Wordstress a whitebox CVE scanner for WordPress

a better whitebox scanner is found in a more recent post of mine

A.k.a. WordPress security monitoring 2. In my previous article about worpress vulnerability monitoring the tool wpscan was used. This tool is a black box scanner, which gave us too much false positives and generated a great deal of load on our server which is somewhat a waste of resources. So I went searching for a whitebox scanner to have better results and to make more efficient use of server resources. In this quest I stumbled upon Wordstress.

It came to me as a surprise that this tool isn’t actively used or downloaded. Which is a pity. I think Wordstress is greatly undervalued, because it adresses some issues which are fundamental if you take WordPress security seriously. Let me explain why by explaining the architecture, which will imply the benefits.

The Wordstress project consists of two parts:

– A WordPress plugin which exposes versions for (core, plugins and themes). Only viewable with a certain key through a GET request.
– The Wordstress Ruby gem, wich fetches all versions from the installed plugin (so you can scan remotely). The found versions are checked against the online WordPress CVE database (https://wpvulndb.com)
Console output of the ruby gem:

mdekrijger@knutsel:~/Projects/wordstress/lib$ wordstress -k 31fa45ebbc3f13ac38b0d832a29d179010dfa327 https://mysite.nl
+--------------------+-----------------------------+
| Scan summary |
+--------------------+-----------------------------+
| Wordstress version | 0.72.0 |
| Scan started | 2016-05-27 10:27:06 +0200 |
| Scan duration | 1.706 sec |
| Target | https://mysite.nl:443 |
| WordPress version | 4.5.2 |
| Scan status | Scan completed successfully |
+--------------------+-----------------------------+
+-------------------+-----------+
| Vulnerabilities found |
+-------------------+-----------+
| WordPress version | 0 |
| Plugins installed | 0 |
| Themes installed | 0 |
+-------------------+-----------+

If you cron the check, and report the output (mail, monitoring tool, chat), you’re automatically reported of new vulnerabilities in your site. We added our output to a Grafana dashboard, displaying the numer of vulnerabilitis for every of our WordPress setup.

Recently I forked the gem and updated it to use the new API v2 from wpvulndb.com and implemented some extra output methods (like Nagios with appropiate exit codes). Also did some bugfixes which adds https support and improvements on error messaging. Adding new features wasn’t that hard, so please commit your missing features as a PR’s to https://github.com/thesp0nge/wordstress Paolo will be happy to merge them.

I don’t have exact numbers here, but the majority of hacks worldwide are due to outdated software. This is why Wordstress is so important, which adresses this problem. Instead many people prefer to use only a WAF plugin like Sucuri or Ithemes. Don’t get me wrong, these tools are very helpful, and I think you should use a WAF in some way, but it doesn’t address the core problem. Good security always starts with updating software.

2 thoughts on “Wordstress a whitebox CVE scanner for WordPress

Leave a Reply

Your email address will not be published. Required fields are marked *