
WordPress Version 5.5.5 Marked "Latest" but has known vulnerabilities #1649

Closed
jtpereyda opened this issue Jun 4, 2021 · 8 comments

@jtpereyda

5.5.5 Marked Latest

On a scan today (2021-06-03), with WPScan version 3.8.17, the site had a detected version of 5.5.5 which was described as Latest:

[+] WordPress version 5.5.5 identified (Latest, released on 2021-05-12).
 | Found By: Style Etag (Aggressive Detection)
 |  - https://REDACTED/wp-admin/load-styles.php, Match: '5.5.5'
 | Confirmed By: Query Parameter In Install Page (Aggressive Detection)
 |  - https://REDACTED/wp-includes/css/dashicons.min.css?ver=5.5.5
 |  - https://REDACTED/wp-includes/css/buttons.min.css?ver=5.5.5
 |  - https://REDACTED/wp-admin/css/forms.min.css?ver=5.5.5
 |  - https://REDACTED/wp-admin/css/l10n.min.css?ver=5.5.5
 |  - https://REDACTED/wp-admin/css/install.min.css?ver=5.5.5

WordPress 5.5.5 is not the latest as 5.7 is out, so I take it to mean this refers to the latest 5.5.x release. However the release page https://wordpress.org/support/wordpress-version/version-5-5-5/ says:

One security issue affects WordPress versions between 3.7 and 5.7. If you haven’t yet updated to 5.7, all WordPress versions since 3.7 have also been updated to fix the following security issues:

Object injection in PHPMailer, CVE-2020-36326 and CVE-2018-19296.

The CVE page lists 5.5.5 as an affected CPE: https://nvd.nist.gov/vuln/detail/CVE-2020-36326/cpes?expandCpeRanges=true

Your environment

I'm using the Docker version, 3.8.17.

  • Version of WPScan: 3.8.17
  • Version of Ruby: (not sure how to check)
  • Operating System (OS): Ubuntu 20.04.2

Steps to reproduce

sudo docker run -it --rm wpscanteam/wpscan --url REDACTED --api-token REDACTED -f cli-no-color

Expected behavior

I would expect the scan to give an indication about this known vulnerability.

Actual behavior

The output makes it seem like this is the most recent WordPress version without any known patched vulnerabilities.

What have you already tried

N/A -- Manual research.

@erwanlr
Member

erwanlr commented Jun 4, 2021

so I take it to mean this refers to the latest 5.5.x release

Yep, it means it's the latest in the branch

One security issue affects WordPress versions between 3.7 and 5.7. If you haven’t yet updated to 5.7, all WordPress versions since 3.7 have also been updated to fix the following security issues:

Object injection in PHPMailer, CVE-2020-36326 and CVE-2018-19296.

The last bit is very important here

If you haven’t yet updated to 5.7, all WordPress versions since 3.7 have also been updated to fix the following security issues

Meaning the 5.5.x branch was patched and v5.5.5 fixed the issue:

So the Security updates section actually lists the security issues which were fixed in that version, and not the issues affecting the version.

Unfortunately, the CPEs from the CVE are wrong and do not seem to consider the patches in the branches (they just do >= 3.7 & <= 5.7, which is incorrect and even forgets 5.7.1, which is vulnerable)
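To make the difference concrete, here is an added example (not WPScan's own code) contrasting the flat CPE range check with a branch-aware check like the one the WPScan database encodes. The fix table and release list are constructed for illustration; only the 5.5.5 fix and the fact that 5.7.1 is still vulnerable come from this thread, and the 5.7.2 entry is an assumption.

```ruby
# Added example, not part of WPScan. Shows why a flat version range
# (the NVD CPE ">= 3.7, <= 5.7") mislabels backported branch fixes,
# and what a per-branch fix table looks like instead.
require 'rubygems' # for Gem::Version comparisons

# First patched release per branch. Constructed for illustration:
# '5.5' => '5.5.5' is from the thread; '5.7' => '5.7.2' is an assumption
# (the thread only states that 5.7.1 is still vulnerable).
BRANCH_FIXES = {
  '5.7' => '5.7.2',
  '5.5' => '5.5.5',
}.freeze

# Known releases per branch (constructed list). WPScan's "Latest" label
# means newest within the detected branch, not newest WordPress overall.
BRANCH_RELEASES = {
  '5.5' => %w[5.5 5.5.1 5.5.2 5.5.3 5.5.4 5.5.5],
}.freeze

AFFECTED_FLOOR = Gem::Version.new('3.7') # issue affects 3.7 and later

def branch_of(version)
  version.split('.')[0, 2].join('.')
end

# Reproduces the flat CPE range: flags every fixed 5.x.y backport as
# vulnerable, yet misses 5.7.1 because 5.7.1 > 5.7.
def naive_cpe_vulnerable?(version)
  v = Gem::Version.new(version)
  v >= AFFECTED_FLOOR && v <= Gem::Version.new('5.7')
end

# Branch-aware status. An absent branch is :unknown rather than a guess:
# some branches never receive a backport, which is why the table is curated
# by hand from the release notes.
def branch_aware_status(version, fixes = BRANCH_FIXES)
  v = Gem::Version.new(version)
  return :not_affected if v < AFFECTED_FLOOR
  fix = fixes[branch_of(version)]
  return :unknown unless fix
  v >= Gem::Version.new(fix) ? :fixed : :vulnerable
end

# True when the version is the newest known release of its own branch.
def latest_in_branch?(version, releases = BRANCH_RELEASES)
  list = releases[branch_of(version)]
  return false unless list
  list.max_by { |r| Gem::Version.new(r) } == version
end
```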

@jtpereyda
Author

@erwanlr Thanks! I severely misread that. Sent NVD an email.

@jtpereyda
Author

Where does WPScan get its database of patched/unpatched versions? I contacted NVD, but they don't have access to a reliable list of fixed versions.

@jtpereyda
Author

Ah, the WPScan site has some very informative pages, e.g.: https://wpscan.com/vulnerability/4cd46653-4470-40ff-8aac-318bee2f998d

Still super curious on how/where this information is obtained.

@erwanlr
Member

erwanlr commented Jun 11, 2021

https://wordpress.org/download/releases/ has a list of all versions in each branch; the WordPress git repository (https://github.com/WordPress/wordpress-develop) can also be checked for patches

@jtpereyda
Author

Right, I guess I'm wondering how raw data from https://wordpress.org/download/releases/ (which doesn't list any vulnerability or security fix info) is collated into a nice list like you see on: https://wpscan.com/vulnerability/4cd46653-4470-40ff-8aac-318bee2f998d

Is it manually entered based on each new release? Or is that method part of the WPScan secret sauce? :)

@erwanlr
Member

erwanlr commented Jun 11, 2021

Yes, this is manually entered; it can't really be automated, as it's possible that some branches won't receive the patch(es). So it's all about reading the main release description and checking which branches received the patch(es)

@jtpereyda
Author

Cool! This really is a valuable tool; I doubt there's a more reliable and well presented source for this data anywhere.

As usual, the secret sauce is hard work.
