Comments (4)
domwhewell-sage
commented on June 22, 2024
2
Hey, just an update on this as I've been writing a module for this...
I'm currently doing a comparison of cmseek, wpscan and the existing nuclei module on a damn vulnerable wordpress container
They all do similar things but it looks to me as though nuclei already detects everything wpscan/cmseek do already.
Could you elaborate on the specific things this module should do, given vulns and information about the wordpress install are already detected by the nuclei module?
nuclei
just the wordpress related findings
[VULNERABILITY] {"description": "template: [CVE-2017-5487], name: [WordPress Core <4.7.1 - Username Enumeration] Extracted Data: [admin]", "host": "172.29.64.1", "severity": "MEDIUM", "url": "http://172.29.64.1:31337/"} nuclei (in-scope, medium)
[VULNERABILITY] {"description": "template: [wp-user-enum], name: [WordPress REST API User Enumeration] Extracted Data: [admin]", "host": "172.29.64.1", "severity": "LOW", "url": "http://172.29.64.1:31337/"} nuclei (in-scope, low)
[VULNERABILITY] {"description": "template: [CVE-2020-8772], name: [WordPress InfiniteWP <1.9.4.5 - Authorization Bypass]", "host": "172.29.64.1", "severity": "CRITICAL", "url": "http://172.29.64.1:31337/"} nuclei (critical, in-scope)
[VULNERABILITY] {"description": "template: [CVE-2019-9978], name: [WordPress Social Warfare <3.5.3 - Cross-Site Scripting]", "host": "172.29.64.1", "severity": "MEDIUM", "url": "http://172.29.64.1:31337/wp-admin/admin-post.php"} nuclei (in-scope, medium)
[FINDING] {"description": "template: [wordpress-login], name: [WordPress Login Panel - Detect]", "host": "172.29.64.1", "url": "http://172.29.64.1:31337/wp-login.php"} nuclei (in-scope)
[FINDING] {"description": "template: [wordpress-readme-file], name: [WordPress Readme File]", "host": "172.29.64.1", "url": "http://172.29.64.1:31337/readme.html"} nuclei (in-scope)
[VULNERABILITY] {"description": "template: [wordpress-weak-credentials], name: [WordPress - Weak Credentials]", "host": "172.29.64.1", "severity": "CRITICAL", "url": "http://172.29.64.1:31337/wp-login.php"} nuclei (critical, in-scope)
[FINDING] {"description": "template: [wordpress-xmlrpc-listmethods], name: [Wordpress XML-RPC List System Methods]", "host": "172.29.64.1", "url": "http://172.29.64.1:31337/xmlrpc.php"}nuclei (in-scope)
[FINDING] {"description": "template: [wp-license-file], name: [WordPress license file disclosure]", "host": "172.29.64.1", "url": "http://172.29.64.1:31337/license.txt"} nuclei (in-scope)
[VULNERABILITY] {"description": "template: [wordpress-xmlrpc-brute-force], name: [Wordpress XMLRPC.php username and password Bruteforcer]", "host": "172.29.64.1", "severity": "HIGH", "url": "http://172.29.64.1:31337/xmlrpc.php"} nuclei (high, in-scope)
[FINDING] {"description": "template: [wordpress-xmlrpc-file], name: [WordPress xmlrpc]", "host": "172.29.64.1", "url": "http://172.29.64.1:31337/xmlrpc.php"} nuclei (in-scope)
[FINDING] {"description": "template: [wordpress-plugins-detect], name: [WordPress Plugins Detection] Extracted Data: [InfiniteWP Client]", "host": "172.29.64.1", "url": "http://172.29.64.1:31337/wp-content/plugins/iwp-client/readme.txt"} nuclei (in-scope)
[FINDING] {"description": "template: [wordpress-plugins-detect], name: [WordPress Plugins Detection] Extracted Data: [WordPress Social Sharing Plugin - Social Warfare,3.5.2]", "host": "172.29.64.1", "url": "http://172.29.64.1:31337/wp-content/plugins/social-warfare/readme.txt"} nuclei (in-scope)
[FINDING] {"description": "template: [wordpress-plugins-detect], name: [WordPress Plugins Detection] Extracted Data: [WordPress WP-Advanced-Search]", "host": "172.29.64.1", "url": "http://172.29.64.1:31337/wp-content/plugins/wp-advanced-search/readme.txt"} nuclei (in-scope)
[FINDING] {"description": "template: [wordpress-plugins-detect], name: [WordPress Plugins Detection] Extracted Data: [Wordpress File Upload]", "host": "172.29.64.1", "url": "http://172.29.64.1:31337/wp-content/plugins/wp-file-upload/readme.txt"} nuclei (in-scope)
[FINDING] {"description": "template: [wordpress-plugins-detect], name: [WordPress Plugins Detection] Extracted Data: [Backup and Staging by WP Time Capsule,1.21.15]", "host": "172.29.64.1", "url": "http://172.29.64.1:31337/wp-content/plugins/wp-time-capsule/readme.txt"} nuclei (in-scope)cmseek
{
"cms_id": "wp",
"cms_name": "WordPress",
"cms_url": "https://wordpress.org",
"detection_param": "generator",
"last_scanned": "2024-05-31 15:48:08.479127",
"url": "http://172.29.64.1:31337",
"wp_license": "http://172.29.64.1:31337/license.txt",
"wp_plugins": "wp-advanced-search Version 1.0,wp-file-upload Version 5.3,social-warfare Version 3.5.2,",
"wp_readme_file": "http://172.29.64.1:31337/readme.html",
"wp_themes": "twentytwenty Version 1.0,",
"wp_version": "5.3"
}wpscan
Interesting Finding(s):
[+] Headers
| Interesting Entries:
| - Server: Apache/2.4.38 (Debian)
| - X-Powered-By: PHP/7.1.33
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://172.29.64.1:31337/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://172.29.64.1:31337/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://172.29.64.1:31337/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.3 identified (Insecure, released on 2019-11-12).
| Found By: Emoji Settings (Passive Detection)
| - http://172.29.64.1:31337/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.3'
| Confirmed By: Meta Generator (Passive Detection)
| - http://172.29.64.1:31337/, Match: 'WordPress 5.3'
[i] The main theme could not be detected.
[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] social-warfare
| Location: http://172.29.64.1:31337/wp-content/plugins/social-warfare/
| Last Updated: 2024-04-07T19:32:00.000Z
| [!] The version is out of date, the latest version is 4.4.6.3
|
| Found By: Comment (Passive Detection)
|
| Version: 3.5.2 (100% confidence)
| Found By: Comment (Passive Detection)
| - http://172.29.64.1:31337/, Match: 'Social Warfare v3.5.2'
| Confirmed By:
| Readme - Stable Tag (Aggressive Detection)
| - http://172.29.64.1:31337/wp-content/plugins/social-warfare/readme.txt
| Readme - ChangeLog Section (Aggressive Detection)
| - http://172.29.64.1:31337/wp-content/plugins/social-warfare/readme.txt
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:30 <=========================================================================================================================> (137 / 137) 100.00% Time: 00:00:30
[i] No Config Backups Found.
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Fri May 31 15:11:40 2024
[+] Requests Done: 167
[+] Cached Requests: 4
[+] Data Sent: 56.133 KB
[+] Data Received: 298.913 KB
[+] Memory used: 313.848 MB
[+] Elapsed time: 00:01:07from bbot.
domwhewell-sage
commented on June 22, 2024
2
Ah yes wpscan and an API key is finding more vulnerabilities than cmseek or nuclei
Interesting Finding(s):
[+] Headers
| Interesting Entries:
| - Server: Apache/2.4.38 (Debian)
| - X-Powered-By: PHP/7.1.33
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://172.29.64.1:31337/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://172.29.64.1:31337/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://172.29.64.1:31337/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.3 identified (Insecure, released on 2019-11-12).
| Found By: Emoji Settings (Passive Detection)
| - http://172.29.64.1:31337/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.3'
| Confirmed By: Meta Generator (Passive Detection)
| - http://172.29.64.1:31337/, Match: 'WordPress 5.3'
|
| [!] 52 vulnerabilities identified:
|
| [!] Title: WordPress <= 5.3 - Authenticated Improper Access Controls in REST API
| Fixed in: 5.3.1
| References:
| - https://wpscan.com/vulnerability/4a6de154-5fbd-4c80-acd3-8902ee431bd8
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20043
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16788
| - https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-g7rg-hchx-c2gw
|
| [!] Title: WordPress <= 5.3 - Authenticated Stored XSS via Crafted Links
| Fixed in: 5.3.1
| References:
| - https://wpscan.com/vulnerability/23553517-34e3-40a9-a406-f3ffbe9dd265
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20042
| - https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
| - https://hackerone.com/reports/509930
| - https://github.com/WordPress/wordpress-develop/commit/1f7f3f1f59567e2504f0fbebd51ccf004b3ccb1d
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-xvg2-m2f4-83m7
|
| [!] Title: WordPress <= 5.3 - Authenticated Stored XSS via Block Editor Content
| Fixed in: 5.3.1
| References:
| - https://wpscan.com/vulnerability/be794159-4486-4ae1-a5cc-5c190e5ddf5f
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16781
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16780
| - https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-pg4x-64rh-3c9v
|
| [!] Title: WordPress <= 5.3 - wp_kses_bad_protocol() Colon Bypass
| Fixed in: 5.3.1
| References:
| - https://wpscan.com/vulnerability/8fac612b-95d2-477a-a7d6-e5ec0bb9ca52
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20041
| - https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
| - https://github.com/WordPress/wordpress-develop/commit/b1975463dd995da19bb40d3fa0786498717e3c53
|
| [!] Title: WordPress < 5.4.1 - Password Reset Tokens Failed to Be Properly Invalidated
| Fixed in: 5.3.3
| References:
| - https://wpscan.com/vulnerability/7db191c0-d112-4f08-a419-a1cd81928c4e
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11027
| - https://wordpress.org/news/2020/04/wordpress-5-4-1/
| - https://core.trac.wordpress.org/changeset/47634/
| - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-ww7v-jg8c-q6jw
|
| [!] Title: WordPress < 5.4.1 - Unauthenticated Users View Private Posts
| Fixed in: 5.3.3
| References:
| - https://wpscan.com/vulnerability/d1e1ba25-98c9-4ae7-8027-9632fb825a56
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11028
| - https://wordpress.org/news/2020/04/wordpress-5-4-1/
| - https://core.trac.wordpress.org/changeset/47635/
| - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-xhx9-759f-6p2w
|
| [!] Title: WordPress < 5.4.1 - Authenticated Cross-Site Scripting (XSS) in Customizer
| Fixed in: 5.3.3
| References:
| - https://wpscan.com/vulnerability/4eee26bd-a27e-4509-a3a5-8019dd48e429
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11025
| - https://wordpress.org/news/2020/04/wordpress-5-4-1/
| - https://core.trac.wordpress.org/changeset/47633/
| - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-4mhg-j6fx-5g3c
|
| [!] Title: WordPress < 5.4.1 - Authenticated Cross-Site Scripting (XSS) in Search Block
| Fixed in: 5.3.3
| References:
| - https://wpscan.com/vulnerability/e4bda91b-067d-45e4-a8be-672ccf8b1a06
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11030
| - https://wordpress.org/news/2020/04/wordpress-5-4-1/
| - https://core.trac.wordpress.org/changeset/47636/
| - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-vccm-6gmc-qhjh
|
| [!] Title: WordPress < 5.4.1 - Cross-Site Scripting (XSS) in wp-object-cache
| Fixed in: 5.3.3
| References:
| - https://wpscan.com/vulnerability/e721d8b9-a38f-44ac-8520-b4a9ed6a5157
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11029
| - https://wordpress.org/news/2020/04/wordpress-5-4-1/
| - https://core.trac.wordpress.org/changeset/47637/
| - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-568w-8m88-8g2c
|
| [!] Title: WordPress < 5.4.1 - Authenticated Cross-Site Scripting (XSS) in File Uploads
| Fixed in: 5.3.3
| References:
| - https://wpscan.com/vulnerability/55438b63-5fc9-4812-afc4-2f1eff800d5f
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11026
| - https://wordpress.org/news/2020/04/wordpress-5-4-1/
| - https://core.trac.wordpress.org/changeset/47638/
| - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-3gw2-4656-pfr2
| - https://hackerone.com/reports/179695
|
| [!] Title: WordPress < 5.4.2 - Authenticated XSS in Block Editor
| Fixed in: 5.3.4
| References:
| - https://wpscan.com/vulnerability/831e4a94-239c-4061-b66e-f5ca0dbb84fa
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4046
| - https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-rpwf-hrh2-39jf
| - https://pentest.co.uk/labs/research/subtle-stored-xss-wordpress-core/
| - https://www.youtube.com/watch?v=tCh7Y8z8fb4
|
| [!] Title: WordPress < 5.4.2 - Authenticated XSS via Media Files
| Fixed in: 5.3.4
| References:
| - https://wpscan.com/vulnerability/741d07d1-2476-430a-b82f-e1228a9343a4
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4047
| - https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-8q2w-5m27-wm27
|
| [!] Title: WordPress < 5.4.2 - Open Redirection
| Fixed in: 5.3.4
| References:
| - https://wpscan.com/vulnerability/12855f02-432e-4484-af09-7d0fbf596909
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4048
| - https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/
| - https://github.com/WordPress/WordPress/commit/10e2a50c523cf0b9785555a688d7d36a40fbeccf
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-q6pw-gvf4-5fj5
|
| [!] Title: WordPress < 5.4.2 - Authenticated Stored XSS via Theme Upload
| Fixed in: 5.3.4
| References:
| - https://wpscan.com/vulnerability/d8addb42-e70b-4439-b828-fd0697e5d9d4
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4049
| - https://www.exploit-db.com/exploits/48770/
| - https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-87h4-phjv-rm6p
| - https://hackerone.com/reports/406289
|
| [!] Title: WordPress < 5.4.2 - Misuse of set-screen-option Leading to Privilege Escalation
| Fixed in: 5.3.4
| References:
| - https://wpscan.com/vulnerability/b6f69ff1-4c11-48d2-b512-c65168988c45
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4050
| - https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/
| - https://github.com/WordPress/WordPress/commit/dda0ccdd18f6532481406cabede19ae2ed1f575d
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-4vpv-fgg2-gcqc
|
| [!] Title: WordPress < 5.4.2 - Disclosure of Password-Protected Page/Post Comments
| Fixed in: 5.3.4
| References:
| - https://wpscan.com/vulnerability/eea6dbf5-e298-44a7-9b0d-f078ad4741f9
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25286
| - https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/
| - https://github.com/WordPress/WordPress/commit/c075eec24f2f3214ab0d0fb0120a23082e6b1122
|
| [!] Title: WordPress 4.7-5.7 - Authenticated Password Protected Pages Exposure
| Fixed in: 5.3.7
| References:
| - https://wpscan.com/vulnerability/6a3ec618-c79e-4b9c-9020-86b157458ac5
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29450
| - https://wordpress.org/news/2021/04/wordpress-5-7-1-security-and-maintenance-release/
| - https://blog.wpscan.com/2021/04/15/wordpress-571-security-vulnerability-release.html
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-pmmh-2f36-wvhq
| - https://core.trac.wordpress.org/changeset/50717/
| - https://www.youtube.com/watch?v=J2GXmxAdNWs
|
| [!] Title: WordPress 3.7 to 5.7.1 - Object Injection in PHPMailer
| Fixed in: 5.3.8
| References:
| - https://wpscan.com/vulnerability/4cd46653-4470-40ff-8aac-318bee2f998d
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36326
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19296
| - https://github.com/WordPress/WordPress/commit/267061c9595fedd321582d14c21ec9e7da2dcf62
| - https://wordpress.org/news/2021/05/wordpress-5-7-2-security-release/
| - https://github.com/PHPMailer/PHPMailer/commit/e2e07a355ee8ff36aba21d0242c5950c56e4c6f9
| - https://www.wordfence.com/blog/2021/05/wordpress-5-7-2-security-release-what-you-need-to-know/
| - https://www.youtube.com/watch?v=HaW15aMzBUM
|
| [!] Title: WordPress < 5.8.2 - Expired DST Root CA X3 Certificate
| Fixed in: 5.3.10
| References:
| - https://wpscan.com/vulnerability/cc23344a-5c91-414a-91e3-c46db614da8d
| - https://wordpress.org/news/2021/11/wordpress-5-8-2-security-and-maintenance-release/
| - https://core.trac.wordpress.org/ticket/54207
|
| [!] Title: WordPress < 5.8 - Plugin Confusion
| Fixed in: 5.8
| References:
| - https://wpscan.com/vulnerability/95e01006-84e4-4e95-b5d7-68ea7b5aa1a8
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44223
| - https://vavkamil.cz/2021/11/25/wordpress-plugin-confusion-update-can-get-you-pwned/
|
| [!] Title: WordPress < 5.8.3 - SQL Injection via WP_Query
| Fixed in: 5.3.11
| References:
| - https://wpscan.com/vulnerability/7f768bcf-ed33-4b22-b432-d1e7f95c1317
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21661
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-6676-cqfm-gw84
| - https://hackerone.com/reports/1378209
|
| [!] Title: WordPress < 5.8.3 - Author+ Stored XSS via Post Slugs
| Fixed in: 5.3.11
| References:
| - https://wpscan.com/vulnerability/dc6f04c2-7bf2-4a07-92b5-dd197e4d94c8
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21662
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-699q-3hj9-889w
| - https://hackerone.com/reports/425342
| - https://blog.sonarsource.com/wordpress-stored-xss-vulnerability
|
| [!] Title: WordPress 4.1-5.8.2 - SQL Injection via WP_Meta_Query
| Fixed in: 5.3.11
| References:
| - https://wpscan.com/vulnerability/24462ac4-7959-4575-97aa-a6dcceeae722
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21664
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-jp3p-gw8h-6x86
|
| [!] Title: WordPress < 5.8.3 - Super Admin Object Injection in Multisites
| Fixed in: 5.3.11
| References:
| - https://wpscan.com/vulnerability/008c21ab-3d7e-4d97-b6c3-db9d83f390a7
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21663
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-jmmq-m8p8-332h
| - https://hackerone.com/reports/541469
|
| [!] Title: WordPress < 5.9.2 - Prototype Pollution in jQuery
| Fixed in: 5.3.12
| References:
| - https://wpscan.com/vulnerability/1ac912c1-5e29-41ac-8f76-a062de254c09
| - https://wordpress.org/news/2022/03/wordpress-5-9-2-security-maintenance-release/
|
| [!] Title: WP < 6.0.2 - Reflected Cross-Site Scripting
| Fixed in: 5.3.13
| References:
| - https://wpscan.com/vulnerability/622893b0-c2c4-4ee7-9fa1-4cecef6e36be
| - https://wordpress.org/news/2022/08/wordpress-6-0-2-security-and-maintenance-release/
|
| [!] Title: WP < 6.0.2 - Authenticated Stored Cross-Site Scripting
| Fixed in: 5.3.13
| References:
| - https://wpscan.com/vulnerability/3b1573d4-06b4-442b-bad5-872753118ee0
| - https://wordpress.org/news/2022/08/wordpress-6-0-2-security-and-maintenance-release/
|
| [!] Title: WP < 6.0.2 - SQLi via Link API
| Fixed in: 5.3.13
| References:
| - https://wpscan.com/vulnerability/601b0bf9-fed2-4675-aec7-fed3156a022f
| - https://wordpress.org/news/2022/08/wordpress-6-0-2-security-and-maintenance-release/
|
| [!] Title: WP < 6.0.3 - Stored XSS via wp-mail.php
| Fixed in: 5.3.14
| References:
| - https://wpscan.com/vulnerability/713bdc8b-ab7c-46d7-9847-305344a579c4
| - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
| - https://github.com/WordPress/wordpress-develop/commit/abf236fdaf94455e7bc6e30980cf70401003e283
|
| [!] Title: WP < 6.0.3 - Open Redirect via wp_nonce_ays
| Fixed in: 5.3.14
| References:
| - https://wpscan.com/vulnerability/926cd097-b36f-4d26-9c51-0dfab11c301b
| - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
| - https://github.com/WordPress/wordpress-develop/commit/506eee125953deb658307bb3005417cb83f32095
|
| [!] Title: WP < 6.0.3 - Email Address Disclosure via wp-mail.php
| Fixed in: 5.3.14
| References:
| - https://wpscan.com/vulnerability/c5675b59-4b1d-4f64-9876-068e05145431
| - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
| - https://github.com/WordPress/wordpress-develop/commit/5fcdee1b4d72f1150b7b762ef5fb39ab288c8d44
|
| [!] Title: WP < 6.0.3 - Reflected XSS via SQLi in Media Library
| Fixed in: 5.3.14
| References:
| - https://wpscan.com/vulnerability/cfd8b50d-16aa-4319-9c2d-b227365c2156
| - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
| - https://github.com/WordPress/wordpress-develop/commit/8836d4682264e8030067e07f2f953a0f66cb76cc
|
| [!] Title: WP < 6.0.3 - CSRF in wp-trackback.php
| Fixed in: 5.3.14
| References:
| - https://wpscan.com/vulnerability/b60a6557-ae78-465c-95bc-a78cf74a6dd0
| - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
| - https://github.com/WordPress/wordpress-develop/commit/a4f9ca17fae0b7d97ff807a3c234cf219810fae0
|
| [!] Title: WP < 6.0.3 - Stored XSS via the Customizer
| Fixed in: 5.3.14
| References:
| - https://wpscan.com/vulnerability/2787684c-aaef-4171-95b4-ee5048c74218
| - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
| - https://github.com/WordPress/wordpress-develop/commit/2ca28e49fc489a9bb3c9c9c0d8907a033fe056ef
|
| [!] Title: WP < 6.0.3 - Stored XSS via Comment Editing
| Fixed in: 5.3.14
| References:
| - https://wpscan.com/vulnerability/02d76d8e-9558-41a5-bdb6-3957dc31563b
| - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
| - https://github.com/WordPress/wordpress-develop/commit/89c8f7919460c31c0f259453b4ffb63fde9fa955
|
| [!] Title: WP < 6.0.3 - Content from Multipart Emails Leaked
| Fixed in: 5.3.14
| References:
| - https://wpscan.com/vulnerability/3f707e05-25f0-4566-88ed-d8d0aff3a872
| - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
| - https://github.com/WordPress/wordpress-develop/commit/3765886b4903b319764490d4ad5905bc5c310ef8
|
| [!] Title: WP < 6.0.3 - SQLi in WP_Date_Query
| Fixed in: 5.3.14
| References:
| - https://wpscan.com/vulnerability/1da03338-557f-4cb6-9a65-3379df4cce47
| - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
| - https://github.com/WordPress/wordpress-develop/commit/d815d2e8b2a7c2be6694b49276ba3eee5166c21f
|
| [!] Title: WP < 6.0.3 - Stored XSS via RSS Widget
| Fixed in: 5.3.14
| References:
| - https://wpscan.com/vulnerability/58d131f5-f376-4679-b604-2b888de71c5b
| - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
| - https://github.com/WordPress/wordpress-develop/commit/929cf3cb9580636f1ae3fe944b8faf8cca420492
|
| [!] Title: WP < 6.0.3 - Data Exposure via REST Terms/Tags Endpoint
| Fixed in: 5.3.14
| References:
| - https://wpscan.com/vulnerability/b27a8711-a0c0-4996-bd6a-01734702913e
| - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
| - https://github.com/WordPress/wordpress-develop/commit/ebaac57a9ac0174485c65de3d32ea56de2330d8e
|
| [!] Title: WP < 6.0.3 - Multiple Stored XSS via Gutenberg
| Fixed in: 5.3.14
| References:
| - https://wpscan.com/vulnerability/f513c8f6-2e1c-45ae-8a58-36b6518e2aa9
| - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
| - https://github.com/WordPress/gutenberg/pull/45045/files
|
| [!] Title: WP <= 6.2 - Unauthenticated Blind SSRF via DNS Rebinding
| References:
| - https://wpscan.com/vulnerability/c8814e6e-78b3-4f63-a1d3-6906a84c1f11
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3590
| - https://blog.sonarsource.com/wordpress-core-unauthenticated-blind-ssrf/
|
| [!] Title: WP < 6.2.1 - Directory Traversal via Translation Files
| Fixed in: 5.3.15
| References:
| - https://wpscan.com/vulnerability/2999613a-b8c8-4ec0-9164-5dfe63adf6e6
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2745
| - https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/
|
| [!] Title: WP < 6.2.1 - Thumbnail Image Update via CSRF
| Fixed in: 5.3.15
| References:
| - https://wpscan.com/vulnerability/a03d744a-9839-4167-a356-3e7da0f1d532
| - https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/
|
| [!] Title: WP < 6.2.1 - Contributor+ Stored XSS via Open Embed Auto Discovery
| Fixed in: 5.3.15
| References:
| - https://wpscan.com/vulnerability/3b574451-2852-4789-bc19-d5cc39948db5
| - https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/
|
| [!] Title: WP < 6.2.2 - Shortcode Execution in User Generated Data
| Fixed in: 5.3.15
| References:
| - https://wpscan.com/vulnerability/ef289d46-ea83-4fa5-b003-0352c690fd89
| - https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/
| - https://wordpress.org/news/2023/05/wordpress-6-2-2-security-release/
|
| [!] Title: WP < 6.2.1 - Contributor+ Content Injection
| Fixed in: 5.3.15
| References:
| - https://wpscan.com/vulnerability/1527ebdb-18bc-4f9d-9c20-8d729a628670
| - https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/
|
| [!] Title: WP < 6.3.2 - Denial of Service via Cache Poisoning
| Fixed in: 5.3.16
| References:
| - https://wpscan.com/vulnerability/6d80e09d-34d5-4fda-81cb-e703d0e56e4f
| - https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/
|
| [!] Title: WP < 6.3.2 - Subscriber+ Arbitrary Shortcode Execution
| Fixed in: 5.3.16
| References:
| - https://wpscan.com/vulnerability/3615aea0-90aa-4f9a-9792-078a90af7f59
| - https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/
|
| [!] Title: WP < 6.3.2 - Contributor+ Comment Disclosure
| Fixed in: 5.3.16
| References:
| - https://wpscan.com/vulnerability/d35b2a3d-9b41-4b4f-8e87-1b8ccb370b9f
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39999
| - https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/
|
| [!] Title: WP < 6.3.2 - Unauthenticated Post Author Email Disclosure
| Fixed in: 5.3.16
| References:
| - https://wpscan.com/vulnerability/19380917-4c27-4095-abf1-eba6f913b441
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5561
| - https://wpscan.com/blog/email-leak-oracle-vulnerability-addressed-in-wordpress-6-3-2/
| - https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/
|
| [!] Title: WordPress < 6.4.3 - Deserialization of Untrusted Data
| Fixed in: 5.3.17
| References:
| - https://wpscan.com/vulnerability/5e9804e5-bbd4-4836-a5f0-b4388cc39225
| - https://wordpress.org/news/2024/01/wordpress-6-4-3-maintenance-and-security-release/
|
| [!] Title: WordPress < 6.4.3 - Admin+ PHP File Upload
| Fixed in: 5.3.17
| References:
| - https://wpscan.com/vulnerability/a8e12fbe-c70b-4078-9015-cf57a05bdd4a
| - https://wordpress.org/news/2024/01/wordpress-6-4-3-maintenance-and-security-release/
[i] The main theme could not be detected.
[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] social-warfare
| Location: http://172.29.64.1:31337/wp-content/plugins/social-warfare/
| Last Updated: 2024-04-07T19:32:00.000Z
| [!] The version is out of date, the latest version is 4.4.6.3
|
| Found By: Comment (Passive Detection)
|
| [!] 7 vulnerabilities identified:
|
| [!] Title: Social Warfare <= 3.5.2 - Unauthenticated Arbitrary Settings Update
| Fixed in: 3.5.3
| References:
| - https://wpscan.com/vulnerability/32085d2d-1235-42b4-baeb-bc43172a4972
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9978
| - https://wordpress.org/support/topic/malware-into-new-update/
| - https://www.wordfence.com/blog/2019/03/unpatched-zero-day-vulnerability-in-social-warfare-plugin-exploited-in-the-wild/
| - https://threatpost.com/wordpress-plugin-removed-after-zero-day-discovered/143051/
| - https://twitter.com/warfareplugins/status/1108826025188909057
| - https://www.wordfence.com/blog/2019/03/recent-social-warfare-vulnerability-allowed-remote-code-execution/
|
| [!] Title: Social Warfare <= 3.5.2 - Unauthenticated Remote Code Execution (RCE)
| Fixed in: 3.5.3
| References:
| - https://wpscan.com/vulnerability/7b412469-cc03-4899-b397-38580ced5618
| - https://www.webarxsecurity.com/social-warfare-vulnerability/
|
| [!] Title: Social Warfare < 4.3.1 - Subscriber+ Post Meta Deletion
| Fixed in: 4.3.1
| References:
| - https://wpscan.com/vulnerability/5116068f-4b84-42ad-a88d-03e46096b41c
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0402
|
| [!] Title: Social Warfare < 4.4.0 - Post Meta Deletion via CSRF
| Fixed in: 4.4.0
| References:
| - https://wpscan.com/vulnerability/7140abf5-5966-4361-bd51-ee29d3071a30
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0403
|
| [!] Title: Social Sharing Plugin - Social Warfare < 4.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
| Fixed in: 4.4.4
| References:
| - https://wpscan.com/vulnerability/ab221b58-369e-4010-ae36-be099b2f4c9b
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4842
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/8f5b9aff-0833-4887-ae59-df5bc88c7f91
|
| [!] Title: Social Sharing Plugin – Social Warfare < 4.4.6.2 - Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode
| Fixed in: 4.4.6.2
| References:
| - https://wpscan.com/vulnerability/26ad138e-990a-4401-84e4-ea694ccf6e7f
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1959
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/1016f16c-0ab2-4cac-a7a5-8d93a37e7894
|
| [!] Title: Social Sharing Plugin – Social Warfare < 4.4.6 - Cross-Site Request Forgery
| Fixed in: 4.4.6
| References:
| - https://wpscan.com/vulnerability/acb8b33c-6b74-4d65-a3a5-5cad0c1ea8b0
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34825
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/f105bee6-21b2-4014-bb0a-9e53c49e29b0
|
| Version: 3.5.2 (100% confidence)
| Found By: Comment (Passive Detection)
| - http://172.29.64.1:31337/, Match: 'Social Warfare v3.5.2'
| Confirmed By:
| Readme - Stable Tag (Aggressive Detection)
| - http://172.29.64.1:31337/wp-content/plugins/social-warfare/readme.txt
| Readme - ChangeLog Section (Aggressive Detection)
| - http://172.29.64.1:31337/wp-content/plugins/social-warfare/readme.txt
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:01 <=========================> (137 / 137) 100.00% Time: 00:00:01
[i] No Config Backups Found.
[+] WPScan DB API OK
| Plan: free
| Requests Done (during the scan): 2
| Requests Remaining: 21
[+] Finished: Fri May 31 17:45:09 2024
[+] Requests Done: 171
[+] Cached Requests: 4
[+] Data Sent: 57.123 KB
[+] Data Received: 335.552 KB
[+] Memory used: 299.891 MB
[+] Elapsed time: 00:00:05Some findings may be duplicated with nuclei if you have that enabled aswell. But overall I think a wpscan module is worth it as your getting alot of vulnerabilities discovered with it.
Watch this space! PR loading...
from bbot.
domwhewell-sage
commented on June 22, 2024
I believe this discussion is relevant here #731 cmseek seems to duplicate all the findings of wpscan
from bbot.
amiremami
commented on June 22, 2024
Hey @domwhewell-sage thanks for working on this 🙏 I have not used them personally, but the things I might need are these:
Detecting of theme + plugins and their versions + finding any CVE for them if exist + Sensitive endpoints
It seems Nuclei is doing these according to your result, maybe except the detection of plugin versions?
from bbot.
Related Issues (20)
- Kill Multiple Modules
- Sponsor Upstream Dependencies
- IPv6 regex pattern incorrectly matches non-IPv6 addresses, no testing is being done for IP related regex patterns HOT 5
- pre-commit git hooks described in contribution.md, but no example .pre-commit-config.yaml provided
- Utilise DNS CAA records, extract authorised CAA's as affiliates, extract emails and URL's from any IODEF reporting destinations HOT 3
- Filedownload.handle_event (url_unverified) HOT 1
- Badsecrets taking a long time HOT 3
- Git clone interacting with console HOT 1
- SSLCert: duplicate malformed certificates HOT 1
- Bug in IIS Shortnames HOT 1
- Bug in BadDNS HOT 1
- Stdout dies mid-scan HOT 4
- ASN Error HOT 1
- Ability to set timeout on individual modules
- Option to Raise FILESYSTEM and WEBSCREENSHOTs as Base64 Blobs HOT 4
- Optimize scan status message HOT 1
- Better discovery path tracking for dnsbrute_mutations
- New Module: Apache Tika & `RAW_DATA` events HOT 11
- InternetDB: option to display open ports HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from bbot.