MadCookie
Hello everyone. I have a WordPress site; I have actually already gone through most of the items listed below and nothing much came of it, apart from the DoS :) Below is the WPScan report. Any ideas?
I should point out that my knowledge in the VAPT field is not that extensive (not even a lamer).
Code:
WordPress version 4.8.2:
1) Title: WordPress 2.3-4.8.3 - Host Header Injection in Password Reset
References:
- https://wpvulndb.com/vulnerabilities/8807
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8295
- https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
- http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html
- https://core.trac.wordpress.org/ticket/25239
2) Title: WordPress <= 4.8.2 - $wpdb->prepare() Weakness
Fixed in: 4.8.3
References:
- https://wpvulndb.com/vulnerabilities/8941
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16510
- https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/
- https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d
- https://twitter.com/ircmaxell/status/923662170092638208
- https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html
3) Title: WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload
Fixed in: 4.8.4
Description:
wp-includes/functions.php in WordPress before 4.9.1 does not require the unfiltered_html capability for upload of .js files, which might allow remote attackers to conduct XSS attacks via a crafted file.
References:
- https://wpvulndb.com/vulnerabilities/8966
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17092
- https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
- https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509
4) Title: WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping
Fixed in: 4.8.4
Description:
wp-includes/feed.php in WordPress before 4.9.1 does not properly restrict enclosures in RSS and Atom fields, which might allow attackers to conduct XSS attacks via a crafted URL.
References:
- https://wpvulndb.com/vulnerabilities/8967
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17094
- https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
- https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de
5) Title: WordPress 4.3.0-4.9 - HTML Language Attribute Escaping
Fixed in: 4.8.4
Description:
wp-includes/general-template.php in WordPress before 4.9.1 does not properly restrict the lang attribute of an HTML element, which might allow attackers to conduct XSS attacks via the language setting of a site.
References:
- https://wpvulndb.com/vulnerabilities/8968
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17093
- https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
- https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a
6) Title: WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing
wp-admin/user-new.php in WordPress before 4.9.1 sets the newbloguser key to a string that can be directly derived from the user ID, which allows remote attackers to bypass intended access restrictions by entering this string.
Fixed in: 4.8.4
References:
- https://wpvulndb.com/vulnerabilities/8969
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17091
- https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
- https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c
7) Title: WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)
Fixed in: 4.8.5
WordPress before 4.9.2 has XSS in the Flash fallback files in MediaElement (under wp-includes/js/mediaelement).
References:
- https://wpvulndb.com/vulnerabilities/9006
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5776
- https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850
- https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/
- https://core.trac.wordpress.org/ticket/42720
8) Title: WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)
In WordPress through 4.9.2, unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (from wp-includes/script-loader.php) to construct a series of requests to load every file many times.
References:
- https://wpvulndb.com/vulnerabilities/9021
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6389
- https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html
- https://github.com/quitten/doser.py
- https://thehackernews.com/2018/02/wordpress-dos-exploit.html
9) Title: WordPress 3.7-4.9.4 - Remove localhost Default
Before WordPress 4.9.5, the URL validator assumed URLs with the hostname localhost were on the same host as the WordPress server.
Fixed in: 4.8.6
References:
- https://wpvulndb.com/vulnerabilities/9053
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10101
- https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/
- https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216
10) Title: WordPress 3.7-4.9.4 - Use Safe Redirect for Login
Fixed in: 4.8.6
Before WordPress 4.9.5, the redirection URL for the login page was not validated or sanitized if forced to use HTTPS.
References:
- https://wpvulndb.com/vulnerabilities/9054
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10100
- https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/
- https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e
11) Title: WordPress 3.7-4.9.4 - Escape Version in Generator Tag
Fixed in: 4.8.6
Before WordPress 4.9.5, the version string was not escaped in the get_the_generator function, and could lead to XSS in a generator tag.
References:
- https://wpvulndb.com/vulnerabilities/9055
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10102
- https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/
- https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d
12) Title: WordPress <= 4.9.6 - Authenticated Arbitrary File Deletion
Fixed in: 4.8.7
This can lead to code execution if the wp-config.php file is deleted, forcing WordPress to start the installation process.
Can be exploited by any user who is able to edit uploaded media.
References:
- https://wpvulndb.com/vulnerabilities/9100
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12895
- https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/
- http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/
- https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd
- https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/
- https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/
13) Title: WordPress <= 5.0 - Authenticated File Delete
Fixed in: 5.0.1
In WordPress before 4.9.9 and 5.x before 5.0.1, authors could modify metadata to bypass intended restrictions on deleting files.
References:
- https://wpvulndb.com/vulnerabilities/9169
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20147
- https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
14) Title: WordPress <= 5.0 - Authenticated Post Type Bypass
Fixed in: 4.8.8
References:
- https://wpvulndb.com/vulnerabilities/9170
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20152
- https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
- https://blog.ripstech.com/2018/wordpress-post-type-privilege-escalation/
15) Title: WordPress <= 5.0 - PHP Object Injection via Meta Data
Fixed in: 4.8.8
References:
- https://wpvulndb.com/vulnerabilities/9171
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20148
- https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
16) Title: WordPress <= 5.0 - Authenticated Cross-Site Scripting (XSS)
Fixed in: 4.8.8
References:
- https://wpvulndb.com/vulnerabilities/9172
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20153
- https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
17) Title: WordPress <= 5.0 - Cross-Site Scripting (XSS) that could affect plugins
Fixed in: 4.8.8
References:
- https://wpvulndb.com/vulnerabilities/9173
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20150
- https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
- https://github.com/WordPress/WordPress/commit/fb3c6ea0618fcb9a51d4f2c1940e9efcd4a2d460
18) Title: WordPress <= 5.0 - User Activation Screen Search Engine Indexing
Fixed in: 4.8.8
References:
- https://wpvulndb.com/vulnerabilities/9174
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20151
- https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
19) Title: WordPress <= 5.0 - File Upload to XSS on Apache Web Servers
Fixed in: 4.8.8
References:
- https://wpvulndb.com/vulnerabilities/9175
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20149
- https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
- https://github.com/WordPress/WordPress/commit/246a70bdbfac3bd45ff71c7941deef1bb206b19a
20) Title: WordPress 3.7-5.0 (except 4.9.9) - Authenticated Code Execution
Fixed in: 5.0.1
References:
- https://wpvulndb.com/vulnerabilities/9222
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8942
- https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/
21) Title: WordPress 3.9-5.1 - Comment Cross-Site Scripting (XSS)
Fixed in: 4.8.9
References:
- https://wpvulndb.com/vulnerabilities/9230
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9787
- https://github.com/WordPress/WordPress/commit/0292de60ec78c5a44956765189403654fe4d080b
- https://wordpress.org/news/2019/03/wordpress-5-1-1-security-and-maintenance-release/
- https://blog.ripstech.com/2019/wordpress-csrf-to-rce/
google-analytics-for-wordpress
The version is out of date, the latest version is 7.5.0
[!] 1 vulnerability identified:
1) Title: Google Analytics by Monster Insights <= 7.1.0 - Authenticated Stored Cross-Site Scripting (XSS)
Fixed in: 7.2.0
References:
- https://wpvulndb.com/vulnerabilities/9157
- https://www.ripstech.com/php-security-calendar-2018/
wordpress-seo
The version is out of date, the latest version is 10.1.1
[!] 2 vulnerabilities identified:
1) Title: Yoast SEO <= 5.7.1 - Authenticated Cross-Site Scripting (XSS)
Fixed in: 5.8
References:
- https://wpvulndb.com/vulnerabilities/8960
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16842
- https://plugins.trac.wordpress.org/changeset/1766831/wordpress-seo/trunk/admin/google_search_console/class-gsc-table.php
- https://packetstormsecurity.com/files/145080/WordPress-Yoast-SEO-Cross-Site-Scripting.html
2) Title: Yoast SEO <= 9.1 - Authenticated Race Condition
Fixed in: 9.2
References:
- https://wpvulndb.com/vulnerabilities/9150
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19370
- https://plugins.trac.wordpress.org/changeset/1977260/wordpress-seo
- https://www.youtube.com/watch?v=nL141dcDGCY
- http://packetstormsecurity.com/files/150497/
- https://github.com/Yoast/wordpress-seo/pull/11502/commits/3bfa70a143f5ea3ee1934f3a1703bb5caf139ffa
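An added example (my own code, not from the post above or from WPScan) for triaging a core findings list like the one in the report against the detected version 4.8.2. It parses the plain-text layout WPScan printed (`N) Title: WordPress <range> - <name>`, an optional `Fixed in: x.y.z`, and `- <url>` reference lines), checks whether the version falls inside each affected range (including the `<= x`, `a-b` and `(except 4.9.9)` forms), and flags entries whose title says a logged-in user is required. `SAMPLE_REPORT` is a constructed excerpt of five entries copied from the post's own output; treating the word "Authenticated" in a title as "needs an account" is an assumption about WPScan's naming, not something the report states.

```python
"""Triage a WPScan-style WordPress core findings list against the detected version.
Added example: parses the text layout shown in the thread and answers, per
finding, whether the detected version is affected and whether a login is needed.
"""
import re
from dataclasses import dataclass, field

DETECTED_VERSION = "4.8.2"  # version WPScan reported for the site in the thread

# Constructed excerpt: five entries copied from the post's report, trimmed to
# one CVE reference each so the sample stays short.
SAMPLE_REPORT = """\
1) Title: WordPress 2.3-4.8.3 - Host Header Injection in Password Reset
References:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8295
2) Title: WordPress <= 4.8.2 - $wpdb->prepare() Weakness
Fixed in: 4.8.3
References:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16510
3) Title: WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload
Fixed in: 4.8.4
References:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17092
8) Title: WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)
References:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6389
20) Title: WordPress 3.7-5.0 (except 4.9.9) - Authenticated Code Execution
Fixed in: 5.0.1
References:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8942
"""

TITLE_RE = re.compile(r"^(?P<num>\d+)\) Title: WordPress (?P<range>.+?) - (?P<name>.+)$")
FIXED_RE = re.compile(r"^Fixed in: (?P<ver>[\d.]+)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class Finding:
    number: int
    name: str
    affected_range: str
    fixed_in: str = ""
    cves: list = field(default_factory=list)

    @property
    def needs_auth(self) -> bool:
        # Assumption: WPScan titles carry "Authenticated" when an account is
        # required; "Unauthenticated" explicitly means it is not.
        words = self.name.lower()
        return "authenticated" in words and "unauthenticated" not in words


def parse_version(text: str) -> tuple:
    """'4.9' -> (4, 9, 0) so that '4.9' and '4.9.0' compare equal."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def version_affected(range_text: str, version: str) -> bool:
    """True if `version` is inside a range like '2.3-4.8.3', '<= 4.9.4'
    or '3.7-5.0 (except 4.9.9)'."""
    v = parse_version(version)
    m = re.search(r"\(except ([^)]+)\)", range_text)
    if m:
        if v in {parse_version(x) for x in m.group(1).split(",")}:
            return False
        range_text = range_text[: m.start()].strip()
    if range_text.startswith("<="):
        return v <= parse_version(range_text[2:])
    if range_text.startswith("<"):
        return v < parse_version(range_text[1:])
    low, high = range_text.split("-")
    return parse_version(low) <= v <= parse_version(high)


def parse_report(text: str) -> list:
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = TITLE_RE.match(line)
        if m:
            findings.append(Finding(int(m.group("num")), m.group("name"), m.group("range")))
            continue
        if not findings:
            continue  # preamble before the first finding
        m = FIXED_RE.match(line)
        if m:
            findings[-1].fixed_in = m.group("ver")
            continue
        findings[-1].cves.extend(CVE_RE.findall(line))  # reference lines
    return findings


def triage(text: str, version: str = DETECTED_VERSION) -> tuple:
    """Return finding numbers split into (applies without a login,
    applies but needs a login, does not apply to this version)."""
    unauth, auth, skipped = [], [], []
    for f in parse_report(text):
        applies = version_affected(f.affected_range, version)
        if f.fixed_in and parse_version(version) >= parse_version(f.fixed_in):
            applies = False  # backported fix already present
        if not applies:
            skipped.append(f.number)
        elif f.needs_auth:
            auth.append(f.number)
        else:
            unauth.append(f.number)
    return unauth, auth, skipped


if __name__ == "__main__":
    for f in parse_report(SAMPLE_REPORT):
        print(f"{f.number:>2}) {f.name} | {', '.join(f.cves)} | needs login: {f.needs_auth}")
    print(triage(SAMPLE_REPORT))
```

For 4.8.2 the sample sorts into `([1, 2, 8], [3, 20], [])`; run over the full core section of the report it puts entries 3, 12, 13, 14, 16 and 20 into the needs-a-login bucket and every other entry into the no-login bucket, since each listed range includes 4.8.2. The split is the useful part: the "Authenticated" findings require an account with the relevant role, so without credentials they are not in play, and the range check is what tells you whether a backported fix (the `Fixed in: 4.8.x` lines) would already close an item on a newer 4.8 build. The parser is written for the core section only; the plugin sections use different title wording.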