Check WordPress core, installed plugins and themes for vulnerabilities.
It can be installed as a wp-cli package from the git repo, which is the preferred way to install it:
wp package install 10up/wpcli-vulnerability-scanner:dev-trunk
WP-CLI Vulnerability Scanner works with WPScan, Patchstack and Wordfence Intelligence to check reported vulnerabilities; you can choose any one of these three to use. You will need to add a constant in your wp-config.php to decide which API service you want to use (by default the WPScan API will be used).
To use WPScan API:
define( 'VULN_API_PROVIDER', 'wpscan' );
To use Patchstack API:
define( 'VULN_API_PROVIDER', 'patchstack' );
To use Wordfence Intelligence API:
define( 'VULN_API_PROVIDER', 'wordfence' );
Note: Authentication is not required for the Wordfence Intelligence Vulnerability API ( https://www.wordfence.com/wti-community-edition-terms-and-conditions/ ). VULN_API_TOKEN is not required if using Wordfence as your provider.
For WPScan and Patchstack you will need to register for a user account and supply an API token from the chosen API service. Once you have acquired the token, you can add it as a constant in wp-config.php as follows:
define( 'VULN_API_TOKEN', 'YOUR_TOKEN_HERE' );
Clone this repo, check out the stable branch and require wpcli-vulnerability-scanner.php from your wp-cli config, e.g. in ~/.wp-cli/config.yml:
[other config locations]
require:
- /path/to/this/repo/wpcli-vulnerability-scanner.php
This repo can be installed as a regular plugin. There is no UI, but the command will become available.
wp plugin install --activate https://github.com/10up/wpcli-vulnerability-scanner/archive/stable.zip
After plugin installation, you can verify the command is in place with wp help vuln
wp vuln status
- Options:
  --test
    Load test data
  --format=<format>
    Accepted values: table, csv, json, count, ids, yaml. Default: table
  --nagios
    Output for Nagios
  --reference
    Include the reference link of the vulnerability within the output
wp vuln core-status
- Options:
  --format=<format>
    Accepted values: table, csv, json, count, ids, yaml. Default: table
  --nagios
    Output for Nagios
  --reference
    Include the reference link of the vulnerability within the output
wp vuln plugin-status
- Options:
  --test
    Load test data
  --porcelain
    Only print slugs of vulnerable plugins with updates
  --format=<format>
    Accepted values: table, csv, json, count, ids, yaml. Default: table
  --nagios
    Output for Nagios
  --reference
    Include the reference link of the vulnerability within the output
wp vuln theme-status
- Options:
  --test
    Load test data
  --porcelain
    Only print slugs of vulnerable themes with updates
  --format=<format>
    Accepted values: table, csv, json, count, ids, yaml. Default: table
  --nagios
    Output for Nagios
  --reference
    Include the reference link of the vulnerability within the output
$ wp vuln status
Vulnerability API Provider: Patchstack
WordPress 6.2.2
+-----------+-------------------+-----------------------------------------------------------+---------------+----------+----------+
| name | installed version | status | introduced in | fixed in | severity |
+-----------+-------------------+-----------------------------------------------------------+---------------+----------+----------+
| WordPress | 6.2.2 | No vulnerabilities reported for this version of WordPress | n/a | n/a | n/a |
+-----------+-------------------+-----------------------------------------------------------+---------------+----------+----------+
Plugins
+-----------------------------+-------------------+----------------------------------------------------------------------------------------------------------------+---------------+----------+---------------+
| name | installed version | status | introduced in | fixed in | severity |
+-----------------------------+-------------------+----------------------------------------------------------------------------------------------------------------+---------------+----------+---------------+
| simple-podcasting | 1.5.0 | No vulnerabilities reported for this version of simple-podcasting | n/a | n/a | n/a |
| woocommerce | 7.8.2 | No vulnerabilities reported for this version of woocommerce | n/a | n/a | n/a |
| wordpress-seo | 20.2 | Wordpress Yoast SEO plugin <= 20.2 - Authenticated (Contributor+) DOM-Based Cross-Site Scripting vulnerability | <= 20.2 | 20.2.1 | Medium 6.5/10 |
+-----------------------------+-------------------+----------------------------------------------------------------------------------------------------------------+---------------+----------+---------------+
Themes
+-------------------+-------------------+-------------------------------------------------------------------+---------------+----------+----------+
| name | installed version | status | introduced in | fixed in | severity |
+-------------------+-------------------+-------------------------------------------------------------------+---------------+----------+----------+
| twentytwentythree | 1.1 | No vulnerabilities reported for this version of twentytwentythree | n/a | n/a | n/a |
+-------------------+-------------------+-------------------------------------------------------------------+---------------+----------+----------+
Using the JSON format:
$ wp vuln status --format=json
{"core":[{"name":"WordPress","installed version":"6.2.2","status":"No vulnerabilities reported for this version of WordPress","introduced in":"n\/a","fixed in":"n\/a","severity":"n\/a"}],"plugins":[{"name":"simple-podcasting","installed version":"1.5.0","status":"No vulnerabilities reported for this version of simple-podcasting","introduced in":"n\/a","fixed in":"n\/a","severity":"n\/a"},{"name":"woocommerce","installed version":"7.8.2","status":"No vulnerabilities reported for this version of woocommerce","introduced in":"n\/a","fixed in":"n\/a","severity":"n\/a"},{"name":"wordpress-seo","installed version":"20.2","status":"Wordpress Yoast SEO plugin <= 20.2 - Authenticated (Contributor+) DOM-Based Cross-Site Scripting vulnerability","introduced in":"<= 20.2","fixed in":"20.2.1","severity":"Medium 6.5\/10"}],"themes":[{"name":"twentytwentythree","installed version":"1.1","status":"No vulnerabilities reported for this version of twentytwentythree","introduced in":"n\/a","fixed in":"n\/a","severity":"n\/a"}]}
$ wp vuln theme-check twentyfifteen --version=1.1
Vulnerability API Provider: Patchstack
+---------------+-------------------+--------------------------------------------------------------+----------+----------+
| name | installed version | status | fixed in | severity |
+---------------+-------------------+--------------------------------------------------------------+----------+----------+
| twentyfifteen | 1.1 | WordPress Twenty Fifteen Theme <= 1.1 - Cross Site Scripting | 1.2 | n/a |
+---------------+-------------------+--------------------------------------------------------------+----------+----------+
Using the JSON format:
$ wp vuln theme-check twentyfifteen --version=1.1 --format=json
[{"name":"twentyfifteen","installed version":"1.1","status":"WordPress Twenty Fifteen Theme <= 1.1 - Cross Site Scripting","fixed in":"1.2","severity":"n\/a"}]
Basic
wp plugin update $(wp vuln plugin-status --porcelain)
This will simply error out if the plugin-status command returns no slugs. You can suppress the output by appending &> /dev/null:
wp theme update $(wp vuln theme-status --porcelain) &> /dev/null
Scheduled/Cron
0 0 * * * wp theme update $(wp vuln theme-status --porcelain) &> /dev/null
0 0 * * * wp plugin update $(wp vuln plugin-status --porcelain) &> /dev/null
0 0 * * * is every day at midnight. For assistance creating an alternate schedule, check out http://crontab.guru/. For example, 0 0 * * 1,4 runs at midnight every Monday and Thursday.
With email notifications
Included is a sample bash script, includes/vuln.sh. This can be customized and used in a cron job so that you can be alerted when vulnerabilities are found.
- WPCLIPATH should be the full path to your wp command. The script will attempt to discover this automatically if the given filename does not exist
- RECIPIENT should be an email address which will receive the notifications
- SUBJECT is the email subject
This readme does not discuss configuring the mail command on your server. To run a simple test, try:
echo "This is the body text" | mail -s "Email subject" you@domain.com
Nagios
wp vuln plugin-status --nagios
This gives output suitable for Nagios monitoring.
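The JSON format shown above is the easiest one to consume from a cron job or a monitoring check. The script below is an added example, not part of the 10up project: it parses a report in the layout this README documents (top-level "core", "plugins" and "themes" lists with "name", "installed version", "status", "fixed in" and "severity" keys), lists the flagged components, derives the slugs that are safe to hand to wp plugin update (so an empty list can be skipped instead of erroring out), and maps the result to a Nagios-style exit code. SAMPLE_REPORT is a constructed copy of the README's own example output so the script runs offline.

```python
"""Turn `wp vuln status --format=json` output into update slugs and an alert.

Added example, not code from the wpcli-vulnerability-scanner project.
Assumes the JSON layout documented in the README (see lead-in).
"""
import json
import sys

# Constructed sample: the README's example report, embedded so this runs offline.
SAMPLE_REPORT = (
    '{"core":[{"name":"WordPress","installed version":"6.2.2",'
    '"status":"No vulnerabilities reported for this version of WordPress",'
    '"introduced in":"n/a","fixed in":"n/a","severity":"n/a"}],'
    '"plugins":[{"name":"simple-podcasting","installed version":"1.5.0",'
    '"status":"No vulnerabilities reported for this version of simple-podcasting",'
    '"introduced in":"n/a","fixed in":"n/a","severity":"n/a"},'
    '{"name":"wordpress-seo","installed version":"20.2",'
    '"status":"Wordpress Yoast SEO plugin <= 20.2 - Authenticated (Contributor+) '
    'DOM-Based Cross-Site Scripting vulnerability",'
    '"introduced in":"<= 20.2","fixed in":"20.2.1","severity":"Medium 6.5/10"}],'
    '"themes":[{"name":"twentytwentythree","installed version":"1.1",'
    '"status":"No vulnerabilities reported for this version of twentytwentythree",'
    '"introduced in":"n/a","fixed in":"n/a","severity":"n/a"}]}'
)

NO_VULN_PREFIX = "No vulnerabilities reported"

def find_vulnerable(report_json):
    """Return (section, entry) pairs for every component the scanner flagged."""
    report = json.loads(report_json)
    flagged = []
    for section in ("core", "plugins", "themes"):
        for entry in report.get(section, []):
            if not entry["status"].startswith(NO_VULN_PREFIX):
                flagged.append((section, entry))
    return flagged

def patchable_slugs(flagged, section):
    """Slugs in `section` that have a fixed version and can be updated.
    Entries whose "fixed in" is n/a have no patched release yet, so updating
    them would not remove the vulnerability; they are left out on purpose."""
    return [e["name"] for s, e in flagged if s == section and e["fixed in"] != "n/a"]

def nagios_summary(flagged):
    """Map the findings to a Nagios-style (exit code, one-line message)."""
    if not flagged:
        return 0, "OK - no known vulnerabilities"
    names = ", ".join(f"{s}/{e['name']} {e['installed version']} "
                      f"(fixed in {e['fixed in']})" for s, e in flagged)
    return 2, f"CRITICAL - {len(flagged)} vulnerable component(s): {names}"

if __name__ == "__main__":
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    code, message = nagios_summary(find_vulnerable(raw))
    print(message)
    sys.exit(code)
```

In a cron job, pipe the real report in (wp vuln status --format=json | python3 this_script.py) and only call wp plugin update when patchable_slugs returns something.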
Check a specific version of a theme or plugin. Example:
wp vuln theme-check twentyfifteen --version=1.1
Or check several at once (this form does not accept --version):
wp vuln plugin-check wppizza wordpress-seo
The tests require the VULN_API_PROVIDER and VULN_API_TOKEN environment variables.
To run tests against WPScan API:
export VULN_API_PROVIDER='wpscan'
export VULN_API_TOKEN='Your API Token Here'
To run tests against Patchstack API:
export VULN_API_PROVIDER='patchstack'
export VULN_API_TOKEN='Your API Token Here'
To run tests against Wordfence Intelligence API, VULN_API_TOKEN is not required:
export VULN_API_PROVIDER='wordfence'
composer prepare-tests
Note: It is not uncommon for composer to run out of memory; you may need to take steps to free up memory on your end.
WPScan API
composer behat -- features/vuln-wpscan.feature
PatchStack API
composer behat -- features/vuln-patchstack.feature
Wordfence API
composer behat -- features/vuln-wordfence.feature
Active: 10up is actively working on this, and we expect to continue work for the foreseeable future including keeping tested up to the most recent version of WordPress. Bug reports, feature requests, questions, and pull requests are welcome.
A complete listing of all notable changes to WP-CLI Vulnerability Scanner is documented in CHANGELOG.md.
Please read CODE_OF_CONDUCT.md for details on our code of conduct, CONTRIBUTING.md for details on the process for submitting pull requests to us, and CREDITS.md for a listing of maintainers of, contributors to, and libraries used by WP-CLI Vulnerability Scanner.