Open kkuehlz opened 4 years ago
Blocker: wpscan refuses to say if the plugins are vulnerable or not without a subscription to their API
It still detects old/vulnerable WordPress versions for free, and I found a few of those manually. Maybe it'd be worth getting started with that first.
@cg505 Had a whole stream where he tried to set this up, @nikhiljha you should inquire with him
I mean it pretty much failed for the reason nikhil stated...
If wpscan doesn't work out we can at least relax the requirement a little and turn it into something like making sure people's sites are updated, they don't have weak passwords etc.
TL;DR from summer meeting notes:
Also see #45
In lieu of WPScan, we could try running https://github.com/swisskyrepo/Wordpresscan, which seems to be a re-implementation of some of the simpler tests.
Someone should create a script that runs wpscan on all OCF vhosts. It should enumerate vulnerable plugins and themes. If one is detected, create an RT ticket for security@. Have the entire thing run in a container and deploy in Kubernetes Cron.
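As an added example (my code, not the OCF project's and not part of wpscan), here is the triage half of the scheduled job described above: it builds the non-interactive wpscan command line, parses a wpscan JSON report into findings, and turns anything actionable into RT ticket text for security@. It assumes wpscan's `--format json` report layout (top-level `version`, `plugins` and `themes` with per-item `outdated`, `latest_version` and `vulnerabilities` fields); the embedded report is constructed, not real scan output, and the hostname is a placeholder. Without an API token the `vulnerabilities` lists stay empty, so the `outdated` flag is the free-tier signal the thread mentions; the script treats either as a reason to open a ticket. Hooking `ticket_body` up to RT (mail gateway or REST) is left to the deployment.

```python
"""Triage wpscan JSON output for a scheduled scan job (added example, not OCF code).

Assumptions (not from the issue): wpscan is run with `--format json`, and its
report uses `version`, `plugins` and `themes` keys with per-item `outdated`,
`latest_version` and `vulnerabilities` fields. RT integration is represented
by a function that returns ticket text.
"""
import json
from dataclasses import dataclass

# Constructed sample report: a trimmed wpscan-style JSON document for one vhost.
SAMPLE_REPORT = json.dumps({
    "target_url": "https://example-vhost.invalid/",
    "version": {"number": "5.2.1", "status": "insecure",
                "vulnerabilities": [{"title": "constructed core finding"}]},
    "plugins": {
        "contact-form-7": {"slug": "contact-form-7", "latest_version": "5.1.4",
                           "outdated": True, "version": {"number": "5.0.0"},
                           "vulnerabilities": [{"title": "constructed plugin finding"}]},
        "akismet": {"slug": "akismet", "latest_version": "4.1.2", "outdated": False,
                    "version": {"number": "4.1.2"}, "vulnerabilities": []},
    },
    "themes": {
        "twentynineteen": {"slug": "twentynineteen", "latest_version": "1.4",
                           "outdated": True, "version": {"number": "1.3"},
                           "vulnerabilities": []},
    },
})


@dataclass
class Finding:
    kind: str          # "core", "plugin" or "theme"
    slug: str
    installed: str
    latest: str
    outdated: bool
    vuln_count: int    # 0 when the scan ran without an API token


def wpscan_argv(url, api_token=None):
    """Command line for a non-interactive JSON scan of one vhost.

    Without an API token wpscan still reports versions and `outdated`, but
    leaves `vulnerabilities` empty (the blocker noted in the issue)."""
    argv = ["wpscan", "--url", url, "--format", "json", "--enumerate", "vp,vt"]
    if api_token:
        argv += ["--api-token", api_token]
    return argv


def parse_report(raw):
    """Flatten a wpscan JSON report into Finding records (core, plugins, themes)."""
    rep = json.loads(raw)
    findings = []
    core = rep.get("version") or {}
    if core:
        findings.append(Finding("core", "wordpress", core.get("number", "unknown"),
                                "unknown",
                                core.get("status") in ("outdated", "insecure"),
                                len(core.get("vulnerabilities") or [])))
    for kind, key in (("plugin", "plugins"), ("theme", "themes")):
        for slug, item in (rep.get(key) or {}).items():
            findings.append(Finding(kind, slug,
                                    (item.get("version") or {}).get("number", "unknown"),
                                    item.get("latest_version") or "unknown",
                                    bool(item.get("outdated")),
                                    len(item.get("vulnerabilities") or [])))
    return findings


def actionable(findings):
    """Known vulnerabilities, or outdated components when no vuln data is available."""
    return [f for f in findings if f.vuln_count > 0 or f.outdated]


def ticket_body(target, findings):
    """RT ticket text for security@; None when nothing needs a ticket."""
    hits = actionable(findings)
    if not hits:
        return None
    lines = [f"Subject: [wpscan] {target}: {len(hits)} item(s) need attention", ""]
    # Known-vulnerable items first, then by component type and name.
    for f in sorted(hits, key=lambda f: (-f.vuln_count, f.kind, f.slug)):
        tag = f"{f.vuln_count} known vuln(s)" if f.vuln_count else "outdated"
        lines.append(f"- {f.kind} {f.slug}: installed {f.installed}, "
                     f"latest {f.latest} ({tag})")
    return "\n".join(lines)


if __name__ == "__main__":
    target = json.loads(SAMPLE_REPORT)["target_url"]
    print(" ".join(wpscan_argv(target)))
    print(ticket_body(target, parse_report(SAMPLE_REPORT)))
```

In the cron job, each vhost's report would be read from the wpscan process (or a file written with `-o`) and passed to `parse_report`; the one-ticket-per-vhost shape keeps security@ from being flooded when a site has several outdated components.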