wpscanteam / wpscan

WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites. Contact us via contact@wpscan.com
https://wpscan.com/wordpress-cli-scanner

WordPress v6.4.2 wrongly detected as v6.4.1 resulting in a false positive alert #1822

Closed andrei-a-papou closed 9 months ago

andrei-a-papou commented 10 months ago

Subject of the issue

WordPress v6.4.2 wrongly detected as v6.4.1 resulting in a false positive alert and failing tests.

Your environment

Steps to reproduce

Run a scan against fully updated WordPress v6.4.2.

Expected behavior

No vulnerabilities should be reported against WordPress core.

Actual behavior

We get a false positive, namely the "WP 6.4-6.4.1 - POP Chain" vulnerability:

"vulnerabilities": [
      {
        "title": "WP 6.4-6.4.1 - POP Chain",
        "fixed_in": "6.4.2",
        "references": {
          "url": [
            "https://fenrisk.com/publications/blogpost/2023/11/22/gadgets-chain-in-wordpress/"
          ],
          "wpvulndb": [
            "2afcb141-c93c-4244-bde4-bf5c9759e8a3"
          ]
        }
      }
    ]

Version detection seems to happen by testing a checksum of a CSS file:

"version": {
    "number": "6.4.1",
    "release_date": "2023-11-09",
    "status": "insecure",
    "found_by": "Unique Fingerprinting (Aggressive Detection)",
    "confidence": 100,
    "interesting_entries": [
      "https://example.com/wp-admin/css/list-tables.css md5sum is 8cbb07fe1bb99aab41572598178101f8"
    ],

erwanlr commented 9 months ago

Whoops, we forgot to push the new fingerprints. It's done now, and you can get them with wpscan --update, then scan again.

andrei-a-papou commented 9 months ago

Thanks, works now
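
A simplified model of hash-based unique fingerprinting, added here as an illustration (not WPScan's code or database format): it shows how a fingerprint set that lacks 6.4.2 reports 6.4.1 for the md5sum quoted in the issue, and how the refreshed set resolves it. The database layout, the second file path and its contents are constructed assumptions.

```ruby
require "digest"

# Simplified model of unique-fingerprint version detection. Assumption: the
# layout path => { md5 => [versions] } is illustrative, not WPScan's format.
PAGE_MD5 = "8cbb07fe1bb99aab41572598178101f8" # list-tables.css md5sum from the report
LIST_CSS = "wp-admin/css/list-tables.css"
CHANGED  = "hypothetical/changed-in-6.4.2.css" # constructed path
MD5_641  = Digest::MD5.hexdigest("constructed 6.4.1 contents")
MD5_642  = Digest::MD5.hexdigest("constructed 6.4.2 contents")

# Fingerprints published before 6.4.2 was added: the hash looks unique to 6.4.1.
STALE_DB = { LIST_CSS => { PAGE_MD5 => ["6.4.1"] },
             CHANGED  => { MD5_641 => ["6.4.1"] } }.freeze
# After the update: the unchanged file maps to both releases.
UPDATED_DB = { LIST_CSS => { PAGE_MD5 => ["6.4.1", "6.4.2"] },
               CHANGED  => { MD5_641 => ["6.4.1"], MD5_642 => ["6.4.2"] } }.freeze

# What a scanner would observe on a real 6.4.2 site (constructed).
OBSERVED_642 = { LIST_CSS => PAGE_MD5, CHANGED => MD5_642 }.freeze

# Returns the detected version. A hash known for exactly one version is
# treated as conclusive; otherwise candidates are intersected across files.
def detect_version(db, observed)
  candidates = nil
  observed.each do |path, md5|
    versions = db.dig(path, md5)
    next unless versions # unknown file or hash: no evidence either way
    return { number: versions.first, found_by: :unique, evidence: path } if versions.size == 1
    candidates = candidates ? candidates & versions : versions
  end
  return { number: nil, found_by: :none } if candidates.nil? || candidates.empty?
  return { number: candidates.first, found_by: :intersection } if candidates.size == 1
  { number: nil, found_by: :ambiguous, candidates: candidates }
end

# Range check for the reported entry: title "WP 6.4-6.4.1", fixed_in "6.4.2".
def pop_chain_affected?(version)
  v = Gem::Version.new(version)
  v >= Gem::Version.new("6.4") && v < Gem::Version.new("6.4.2")
end

[["stale", STALE_DB], ["updated", UPDATED_DB]].each do |name, db|
  result = detect_version(db, OBSERVED_642)
  puts "#{name}: #{result[:number]} via #{result[:evidence]}, " \
       "POP chain reported: #{pop_chain_affected?(result[:number])}"
end
```

With the stale set the unchanged CSS file alone yields a "unique" match for 6.4.1 and the vulnerability is reported; with the updated set that hash is ambiguous and the file that differs between releases decides the version.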