Closed truesamurai closed 4 years ago
the version given by wpscan is wrong.
I don't see the version given in the output, could you paste it please ?
the version given by wpscan is wrong.
I don't see the version given in the output, could you paste it please ?
[+] monarch | Location: xxxxxxxxx |
---|---|
Found By: Urls In Homepage (Passive Detection) | |
Confirmed By: Urls In 404 Page (Passive Detection) | |
[!] 1 vulnerability identified: | |
[!] Title: ElegantThemes - Privilege Escalation | |
Fixed in: 1.2.7 | |
References: | |
- https://wpvulndb.com/vulnerabilities/8394 | |
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-11002 | |
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-11003 | |
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-11004 | |
- http://www.pritect.net/blog/elegant-themes-security-vulnerability | |
- http://wptavern.com/critical-security-vulnerability-discovered-in-elegant-themes-products | |
The version could not be determined. |
So it says the version could not be determined, but it says fixed in version 1.2.7 while I have 1.4.12
| The version could not be determined.
So there is why. WPScan could not determine the version, hence the vulnerability being output.
I've added version detection for this plugin. Just update wpscan DB with wpscan --update
to get it.
Please note that success will vary depending on the hardening of the blog and CLI option used to scan (especially the --plugins-version-detection
one).
False positive on Monarch (divi plugin by elegant themes)
When doing wpscan on my company website I get a vulnerability identified on Monarch plugin. It says: [+] monarch | Found By: Urls In Homepage (Passive Detection) | Confirmed By: Urls In 404 Page (Passive Detection)
But when I check my website then I see I already have version 1.4.12 of this plugin. So the wpscan i giving a false positive
Your environment
Steps to reproduce
I scanned my company website for vulnerabilities
Expected behavior
I should not says that Monarch is vulnerable, the version given by wpscan is wrong.
Actual behavior
It gives me a false positive
What have you already tried
scanned again , checked i was using API for sure
Things you have tried (where relevant):