limit-login-attempts-reloaded plugin before 2.17.4 for WordPress allows wp-admin/options-general.php?page=limit-login-attempts&tab= XSS. A malicious user can cause an administrator user to supply dangerous content to the vulnerable page, which is then reflected back to the user and executed by the web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to victims.
\_ CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
\_ The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
[2] ----------
\_ CVE: CVE-2020-35590 https://www.cve.org/CVERecord?id=CVE-2020-35590 Patched: Yes [ Version 2.25.27 is greater than 2.17.4 ]
\_ [en] LimitLoginAttempts.php in the limit-login-attempts-reloaded plugin before 2.17.4 for WordPress allows a bypass of (per IP address) rate limits because the X-Forwarded-For header can be forged. When the plugin is configured to accept an arbitrary header for the client source IP address, a malicious user is not limited to perform a brute force attack, because the client IP header accepts any arbitrary string. When randomizing the header input, the login count does not ever reach the maximum allowed retries.
\_ CWE: CWE-307 Improper Restriction of Excessive Authentication Attempts
\_ The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.
[3] ----------
\_ CVE: CVE-2023-5525 https://www.cve.org/CVERecord?id=CVE-2023-5525 Patched: Yes [ Version 2.25.27 is greater than 2.25.26 ]
\_ [en] The Limit Login Attempts Reloaded WordPress plugin before 2.25.26 is missing authorization on the `toggle_auto_update` AJAX action, allowing any user with a valid nonce to toggle the auto-update status of the plugin.
\_ CWE: CWE-862 Missing Authorization
\_ The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
[3] ----------
\_ CVE: CVE-2023-6934 https://www.cve.org/CVERecord?id=CVE-2023-6934 Patched: No [ Version 2.25.27 is not greater than 2.25.27 ]
\_ [en] The Limit Login Attempts Reloaded plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 2.25.26 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
\_ CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
\_ The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
\_Score: 6.4 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
There are 3 known vulnerabilities for the limit-login-attempts-reloaded WordPress Plugin.
\_ Of which 3 are patched and 1 is not patched.
You can add this to your .bashrc file
alias wpscanner="/usr/local/cpanel/3rdparty/bin/perl <(curl -s https://raw.githubusercontent.com/CpanelInc/tech-wpscanner/master/wpscanner) "
Then you can just call it as follows:
wpscanner --core 6.4.4
About
No description, website, or topics provided.
Resources
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published