Data

Tools

Indexes

Applications

Experiments

Awesome

An open API service indexing awesome lists of open source software.

https://github.com/ssnepenthe/soter-command

WP-CLI command for checking a WordPress site against the WPScan Vulnerability Database.
https://github.com/ssnepenthe/soter-command

php vulnerability wordpress wp-cli-package wpscan-vulnerability-database wpvulndb

Last synced: 3 months ago
JSON representation

WP-CLI command for checking a WordPress site against the WPScan Vulnerability Database.

Awesome Lists containing this project

README 

        
ssnepenthe/soter-command

========================



Easily check your plugins, themes and core against the WPScan API from the command line.



## Installation



Installing this package requires WP-CLI v1.1 or greater. Update to the latest stable release with `wp cli update`.



Once you've done so, you can install this package with:



    wp package install [email protected]:ssnepenthe/soter-command.git



## Usage



The following commands are available:



```

wp soter check-plugin  [] [--format=] [--fields=]

wp soter check-plugins [--format=] [--fields=] [--ignore=]



wp soter check-site [--format=] [--fields=] [--ignore=]



wp soter check-theme  [] [--format=] [--fields=]

wp soter check-themes [--format=] [--fields=] [--ignore=]



wp soter check-wordpress  [--format=] [--fields=]

wp soter check-wordpresses [--format=] [--fields=] [--ignore=]

```



`` is the plugin or theme slug.



`` is the version string you wish to check.



`` can be any of `count`, `csv`, `ids`, `json`, `table` or `yaml` - default is `table`. If set to `ids`, it will print a space-separated list of vulnerability IDs as given by the WPScan API.



`` should be a comma-separated list of fields. Valid fields are `package_slug`, `package_type`, `package_version`, `id`, `title`, `created_at`, `updated_at`, `published_date`, `vuln_type`, `fixed_in` - default is `package_type,package_slug,title,vuln_type,fixed_in`.



`` should be a comma-separated list of installed package slugs that should not be checked.



## Examples



**Full site check formatted as a table**



```

vagrant@vvv:/srv/www/wordpress-default/public_html$ wp soter check-site



Checking 24 packages  100% [==============================================================================] 0:00 / 0:00

+--------------+----------------+---------------------------------------------------------------+------------+---------------+

| package_type | package_slug   | title                                                         | vuln_type  | fixed_in      |

+--------------+----------------+---------------------------------------------------------------+------------+---------------+

| plugin       | contact-form-7 | Contact Form 7 <= 3.7.1 - Security Bypass                     | AUTHBYPASS | 3.7.2         |

| plugin       | contact-form-7 | Contact Form 7 <= 3.5.2 - File Upload Remote Code Execution   | UPLOAD     | 3.5.3         |

| theme        | twentyfifteen  | Twenty Fifteen Theme <= 1.1 - DOM Cross-Site Scripting (XSS)  | XSS        | 1.2           |

| wordpress    | 475            | WordPress 2.3-4.7.5 - Host Header Injection in Password Reset | UNKNOWN    | NOT FIXED YET |

+--------------+----------------+---------------------------------------------------------------+------------+---------------+

```



**Plugin check: All versions of Contact Form 7 formatted as CSV**



```

vagrant@vvv:/srv/www/wordpress-default/public_html$ wp soter check-plugin contact-form-7 --format=csv

package_type,package_slug,title,vuln_type,fixed_in

plugin,contact-form-7,"Contact Form 7 <= 3.7.1 - Security Bypass",AUTHBYPASS,3.7.2

plugin,contact-form-7,"Contact Form 7 <= 3.5.2 - File Upload Remote Code Execution",UPLOAD,3.5.3

```



**Theme check: Version 1.1 of twentyfifteen, formatted as JSON, display title, vulnerability type and fixed in version**



```

vagrant@vvv:/srv/www/wordpress-default/public_html$ wp soter check-theme twentyfifteen 1.1 --format=json --fields=title,vuln_type,fixed_in

[{"title":"Twenty Fifteen Theme <= 1.1 - DOM Cross-Site Scripting (XSS)","vuln_type":"XSS","fixed_in":"1.2"}]

```



**WordPress check: Version 4.7.5, format as YAML, display id, title and fixed in version**



```

vagrant@vvv:/srv/www/wordpress-default/public_html$ wp soter check-wordpress 4.7.5 --format=yaml --fields=id,title,fixed_in

---

-

  id: 8807

  title: 'WordPress 2.3-4.7.5 - Host Header Injection in Password Reset'

  fixed_in: null

```



## Extending



A number of actions are available which allow plugins to implement custom behavior in response to individual checks (logging, notifications, etc.).



`soter_command_package_check_complete`: This action is triggered after every individual package has been checked. Callbacks receive a `Soter_Core\Vulnerabilities` object as the first param and a `Soter_Core\Response` object as the second.



`soter_command_{$command}_results`: This action is triggered within each command before the results are displayed. `$command` is the name of the command (check-plugin, check-themes, etc.) with `-` replaced with `_` (e.g. `soter_command_check_site_results`). Callbacks receive a `Soter_Core\Vulnerabilities` object.



## API Errors



It is recommended to occasionally run a full site check with `--debug=soter-command`.



This will notify you if you have received any error responses from the API:



```

vagrant@vvv:/srv/www/wordpress-default/public_html$ wp soter check-site --debug=soter-command

Checking 28 packages  3  % [===>                                                                                              ] 0:00 / 0:00

Debug: Error checking plugin recaptcha-for-wp: Non-200 status code received [HTTP 404] (1.279s)

Debug: Error checking plugin terms-archive: Non-200 status code received [HTTP 404] (1.282s)

Debug: Error checking plugin wp-hashids: Non-200 status code received [HTTP 404] (1.283s)

Debug: Error checking theme tf-child: Non-200 status code received [HTTP 404] (1.285s)

Checking 28 packages  100% [==================================================================================================] 0:00 / 0:00

+--------------+--------------+---------------------------------------------------------------+-----------+---------------+

| package_type | package_slug | title                                                         | vuln_type | fixed_in      |

+--------------+--------------+---------------------------------------------------------------+-----------+---------------+

| wordpress    | 482          | WordPress 2.3-4.8.2 - Host Header Injection in Password Reset | UNKNOWN   | NOT FIXED YET |

+--------------+--------------+---------------------------------------------------------------+-----------+---------------+

```



Possible errors include a non-200 status code, a non-JSON response body, an invalid JSON response body and a response that does not match the requested package.



Non-200 status codes tend to pop up for (but are not limited to) custom plugins and themes. When that is the case, they should be ignored via the `ignore` option via either the command line (e.g. `--ignore=comma,separated,slugs`) or by overriding the command defaults in `wp-cli.yml`.



It is unlikely that you will ever see any of the other errors, but if you do, please report them to the [WPScan team](https://wpvulndb.com/contact).