
WP-CLI command for checking installed plugins and themes for vulnerabilities reported on wpvulndb.com


WP-CLI Vulnerability Scanner

Check WordPress core, installed plugins and themes for vulnerabilities.


Installation

Global command, automatically

It can be installed as a WP-CLI package directly from the git repository, which is the preferred installation method:

wp package install 10up/wpcli-vulnerability-scanner:dev-trunk

API Access

WP-CLI Vulnerability Scanner works with WPScan, Patchstack and Wordfence Intelligence to check reported vulnerabilities; you can choose any one of these three to use. You will need to add a constant in your wp-config.php to decide which API service you want to use (by default WPScan API will be used).

To use WPScan API:

define( 'VULN_API_PROVIDER', 'wpscan' );

To use Patchstack API:

define( 'VULN_API_PROVIDER', 'patchstack' );

To use Wordfence Intelligence API:

define( 'VULN_API_PROVIDER', 'wordfence' );

Note: Authentication is not required for the Wordfence Intelligence Vulnerability API (https://www.wordfence.com/wti-community-edition-terms-and-conditions/). VULN_API_TOKEN is not required if using Wordfence as your provider.

For WPScan and Patchstack you will need to register for a user account and supply an API token from the chosen API service. Once you have acquired the token, you can add it as a constant in wp-config.php as follows:

define( 'VULN_API_TOKEN', 'YOUR_TOKEN_HERE' );

Global command, manually

Clone this repo, check out the stable branch and require wpcli-vulnerability-scanner.php from your WP-CLI config, e.g. in ~/.wp-cli/config.yml (or another WP-CLI config location):

require:
  - /path/to/this/repo/wpcli-vulnerability-scanner.php

Standard plugin

This repo can be installed as a regular plugin. There is no UI, but the command will become available.

wp plugin install --activate https://github.com/10up/wpcli-vulnerability-scanner/archive/stable.zip

After plugin installation, you can verify the command is in place with wp help vuln.

Usage

wp vuln status
  Options:
  • --test Load test data
  • --format=<format> Accepted values: table, csv, json, count, ids, yaml. Default: table
  • --nagios Output for Nagios
  • --reference Include the reference link of the vulnerability in the output
wp vuln core-status
  Options:
  • --format=<format> Accepted values: table, csv, json, count, ids, yaml. Default: table
  • --nagios Output for Nagios
  • --reference Include the reference link of the vulnerability in the output
wp vuln plugin-status
  Options:
  • --test Load test data
  • --porcelain Only print slugs of vulnerable plugins with updates
  • --format=<format> Accepted values: table, csv, json, count, ids, yaml. Default: table
  • --nagios Output for Nagios
  • --reference Include the reference link of the vulnerability in the output
wp vuln theme-status
  Options:
  • --test Load test data
  • --porcelain Only print slugs of vulnerable themes with updates
  • --format=<format> Accepted values: table, csv, json, count, ids, yaml. Default: table
  • --nagios Output for Nagios
  • --reference Include the reference link of the vulnerability in the output

Example output

Checking WordPress core, plugins and themes for reported vulnerabilities:

$ wp vuln status

Vulnerability API Provider: Patchstack
WordPress 6.2.2
+-----------+-------------------+-----------------------------------------------------------+---------------+----------+----------+
| name      | installed version | status                                                    | introduced in | fixed in | severity |
+-----------+-------------------+-----------------------------------------------------------+---------------+----------+----------+
| WordPress | 6.2.2             | No vulnerabilities reported for this version of WordPress | n/a           | n/a      | n/a      |
+-----------+-------------------+-----------------------------------------------------------+---------------+----------+----------+
Plugins
+-----------------------------+-------------------+----------------------------------------------------------------------------------------------------------------+---------------+----------+---------------+
| name                        | installed version | status                                                                                                         | introduced in | fixed in | severity      |
+-----------------------------+-------------------+----------------------------------------------------------------------------------------------------------------+---------------+----------+---------------+
| simple-podcasting           | 1.5.0             | No vulnerabilities reported for this version of simple-podcasting                                              | n/a           | n/a      | n/a           |
| woocommerce                 | 7.8.2             | No vulnerabilities reported for this version of woocommerce                                                    | n/a           | n/a      | n/a           |
| wordpress-seo               | 20.2              | Wordpress Yoast SEO plugin <= 20.2 - Authenticated (Contributor+) DOM-Based Cross-Site Scripting vulnerability | <= 20.2       | 20.2.1   | Medium 6.5/10 |
+-----------------------------+-------------------+----------------------------------------------------------------------------------------------------------------+---------------+----------+---------------+
Themes
+-------------------+-------------------+-------------------------------------------------------------------+---------------+----------+----------+
| name              | installed version | status                                                            | introduced in | fixed in | severity |
+-------------------+-------------------+-------------------------------------------------------------------+---------------+----------+----------+
| twentytwentythree | 1.1               | No vulnerabilities reported for this version of twentytwentythree | n/a           | n/a      | n/a      |
+-------------------+-------------------+-------------------------------------------------------------------+---------------+----------+----------+

Using the JSON format:

$ wp vuln status --format=json

{"core":[{"name":"WordPress","installed version":"6.2.2","status":"No vulnerabilities reported for this version of WordPress","introduced in":"n\/a","fixed in":"n\/a","severity":"n\/a"}],"plugins":[{"name":"simple-podcasting","installed version":"1.5.0","status":"No vulnerabilities reported for this version of simple-podcasting","introduced in":"n\/a","fixed in":"n\/a","severity":"n\/a"},{"name":"woocommerce","installed version":"7.8.2","status":"No vulnerabilities reported for this version of woocommerce","introduced in":"n\/a","fixed in":"n\/a","severity":"n\/a"},{"name":"wordpress-seo","installed version":"20.2","status":"Wordpress Yoast SEO plugin <= 20.2 - Authenticated (Contributor+) DOM-Based Cross-Site Scripting vulnerability","introduced in":"<= 20.2","fixed in":"20.2.1","severity":"Medium 6.5\/10"}],"themes":[{"name":"twentytwentythree","installed version":"1.1","status":"No vulnerabilities reported for this version of twentytwentythree","introduced in":"n\/a","fixed in":"n\/a","severity":"n\/a"}]}

Checking any given theme:

$ wp vuln theme-check twentyfifteen --version=1.1

Vulnerability API Provider: Patchstack
+---------------+-------------------+--------------------------------------------------------------+----------+----------+
| name          | installed version | status                                                       | fixed in | severity |
+---------------+-------------------+--------------------------------------------------------------+----------+----------+
| twentyfifteen | 1.1               | WordPress Twenty Fifteen Theme <= 1.1 - Cross Site Scripting | 1.2      | n/a      |
+---------------+-------------------+--------------------------------------------------------------+----------+----------+

Using the JSON format:

$ wp vuln theme-check twentyfifteen --version=1.1 --format=json

[{"name":"twentyfifteen","installed version":"1.1","status":"WordPress Twenty Fifteen Theme <= 1.1 - Cross Site Scripting","fixed in":"1.2","severity":"n\/a"}]

Example usage

Basic

wp plugin update $(wp vuln plugin-status --porcelain)

This will simply error out if the plugin-status command returns no slugs. You can suppress that output by appending &> /dev/null:

wp theme update $(wp vuln theme-status --porcelain) &> /dev/null

Scheduled/Cron

0 0 * * * wp theme update $(wp vuln theme-status --porcelain) &> /dev/null
0 0 * * * wp plugin update $(wp vuln plugin-status --porcelain) &> /dev/null

0 0 * * * means every day at midnight. For assistance creating an alternate schedule, check out http://crontab.guru/. For example, 0 0 * * 1,4 runs at midnight every Monday and Thursday.

With email notifications

A sample bash script, includes/vuln.sh, is included. It can be customized and run from a cron job so that you are alerted when vulnerabilities are found. Its settings are:

  • WPCLIPATH should be the full path to your wp command. The script will attempt to discover this automatically if the given filename does not exist.

  • RECIPIENT should be an email address which will receive the notifications

  • SUBJECT is the email subject

This readme does not cover configuring the mail command on your server. To run a simple test, try:

echo "This is the body text" | mail -s "Email subject" you@domain.com

Nagios

wp vuln plugin-status --nagios will give output for Nagios monitoring.
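The JSON output documented above is what makes the cron, email and Nagios workflows automatable. As an added example (not code from the 10up project or this README), the following Python script parses both JSON shapes shown in the example output (the core/plugins/themes object from wp vuln status and the bare list from theme-check/plugin-check), builds a plain-text report with the most severe item first, and exits with a Nagios-style code; run with --mail you@domain.com it pipes the report to mail -s, the same mechanism as the echo | mail test above. The Nagios exit-code mapping, the --mail flag and the assumption that wp and mail are on PATH are this script's own, not the scanner's (the README does not document what the --nagios option itself returns). The sample inputs are copied from the example output above.

```python
"""Turn `wp vuln status --format=json` output into a cron/e-mail/Nagios report.

Added example, not part of the wpcli-vulnerability-scanner project. It relies only
on the JSON field names shown in the README ("name", "installed version",
"status", "introduced in", "fixed in", "severity").
"""
import json
import re
import socket
import subprocess
import sys

# Standard Nagios plugin return codes (assumption: the README does not document
# what the scanner's own --nagios option returns, so this mapping is the script's).
NAGIOS_OK, NAGIOS_WARNING, NAGIOS_CRITICAL, NAGIOS_UNKNOWN = 0, 1, 2, 3

# Top-level keys of the `wp vuln status` JSON object, in report order.
SECTIONS = ("core", "plugins", "themes")

# Constructed sample inputs, copied from the README's example output
# (escaped slashes written plainly; json.loads accepts both forms).
SAMPLE_STATUS_JSON = '''{"core":[{"name":"WordPress","installed version":"6.2.2","status":"No vulnerabilities reported for this version of WordPress","introduced in":"n/a","fixed in":"n/a","severity":"n/a"}],"plugins":[{"name":"woocommerce","installed version":"7.8.2","status":"No vulnerabilities reported for this version of woocommerce","introduced in":"n/a","fixed in":"n/a","severity":"n/a"},{"name":"wordpress-seo","installed version":"20.2","status":"Wordpress Yoast SEO plugin <= 20.2 - Authenticated (Contributor+) DOM-Based Cross-Site Scripting vulnerability","introduced in":"<= 20.2","fixed in":"20.2.1","severity":"Medium 6.5/10"}],"themes":[{"name":"twentytwentythree","installed version":"1.1","status":"No vulnerabilities reported for this version of twentytwentythree","introduced in":"n/a","fixed in":"n/a","severity":"n/a"}]}'''
SAMPLE_CHECK_JSON = '''[{"name":"twentyfifteen","installed version":"1.1","status":"WordPress Twenty Fifteen Theme <= 1.1 - Cross Site Scripting","fixed in":"1.2","severity":"n/a"}]'''


def is_vulnerable(row):
    """A clean row's status always starts 'No vulnerabilities reported' in the
    README output; anything else is the title of a reported vulnerability."""
    return not str(row.get("status", "")).startswith("No vulnerabilities reported")


def severity_score(severity):
    """Pull the numeric score out of a severity cell such as 'Medium 6.5/10'.
    Returns None for 'n/a' or any cell without an 'x/10' score."""
    m = re.search(r"(\d+(?:\.\d+)?)\s*/\s*10", severity or "")
    return float(m.group(1)) if m else None


def find_vulnerable(json_text):
    """Return the vulnerable rows from either JSON shape the README shows: the
    {"core": [...], "plugins": [...], "themes": [...]} object of `wp vuln status`,
    or the bare list of `wp vuln theme-check` / `plugin-check`. Each returned
    row gains a 'section' key ('check' for the bare-list form)."""
    data = json.loads(json_text)
    if isinstance(data, list):
        groups = [("check", data)]
    elif isinstance(data, dict):
        groups = [(s, data.get(s) or []) for s in SECTIONS]
    else:
        raise ValueError("unexpected JSON top-level type: %s" % type(data).__name__)
    return [dict(row, section=section)
            for section, rows in groups for row in rows if is_vulnerable(row)]


def build_report(json_text):
    """Return (exit_code, report_text): CRITICAL if anything is vulnerable,
    OK otherwise. Rows are listed most severe first (rows without a numeric
    score, like the theme-check sample, sort last)."""
    vulns = find_vulnerable(json_text)
    if not vulns:
        return NAGIOS_OK, "OK - no reported vulnerabilities"
    vulns.sort(key=lambda v: severity_score(v.get("severity")) or 0.0, reverse=True)
    lines = ["CRITICAL - %d component(s) with reported vulnerabilities" % len(vulns)]
    for v in vulns:
        lines.append("  [%s] %s %s: %s (fixed in %s, severity %s)" % (
            v["section"], v["name"], v.get("installed version", "?"), v["status"],
            v.get("fixed in", "n/a"), v.get("severity", "n/a")))
    return NAGIOS_CRITICAL, "\n".join(lines)


def main(argv):
    """Run the scanner and print the report; with `--mail RECIPIENT` also pipe it
    to `mail -s`, the same mechanism as the README's echo | mail test. Assumes
    `wp` and `mail` are on PATH; the --mail flag belongs to this script only."""
    try:
        proc = subprocess.run(["wp", "vuln", "status", "--format=json"],
                              capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError) as exc:
        print("UNKNOWN - scanner did not run: %s" % exc)
        return NAGIOS_UNKNOWN
    code, text = build_report(proc.stdout)
    print(text)
    if code != NAGIOS_OK and len(argv) >= 3 and argv[1] == "--mail":
        subject = "[wp vuln] vulnerabilities found on %s" % socket.gethostname()
        subprocess.run(["mail", "-s", subject, argv[2]], input=text, text=True)
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A cron line such as 0 0 * * * /usr/bin/python3 /path/to/vuln_report.py --mail you@domain.com then mails only when something is reported, and the same script works unchanged as a Nagios check because the exit code, not the text, carries the verdict. Keying on the status text rather than the "fixed in" column means a reported vulnerability with no fix yet still counts as a finding.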

Check uninstalled themes and plugins

Check a specific version of a theme or plugin. Example:

wp vuln theme-check twentyfifteen --version=1.1

Or check several at once (this form does not accept a version):

wp vuln plugin-check wppizza wordpress-seo

Running Tests

Prerequisites:

The VULN_API_PROVIDER and VULN_API_TOKEN environment variables must be set.

To run tests against WPScan API:

export VULN_API_PROVIDER='wpscan'
export VULN_API_TOKEN='Your API Token Here'

To run tests against Patchstack API:

export VULN_API_PROVIDER='patchstack'
export VULN_API_TOKEN='Your API Token Here'

To run tests against Wordfence Intelligence API, VULN_API_TOKEN is not required:

export VULN_API_PROVIDER='wordfence'

Install dependencies

composer prepare-tests

Note: It is not uncommon for Composer to run out of memory; you may need to take steps to free up memory on your machine.

Run tests

WPScan API

composer behat -- features/vuln-wpscan.feature

PatchStack API

composer behat -- features/vuln-patchstack.feature

Wordfence API

composer behat -- features/vuln-wordfence.feature

Support Level

Active: 10up is actively working on this, and we expect to continue work for the foreseeable future including keeping tested up to the most recent version of WordPress. Bug reports, feature requests, questions, and pull requests are welcome.

Changelog

A complete listing of all notable changes to WP-CLI Vulnerability Scanner is documented in CHANGELOG.md.

Contributing

Please read CODE_OF_CONDUCT.md for details on our code of conduct, CONTRIBUTING.md for details on the process for submitting pull requests to us, and CREDITS.md for a listing of maintainers of, contributors to, and libraries used by WP-CLI Vulnerability Scanner.
