wpscanteam / wpscan

WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites. Contact us via contact@wpscan.com
https://wpscan.com/wordpress-cli-scanner

passive_detection version number results #930

Closed mgites closed 8 years ago

mgites commented 8 years ago

I tested wpscan on a couple of sites and it shows version numbers on certain plugins using passive_detection and no version for some others. This wasn't strange until I did some research to figure out why it couldn't get the version data for some of the plugins that it did find. I seem to have stumbled on a perhaps interesting issue. Basically, from analyzing the passive_detection function in WpPlugins, its super (in WpItems) and its helpers (from_header and from_content), there are only 3 plugins that are hard coded for version extraction: w3-total-cache, all-in-one-seo-pack, and wordpress-seo; see: https://github.com/wpscanteam/wpscan/blob/b328dc4ff98cd2f5ea9f5dd933109df4de88a866/lib/common/collections/wp_plugins/detectable.rb

The question now is: how is passive scan able to find the version number for more than these 3 hardcoded plugins, yet there seems to be no code outside of that for these 4 plugins that would find version numbers? I did a search for "version" in passive_detection and its helpers and there is no case of that term existing outside of:

```ruby
wp_plugins.add('w3-total-cache', version: matches[1])
wp_plugins.add('all-in-one-seo-pack', version: $1)
wp_plugins.add('wordpress-seo', version: $1)
```

Is there some code that I'm just not looking at? I've traced through the passive scanning part of the code several times.

TL;DR: Where is the code that wpscan uses in passive_detection that gets the version number of a plugin that is not one of the following 3: w3-total-cache, all-in-one-seo-pack, and wordpress-seo? How would wpscan use passive scanning to, for example, find the version number of:

- Name: contact-form-7 - v4.4.1
- Name: loginradius-for-wordpress - v7.2
- Name: mailchimp-for-wp - v3.1.6
- Name: woocommerce-bulk-discount - v2.4.1

Thank you

ethicalhack3r commented 8 years ago

Hi! We find the information from the plugin's readme file. Has this piece of functionality caused any issues? Something you're trying to debug, or enhance we can help you with?

mgites commented 8 years ago

I've been looking at the code to find ways to help. My recent focus has been passive scanning. I found, for example, that when you detect Yoast (i.e. wordpress-seo), the regex should be updated. In line 65 here https://github.com/wpscanteam/wpscan/blob/b328dc4ff98cd2f5ea9f5dd933109df4de88a866/lib/common/collections/wp_plugins/detectable.rb ... you have:

```ruby
if body =~ /<!-- This site is optimized with the Yoast WordPress SEO plugin v([^\s]+) -/i
```

I learned that some versions of the plugin do not have "WordPress" in the string. That is, the following is possible: "!-- This site is optimized with the Yoast SEO plugin"

wpscan should be updated to make the "WordPress" optional.

As I move on to find other possible contributions, it became unclear to me where the version numbers of the non-hard-coded plugins found through passive_detection get discovered. My ability to follow Ruby code must be weak, so I guess what I'm asking is: when this call in wpscan.rb is made:

```ruby
wp_plugins = WpPlugins.passive_detection(wp_target)
```

where are the version numbers discovered between when the function is called and when wp_plugins is assigned the return value? You mentioned that you look using readmes, but I only see readme lookups in the aggressive scanning process. Is there a link that I'm missing?

mgites commented 8 years ago

Looking deeper, there seems to be overriding of to_s in Versionable:

```ruby
def to_s
  item_version = self.version
  "#{@name}#{' - v' + item_version.strip if item_version}"
end
```

I guess I missed that clever trick.

mgites commented 8 years ago

This thread can be closed, but I do think the devs might want to look at enhancing the regex relating to Yoast that I mentioned a couple of messages above.

ethicalhack3r commented 8 years ago

If you proxy WPScan's traffic through Burp/ZAP, you should be able to see the requests to the plugin's readme file.

Thanks for the info re the WordPress SEO regex. Before we implement the change I think it would be useful to download all past versions of the plugin (can be done via SVN) and check the code which generates this HTML comment to see how it has changed. Would be a nice contribution to WPScan if you have the time :)
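The Yoast regex change discussed in this thread, as an added example that is not WPScan's own code: it compares the pattern quoted above from detectable.rb with a version that makes "WordPress " optional, run over constructed page bodies (the version numbers and HTML are made up for the demonstration).

```ruby
# Added example, not WPScan code. Compares the Yoast SEO detection regex
# quoted in this thread with a variant that makes "WordPress " optional.
# The sample HTML bodies below are constructed; they are not captured pages.

# Pattern as quoted from detectable.rb in this issue.
OLD_YOAST_RE = /<!-- This site is optimized with the Yoast WordPress SEO plugin v([^\s]+) -/i

# Proposed fix: the "WordPress " token is optional, so both comment variants match.
NEW_YOAST_RE = /<!-- This site is optimized with the Yoast (?:WordPress )?SEO plugin v([^\s]+) -/i

# Returns the plugin version string found in +body+, or nil when the HTML
# comment is absent or the pattern does not match it.
def yoast_version(body, pattern = NEW_YOAST_RE)
  m = pattern.match(body)
  m && m[1]
end

# Constructed sample bodies with hypothetical version numbers.
OLD_STYLE_BODY = "<html><head>\n" \
  "<!-- This site is optimized with the Yoast WordPress SEO plugin v2.3.5 -->\n" \
  "</head></html>"
NEW_STYLE_BODY = "<html><head>\n" \
  "<!-- This site is optimized with the Yoast SEO plugin v3.0.7 -->\n" \
  "</head></html>"
NO_COMMENT_BODY = "<html><head><title>plain</title></head></html>"

if __FILE__ == $PROGRAM_NAME
  [OLD_STYLE_BODY, NEW_STYLE_BODY, NO_COMMENT_BODY].each do |body|
    puts "old regex: #{yoast_version(body, OLD_YOAST_RE).inspect}  " \
         "new regex: #{yoast_version(body).inspect}"
  end
end
```

The old pattern returns nil for the newer comment style, which is exactly the missed-version case described above; the new pattern recovers the version from both styles and still returns nil when no comment is present.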