wpscanteam / wpscan

WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites. Contact us via contact@wpscan.com
https://wpscan.com/wordpress-cli-scanner

WordPress Version 5.5.5 Marked "Latest" but has known vulnerabilities #1649

Closed jtpereyda closed 3 years ago

jtpereyda commented 3 years ago

5.5.5 Marked Latest

On a scan today (2021-06-03), with WPScan version 3.8.17, the site had a detected version of 5.5.5 which was described as Latest:

[+] WordPress version 5.5.5 identified (Latest, released on 2021-05-12).
 | Found By: Style Etag (Aggressive Detection)
 |  - https://REDACTED/wp-admin/load-styles.php, Match: '5.5.5'
 | Confirmed By: Query Parameter In Install Page (Aggressive Detection)
 |  - https://REDACTED/wp-includes/css/dashicons.min.css?ver=5.5.5
 |  - https://REDACTED/wp-includes/css/buttons.min.css?ver=5.5.5
 |  - https://REDACTED/wp-admin/css/forms.min.css?ver=5.5.5
 |  - https://REDACTED/wp-admin/css/l10n.min.css?ver=5.5.5
 |  - https://REDACTED/wp-admin/css/install.min.css?ver=5.5.5

WordPress 5.5.5 is not the latest as 5.7 is out, so I take it to mean this refers to the latest 5.5.x release. However the release page https://wordpress.org/support/wordpress-version/version-5-5-5/ says:

One security issue affects WordPress versions between 3.7 and 5.7. If you haven’t yet updated to 5.7, all WordPress versions since 3.7 have also been updated to fix the following security issues:

Object injection in PHPMailer, CVE-2020-36326 and CVE-2018-19296.

The CVE page lists 5.5.5 as an affected CPE: https://nvd.nist.gov/vuln/detail/CVE-2020-36326/cpes?expandCpeRanges=true

Your environment

I'm using the Docker version, 3.8.17.

Steps to reproduce

sudo docker run -it --rm wpscanteam/wpscan --url REDACTED --api-token REDACTED -f cli-no-color

Expected behavior

I would expect the scan to give an indication about this known vulnerability.

Actual behavior

The output makes it seem like this is the most recent WordPress version without any known patched vulnerabilities.

What have you already tried

N/A -- Manual research.

erwanlr commented 3 years ago

so I take it to mean this refers to the latest 5.5.x release

Yep, it means it's the latest in the branch

One security issue affects WordPress versions between 3.7 and 5.7. If you haven’t yet updated to 5.7, all WordPress versions since 3.7 have also been updated to fix the following security issues:

Object injection in PHPMailer, CVE-2020-36326 and CVE-2018-19296.

The last bit is very important here

If you haven’t yet updated to 5.7, all WordPress versions since 3.7 have also been updated to fix the following security issues

Meaning the 5.5.x branch was patched and v5.5.5 fixed the issue:

So the Security updates section actually lists the security issues which were fixed in that version, and not the issues affecting the version.

Unfortunately, the CPEs from the CVE are wrong and do not seem to consider the patches in the branches (they just do >= 3.7 & <= 5.7 which is incorrect and even forgot the 5.7.1 which is vulnerable)

jtpereyda commented 3 years ago

@erwanlr Thanks! I severely misread that. Sent NVD an email.

jtpereyda commented 3 years ago

Where does WPScan get its database of patched/unpatched versions? I contacted NVD, but they don't have access to a reliable list of fixed versions.

jtpereyda commented 3 years ago

Ah, the WPScan site has some very informative pages, e.g.: https://wpscan.com/vulnerability/4cd46653-4470-40ff-8aac-318bee2f998d

Still super curious on how/where this information is obtained.

erwanlr commented 3 years ago

https://wordpress.org/download/releases/ has a list of all versions in each branch, the WordPress git repository (https://github.com/WordPress/wordpress-develop) can also be checked for patches

jtpereyda commented 3 years ago

Right, I guess I'm wondering how raw data from https://wordpress.org/download/releases/ (which doesn't list any vulnerability or security fix info) is collated into a nice list like you see on: https://wpscan.com/vulnerability/4cd46653-4470-40ff-8aac-318bee2f998d

Is it manually entered based on each new release? Or is that method part of the WPScan secret sauce? :)

erwanlr commented 3 years ago

Yes this is manually entered, can't be automated really, as it's possible that some branches won't receive patch/es. So it's all about reading the main release description and checking which branches received the patch/es
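The distinction erwanlr draws earlier in the thread (a CPE range of >= 3.7 and <= 5.7 versus a per-branch record of the first release carrying the backported fix) and the hand-maintained table he describes here are easy to show side by side. The following is an added example written for this page; it is not WPScan's code and was not posted in the thread. The fixed-version table is constructed for illustration: 5.5.5 and 5.7.1 come from the thread, the other entries are assumptions to be checked against https://wordpress.org/download/releases/, and branches missing from the table are reported as unknown rather than silently treated as fixed.

```ruby
# Added example, not WPScan code: contrast an NVD-style CPE range check
# with a branch-aware check that knows the first release in each WordPress
# branch carrying a backported security fix. Uses only Gem::Version, so it
# runs offline with a stock Ruby.
require 'rubygems'

# NVD-style range as described in the thread: affected if 3.7 <= v <= 5.7.
# A flat range cannot express "5.5.5 is fixed although it sorts below 5.7".
def naive_cpe_affected?(version, from: '3.7', to: '5.7')
  v = Gem::Version.new(version)
  v >= Gem::Version.new(from) && v <= Gem::Version.new(to)
end

# Hand-maintained table (the "manually entered" data from the thread):
# first release of each branch that carries the fix. 5.7.1 and 5.5.5 are
# taken from the thread; 5.6.3 and 5.4.6 are ASSUMED for illustration, and
# a real table would cover every branch back to 3.7.
FIXED_IN = {
  '5.7' => '5.7.1',
  '5.6' => '5.6.3',
  '5.5' => '5.5.5',
  '5.4' => '5.4.6'
}.freeze

FIRST_AFFECTED = '3.7'.freeze

# "5.5.5" -> "5.5"; "5.7" -> "5.7"
def branch_of(version)
  Gem::Version.new(version).segments.first(2).join('.')
end

# Returns :not_affected, :fixed, :vulnerable or :unknown.
def branch_aware_status(version, fixed_in: FIXED_IN)
  v = Gem::Version.new(version)
  return :not_affected if v < Gem::Version.new(FIRST_AFFECTED)

  branch = branch_of(version)
  newest_fixed_branch = fixed_in.keys.max_by { |b| Gem::Version.new(b) }
  # Branches cut after the fix landed on trunk (e.g. 5.8) already contain it.
  return :not_affected if Gem::Version.new(branch) > Gem::Version.new(newest_fixed_branch)

  fixed = fixed_in[branch]
  # No record for this branch: it may never have received a backport, or the
  # table is incomplete. Either way, do not report it as fixed.
  return :unknown if fixed.nil?

  v >= Gem::Version.new(fixed) ? :fixed : :vulnerable
end

# Side-by-side view of both approaches for one detected version.
def compare(version)
  {
    version: version,
    naive_cpe: naive_cpe_affected?(version) ? 'affected' : 'not affected',
    branch_aware: branch_aware_status(version)
  }
end

if __FILE__ == $PROGRAM_NAME
  %w[5.5.4 5.5.5 5.7 5.7.1 5.8 4.9.18 3.6.1].each { |ver| p compare(ver) }
end
```

Running it shows the disagreement at the heart of the issue: the naive range marks 5.5.5 as affected while the branch table marks it fixed, and it marks 5.7.1 as not affected only because the number happens to sort above 5.7, not because it knows 5.7.1 carried the fix.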

jtpereyda commented 3 years ago

Cool! This really is a valuable tool; I doubt there's a more reliable and well presented source for this data anywhere.

As usual, the secret sauce is hard work.