• Resolved John

    (@dsl225)


    Hello,

    Site scan on WP sites running on version 6.1.1 is generating this vulnerability:

    WP <= 6.1.1 – Unauthenticated Blind SSRF via DNS Rebinding

    with this reference that seems to be old news.

    Is this an error?

Viewing 15 replies - 1 through 15 (of 45 total)
  • I’m wondering about this as well — I just got the same warnings.

    It also appears from the linked article that this vulnerability can be mitigated by disabling XML-RPC and/or turning off pingbacks, which seems like it would be good information to include with such a blood pressure-raising warning.

    Thread Starter John

    (@dsl225)

    @ate-up-with-motor

    All those sites I’m getting this alert at have XML-RPC disabled and pingbacks are off. But still getting the alert.

    This false-positive just started occurring last night on all of the sites I manage as well. Both free version and Pro / Paid version. Regardless of the fact that on most I have XMLRPC and Pingbacks / Trackbacks disabled, doesn’t matter – iThemes thinks the latest version of WordPress 6.1.1 is vulnerable. Crazy.

    @anotherdave The source is Sonar Blog. Security blogs love to make headlines like this. They filed a CVE on this existing issue which core has known about for years, and now it’s a thing.

    @atxmatt – Thanks for the tip! Although the question is – why would iThemes Security PRO (Paid) be using them as their source and generating all of these false alarms?

    @anotherdave Glad to help where I can. iThemes Security doesn’t use this blog as a source; the blog is a reference to who filed the CVE, so you can rest easy.

    I’m no security extraordinaire, but you can use your preferred search engine to learn more about how CVEs are submitted.

    FWIW According to the iThemes Security Pro Site Scan page:

    Your website’s plugins, themes, and WordPress core versions are checked against the WPScan Vulnerability Database for the latest vulnerability disclosures.

    Powered by the most comprehensive vulnerability database available
    iThemes Security checks your site for known vulnerabilities to alert you to potential problems before hackers can find them. We partner with expert security researchers at WPScan that curate a database of over 30,000 vulnerabilities so you’ll always be the first to know, and the first to take action.

    So let’s head over to the WPScan WordPress vulnerabilities page.

    Yup, there it’s listed since Dec 13th. Definitely not a false positive.
    Severity score: 5.4 (Medium).

    My guess is the iTSec (Pro) plugin Site Scan feature will continue to alert you about this WordPress core vulnerability until a WordPress security fix (>6.1.1) is made available AND applied to your WordPress install.

    The Site Scan feature is unaware of whether XMLRPC/pingbacks is disabled or not on your site.
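    The mitigation mentioned earlier in the thread (turning off XML-RPC and pingbacks) as a small must-use plugin. This is an added example, not code from the thread or from iThemes; it uses only standard WordPress hooks. One caveat worth knowing: the `xmlrpc_enabled` filter only blocks methods that require a login, and `pingback.ping` does not, so the pingback methods have to be removed separately.

    ```php
    <?php
    /**
     * Plugin Name: Disable pingbacks and XML-RPC (example mu-plugin)
     * Save as wp-content/mu-plugins/disable-pingbacks.php so it loads
     * before any theme or regular plugin code.
     */

    // Refuse XML-RPC methods that authenticate. This alone does NOT stop
    // pingback.ping, because that method never calls login().
    add_filter( 'xmlrpc_enabled', '__return_false' );

    // Remove the pingback methods from the XML-RPC server, so an incoming
    // pingback.ping gets a "method not supported" fault instead of making
    // the server fetch the supplied URL.
    add_filter( 'xmlrpc_methods', function ( array $methods ): array {
        unset(
            $methods['pingback.ping'],
            $methods['pingback.extensions.getPingbacks']
        );
        return $methods;
    } );

    // Stop advertising the endpoint in the X-Pingback response header.
    add_filter( 'wp_headers', function ( array $headers ): array {
        unset( $headers['X-Pingback'] );
        return $headers;
    } );

    // Treat pings as closed on every post, regardless of per-post settings.
    add_filter( 'pings_open', '__return_false' );

    // Also stop this site from sending pingbacks to other sites.
    add_action( 'pre_ping', function ( array &$links ): void {
        $links = array();
    } );
    ```

    After installing it, a POST to /xmlrpc.php calling `pingback.ping` should return an XML-RPC fault rather than a success or a "source URI" error, which is a quick way to confirm the methods are gone even though the scanner cannot see that.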

    iThemes released a blog post pertaining to this CVE. https://ithemes.com/blog/unpatched-vulnerability-in-wordpress-core/

    Hi WordPress,

    Are you working on this? My customers are freaking out!

    As far as I can see, the free plugin supported here doesn’t provide any option to mute the notification, and it sounds like the WordPress core team doesn’t consider this a priority, so… users of the free version of the iThemes Security plugin will just have to put up with getting this notification (of a vulnerability that doesn’t affect anyone who’s turned off XML-RPC) indefinitely, with no way to mute it or resolve it?

    This seems like bad security culture, frankly.

    Thread Starter John

    (@dsl225)

    @ate-up-with-motor

    In fact, muting does work with the free version and I had the same problem as you until I found out how it does work…

    If you follow the instructions here you won’t see the “mute” link for a couple of seconds and you need to wait a while until it shows up. Some kind of protection for people that click anywhere without reading labels I guess.

    John, the mute link doesn’t appear for me on iThemes free.
    I have no choice than to disable scheduled site scans.
    Our department will be flooded with these notifications otherwise.
    Thanks for starting the topic. The information helped.

    Thread Starter John

    (@dsl225)

    It seems I posted a wrong link in my previous message and it has been edited by mods.

    Here is the correct one and you have to scroll down a bit for the “mute” section:
    https://help.ithemes.com/hc/en-us/articles/360046334433-iThemes-Security-Pro-Site-Scanner

    @mastermessengers – are you sure you waited enough for the “mute” link to appear as shown here? Otherwise, read the chapter below explaining the reasons why it doesn’t display.

    @john,

    Yes, I waited for a few minutes. Tried 3 Browsers as well.
    SSL is definitely implemented, enabled and active and “forced” in iThemes as well.
    Until they release a fix, I will keep the scheduled scans disabled.

    Thanks,

    @dsl225 Ahh, I see what you’re saying. I was able to get it to work this time. Thanks!

  • The topic ‘Site scan reports WP 6.1.1 vulnerability’ is closed to new replies.