Changeset 2559208

Timestamp:

07/06/2021 10:04:03 AM (5 years ago)

Author:

ethicalhack3r

Message:

New 1.15.4 version release

Location:

wpscan

Files:

• tags/1.15.4 (copied) (copied from wpscan/trunk)
• tags/1.15.4/app/Plugin.php (modified) (3 diffs)
• tags/1.15.4/app/Settings.php (modified) (1 diff)
• tags/1.15.4/readme.txt (modified) (2 diffs)
• tags/1.15.4/security-checks/database-exports/check.php (modified) (1 diff)
• tags/1.15.4/security-checks/debuglog-files/check.php (modified) (1 diff)
• tags/1.15.4/security-checks/https/check.php (modified) (1 diff)
• tags/1.15.4/security-checks/secret-keys/check.php (modified) (1 diff)
• tags/1.15.4/security-checks/version-control/check.php (modified) (1 diff)
• tags/1.15.4/security-checks/weak-passwords/check.php (modified) (1 diff)
• tags/1.15.4/security-checks/wpconfig-backups/check.php (modified) (1 diff)
• tags/1.15.4/security-checks/xmlrpc-enabled/check.php (modified) (2 diffs)
• tags/1.15.4/views/report.php (modified) (1 diff)
• tags/1.15.4/wpscan.php (modified) (1 diff)
• trunk/app/Plugin.php (modified) (3 diffs)
• trunk/app/Settings.php (modified) (1 diff)
• trunk/readme.txt (modified) (2 diffs)
• trunk/security-checks/database-exports/check.php (modified) (1 diff)
• trunk/security-checks/debuglog-files/check.php (modified) (1 diff)
• trunk/security-checks/https/check.php (modified) (1 diff)
• trunk/security-checks/secret-keys/check.php (modified) (1 diff)
• trunk/security-checks/version-control/check.php (modified) (1 diff)
• trunk/security-checks/weak-passwords/check.php (modified) (1 diff)
• trunk/security-checks/wpconfig-backups/check.php (modified) (1 diff)
• trunk/security-checks/xmlrpc-enabled/check.php (modified) (2 diffs)
• trunk/views/report.php (modified) (1 diff)
• trunk/wpscan.php (modified) (1 diff)

wpscan/tags/1.15.4/app/Plugin.php

@@ -54 +54 @@
     public $plugin_dir = '';
 
-    // Plugin URI.
-    public $plugin_url = '';
-
     // Page.
     public $page_hook = 'toplevel_page_wpscan';
@@ -75 +72 @@
     public function __construct() {
         $this->plugin_dir = trailingslashit( str_replace( '\\', '/', dirname( WPSCAN_PLUGIN_FILE ) ) );
-        $this->plugin_url = site_url( str_replace( str_replace( '\\', '/', ABSPATH ), '', $this->plugin_dir ) );
 
         // Languages.
@@ -389 +385 @@
             'wpscan',
             array( $this->classes['report'], 'page' ),
-            $this->plugin_url . 'assets/svg/menu-icon.svg',
+            plugin_dir_url( dirname( __FILE__ ) ) . 'assets/svg/menu-icon.svg',
             null
         );

wpscan/tags/1.15.4/app/Settings.php

@@ -207 +207 @@
     public function page() {
         echo '<div class="wrap">';
-            echo '<h1><img src="' . $this->parent->plugin_url . 'assets/svg/logo.svg" alt="WPScan"></h1>';
+            echo '<h1><img src="' . plugin_dir_url( dirname( __FILE__ ) ) . 'assets/svg/logo.svg" alt="WPScan"></h1>';
 
             echo '<h2>' . __( 'Settings', 'wpscan' ) . '</h2>';

wpscan/tags/1.15.4/readme.txt

@@ -4 +4 @@
 Requires at least: 3.4
 Tested up to: 5.6
-Stable tag: 1.15.3
+Stable tag: 1.15.4
 Requires PHP: 5.5
 License: GPLv3
@@ -90 +90 @@
 
 == Changelog ==
+
+= 1.15.4 =
+* Fix images not loading on some hosted websites
+* Update remediation links
 
 = 1.15.3 =

wpscan/tags/1.15.4/security-checks/database-exports/check.php

@@ -74 +74 @@
 
                 if ( 200 === $code ) {
-                    $this->add_vulnerability( __( 'A publicly accessible database file  was found in', 'wpscan' ) . " <a href='$url' target='_blank'>$url</a>.", 'high', sanitize_title( $name ), 'https://blog.wpscan.com/2021/01/28/wordpress-database-backup-files.html' );
+                    $this->add_vulnerability( __( 'A publicly accessible database file  was found in', 'wpscan' ) . " <a href='$url' target='_blank'>$url</a>.", 'high', sanitize_title( $name ), 'https://blog.wpscan.com/wordpress-database-backup-files/' );
                 }
             }

wpscan/tags/1.15.4/security-checks/debuglog-files/check.php

@@ -69 +69 @@
 
             if ( 200 === $code ) {
-                $this->add_vulnerability( __( 'A publicly accessible debug.log file was found in', 'wpscan' ) . " <a href='$url' target='_blank'>$url</a>", 'high', sanitize_title( $file ), 'https://blog.wpscan.com/2021/03/18/wordpress-debug-log-files.html' );
+                $this->add_vulnerability( __( 'A publicly accessible debug.log file was found in', 'wpscan' ) . " <a href='$url' target='_blank'>$url</a>", 'high', sanitize_title( $file ), 'https://blog.wpscan.com/wordpress-debug-log-files/' );
             }
         }

wpscan/tags/1.15.4/security-checks/https/check.php

@@ -67 +67 @@
     if ( 'https' !== substr( $wp_url, 0, 5 ) || 'https' !== substr( $site_url, 0, 5 ) ) {
       // No HTTPS used.
-      $this->add_vulnerability( __( 'The website does not seem to be using HTTPS (SSL/TLS) encryption for communications.', 'wpscan' ), 'high', 'https', 'https://blog.wpscan.com/2021/03/23/wordpress-ssl-tls-https.html' );
+      $this->add_vulnerability( __( 'The website does not seem to be using HTTPS (SSL/TLS) encryption for communications.', 'wpscan' ), 'high', 'https', 'https://blog.wpscan.com/wordpress-ssl-tls-https-encryption/' );
     }
   }

wpscan/tags/1.15.4/security-checks/secret-keys/check.php

@@ -65 +65 @@
         foreach ( $keys as $key ) {
             if ( defined( $key ) && constant( $key ) === 'put your unique phrase here' ) {
-                $this->add_vulnerability( __( 'The ' . esc_html( $key ) . ' secret key in the wp-config.php file was the default key. It should be changed to a random value using', 'wpscan' ) . " <a href='https://api.wordpress.org/secret-key/1.1/salt/' target='_blank'>https://api.wordpress.org/secret-key/1.1/salt/</a>.", 'high', sanitize_title( $key ), 'https://blog.wpscan.com/2021/03/23/wordpress-secret-keys.html' );
+                $this->add_vulnerability( __( 'The ' . esc_html( $key ) . ' secret key in the wp-config.php file was the default key. It should be changed to a random value using', 'wpscan' ) . " <a href='https://api.wordpress.org/secret-key/1.1/salt/' target='_blank'>https://api.wordpress.org/secret-key/1.1/salt/</a>.", 'high', sanitize_title( $key ), 'https://blog.wpscan.com/wordpress-secret-keys/' );
             }
         }

wpscan/tags/1.15.4/security-checks/version-control/check.php

@@ -71 +71 @@
 
                 if ( 200 === $code ) {
-                    $this->add_vulnerability( __( 'A publicly accessible ' . esc_html( $file ) . ' file was found. The file could expose your websites\'s source code.', 'wpscan' ), 'high', sanitize_title( $file ), 'https://blog.wpscan.com/2021/03/23/wordpress-version-control-files.html' );
+                    $this->add_vulnerability( __( 'A publicly accessible ' . esc_html( $file ) . ' file was found. The file could expose your websites\'s source code.', 'wpscan' ), 'high', sanitize_title( $file ), 'https://blog.wpscan.com/wordpress-version-control-files/' );
                 }
             }

wpscan/tags/1.15.4/security-checks/weak-passwords/check.php

@@ -91 +91 @@
         }
 
-        $this->add_vulnerability( $text, 'high', 'weak-passwords', 'https://blog.wpscan.com/wpscan/2019/09/17/wpscan-brute-force.html' );
+        $this->add_vulnerability( $text, 'high', 'weak-passwords', 'https://blog.wpscan.com/wpscan-brute-force/' );
     }
   }

wpscan/tags/1.15.4/security-checks/wpconfig-backups/check.php

@@ -74 +74 @@
 
                 if ( 200 === $code ) {
-                    $this->add_vulnerability( __( 'A publicly accessible wp-config.php backup file  was found in', 'wpscan' ) . " <a href='$url' target='_blank'>$url</a>.", 'high', sanitize_title( $path ), 'https://blog.wpscan.com/2021/04/01/wordpress-wp-config-backup-file.html' );
+                    $this->add_vulnerability( __( 'A publicly accessible wp-config.php backup file  was found in', 'wpscan' ) . " <a href='$url' target='_blank'>$url</a>.", 'high', sanitize_title( $path ), 'https://blog.wpscan.com/wordpress-configuration-file-backups/' );
                 }
             }

wpscan/tags/1.15.4/security-checks/xmlrpc-enabled/check.php

@@ -76 +76 @@
         } else {
             if ( preg_match( '/<string>Incorrect username or password.<\/string>/', $authenticated_response['body'] ) ) {
-                $this->add_vulnerability( __( 'The XML-RPC interface is enabled. This significantly increases your site\'s attack surface.', 'wpscan' ), 'medium', sanitize_title( $url ), 'https://blog.wpscan.com/2021/01/25/wordpress-xmlrpc-security.html' );
+                $this->add_vulnerability( __( 'The XML-RPC interface is enabled. This significantly increases your site\'s attack surface.', 'wpscan' ), 'medium', sanitize_title( $url ), 'https://blog.wpscan.com/is-wordpress-xmlrpc-a-security-problem/' );
                 return;
             } else {
@@ -84 +84 @@
 
                 if ( preg_match( '/<string>Hello!<\/string>/', $unauthenticated_response['body'] ) ) {
-                    $this->add_vulnerability( __( 'The XML-RPC interface is partly disabled, but still allows unauthenticated requests.', 'wpscan' ), 'low', sanitize_title( $url ), 'https://blog.wpscan.com/2021/01/25/wordpress-xmlrpc-security.html' );
+                    $this->add_vulnerability( __( 'The XML-RPC interface is partly disabled, but still allows unauthenticated requests.', 'wpscan' ), 'low', sanitize_title( $url ), 'https://blog.wpscan.com/is-wordpress-xmlrpc-a-security-problem/' );
                 }
             }

wpscan/tags/1.15.4/views/report.php

@@ -9 +9 @@
 <div class="wrap">
   <h1>
-    <?php echo file_get_contents($this->parent->plugin_dir. 'assets/svg/logo.svg'); ?>
+    <?php echo file_get_contents( plugin_dir_url( dirname( __FILE__ ) ) . 'assets/svg/logo.svg'); ?>
   </h1>
   

wpscan/tags/1.15.4/wpscan.php

@@ -4 +4 @@
  * Plugin URI:    http://wordpress.org/plugins/wpscan/
  * Description:   WPScan WordPress Security Scanner. Scans your system for security vulnerabilities listed in the WPScan Vulnerability Database.
- * Version:       1.15.3
+ * Version:       1.15.4
  * Author:        WPScan Team
  * Author URI:    https://wpscan.com/

wpscan/trunk/app/Plugin.php

@@ -54 +54 @@
     public $plugin_dir = '';
 
-    // Plugin URI.
-    public $plugin_url = '';
-
     // Page.
     public $page_hook = 'toplevel_page_wpscan';
@@ -75 +72 @@
     public function __construct() {
         $this->plugin_dir = trailingslashit( str_replace( '\\', '/', dirname( WPSCAN_PLUGIN_FILE ) ) );
-        $this->plugin_url = site_url( str_replace( str_replace( '\\', '/', ABSPATH ), '', $this->plugin_dir ) );
 
         // Languages.
@@ -389 +385 @@
             'wpscan',
             array( $this->classes['report'], 'page' ),
-            $this->plugin_url . 'assets/svg/menu-icon.svg',
+            plugin_dir_url( dirname( __FILE__ ) ) . 'assets/svg/menu-icon.svg',
             null
         );

wpscan/trunk/app/Settings.php

@@ -207 +207 @@
     public function page() {
         echo '<div class="wrap">';
-            echo '<h1><img src="' . $this->parent->plugin_url . 'assets/svg/logo.svg" alt="WPScan"></h1>';
+            echo '<h1><img src="' . plugin_dir_url( dirname( __FILE__ ) ) . 'assets/svg/logo.svg" alt="WPScan"></h1>';
 
             echo '<h2>' . __( 'Settings', 'wpscan' ) . '</h2>';

wpscan/trunk/readme.txt

@@ -4 +4 @@
 Requires at least: 3.4
 Tested up to: 5.6
-Stable tag: 1.15.3
+Stable tag: 1.15.4
 Requires PHP: 5.5
 License: GPLv3
@@ -90 +90 @@
 
 == Changelog ==
+
+= 1.15.4 =
+* Fix images not loading on some hosted websites
+* Update remediation links
 
 = 1.15.3 =

wpscan/trunk/security-checks/database-exports/check.php

@@ -74 +74 @@
 
                 if ( 200 === $code ) {
-                    $this->add_vulnerability( __( 'A publicly accessible database file  was found in', 'wpscan' ) . " <a href='$url' target='_blank'>$url</a>.", 'high', sanitize_title( $name ), 'https://blog.wpscan.com/2021/01/28/wordpress-database-backup-files.html' );
+                    $this->add_vulnerability( __( 'A publicly accessible database file  was found in', 'wpscan' ) . " <a href='$url' target='_blank'>$url</a>.", 'high', sanitize_title( $name ), 'https://blog.wpscan.com/wordpress-database-backup-files/' );
                 }
             }

wpscan/trunk/security-checks/debuglog-files/check.php

@@ -69 +69 @@
 
             if ( 200 === $code ) {
-                $this->add_vulnerability( __( 'A publicly accessible debug.log file was found in', 'wpscan' ) . " <a href='$url' target='_blank'>$url</a>", 'high', sanitize_title( $file ), 'https://blog.wpscan.com/2021/03/18/wordpress-debug-log-files.html' );
+                $this->add_vulnerability( __( 'A publicly accessible debug.log file was found in', 'wpscan' ) . " <a href='$url' target='_blank'>$url</a>", 'high', sanitize_title( $file ), 'https://blog.wpscan.com/wordpress-debug-log-files/' );
             }
         }

wpscan/trunk/security-checks/https/check.php

@@ -67 +67 @@
     if ( 'https' !== substr( $wp_url, 0, 5 ) || 'https' !== substr( $site_url, 0, 5 ) ) {
       // No HTTPS used.
-      $this->add_vulnerability( __( 'The website does not seem to be using HTTPS (SSL/TLS) encryption for communications.', 'wpscan' ), 'high', 'https', 'https://blog.wpscan.com/2021/03/23/wordpress-ssl-tls-https.html' );
+      $this->add_vulnerability( __( 'The website does not seem to be using HTTPS (SSL/TLS) encryption for communications.', 'wpscan' ), 'high', 'https', 'https://blog.wpscan.com/wordpress-ssl-tls-https-encryption/' );
     }
   }

wpscan/trunk/security-checks/secret-keys/check.php

@@ -65 +65 @@
         foreach ( $keys as $key ) {
             if ( defined( $key ) && constant( $key ) === 'put your unique phrase here' ) {
-                $this->add_vulnerability( __( 'The ' . esc_html( $key ) . ' secret key in the wp-config.php file was the default key. It should be changed to a random value using', 'wpscan' ) . " <a href='https://api.wordpress.org/secret-key/1.1/salt/' target='_blank'>https://api.wordpress.org/secret-key/1.1/salt/</a>.", 'high', sanitize_title( $key ), 'https://blog.wpscan.com/2021/03/23/wordpress-secret-keys.html' );
+                $this->add_vulnerability( __( 'The ' . esc_html( $key ) . ' secret key in the wp-config.php file was the default key. It should be changed to a random value using', 'wpscan' ) . " <a href='https://api.wordpress.org/secret-key/1.1/salt/' target='_blank'>https://api.wordpress.org/secret-key/1.1/salt/</a>.", 'high', sanitize_title( $key ), 'https://blog.wpscan.com/wordpress-secret-keys/' );
             }
         }

wpscan/trunk/security-checks/version-control/check.php

@@ -71 +71 @@
 
                 if ( 200 === $code ) {
-                    $this->add_vulnerability( __( 'A publicly accessible ' . esc_html( $file ) . ' file was found. The file could expose your websites\'s source code.', 'wpscan' ), 'high', sanitize_title( $file ), 'https://blog.wpscan.com/2021/03/23/wordpress-version-control-files.html' );
+                    $this->add_vulnerability( __( 'A publicly accessible ' . esc_html( $file ) . ' file was found. The file could expose your websites\'s source code.', 'wpscan' ), 'high', sanitize_title( $file ), 'https://blog.wpscan.com/wordpress-version-control-files/' );
                 }
             }

wpscan/trunk/security-checks/weak-passwords/check.php

@@ -91 +91 @@
         }
 
-        $this->add_vulnerability( $text, 'high', 'weak-passwords', 'https://blog.wpscan.com/wpscan/2019/09/17/wpscan-brute-force.html' );
+        $this->add_vulnerability( $text, 'high', 'weak-passwords', 'https://blog.wpscan.com/wpscan-brute-force/' );
     }
   }

wpscan/trunk/security-checks/wpconfig-backups/check.php

@@ -74 +74 @@
 
                 if ( 200 === $code ) {
-                    $this->add_vulnerability( __( 'A publicly accessible wp-config.php backup file  was found in', 'wpscan' ) . " <a href='$url' target='_blank'>$url</a>.", 'high', sanitize_title( $path ), 'https://blog.wpscan.com/2021/04/01/wordpress-wp-config-backup-file.html' );
+                    $this->add_vulnerability( __( 'A publicly accessible wp-config.php backup file  was found in', 'wpscan' ) . " <a href='$url' target='_blank'>$url</a>.", 'high', sanitize_title( $path ), 'https://blog.wpscan.com/wordpress-configuration-file-backups/' );
                 }
             }

wpscan/trunk/security-checks/xmlrpc-enabled/check.php

@@ -76 +76 @@
         } else {
             if ( preg_match( '/<string>Incorrect username or password.<\/string>/', $authenticated_response['body'] ) ) {
-                $this->add_vulnerability( __( 'The XML-RPC interface is enabled. This significantly increases your site\'s attack surface.', 'wpscan' ), 'medium', sanitize_title( $url ), 'https://blog.wpscan.com/2021/01/25/wordpress-xmlrpc-security.html' );
+                $this->add_vulnerability( __( 'The XML-RPC interface is enabled. This significantly increases your site\'s attack surface.', 'wpscan' ), 'medium', sanitize_title( $url ), 'https://blog.wpscan.com/is-wordpress-xmlrpc-a-security-problem/' );
                 return;
             } else {
@@ -84 +84 @@
 
                 if ( preg_match( '/<string>Hello!<\/string>/', $unauthenticated_response['body'] ) ) {
-                    $this->add_vulnerability( __( 'The XML-RPC interface is partly disabled, but still allows unauthenticated requests.', 'wpscan' ), 'low', sanitize_title( $url ), 'https://blog.wpscan.com/2021/01/25/wordpress-xmlrpc-security.html' );
+                    $this->add_vulnerability( __( 'The XML-RPC interface is partly disabled, but still allows unauthenticated requests.', 'wpscan' ), 'low', sanitize_title( $url ), 'https://blog.wpscan.com/is-wordpress-xmlrpc-a-security-problem/' );
                 }
             }

wpscan/trunk/views/report.php

@@ -9 +9 @@
 <div class="wrap">
   <h1>
-    <?php echo file_get_contents($this->parent->plugin_dir. 'assets/svg/logo.svg'); ?>
+    <?php echo file_get_contents( plugin_dir_url( dirname( __FILE__ ) ) . 'assets/svg/logo.svg'); ?>
   </h1>
   

wpscan/trunk/wpscan.php

@@ -4 +4 @@
  * Plugin URI:    http://wordpress.org/plugins/wpscan/
  * Description:   WPScan WordPress Security Scanner. Scans your system for security vulnerabilities listed in the WPScan Vulnerability Database.
- * Version:       1.15.3
+ * Version:       1.15.4
  * Author:        WPScan Team
  * Author URI:    https://wpscan.com/