
PCI scan Failing (8 posts)

  1. anujtenani
    Member
    Posted 5 years ago #

    Hello everyone

    I have a WordPress blog set up at
    http://qualityprotectionproducts.com/blog

    Since I accept credit card payments online, I have to pass the PCI compliance test. But my website is failing. I have tried many times, but the scan always shows that my version of WordPress is vulnerable.

    Below is the error description:

    Description: The version of WordPress on the remote host does not properly check for administrative credentials in the 'is_admin()' function in 'wp-includes/query.php'. Using a specially-crafted URL that contains the string 'wp-admin/', an attacker may be able to leverage this issue to view posts for which the status is classified as 'future', 'draft', or 'pending', which would otherwise be available only to authenticated users. See also: http://www.securityfocus.com/archive/1/485160/30/0/threaded http://trac.wordpress.org/ticket/5487 Solution: Unknown at this time.

    Please, anyone, help.
    My previous version of WordPress was able to pass the test. Since I updated WordPress to the latest version, it is failing.

  2. ecoactive
    Member
    Posted 4 years ago #

    I am having the same problem. Can anyone offer any sort of solution?

  3. QSAGuru
    Member
    Posted 4 years ago #

    You could try asking a friendly PCI consultancy for advice; the only one I've had any joy with is Metasure http://metasure.co.uk and they did want paying (after providing some free advice), but one of their guys was quite knowledgeable about changing the permission schedules...

  4. Syoof
    Member
    Posted 4 years ago #

    Hi,

    I have the same issue here. I am using WordPress 2.8.6. Can someone please advise if this issue is common in this release, and if there were any patches created to resolve it?

  5. KatrinaT
    Member
    Posted 4 years ago #

    Hi,

    I am having the same issue: Security Metrics is failing my PCI compliance on our e-commerce web site. I upgraded our WordPress version to 2.9.2 yesterday. I ran a new SM scan and we are still failing for the same reason:
    Description: The version of WordPress on the remote host does not properly check for administrative credentials in the 'is_admin()' function in 'wp-includes/query.php'. Using a specially-crafted URL that contains the string 'wp-admin/', an attacker may be able to leverage this issue to view posts for which the status is classified as 'future', 'draft', or 'pending', which would otherwise be available only to authenticated users. See also: http://www.securityfocus.com/archive/1/485160/30/0/threaded http://trac.wordpress.org/ticket/5487 Solution: Unknown at this time. Risk Factor: Medium / CVSS Base Score: 4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N) BID: 26885 Other references: OSVDB:39518, Secunia:28130 [More]

    Any thoughts on how to fix this would be great!

    Thanks,
    Katrina
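    The scanner finding quoted in posts 1 and 5 describes an is_admin() check that only looked for the substring 'wp-admin/' in the raw request URI. Here is an added detection example, not from the thread or from WordPress itself, that scans web-server access logs and flags requests carrying that marker anywhere other than the site's real admin directory; the sample log lines, the /blog site root and the combined-log regex are all assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample access-log lines (combined log format); not from the thread.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2010:12:00:01 +0000] "GET /blog/ HTTP/1.1" 200 5120
203.0.113.5 - - [10/Mar/2010:12:00:02 +0000] "GET /blog/wp-admin/ HTTP/1.1" 302 0
198.51.100.7 - - [10/Mar/2010:12:00:03 +0000] "GET /blog/?p=12&x=wp-admin/ HTTP/1.1" 200 4096
198.51.100.7 - - [10/Mar/2010:12:00:04 +0000] "GET /blog/index.php/wp-admin/?s=test HTTP/1.1" 200 4096
"""

# Minimal combined-log parser: client IP, timestamp, method, URL, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def is_suspicious_url(url: str, wp_root: str = "/blog") -> bool:
    """True when 'wp-admin/' appears outside the genuine admin directory.

    The affected is_admin() only substring-matched the request URI, so the
    marker in a query string or a stray path segment is exactly the pattern
    the scanner finding describes. wp_root is an assumed install prefix.
    """
    if "wp-admin/" not in url:
        return False
    parts = urlsplit(url)
    legit_prefix = wp_root.rstrip("/") + "/wp-admin/"
    # A real dashboard request starts with the admin directory in its path.
    return not parts.path.startswith(legit_prefix)


def find_suspicious_requests(log_text: str, wp_root: str = "/blog") -> list:
    """Return one record per request whose URL matches the suspicious pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined-log format
        if is_suspicious_url(m["url"], wp_root):
            hits.append({"ip": m["ip"], "url": m["url"], "status": m["status"]})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['status']} {hit['url']}")
```

    Run against a real log, a hit on an unpatched site is worth correlating with which post IDs were returned; on a patched site the same hits are harmless but still show who is probing.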

  6. michaelsowa
    Member
    Posted 4 years ago #

    We have the exact same issue - PCI tests failing as above and no idea how to resolve this. We are using version 2.9.2 also.

    Please can somebody help?

  7. scanreg
    Member
    Posted 4 years ago #

    Any solution?

    Gotta pass PCI

    Thanks

  8. Gregg Banse
    Member
    Posted 4 years ago #

    I'm researching this issue for a client. Would love to know if anyone has found a solution yet. I suspect it to be something non-WordPress related since I'm using clean URLs but I have seen that I can pass XSS hacks on the URL and they are NOT sanitized.

    See http://technet.microsoft.com/en-us/library/cc512662.aspx for more info

Topic Closed
