• Resolved SickSquirrel

    (@sicksquirrel)


    [ Moderator note: moved to Fixing WordPress. ]

    I checked error logs on one domain. Numerous attempts to exploit files are logged.

    Is there somewhere I can report potential exploited files in WordPress and plugins and themes? Some are just file names but others have numbers, i.e. samplepostforwpo.php=37901367333076

    Some are disconcerting as they target important files.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Moderator t-p

    (@t-p)

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Generally, anyone who looks at their logs will see such things. So don’t worry too much about it. Be assured that the big security vendors are running numerous honeypots to record these behaviors.

    You can install something like Wordfence and enable its application firewall to block some of them.

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    That information won’t be enough for the security team to take action or investigate whether there is a vulnerability. I wouldn’t recommend reporting it.

    Thread Starter SickSquirrel

    (@sicksquirrel)

    Hm, okay. I just thought if 236 IPs tried to get into a file, the vulnerability may be real. I have WordFence and Sucuri. At times it blocks the IP. Other times one IP tries 50 times.

    If I see them trying to exploit wp-cron, Akismet, or other files, I’ll ignore it. Right now I have six sites to check and see what they are looking for. Too many plugins seem exploitable.

    If they turn out to be exploitable, I’ll know I tried.

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Generally, they’re probing for un-updated stuff. See what plugins/themes they’re going after and check https://wpvulndb.com/
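
    To make "see what plugins/themes they're going after" concrete, here is an added Python example; it is not code from the thread, WordPress, Wordfence or Sucuri. It reads access log lines in the common Apache/nginx "combined" format, groups probes by normalised path (query strings and malformed `=...` suffixes like the one quoted above stripped off), counts distinct source IPs per path, pulls out the plugin and theme slugs to look up in a vulnerability database, and separates probes that hit a file actually served by the site (non-error status) from ones that only produced 404s. The log lines, IP addresses and slugs (`examplefoo`, `exampletheme`) are constructed for the example.

```python
"""Summarise exploit probes from a web server access log.

Added example for this thread, not code from WordPress, Wordfence or Sucuri.
Assumes the Apache/nginx "combined" log format. The sample lines, IPs and
slugs below are constructed for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2018:12:00:01 +0000] "GET /wp-content/plugins/examplefoo/samplepostforwpo.php=37901367333076 HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.6 - - [10/Mar/2018:12:00:02 +0000] "GET /wp-content/plugins/examplefoo/samplepostforwpo.php?x=1 HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2018:12:00:03 +0000] "POST /wp-content/plugins/examplefoo/samplepostforwpo.php HTTP/1.1" 404 209 "-" "curl/7.58"',
    '198.51.100.7 - - [10/Mar/2018:12:00:04 +0000] "GET /wp-cron.php?doing_wp_cron HTTP/1.1" 200 0 "-" "WordPress/4.9"',
    '192.0.2.9 - - [10/Mar/2018:12:00:05 +0000] "GET /wp-content/themes/exampletheme/example-uploader.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Mar/2018:12:00:06 +0000] "GET /wp-content/themes/exampletheme/example-uploader.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Mar/2018:12:00:07 +0000] "GET /wp-login.php HTTP/1.1" 200 2541 "-" "Mozilla/5.0"',
]

# Client IP, request target and status code from a "combined"-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
# Plugin or theme slug from a path under wp-content.
COMPONENT_RE = re.compile(r'^/wp-content/(plugins|themes)/([^/]+)/')


@dataclass
class PathStats:
    hits: int = 0
    ips: set = field(default_factory=set)
    statuses: Counter = field(default_factory=Counter)

    @property
    def reached(self):
        # A non-error status means the path resolved to something actually
        # on the site; 404-only means the probe hit nothing.
        return any(code < 400 for code in self.statuses)


def normalize_path(target):
    """Drop the query string and any malformed '=...' suffix so variants of
    one probe (e.g. samplepostforwpo.php=37901367333076) group together."""
    return urlsplit(target).path.split('=', 1)[0]


def parse_line(line):
    """Return (ip, normalised path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m['ip'], normalize_path(m['target']), int(m['status'])


def summarize(lines):
    """Aggregate hits, distinct IPs and status codes per normalised path."""
    stats = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # tolerate lines in another format
        ip, path, status = parsed
        s = stats.setdefault(path, PathStats())
        s.hits += 1
        s.ips.add(ip)
        s.statuses[status] += 1
    return stats


def component(path):
    """'plugin:slug' or 'theme:slug' for a wp-content path, else None."""
    m = COMPONENT_RE.match(path)
    return f"{m.group(1)[:-1]}:{m.group(2)}" if m else None


def probed_components(stats):
    """Plugin/theme slugs the probes were aimed at: the names to look up."""
    return {c for c in map(component, stats) if c}


def triage(stats, min_ips=2):
    """Paths probed from several distinct IPs that are actually present on
    the site (served with a non-error status) and so deserve a closer look."""
    return sorted(
        path for path, s in stats.items()
        if len(s.ips) >= min_ips and s.reached
    )


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for path, s in sorted(stats.items(), key=lambda kv: -len(kv[1].ips)):
        served = "served" if s.reached else "404 only"
        print(f"{len(s.ips):>4} ips {s.hits:>4} hits {served:<9} {path}")
    print("components to check:", sorted(probed_components(stats)))
    print("present and widely probed:", triage(stats))
```

Run it over a real access log with `summarize(open("access.log"))`. The distinction `triage` draws matters for the worry raised in this thread: a path that only ever returns 404 is a probe for something the site does not have, whereas a file that many distinct IPs request and the server actually serves is installed and is the one whose plugin or theme should be checked against a vulnerability database and updated or removed.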

    pluginvulnerabilities

    (@pluginvulnerabilities)

    A lot of those attempts are trying to exploit malicious code that might be on a website due to another attack, so they wouldn’t be of any use in terms of protecting against vulnerabilities in the WordPress core, plugins, or themes.

    As for the claim of numerous honeypots at big security vendors to record these behaviors, they either don’t exist or they are not useful in catching many vulnerabilities being exploited in the current versions of WordPress plugins at the very least, as we are the only ones that are spotting many of those vulnerabilities. It isn’t that we are just faster at spotting them and making sure that something is done about them, since before we started doing that there were many not being spotted, as we have found vulnerabilities that existed in the current version of plugins that hackers were likely exploiting for a year or more before we started doing that. It would probably be good for WordPress to start monitoring for that type of activity, since relying on a single company to do that is far from ideal.

    As for the claim that the probing is for un-updated stuff, it would be great if that was true as well, but in many cases it isn’t. We are currently seeing a lot of probing for plugins from a set of intentionally malicious plugins that were in the Plugin Directory several years ago. Since they were intentionally malicious, they were never going to get fixed by the developer and WordPress hasn’t fixed them in the years since they were discovered, so anyone still using them (and there are websites still using at least some of them recently) is open to being exploited.

    As for the data on wpvulndb.com, it is important to note that there are a lot of known vulnerabilities that are not included in their data, so just checking there won’t provide a full listing of vulnerabilities that have existed in a plugin. Also the vulnerabilities are not tested when added to their data, so among other issues, the vulnerability might be listed as being fixed in a certain version despite that not being true. So when looking at their data you should double check that the vulnerability has actually been fixed or use a data source that actually does that checking for you.

  • The topic ‘Exploit Attempts’ is closed to new replies.