Identifying WordPress Vulnerabilities-WPScan-II


In the last post, Exploring WordPress Vulnerabilities using WPScan, we discussed how to run a WPScan scan to identify vulnerable WordPress themes, plugins, users and so on.

 

This time we explore the risks that WPScan can identify and some of the reporting methods offered by the WPScan team.

First, let's look at the symbols that appear in WPScan output and what each one means:


        [!] - (red) A specific component of the site is vulnerable to exploitation

        [!] - (orange) Warning

        [i] - Informational

        [+] - Section

        [*] - Chapter heading (no colour, bold)

        [?] - Question / interaction with the user

The red [!] is the one to act on first, because it marks a specific component of the site that is vulnerable to exploitation.

WPScan also prints the number of vulnerabilities identified for each component in the scan result.

 

You can use that count to check whether your site contains vulnerable components.

All right, now we know how to read the output. Let's examine some examples of identified vulnerabilities.

In this example you can see the red [!] alert that marks the components which are vulnerable.

Here WPScan identified two vulnerabilities in the Yoast SEO plugin.

The first is an "Authenticated Race Condition"; according to the changelog it is a "Race Condition which leads to command execution, by users with SEO Manager roles." According to the WPScan database this issue was fixed in 9.2.

The second is an "Authenticated Stored XSS", a stored cross-site scripting flaw that an authenticated user can trigger.


In this example there are another two vulnerabilities, both in the "Social Warfare" plugin. WPScan provides a set of references for each vulnerability and exploit. For Social Warfare, one of the references shows that the vulnerability affects all versions up to and including 3.5.2; it was fixed in 3.5.3, and the result shows that fixed version as well.

It is important to note that when WPScan cannot determine the version of a plugin, it prints a list of all known vulnerabilities for that plugin. It is worth taking the time to review them, visit the reference sites individually and, on a site you are authorised to test, run the exploits to determine whether the target is actually vulnerable. Just because a plugin version cannot be determined does not mean the site is not vulnerable.
 
You can use the sites listed under References below to research potential vulnerabilities.

In addition, you can use the following command to save the WPScan result in a specific output format:

wpscan --url <URL> --output <FILENAME> --format <FORMAT> --api-token <YOUR_API_TOKEN>

Supported values for --format are cli, cli-no-colour (also cli-no-color) and json; json is the one to choose when another tool will read the report.

example:

wpscan --url https://wfh.lk --output scan.json --format json --api-token <API>

Passing the API token on the command line leaves it in your shell history; WPScan can also read it from the api_token entry under cli_options in ~/.wpscan/scan.yml.
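As an added example (not part of the original post and not WPScan's own tooling), the script below reads a JSON report saved with the command above and triages it: one row per plugin vulnerability, with plugins whose version WPScan could not determine flagged as "unverified" rather than silently dropped, which is the point made earlier about undetermined plugin versions. It assumes the abbreviated report layout described in its docstring. The embedded report is a constructed sample, not a real scan: the plugin "example-gallery" and every URL in it are hypothetical, and only the Yoast SEO and Social Warfare fixed versions are taken from the post.

```python
"""Triage a WPScan JSON report (wpscan ... --format json --output scan.json).

Assumed, abbreviated report shape (how WPScan's JSON writer lays out plugins):
  {"plugins": {slug: {"version": {"number": "9.1", "confidence": 80} or None,
                      "vulnerabilities": [{"title": ..., "fixed_in": ... or None,
                                           "references": {"url": [...]}}]}}}
"""
import json
import re
import sys
from typing import Dict, List, Optional, Tuple

AFFECTED = "affected"
AFFECTED_NO_FIX = "affected (no fixed version published)"
UNVERIFIED = "unverified (plugin version not determined; check references manually)"
NOT_AFFECTED = "not affected (installed version is at or above fixed_in)"

# Constructed sample, not real scan output. The two plugin names and fixed
# versions mirror the ones discussed in the post; "example-gallery" is a
# hypothetical plugin added only to exercise the no-fix path. URLs are fake.
SAMPLE_REPORT = json.dumps({
    "target_url": "https://example.com/",
    "plugins": {
        "wordpress-seo": {
            "version": {"number": "9.1", "confidence": 80},
            "vulnerabilities": [
                {"title": "Yoast SEO - Authenticated Race Condition",
                 "fixed_in": "9.2",
                 "references": {"url": ["https://example.com/advisory/yoast-race"]}},
            ],
        },
        "social-warfare": {
            # WPScan could not fingerprint the version, so every known
            # vulnerability for the plugin is listed (the case discussed above).
            "version": None,
            "vulnerabilities": [
                {"title": "Social Warfare - Stored XSS",
                 "fixed_in": "3.5.3",
                 "references": {"url": ["https://example.com/advisory/social-warfare"]}},
            ],
        },
        "example-gallery": {
            "version": {"number": "1.0", "confidence": 100},
            "vulnerabilities": [
                {"title": "Example Gallery - Hypothetical Unfixed Issue",
                 "fixed_in": None, "references": {}},
            ],
        },
    },
})


def parse_version(version: str) -> Tuple:
    """Turn '3.5.2' into a tuple that orders numerically, so '3.5.10' > '3.5.9'.
    Numeric pieces become (1, int); anything else (e.g. 'beta') becomes (0, str)
    and therefore sorts below any number."""
    return tuple((1, int(p)) if p.isdigit() else (0, p)
                 for p in re.split(r"[.\-]", version) if p)


def classify(version: Optional[str], fixed_in: Optional[str]) -> str:
    """Decide how to treat one WPScan vulnerability entry for a plugin."""
    if version is None:
        # WPScan lists all known issues when it cannot fingerprint the plugin;
        # these need manual verification, not dismissal.
        return UNVERIFIED
    if fixed_in is None:
        return AFFECTED_NO_FIX
    if parse_version(version) < parse_version(fixed_in):
        return AFFECTED
    return NOT_AFFECTED


def triage(report_json: str) -> List[Dict]:
    """Flatten the plugins section into one row per vulnerability, most urgent first."""
    report = json.loads(report_json)
    rows = []
    for slug, plugin in report.get("plugins", {}).items():
        version_info = plugin.get("version") or {}   # None when undetermined
        version = version_info.get("number")
        for vuln in plugin.get("vulnerabilities", []):
            rows.append({
                "plugin": slug,
                "version": version,
                "version_confidence": version_info.get("confidence"),
                "title": vuln.get("title"),
                "fixed_in": vuln.get("fixed_in"),
                "status": classify(version, vuln.get("fixed_in")),
                "references": vuln.get("references", {}).get("url", []),
            })
    order = {AFFECTED_NO_FIX: 0, AFFECTED: 1, UNVERIFIED: 2, NOT_AFFECTED: 3}
    return sorted(rows, key=lambda r: order[r["status"]])


def summarize(rows: List[Dict]) -> Dict[str, int]:
    """Count rows per status, like the 'N vulnerabilities identified' line WPScan prints."""
    counts: Dict[str, int] = {}
    for row in rows:
        counts[row["status"]] = counts.get(row["status"], 0) + 1
    return counts


if __name__ == "__main__":
    # Usage: python wpscan_triage.py scan.json  (falls back to the constructed sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    rows = triage(data)
    for r in rows:
        print(f"[{r['status']}] {r['plugin']} {r['version'] or '?'}: "
              f"{r['title']} (fixed in {r['fixed_in'] or 'n/a'})")
        for url in r["references"]:
            print(f"    ref: {url}")
    print(summarize(rows))
```

Run it as python wpscan_triage.py scan.json. The version re-check against fixed_in duplicates what WPScan already does when it knows the version, but it is cheap and it carries the version confidence through to the output: a finding built on a low-confidence version guess should be treated closer to "unverified" than to "not affected".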
 
 

References

[1] https://github.com/wpscanteam/wpscan

[2] https://github.com/wpscanteam/wpscan/wiki/WPScan-User-Documentation

[3] https://www.exploit-db.com/docs

 
