Vulnerability scanners are useful tools for administrators and security analysts alike. For the casual WordPress user, tools like WPScan may look excessive and complicated; they just need their blog, web page or whatever they are running up and working. Any complex administration bothers them to the max, and there are good and valid reasons for that. This is why the same folks who built it, the well-known and well-reputed Sucuri company, sell security services to WordPress site owners. I will not link their site so nobody thinks I have any interest in talking about them. Google will tell you where they are.
So now. Let’s say you are not bothered and you want to learn how to find vulnerabilities in your WordPress with WPScan. You will have to install the tool on your Mac or Linux box, use Kali, or better yet install it on your FreeBSD machine. From there, just start using the tool.
If you find the articles in Adminbyaccident.com useful to you, please consider making a donation.
Use this link to get $200 credit at DigitalOcean and support Adminbyaccident.com costs.
Get $100 credit for free at Vultr using this link and support Adminbyaccident.com costs.
Mind Vultr supports FreeBSD on their VPS offer.
The first time we run WPScan it will have to update its vulnerability database after issuing the following command:
[Greta@VanFleet ~]$ wpscan --url http://myfancysite.com
After that, if you are using a WAF (Web Application Firewall) like ModSecurity or similar, it is quite possible you will end up with an error like this.
Scan Aborted: The target is responding with a 403, this might be due to a WAF. Please re-try with --random-user-agent
If that happens, just use the suggestion the tool gives you.
[Greta@VanFleet ~]$ wpscan --random-user-agent --url http://myfancysite.com
Down below you will find the result of a scan run against a website I happen to have not updated. It is not a production site, it is a test one, sitting in a FreeBSD jail. Jails are a very useful technology similar to Docker: you can run several instances of the OS (as guests) without touching the main one (acting as host) and without the overhead of VMs. They are very easy to manage with iocage.
The first thing we do is start the jail containing the website we want to scan. This could be any site, a test one or a live production one.
[Greta@VanFleet ~]$ sudo iocage start mysite.clone
* Starting mysite_clone
+ Started OK
+ Using devfs_ruleset: 6
+ Starting services OK
+ Executing poststart OK
[Greta@VanFleet ~]$
Once it’s up and running we will log into it.
[Greta@VanFleet ~]$ sudo iocage console mysite.clone
Last login: Thu Dec 6 12:02:03 on pts/1
FreeBSD 11.2-RELEASE-p9 (GENERIC) #0: Tue Feb 5 15:30:36 UTC 2019
Welcome to FreeBSD!
Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories: https://www.FreeBSD.org/security/
FreeBSD Handbook: https://www.FreeBSD.org/handbook/
FreeBSD FAQ: https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums: https://forums.FreeBSD.org/
Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with: pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.
Show the version of FreeBSD installed: freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages: man man
FreeBSD directory layout: man hier
Edit /etc/motd to change this login announcement.
root@mysite:~ #
So as you can already see, we were inside a host and now it looks like we are inside a different one. Just as in a Docker container, my friends.
We now check that the site is up and running.
root@mysite:~ # ps -aux | grep httpd
root 58749 0,0 0,0 14408 9632 - SsJ 23:26 0:00,01 /usr/local/sbin/httpd - DNOHTTPACCEPT
www 58784 0,0 0,0 19916 10516 - IJ 23:26 0:00,00 /usr/local/sbin/httpd - DNOHTTPACCEPT
www 58785 0,0 0,0 19916 10516 - IJ 23:26 0:00,00 /usr/local/sbin/httpd - DNOHTTPACCEPT
www 58786 0,0 0,0 19916 10516 - IJ 23:26 0:00,00 /usr/local/sbin/httpd - DNOHTTPACCEPT
root 58848 0,0 0,0 6740 2596 1 S+J 23:30 0:00,00 grep httpd
root@mysite:~ #
So yes, it is up and running.
We will now grab WPScan and perform a scan. It does not matter whether you use the tool from your Ubuntu install, from Kali Linux (a dedicated pentesting distribution) or from inside FreeBSD. The commands are the same, the results are the same, everything is the same.
Down below you will find the output of a scan I recently did on this outdated WordPress install. An outdated site was chosen so that issues show up in the scan.
Mind that good results are shown with a plus sign at the beginning of the line. Issues are shown with a minus at the beginning of the line. Warnings are shown with an exclamation mark. There is a lot of output down here, so read carefully and take your time.
root@WPScan:~/wpscan # wpscan --random-user-agent --url http://www.mysite.com
WordPress Security Scanner by the WPScan Team
Version 3.4.5
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________
[+] URL: http://www.mysite.com/
[+] Started: Sun Mar 17 22:07:18 2019
Interesting Finding(s):
[+] http://www.mysite.com/
| Interesting Entries:
| - Server: Apache/2.4.37 (FreeBSD) OpenSSL/1.0.2o-freebsd
| - X-Powered-By: PHP/7.1.25
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] http://www.mysite.com/robots.txt
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%
[+] http://www.mysite.com/xmlrpc.php
| Found By: Link Tag (Passive Detection)
| Confidence: 100%
| Confirmed By: Direct Access (Aggressive Detection), 100% confidence
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
[+] This site seems to be a multisite
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| Reference: http://codex.wordpress.org/Glossary#Multisite
[+] http://www.mysite.com/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.9.8 identified (Insecure, released on 2018-08-02).
| Detected By: Query Parameter In Install Page (Aggressive Detection)
| - http://www.mysite.com/wp-includes/css/buttons.min.css?ver=4.9.8
| - http://www.mysite.com/wp-admin/css/install.min.css?ver=4.9.8
| - http://www.mysite.com/wp-includes/css/dashicons.min.css?ver=4.9.8
| Confirmed By: Query Parameter In Upgrade Page (Aggressive Detection)
| - http://www.mysite.com/wp-includes/css/buttons.min.css?ver=4.9.8
| - http://www.mysite.com/wp-admin/css/install.min.css?ver=4.9.8
|
| [!] 9 vulnerabilities identified:
|
| [!] Title: WordPress <= 5.0 - Authenticated File Delete
| Fixed in: 4.9.9
| References:
| - https://wpvulndb.com/vulnerabilities/9169
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20147
| - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
|
| [!] Title: WordPress <= 5.0 - Authenticated Post Type Bypass
| Fixed in: 4.9.9
| References:
| - https://wpvulndb.com/vulnerabilities/9170
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20152
| - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
| - https://blog.ripstech.com/2018/wordpress-post-type-privilege-escalation/
|
| [!] Title: WordPress <= 5.0 - PHP Object Injection via Meta Data
| Fixed in: 4.9.9
| References:
| - https://wpvulndb.com/vulnerabilities/9171
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20148
| - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
|
| [!] Title: WordPress <= 5.0 - Authenticated Cross-Site Scripting (XSS)
| Fixed in: 4.9.9
| References:
| - https://wpvulndb.com/vulnerabilities/9172
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20153
| - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
|
| [!] Title: WordPress <= 5.0 - Cross-Site Scripting (XSS) that could affect plugins
| Fixed in: 4.9.9
| References:
| - https://wpvulndb.com/vulnerabilities/9173
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20150
| - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
| - https://github.com/WordPress/WordPress/commit/fb3c6ea0618fcb9a51d4f2c1940e9efcd4a2d460
|
| [!] Title: WordPress <= 5.0 - User Activation Screen Search Engine Indexing
| Fixed in: 4.9.9
| References:
| - https://wpvulndb.com/vulnerabilities/9174
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20151
| - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
|
| [!] Title: WordPress <= 5.0 - File Upload to XSS on Apache Web Servers
| Fixed in: 4.9.9
| References:
| - https://wpvulndb.com/vulnerabilities/9175
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20149
| - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
| - https://github.com/WordPress/WordPress/commit/246a70bdbfac3bd45ff71c7941deef1bb206b19a
|
| [!] Title: WordPress 3.7-5.0 (except 4.9.9) - Authenticated Code Execution
| Fixed in: 4.9.9
| References:
| - https://wpvulndb.com/vulnerabilities/9222
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8942
| - https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/
|
| [!] Title: WordPress 3.9-5.1 - Comment Cross-Site Scripting (XSS)
| Fixed in: 4.9.10
| References:
| - https://wpvulndb.com/vulnerabilities/9230
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9787
| - https://github.com/WordPress/WordPress/commit/0292de60ec78c5a44956765189403654fe4d080b
| - https://wordpress.org/news/2019/03/wordpress-5-1-1-security-and-maintenance-release/
| - https://blog.ripstech.com/2019/wordpress-csrf-to-rce/
[+] WordPress theme in use: news-pro
| Location: http://www.mysite.com/wp-content/themes/news-pro/
| Readme: http://www.mysite.com/wp-content/themes/news-pro/README.txt
| Style URL: http://www.mysite.com/wp-content/themes/news-pro/style.css?ver=3.0.2
| Style Name: News Pro Theme (Provided by Zazavy.com)
| Style URI: http://my.studiopress.com/themes/news/
| Description: A mobile responsive and HTML5 theme built for the Genesis Framework....
| Author: StudioPress
| Author URI: http://www.studiopress.com/
|
| Detected By: Css Style (Passive Detection)
|
| Version: 3.0.2 (80% confidence)
| Detected By: Style (Passive Detection)
| - http://www.mysite.com/wp-content/themes/news-pro/style.css?ver=3.0.2, Match: 'Version: 3.0.2'
[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] buddypress
| Location: http://www.mysite.com/wp-content/plugins/buddypress/
| Last Updated: 2019-02-26T18:45:00.000Z
| [!] The version is out of date, the latest version is 4.2.0
|
| Detected By: Urls In Homepage (Passive Detection)
|
| Version: 3.2.0 (100% confidence)
| Detected By: Query Parameter (Passive Detection)
| - http://www.mysite.com/wp-content/plugins/buddypress/bp-core/css/admin-bar.min.css?ver=3.2.0
| - http://www.mysite.com/wp-content/plugins/buddypress/bp-templates/bp-legacy/css/buddypress.min.css?ver=3.2.0
| - http://www.mysite.com/wp-content/plugins/buddypress/bp-core/js/confirm.min.js?ver=3.2.0
| - http://www.mysite.com/wp-content/plugins/buddypress/bp-core/js/widget-members.min.js?ver=3.2.0
| - http://www.mysite.com/wp-content/plugins/buddypress/bp-core/js/jquery-query.min.js?ver=3.2.0
| - http://www.mysite.com/wp-content/plugins/buddypress/bp-core/js/vendor/jquery-cookie.min.js?ver=3.2.0
| - http://www.mysite.com/wp-content/plugins/buddypress/bp-core/js/vendor/jquery-scroll-to.min.js?ver=3.2.0
| - http://www.mysite.com/wp-content/plugins/buddypress/bp-templates/bp-legacy/js/buddypress.min.js?ver=3.2.0
| Confirmed By:
| Readme - Stable Tag (Aggressive Detection)
| - http://www.mysite.com/wp-content/plugins/buddypress/readme.txt
| Readme - ChangeLog Section (Aggressive Detection)
| - http://www.mysite.com/wp-content/plugins/buddypress/readme.txt
[+] genesis-responsive-slider
| Location: http://www.mysite.com/wp-content/plugins/genesis-responsive-slider/
| Latest Version: 0.9.6 (up to date)
| Last Updated: 2017-11-03T21:26:00.000Z
|
| Detected By: Urls In Homepage (Passive Detection)
|
| Version: 0.9.6 (100% confidence)
| Detected By: Readme - Stable Tag (Aggressive Detection)
| - http://www.mysite.com/wp-content/plugins/genesis-responsive-slider/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://www.mysite.com/wp-content/plugins/genesis-responsive-slider/readme.txt
[+] recents-post-widget-extended
| Location: http://www.mysite.com/wp-content/plugins/recents-post-widget-extended/
|
| Detected By: Comment (Passive Detection)
|
| The version could not be determined.
[+] wordfence
| Location: http://www.mysite.com/wp-content/plugins/wordfence/
| Last Updated: 2019-02-28T17:12:00.000Z
| [!] The version is out of date, the latest version is 7.2.3
|
| Detected By: Javascript Var (Passive Detection)
|
| Version: 7.1.17 (100% confidence)
| Detected By: Readme - Stable Tag (Aggressive Detection)
| - http://www.mysite.com/wp-content/plugins/wordfence/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://www.mysite.com/wp-content/plugins/wordfence/readme.txt
[+] wordpress-seo
| Location: http://www.mysite.com/wp-content/plugins/wordpress-seo/
| Last Updated: 2019-03-12T09:35:00.000Z
| [!] The version is out of date, the latest version is 10.0
|
| Detected By: Comment (Passive Detection)
|
| Version: 9.2.1 (100% confidence)
| Detected By: Comment (Passive Detection)
| - http://www.mysite.com/, Match: 'optimized with the Yoast SEO plugin v9.2.1 -'
| Confirmed By:
| Readme - Stable Tag (Aggressive Detection)
| - http://www.mysite.com/wp-content/plugins/wordpress-seo/readme.txt
| Readme - ChangeLog Section (Aggressive Detection)
| - http://www.mysite.com/wp-content/plugins/wordpress-seo/readme.txt
[+] wp-piwik
| Location: http://www.mysite.com/wp-content/plugins/wp-piwik/
| Latest Version: 1.0.19
| Last Updated: 2018-01-09T09:13:00.000Z
|
| Detected By: Comment (Passive Detection)
|
| [!] 2 vulnerabilities identified:
|
| [!] Title: WP-Piwik <= 1.0.4 - Cross-Site Scripting (XSS)
| Fixed in: 1.0.5
| References:
| - https://wpvulndb.com/vulnerabilities/8216
| - https://github.com/braekling/WP-Piwik/commit/5110bfdb437a9f19b185ba8af33776fcb5e19940
|
| [!] Title: WP-Piwik <= 1.0.10 - Unauthenticated Stored Cross-Site Scripting (XSS)
| Fixed in: 1.0.10
| References:
| - https://wpvulndb.com/vulnerabilities/8613
| - https://www.pluginvulnerabilities.com/2016/08/29/persistent-cross-site-scripting-xss-vulnerability-in-wp-piwik/
| - https://plugins.trac.wordpress.org/changeset/1489152/wp-piwik
|
| The version could not be determined.
[+] wptouch
| Location: http://www.mysite.com/wp-content/plugins/wptouch/
| Last Updated: 2019-02-13T02:32:00.000Z
| [!] The version is out of date, the latest version is 4.3.35
|
| Detected By: Comment (Passive Detection)
|
| Version: 4.3.34 (100% confidence)
| Detected By: Comment (Passive Detection)
| - http://www.mysite.com/, Match: 'Powered by WPtouch: 4.3.34'
| Confirmed By: Readme - Stable Tag (Aggressive Detection)
| - http://www.mysite.com/wp-content/plugins/wptouch/readme.txt
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:01 <=========================================================================> (21 / 21) 100.00% Time: 00:00:01
[i] No Config Backups Found.
[+] Finished: Sun Mar 17 22:07:26 2019
[+] Requests Done: 82
[+] Cached Requests: 4
[+] Data Sent: 20.567 KB
[+] Data Received: 2.06 MB
[+] Memory used: 142.73 MB
[+] Elapsed time: 00:00:07
root@WPScan:~/wpscan #
If you are still here, and reading, thank you and congratulations. To summarize, the scan found 9 vulnerabilities. This site hasn’t been updated in a couple of months, and 9 issues have arisen. This is one of the reasons why security analysts keep pushing everyone to update, and to do it frequently. It is a matter of culture, not just a matter of time.
If this is your first time looking at vulnerabilities, keep on reading. To make it short, almost all vulnerabilities receive a CVE, which is a code number used to track them. From time to time a vulnerability gets a name, such as Spectre and Meltdown, but that rarely happens, only when things are bad, really bad. To understand how bad a vulnerability is there is a standard scale called CVSS (Common Vulnerability Scoring System). This scale or system looks at several angles of the vulnerability to determine how bad it is: the attack vector, the exploitation difficulty, whether any privileges are required, whether it needs user interaction, whether it changes the scope of its execution, and what impact it has on the confidentiality, integrity and availability of the affected system, among others. A detailed guide on CVSS can be found here.
So for our scan the following list of vulnerabilities was found:
CVE-2018-20147
CVE-2018-20152
CVE-2018-20148
CVE-2018-20153
CVE-2018-20150
CVE-2018-20151
CVE-2018-20149
CVE-2019-8942
CVE-2019-9787
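Reading a scan this long by eye is error prone, so as an added example that is not part of the original article, here is a small Python parser for WPScan's text output in the tree layout shown above. It pulls out what a defender acts on: the detected versions, each vulnerability with its "Fixed in" version and CVE ids, the components flagged as out of date, and the smallest upgrade per component that clears all its reported issues. The embedded SAMPLE is a constructed, trimmed excerpt of the scan above (three of the nine core entries, Wordfence and WP-Piwik) so the script runs offline; the class and function names are my own, not WPScan's, and the parser works on any run that keeps the same layout.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: a trimmed excerpt of the scan in the article, kept in WPScan's
# tree layout (the real run lists nine core CVEs; three are enough to exercise the parser).
SAMPLE = """\
[+] WordPress version 4.9.8 identified (Insecure, released on 2018-08-02).
 | [!] 3 vulnerabilities identified:
 | [!] Title: WordPress <= 5.0 - Authenticated File Delete
 |     Fixed in: 4.9.9
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9169
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20147
 | [!] Title: WordPress <= 5.0 - PHP Object Injection via Meta Data
 |     Fixed in: 4.9.9
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20148
 | [!] Title: WordPress 3.7-5.0 (except 4.9.9) - Authenticated Code Execution
 |     Fixed in: 4.9.9
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8942
[+] wordfence
 | [!] The version is out of date, the latest version is 7.2.3
 | Version: 7.1.17 (100% confidence)
[+] wp-piwik
 | [!] Title: WP-Piwik <= 1.0.4 - Cross-Site Scripting (XSS)
 |     Fixed in: 1.0.5
 |      - https://wpvulndb.com/vulnerabilities/8216
 | The version could not be determined.
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
WP_VERSION_RE = re.compile(r"WordPress version (\S+) identified")
SLUG_RE = re.compile(r"[a-z0-9_-]+")            # bare plugin slug line, e.g. "[+] wordfence"
OUTDATED_RE = re.compile(r"\[!\] The version is out of date, the latest version is (\S+)")
VERSION_RE = re.compile(r"Version: (\S+) \(")   # anchored at line start, so "Latest Version:" is ignored

@dataclass
class Vuln:
    component: str                              # "wordpress" or a plugin slug
    title: str
    fixed_in: Optional[str] = None
    cves: List[str] = field(default_factory=list)

@dataclass
class ScanResult:
    versions: Dict[str, Optional[str]] = field(default_factory=dict)  # None = could not be determined
    latest: Dict[str, str] = field(default_factory=dict)              # only components flagged out of date
    vulns: List[Vuln] = field(default_factory=list)

def parse_wpscan(text: str) -> ScanResult:
    res, component, current = ScanResult(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[+]"):              # every "[+]" line opens a new component block
            body, current = line[3:].strip(), None
            if m := WP_VERSION_RE.match(body):
                component = "wordpress"
                res.versions[component] = m.group(1)
            elif SLUG_RE.fullmatch(body):
                component = body
            else:
                component = None                # URL, theme or other finding: its block is skipped
            continue
        line = line.lstrip("| ").strip()        # drop the tree prefix WPScan draws
        if component is None or not line:
            continue
        if line.startswith("[!] Title:"):
            current = Vuln(component, line[len("[!] Title:"):].strip())
            res.vulns.append(current)
        elif line.startswith("Fixed in:") and current:
            current.fixed_in = line[len("Fixed in:"):].strip()
        elif current and (m := CVE_RE.search(line)):
            current.cves.append(m.group(0))
        elif m := OUTDATED_RE.match(line):
            res.latest[component] = m.group(1)
        elif m := VERSION_RE.match(line):
            res.versions[component] = m.group(1)
        elif line.startswith("The version could not be determined"):
            res.versions[component] = None
    return res

def version_key(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in re.findall(r"\d+", v))

def cve_list(res: ScanResult) -> List[str]:
    """CVE ids in the order the scanner reported them, without duplicates."""
    return list(dict.fromkeys(c for v in res.vulns for c in v.cves))

def outdated(res: ScanResult) -> Dict[str, Tuple[Optional[str], str]]:
    """Components WPScan flagged as out of date, as slug -> (installed, latest)."""
    return {s: (res.versions.get(s), latest) for s, latest in res.latest.items()}

def minimum_fix(res: ScanResult) -> Dict[str, str]:
    """Per component, the highest 'Fixed in' among its vulns: the smallest upgrade that clears them all."""
    out: Dict[str, str] = {}
    for v in res.vulns:
        if v.fixed_in and (v.component not in out or version_key(v.fixed_in) > version_key(out[v.component])):
            out[v.component] = v.fixed_in
    return out
```

Calling parse_wpscan(SAMPLE) and then cve_list, outdated and minimum_fix on the result gives the three CVEs in scan order, Wordfence as 7.1.17 against 7.2.3, and "upgrade WordPress to 4.9.9, WP-Piwik to 1.0.5". Note that WP-Piwik's entry yields no CVE at all, which is why a triage list built from CVE ids alone would miss it; the "Fixed in" data is the more reliable thing to act on. A plugin with an undetermined version is kept with None so it still shows up for a manual check.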
To find information about each one there are several websites one can check. One of the most relevant and useful ones is the US National Vulnerability Database. You can search there for those vulnerabilities and check out how bad they are. Don’t be fooled by low or medium results. Anything can be used to exploit a system: get a foot inside, dump a database full of usernames, emails, passwords, credit cards.
The worst vulnerability of this lot is CVE-2018-20148, which scores 9.8 out of 10, so it is a pretty ugly vulnerability. And there are two other high rated vulnerabilities (higher than 6.9), both scoring 8.8: CVE-2019-8942 and CVE-2019-9787.
Let’s concentrate on CVE-2018-20148. What the score tells us is that this is a vulnerability that can be reached through the network and that an attack is easy to perform. The attacker doesn’t need any privileges on the system, so anyone with an internet connection able to reach that site’s IP could perform an attack. There is no need for user interaction, so the attacker doesn’t need anyone to click on a button, open a file or do anything. The scope is not changed (this saves it from being a 10 out of 10), so it does not affect the OS kernel, but you can execute PHP code inside that box as if it were your own server, having the highest possible impact on confidentiality (the attacker can get any information), on integrity (the attacker can add or remove content) and on availability (the attacker can disable functionality or the whole website).
This is all for the base score. What about the temporal score? What does it mean? Well… the time from when a vulnerability is disclosed to when the patch is released should be as short as possible. Typically researchers, users and analysts warn the original developers of the software and wait before telling anyone else until a solution is found and released. This is called responsible disclosure. However, if a vulnerability is found being exploited in the wild, or details about it are released before a patch is available, this is called a zero day vulnerability. Not having a patch is ugly, but having exploit code available makes things much worse. And this is what the temporal score is all about. If the vulnerability is known, but a patch is available and no malicious code (not even a proof of concept) is around, the temporal score is not very high, typically a whole point or more under the base score. However, if things turn ugly it can be almost as high as the initial base score.
Patching is not only a good practice. It has to be understood as part of the job, a routine. Things can get ugly pretty quickly. A vulnerability can be found one day and just a few weeks later a module for the Metasploit suite can be released. All of a sudden an easy to use exploit is at the fingertips of many people. Pentesters will make good use of it in their security assessments for their clients, hopefully getting systems patched quickly. Cyber criminals will take advantage of those sites that are left unpatched.
This is all for this how-to on finding vulnerabilities in your WordPress with WPScan. I hope you enjoyed it and learnt something if you’ve never dealt with vulnerabilities.