ethicalhack3r
Forum Replies Created
Forum: Plugins
In reply to: [WPScan - WordPress Security Scanner] Set time for scanning
Hi Erik,
Currently there is no way to set the hour.
I will open a ticket on our internal bug tracker and assign it to a developer.
Thank you for your feedback!
Ryan
Forum: Plugins
In reply to: [WPScan - WordPress Security Scanner] PHP Constant for Disabling Scanning
Hi Erik,
Thank you for your feedback.
Currently, there’s no way to disable the scanning interval.
I have opened a ticket on our internal bug tracker and will assign a developer to it.
We’ll update this ticket once it has been implemented.
Thanks again,
Ryan
Forum: Plugins
In reply to: [WPScan - WordPress Security Scanner] Create filter to ignore custom plugins
Hi Christy,
Thank you for the suggestion. I have opened a ticket on our internal development tracker to be able to mark plugins that you do not want to be checked. I’m not sure how long it will take to implement as we have some other priorities right now, but it is recorded and we will get around to it.
Your daily API request limit will depend on your type of account; you can view them here: https://wpvulndb.com/api
Let’s assume that you have a Free account, that gives you 50 daily API requests. We use one API request for the WordPress version, one for each plugin installed, and one for each theme installed. Your limit is reset daily.
Let me know if you have any further questions.
Thanks,
Ryan
Forum: Plugins
In reply to: [WPScan - WordPress Security Scanner] Criticality of vulnerabilities
Hi,
The severity ratings are only available to Enterprise API users at the moment.
Can I ask what type of user you have right now?
Thanks,
Ryan
Forum: Plugins
In reply to: [EU Cookie Law for GDPR/CCPA] Security waring by Shield Security
Great, thanks! We’ve updated our entry to reflect the new changes.
Forum: Plugins
In reply to: [EU Cookie Law for GDPR/CCPA] Security waring by Shield Security
Hi, Ryan here from wpvulndb.com.
We have been tracking the issue here: https://wpvulndb.com/vulnerabilities/9918
Your fix in version 3.1 was not sufficient and could trivially be bypassed.
You would at least need to use WordPress’ esc_html() function.
If you could make that small change, we could mark it as fixed on our side.
Although, I agree, this issue is extremely low risk, as only an administrator user can take advantage of it, and the form has CSRF tokens in place.
Thanks!
Forum: Plugins
In reply to: [WPScan - WordPress Security Scanner] What is API token?
Hi! The API token is used to authenticate to our remote vulnerability database, to be able to download the vulnerability data in real time.
Forum: Plugins
In reply to: [Yoast Duplicate Post] Cross Site Scripting / XSS vulnerability
The forums aren’t the place to discuss security issues, but since there’s an existing discussion and the issue has already been patched, I thought I’d share my thoughts.
The risk of this issue is very low.
The affected POST request that updates the settings contains a CSRF nonce that is validated by the server. Additionally, the settings page is not accessible to Author or Contributor users (users that don’t have the unfiltered_html capability).
Even if the risk is very low, it would have been helpful for others if it were mentioned as being patched in the change log, to prevent this very discussion and other confusion.
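The two replies above (the esc_html() point on the EU Cookie Law thread and the CSRF nonce / unfiltered_html point on the Yoast Duplicate Post thread) describe the same three controls a WordPress settings page should combine. The following is an added illustrative example, not code from either plugin or from WPScan: a minimal settings page that restricts access to administrators (`manage_options`), verifies a nonce on the POST that saves settings, sanitizes on input, and escapes on output with esc_html()/esc_attr(). The `exmpl_` prefix, option name, field names and nonce action are assumptions.

```php
<?php
// Added example, not from any plugin discussed above. Prefix "exmpl_",
// option/field names and the nonce action are hypothetical.

// Register the page under Settings. The 'manage_options' capability means
// Authors and Contributors (who also lack unfiltered_html) never reach it.
add_action( 'admin_menu', function () {
    add_options_page(
        'Example Settings', 'Example Settings',
        'manage_options', 'exmpl-settings', 'exmpl_render_settings_page'
    );
} );

// Handle the POST that saves the settings (admin-post.php?action=exmpl_save_settings).
add_action( 'admin_post_exmpl_save_settings', function () {
    // 1. Capability check: only administrators may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }

    // 2. CSRF check: the nonce must match this action; check_admin_referer()
    //    dies with a 403 if it is missing or invalid.
    check_admin_referer( 'exmpl_save_settings', 'exmpl_nonce' );

    // 3. Sanitize on input: the stored value is plain text, never markup.
    $title = isset( $_POST['exmpl_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['exmpl_title'] ) )
        : '';
    update_option( 'exmpl_title', $title );

    wp_safe_redirect( add_query_arg(
        'updated', '1',
        admin_url( 'options-general.php?page=exmpl-settings' )
    ) );
    exit;
} );

function exmpl_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    $title = get_option( 'exmpl_title', '' );
    ?>
    <div class="wrap">
        <h1>Example Settings</h1>
        <?php // 4. Escape on output: esc_html() for text nodes, esc_attr() for attributes. ?>
        <p>Current title: <?php echo esc_html( $title ); ?></p>
        <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
            <input type="hidden" name="action" value="exmpl_save_settings">
            <?php wp_nonce_field( 'exmpl_save_settings', 'exmpl_nonce' ); ?>
            <label for="exmpl_title">Title</label>
            <input type="text" id="exmpl_title" name="exmpl_title"
                   value="<?php echo esc_attr( $title ); ?>">
            <?php submit_button( 'Save' ); ?>
        </form>
    </div>
    <?php
}
```

The input sanitization and the output escaping are independent layers: sanitize_text_field() limits what gets stored, while esc_html()/esc_attr() guarantee that whatever is stored (including values written by other code paths) is rendered as text, which is the change the esc_html() reply asks for.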
Forum: Reviews
In reply to: [WPScan - WordPress Security Scanner] Very useful!
Thanks Chris! 🙂
Forum: Reviews
In reply to: [WPScan - WordPress Security Scanner] Unusable and much expensive
Hi,
50 free daily API requests should be more than enough for a single WordPress website.
If you run a business and need to use our plugin on more than one website, then €25 per month for 250 daily API requests seems more than reasonable to us.
Ryan
Another SiteGround user tested for us and reported no issues and we were unable to replicate locally.
The AJAX requests are coming from a web browser on the 87.125.38.221 external IP visiting the /wp-admin/admin.php?page=wpscan page. This IP is from Spain. According to @hristo-sg around 500 times per day.
I don’t know what else to suggest, sorry.
@humaniza are you hitting the /wp-admin/admin.php?page=wpscan page with some kind of script/browser on a regular basis?
Hi @hristo-sg,
Thanks for helping.
Could you provide some details on how/why SiteGround attributed excessive /wp-admin/admin-ajax.php AJAX calls to the WPScan WordPress plugin?
The POST body would be useful, as this would give us the “action” being used.
How many requests a minute are you seeing from the WPScan plugin to categorise it as excessive?
I was unable to reproduce locally, so just trying to figure out what the issue might be.
Again, many thanks for your help.
Ryan
I’ve had a look into it and there aren’t any excessive calls to admin-ajax.php that I could see.
There are a couple of calls, but nothing that I would describe as excessive.
Perhaps SiteGround has attributed the calls to the wrong plugin, or maybe I wasn’t using the WPScan plugin in a way that would trigger the excessive calls.
It would be good if SiteGround could provide the logs, or some other information, on how/why they attributed it to WPScan, so that we could do further investigation.
Interesting. We’ll investigate the excessive calls to admin-ajax.php and see if we can find a solution.