ssnepenthe/soter-command
========================

Repository: https://github.com/ssnepenthe/soter-command (GitHub, PHP, GPL-2.0, default branch `master`, last pushed 2017-10-31). Description: WP-CLI command for checking a WordPress site against the WPScan Vulnerability Database. Topics: php, vulnerability, wordpress, wp-cli-package, wpscan-vulnerability-database, wpvulndb.

Easily check your plugins, themes and core against the WPScan API from the command line.

## Installation

Installing this package requires WP-CLI v1.1 or greater. Update to the latest stable release with `wp cli update`.

Once you've done so, you can install this package with:

    wp package install git@github.com:ssnepenthe/soter-command.git

## Usage

The following commands are available:

```
wp soter check-plugin <slug> [<version>] [--format=<format>] [--fields=<fields>]
wp soter check-plugins [--format=<format>] [--fields=<fields>] [--ignore=<ignore>]

wp soter check-site [--format=<format>] [--fields=<fields>] [--ignore=<ignore>]

wp soter check-theme <slug> [<version>] [--format=<format>] [--fields=<fields>]
wp soter check-themes [--format=<format>] [--fields=<fields>] [--ignore=<ignore>]

wp soter check-wordpress <version> [--format=<format>] [--fields=<fields>]
wp soter check-wordpresses [--format=<format>] [--fields=<fields>] [--ignore=<ignore>]
```

The singular commands (`check-plugin`, `check-theme`, `check-wordpress`) query the API for a package you name explicitly, whether or not it is installed. The plural commands and `check-site` walk the packages installed on the current site; `check-site` covers core, all plugins and all themes in one run.

`<slug>` is the plugin or theme slug.

`<version>` is the version string you wish to check. For `check-plugin` and `check-theme` it is optional: omit it and every vulnerability the API knows for that package is listed, regardless of version. For core, `package_slug` in the output is the version with the dots removed (`475` for 4.7.5), which is how the WPScan API keys WordPress releases.

`<format>` can be any of `count`, `csv`, `ids`, `json`, `table` or `yaml` - default is `table`. If set to `ids`, it will print a space-separated list of vulnerability IDs as given by the WPScan API.

`<fields>` should be a comma-separated list of fields. Valid fields are `package_slug`, `package_type`, `package_version`, `id`, `title`, `created_at`, `updated_at`, `published_date`, `vuln_type`, `fixed_in` - default is `package_type,package_slug,title,vuln_type,fixed_in`. A `fixed_in` value of `null` (no fixing release known to the API) is rendered as `NOT FIXED YET` in the table format.

`<ignore>` should be a comma-separated list of installed package slugs that should not be checked. An ignored package is skipped entirely, not reported as clean.

## Examples

**Full site check formatted as a table**

```
vagrant@vvv:/srv/www/wordpress-default/public_html$ wp soter check-site

Checking 24 packages  100% [==============================================================================] 0:00 / 0:00
+--------------+----------------+---------------------------------------------------------------+------------+---------------+
| package_type | package_slug   | title                                                         | vuln_type  | fixed_in      |
+--------------+----------------+---------------------------------------------------------------+------------+---------------+
| plugin       | contact-form-7 | Contact Form 7 <= 3.7.1 - Security Bypass                     | AUTHBYPASS | 3.7.2         |
| plugin       | contact-form-7 | Contact Form 7 <= 3.5.2 - File Upload Remote Code Execution   | UPLOAD     | 3.5.3         |
| theme        | twentyfifteen  | Twenty Fifteen Theme <= 1.1 - DOM Cross-Site Scripting (XSS)  | XSS        | 1.2           |
| wordpress    | 475            | WordPress 2.3-4.7.5 - Host Header Injection in Password Reset | UNKNOWN    | NOT FIXED YET |
+--------------+----------------+---------------------------------------------------------------+------------+---------------+
```

**Plugin check: All versions of Contact Form 7 formatted as CSV**

```
vagrant@vvv:/srv/www/wordpress-default/public_html$ wp soter check-plugin contact-form-7 --format=csv
package_type,package_slug,title,vuln_type,fixed_in
plugin,contact-form-7,"Contact Form 7 <= 3.7.1 - Security Bypass",AUTHBYPASS,3.7.2
plugin,contact-form-7,"Contact Form 7 <= 3.5.2 - File Upload Remote Code Execution",UPLOAD,3.5.3
```

**Theme check: Version 1.1 of twentyfifteen, formatted as JSON, display title, vulnerability type and fixed in version**

```
vagrant@vvv:/srv/www/wordpress-default/public_html$ wp soter check-theme twentyfifteen 1.1 --format=json --fields=title,vuln_type,fixed_in
[{"title":"Twenty Fifteen Theme <= 1.1 - DOM Cross-Site Scripting (XSS)","vuln_type":"XSS","fixed_in":"1.2"}]
```

**WordPress check: Version 4.7.5, format as YAML, display id, title and fixed in version**

```
vagrant@vvv:/srv/www/wordpress-default/public_html$ wp soter check-wordpress 4.7.5 --format=yaml --fields=id,title,fixed_in
---
-
  id: 8807
  title: 'WordPress 2.3-4.7.5 - Host Header Injection in Password Reset'
  fixed_in: null
```

## Extending

A number of actions are available which allow plugins to implement custom behavior in response to individual checks (logging, notifications, etc.). Because the commands run inside a full WordPress bootstrap, a regular plugin or an mu-plugin can register these callbacks with `add_action()` in the usual way.

`soter_command_package_check_complete`: This action is triggered after every individual package has been checked. Callbacks receive a `Soter_Core\Vulnerabilities` object as the first param and a `Soter_Core\Response` object as the second.

`soter_command_{$command}_results`: This action is triggered within each command before the results are displayed. `$command` is the name of the command (check-plugin, check-themes, etc.) with `-` replaced with `_` (e.g. `soter_command_check_site_results`). Callbacks receive a `Soter_Core\Vulnerabilities` object.

## API Errors

It is recommended to occasionally run a full site check with `--debug=soter-command`.

This will notify you if you have received any error responses from the API:

```
vagrant@vvv:/srv/www/wordpress-default/public_html$ wp soter check-site --debug=soter-command
Checking 28 packages  3  % [===>                                                                                              ] 0:00 / 0:00
Debug: Error checking plugin recaptcha-for-wp: Non-200 status code received [HTTP 404] (1.279s)
Debug: Error checking plugin terms-archive: Non-200 status code received [HTTP 404] (1.282s)
Debug: Error checking plugin wp-hashids: Non-200 status code received [HTTP 404] (1.283s)
Debug: Error checking theme tf-child: Non-200 status code received [HTTP 404] (1.285s)
Checking 28 packages  100% [==================================================================================================] 0:00 / 0:00
+--------------+--------------+---------------------------------------------------------------+-----------+---------------+
| package_type | package_slug | title                                                         | vuln_type | fixed_in      |
+--------------+--------------+---------------------------------------------------------------+-----------+---------------+
| wordpress    | 482          | WordPress 2.3-4.8.2 - Host Header Injection in Password Reset | UNKNOWN   | NOT FIXED YET |
+--------------+--------------+---------------------------------------------------------------+-----------+---------------+
```

Possible errors include a non-200 status code, a non-JSON response body, an invalid JSON response body and a response that does not match the requested package.

Without `--debug=soter-command` these errors are silent: a package whose lookup failed simply contributes no rows to the result, which is indistinguishable from a package with no known vulnerabilities. That is why the periodic debug run matters.

Non-200 status codes tend to pop up for (but are not limited to) custom plugins and themes, where an HTTP 404 means the WPScan database has no entry for that slug at all. It says nothing about whether the package is safe; it only means this tool cannot check it. When that is the case, the package should be excluded via the `ignore` option, either on the command line (e.g. `--ignore=comma,separated,slugs`) or by overriding the command defaults in `wp-cli.yml`.

It is unlikely that you will ever see any of the other errors, but if you do, please report them to the [WPScan team](https://wpvulndb.com/contact).
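The Extending section above names the two actions but shows no consumer of them. The following mu-plugin is an added example, not code from the soter-command project: it logs every per-package check, emails the site admin when a full site check finds anything, and uses a WP-CLI `after_invoke:` hook to make `wp soter check-site` exit non-zero so a CI job fails on findings while the result table is still printed. It assumes `Soter_Core\Vulnerabilities` is countable and iterable and that each vulnerability exposes `title` and `fixed_in` as properties (matching the field names the commands print); it also assumes `WP_CLI::halt()` exists in the WP-CLI release in use. Verify both against soter-core and your WP-CLI version before relying on it.

```php
<?php
/**
 * Plugin Name: Soter CI gate (added example, not part of soter-command)
 *
 * Save as wp-content/mu-plugins/soter-ci.php so it loads for WP-CLI runs.
 * Uses the two actions documented by soter-command plus a WP-CLI hook.
 */

// These actions only ever fire inside a WP-CLI process.
if ( ! defined( 'WP_CLI' ) || ! WP_CLI ) {
	return;
}

// Assumption: Soter_Core\Vulnerabilities supports count() and foreach, and each
// item exposes ->title and ->fixed_in. Check soter-core before relying on this.

// Fires after each plugin, theme or core version has been queried.
add_action( 'soter_command_package_check_complete', function ( $vulnerabilities, $response ) {
	$count = count( $vulnerabilities );
	// Shown only when the command is run with --debug or --debug=soter-ci.
	WP_CLI::debug(
		sprintf( 'package check complete: %d known vulnerabilit%s', $count, 1 === $count ? 'y' : 'ies' ),
		'soter-ci'
	);
}, 10, 2 );

// Number of findings from the last full site check; read by the after_invoke hook.
$soter_ci_findings = 0;

// Fires inside `wp soter check-site` before the results are displayed.
add_action( 'soter_command_check_site_results', function ( $vulnerabilities ) use ( &$soter_ci_findings ) {
	$soter_ci_findings = count( $vulnerabilities );

	if ( 0 === $soter_ci_findings ) {
		return;
	}

	$lines = array();
	foreach ( $vulnerabilities as $vulnerability ) {
		// A null fixed_in means the API knows no fixing release (rendered NOT FIXED YET by the table).
		$fixed   = empty( $vulnerability->fixed_in ) ? 'NOT FIXED YET' : $vulnerability->fixed_in;
		$lines[] = sprintf( '- %s (fixed in: %s)', $vulnerability->title, $fixed );
	}

	// wp_mail() needs a working mail transport in the CLI environment.
	wp_mail(
		get_option( 'admin_email' ),
		sprintf( '[%s] %d known vulnerabilit%s found', home_url(), $soter_ci_findings, 1 === $soter_ci_findings ? 'y' : 'ies' ),
		implode( "\n", $lines )
	);
} );

// Runs after the command has finished printing, so the table is still shown.
// Assumption: WP_CLI::halt() is available in this WP-CLI version.
WP_CLI::add_hook( 'after_invoke:soter check-site', function () use ( &$soter_ci_findings ) {
	if ( $soter_ci_findings > 0 ) {
		WP_CLI::warning( sprintf( '%d known vulnerabilities found; exiting with status 1.', $soter_ci_findings ) );
		WP_CLI::halt( 1 );
	}
} );
```

With this in place a pipeline step of `wp soter check-site` fails (exit status 1) whenever the database reports something for an installed package, and passes otherwise; packages the API returns 404 for are still silent, so pair it with the `ignore` defaults and the periodic `--debug=soter-command` run described in the API Errors section.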
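The API Errors section says the 404-ing packages can be excluded by overriding the command defaults in `wp-cli.yml` but does not show the file. Here is an added example (not from the project) using the four slugs from the debug transcript above; it relies on WP-CLI's documented per-command defaults, where the key is the full command name and the values are that command's options.

```yaml
# wp-cli.yml at the WordPress root (WP-CLI also searches parent directories).
# Per-command defaults: the key is the full command name, the values are its
# options. These four slugs are the ones the API returned HTTP 404 for in the
# transcript above (in-house packages the database does not know), so they are
# skipped rather than checked; an ignored package is never reported at all.
soter check-site:
  ignore: recaptcha-for-wp,terms-archive,wp-hashids,tf-child

soter check-plugins:
  ignore: recaptcha-for-wp,terms-archive,wp-hashids

soter check-themes:
  ignore: tf-child
```

Keep this list short and reviewed: every slug in it is a package that is never checked, so when an in-house plugin is later published (or replaced by one the database does track), remove it here so the check resumes.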