10up / wpcli-vulnerability-scanner

WP-CLI command for checking installed plugins and themes for vulnerabilities reported on wpvulndb.com
MIT License

wp vuln fix does not seem to actually be fixing anything #6

Closed TheLastCicada closed 7 years ago

TheLastCicada commented 8 years ago

Output from wp vuln status:

[root@single1 mu-plugins]# wp --allow-root vuln status
| name                                       | installed version | status                                      | fix            |
| add-to-any                                 | 1.6.8             | No reported vulns for add-to-any            | n/a            |
| batcache                                   | 1.2               | No reported vulns for batcache              | n/a            |
| broken-link-checker                        | 1.10.9            | No vulns reported for this version of broke | n/a            |
|                                            |                   | n-link-checker                              |                |
| sem-external-links                         | 6.5.1             | No reported vulns for sem-external-links    | n/a            |
| duracelltomi-google-tag-manager            | 1.1.1             | No reported vulns for duracelltomi-google-t | n/a            |
|                                            |                   | ag-manager                                  |                |
| google-sitemap-generator                   | 4.0.8             | No reported vulns for google-sitemap-genera | n/a            |
|                                            |                   | tor                                         |                |
| restricted-site-access                     | 5.1               | No reported vulns for restricted-site-acces | n/a            |
|                                            |                   | s                                           |                |
| simple-page-ordering                       | 2.2.4             | No reported vulns for simple-page-ordering  | n/a            |
| smart-404                                  | 0.5               | No reported vulns for smart-404             | n/a            |
| verify-google-webmaster-tools              | 1.3               | No reported vulns for verify-google-webmast | n/a            |
|                                            |                   | er-tools                                    |                |
| wordpress-importer                         | 0.6.1             | No reported vulns for wordpress-importer    | n/a            |
| wp-bugherd-master                          | 0.1.0             | No reported vulns for wp-bugherd-master     | n/a            |
| wordpress-seo                              | 2.3.5             | Yoast SEO <= 3.2.4 - Subscriber Settings Se | Fixed in 3.2.5 |
|                                            |                   | nsitive Data Exposure                       |                |
| 10up-sso-client                            | 1.0.0             | No reported vulns for 10up-sso-client       | n/a            |
| index                                      |                   | No reported vulns for index                 | n/a            |
| load                                       |                   | No reported vulns for load                  | n/a            |
| vulncli                                    | 0.0.1             | No reported vulns for vulncli               | n/a            |
Run `wp plugin update wordpress-seo`
| name           | installed version | status                                              | fix |
| kaazing        | 0.1.0             | No reported vulns for kaazing                       | n/a |
| root@          | 0.1.0             | No reported vulns for root@                         | n/a |
| twentyfifteen  | 1.2               | No vulns reported for this version of twentyfifteen | n/a |
| twentyfourteen | 1.4               | No reported vulns for twentyfourteen                | n/a |
| twentythirteen | 1.5               | No reported vulns for twentythirteen                | n/a |
Nothing to update

Then, if we run wp vuln fix.....

root@single1 mu-plugins]# wp --allow-root vuln fix
| name                                       | installed version | status                                      | fix            |
| add-to-any                                 | 1.6.8             | No reported vulns for add-to-any            | n/a            |
| batcache                                   | 1.2               | No reported vulns for batcache              | n/a            |
| broken-link-checker                        | 1.10.9            | No vulns reported for this version of broke | n/a            |
|                                            |                   | n-link-checker                              |                |
| sem-external-links                         | 6.5.1             | No reported vulns for sem-external-links    | n/a            |
| duracelltomi-google-tag-manager            | 1.1.1             | No reported vulns for duracelltomi-google-t | n/a            |
|                                            |                   | ag-manager                                  |                |
| google-sitemap-generator                   | 4.0.8             | No reported vulns for google-sitemap-genera | n/a            |
|                                            |                   | tor                                         |                |
| restricted-site-access                     | 5.1               | No reported vulns for restricted-site-acces | n/a            |
|                                            |                   | s                                           |                |
| simple-page-ordering                       | 2.2.4             | No reported vulns for simple-page-ordering  | n/a            |
| smart-404                                  | 0.5               | No reported vulns for smart-404             | n/a            |
| verify-google-webmaster-tools              | 1.3               | No reported vulns for verify-google-webmast | n/a            |
|                                            |                   | er-tools                                    |                |
| wordpress-importer                         | 0.6.1             | No reported vulns for wordpress-importer    | n/a            |
| wp-bugherd-master                          | 0.1.0             | No reported vulns for wp-bugherd-master     | n/a            |
| wordpress-seo                              | 2.3.5             | Yoast SEO <= 3.2.4 - Subscriber Settings Se | Fixed in 3.2.5 |
|                                            |                   | nsitive Data Exposure                       |                |
| 10up-sso-client                            | 1.0.0             | No reported vulns for 10up-sso-client       | n/a            |
| index                                      |                   | No reported vulns for index                 | n/a            |
| load                                       |                   | No reported vulns for load                  | n/a            |
| vulncli                                    | 0.0.1             | No reported vulns for vulncli               | n/a            |
Success: Updated 0/0 plugins.
| name           | installed version | status                                              | fix |
| kaazing        | 0.1.0             | No reported vulns for kaazing                       | n/a |
| root@          | 0.1.0             | No reported vulns for root@                         | n/a |
| twentyfifteen  | 1.2               | No vulns reported for this version of twentyfifteen | n/a |
| twentyfourteen | 1.4               | No reported vulns for twentyfourteen                | n/a |
| twentythirteen | 1.5               | No reported vulns for twentythirteen                | n/a |
Nothing to update

Nothing seems to actually update. I've got a good test case here, so let me know when I should retest this.

trepmal commented 8 years ago

Current implementation would be that you'd run our command to get a list of any vulnerable plugins (wp vuln plugin-status) then pass that list using --porcelain to the core wp plugin update command:

wp plugin update $(wp vuln plugin-status --porcelain)
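A guarded form of the workflow trepmal describes, as an added example that is not part of the project's code: it filters the porcelain list down to plausible plugin slugs and skips the update call when nothing is vulnerable, so an empty list never turns into a bare `wp plugin update` with no plugin names. It assumes `--porcelain` prints one slug per line; the sample lists and the `WP_BIN` override are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from wpcli-vulnerability-scanner.
# Wraps "wp plugin update $(wp vuln plugin-status --porcelain)" with two
# checks: keep only well-formed slugs, and do nothing when the list is empty.

# Turn porcelain output (assumed: one slug per line) into a single
# space-separated argument string. Prints nothing if no slug survives.
porcelain_to_args() {
    # strip CRs, drop blank or malformed lines (conservative slug charset)
    printf '%s\n' "$1" | tr -d '\r' | grep -E '^[a-z0-9_-]+$' \
        | tr '\n' ' ' | sed 's/ $//'
}

# Decide what should run. Returns the command line as text so the decision
# can be reviewed before the real update, and "Nothing to update" otherwise.
plan_update() {
    args=$(porcelain_to_args "$1")
    if [ -z "$args" ]; then
        echo "Nothing to update"
    else
        echo "wp plugin update $args"
    fi
}

# Live variant: query the scanner, then update only the listed plugins.
# WP_BIN lets a wrapper (e.g. "wp --allow-root") be substituted.
update_vulnerable() {
    wp_bin=${WP_BIN:-wp}
    list=$($wp_bin vuln plugin-status --porcelain) || return 1
    args=$(porcelain_to_args "$list")
    [ -n "$args" ] || { echo "Nothing to update"; return 0; }
    # word splitting on $args is intentional: one argument per slug
    $wp_bin plugin update $args
}

# Constructed sample inputs: one site with a flagged plugin, one clean site.
SAMPLE_VULNERABLE='wordpress-seo
broken-link-checker
'
SAMPLE_CLEAN=''

plan_update "$SAMPLE_VULNERABLE"   # wp plugin update wordpress-seo broken-link-checker
plan_update "$SAMPLE_CLEAN"        # Nothing to update
```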