Closed jtpereyda closed 3 years ago
so I take it to mean this refers to the latest 5.5.x release
Yep, it means it's the latest in the branch
One security issue affects WordPress versions between 3.7 and 5.7. If you haven’t yet updated to 5.7, all WordPress versions since 3.7 have also been updated to fix the following security issues:
Object injection in PHPMailer, CVE-2020-36326 and CVE-2018-19296.
The last bit is very important here
If you haven’t yet updated to 5.7, all WordPress versions since 3.7 have also been updated to fix the following security issues
Meaning the 5.5.x branch was patched and v5.5.5 fixed the issue:
So the Security updates section actually lists the security issues which were fixed in that version, and not the issues affecting the version.
Unfortunately, the CPEs from the CVE are wrong and do not seem to consider the patches in the branches (they just do >= 3.7 & <= 5.7, which is incorrect and even forgot 5.7.1, which is vulnerable).
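The mismatch described above, as an added example that is not WPScan's own code: a flat NVD-style range check (>= 3.7 and <= 5.7) beside a branch-aware check that knows which point release of a branch carried the backported fix. The only fixed-in version it knows is 5.5.5 from this thread; the other branches are deliberately left unknown so nothing is invented, and a version in a branch with no recorded fix is reported as vulnerable with no known fix.

```ruby
# Added example, not WPScan's code. Gem::Version (rubygems, stdlib) gives
# proper numeric comparison, so "5.10" sorts after "5.9".
require "rubygems"

AFFECTED_FROM = Gem::Version.new("3.7")

# Upper bound of the flat range encoded in the NVD CPE, as quoted in the thread.
NVD_RANGE_MAX = Gem::Version.new("5.7")

# Per-branch fixed-in versions. Only the 5.5 entry comes from the thread
# (5.5.5 fixed the issue); other branches are intentionally absent here,
# which the check treats as "no known fix" rather than guessing a number.
FIXED_IN = {
  "5.5" => Gem::Version.new("5.5.5"),
}.freeze

# What the flat NVD range says: every version in [3.7, 5.7] is affected,
# so patched 5.5.5 is flagged and unpatched 5.7.1 is missed.
def nvd_range_vulnerable?(version)
  v = Gem::Version.new(version)
  v >= AFFECTED_FROM && v <= NVD_RANGE_MAX
end

# Branch-aware verdict: :not_affected, :fixed, :vulnerable,
# or :vulnerable_no_known_fix when the branch has no recorded fix.
def branch_aware_status(version)
  v = Gem::Version.new(version)
  return :not_affected if v < AFFECTED_FROM

  branch = v.segments.first(2).join(".") # "5.5.5" -> "5.5"
  fixed = FIXED_IN[branch]
  return :vulnerable_no_known_fix if fixed.nil?

  v >= fixed ? :fixed : :vulnerable
end

# Side-by-side table of both verdicts for a list of detected versions.
def compare(versions)
  versions.map { |ver| [ver, nvd_range_vulnerable?(ver), branch_aware_status(ver)] }
end

if __FILE__ == $PROGRAM_NAME
  compare(%w[3.6 5.5.4 5.5.5 5.7 5.7.1]).each do |ver, nvd, branch|
    puts format("%-6s nvd_range=%-5s branch_aware=%s", ver, nvd, branch)
  end
end
```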
@erwanlr Thanks! I severely misread that. Sent NVD an email.
Where does WPScan get its database of patched/unpatched versions? I contacted NVD, but they don't have access to a reliable list of fixed versions.
Ah, the WPScan site has some very informative pages, e.g.: https://wpscan.com/vulnerability/4cd46653-4470-40ff-8aac-318bee2f998d
Still super curious on how/where this information is obtained.
https://wordpress.org/download/releases/ has a list of all versions in each branch; the WordPress git repository (https://github.com/WordPress/wordpress-develop) can also be checked for patches.
Right, I guess I'm wondering how raw data from https://wordpress.org/download/releases/ (which doesn't list any vulnerability or security fix info) is collated into a nice list like you see on: https://wpscan.com/vulnerability/4cd46653-4470-40ff-8aac-318bee2f998d
Is it manually entered based on each new release? Or is that method part of the WPScan secret sauce? :)
Yes, this is manually entered; it can't really be automated, as it's possible that some branches won't receive the patch/es. So it's all about reading the main release description and checking which branches received the patch/es.
Cool! This really is a valuable tool; I doubt there's a more reliable and well presented source for this data anywhere.
As usual, the secret sauce is hard work.
5.5.5 Marked Latest
On a scan today (2021-06-03), with WPScan version 3.8.17, the site had a detected version of 5.5.5 which was described as Latest:
WordPress 5.5.5 is not the latest as 5.7 is out, so I take it to mean this refers to the latest 5.5.x release. However the release page https://wordpress.org/support/wordpress-version/version-5-5-5/ says:
The CVE page lists 5.5.5 as an affected CPE: https://nvd.nist.gov/vuln/detail/CVE-2020-36326/cpes?expandCpeRanges=true
Your environment
I'm using the Docker version, 3.8.17.
Steps to reproduce
Expected behavior
I would expect the scan to give an indication about this known vulnerability.
Actual behavior
The output makes it seem like this is the most recent WordPress version without any known patched vulnerabilities.
What have you already tried
N/A -- Manual research.