Site scan reports WP 6.1.1 vulnerability
-
Hello,
Site scan on WP sites running on version 6.1.1 is generating this vulnerability:
WP <= 6.1.1 – Unauthenticated Blind SSRF via DNS Rebinding
with this reference that seems to be old news.
Is this an error?
-
Hi @terry777,
If you don’t want the Site Scan notification to be send twice a day and you cannot mute the security vulnerability (for whatever reason), you can (temporarily) disable the Site Scan notification:
Security > Settings > NOTIFICATIONS > Site Scan Results
If currently ticked, untick the Enabled checkbox and click on the blue Save All button. Note after this you are also no longer automatically notified of any other detected security vulnerabilities resulting from the Site Scan. However the Site Scan continues to run twice a day and site scan results continue to be logged.
- This reply was modified 1 year, 11 months ago by nlpro.
@anotherdave Thanks for the info. This is crazy. There should be an better way for the plugin to handle this. I feel for you.
@nlpro Thanks. This is so annoying. The owner of several websites is getting notifications every time any one of these messages is sent. In the plugin settings, I’m the only one who is supposed to be getting them. I just tried to change the scan settings, but now my host’s firewall is locking me out from doing that. I think I may have to pursue an alternate plugin to iThemes. This is too annoying.
I am another user who cant see the ‘Mute’ button for iThemes free. All SSL certificates are valid, no browser plugins are blocking anything related to the sites yet I am getting the nag across all sites.
I have disabled the ‘Site Check’ feature as its “broken” in the FREE version. Also I noticed that you cant clear your log so after a while your database will be clogged up. Not a good start.
FIX it iThemes team!!!!!Hi @poppydev,
Are you referring with “the nag” to the Site Scan notification email ?
(I’m specifically asking this because there is another type of notification. It’s an alert in the Security Admin Messages).
Also I noticed that you cant clear your log so after a while your database will be clogged up.
When installed and activated the iTSec plugin creates a cron task (purge-log-entries) that maintains the log on a daily basis. By default the iTSec plugin keeps log data for (the last) 60 days. Log purging/maintenance is controlled by the DAYS TO KEEP DATABASE LOGS setting:
Security > Settings > CONFIGURE (Global Settings) -> Logging section
+++++ To prevent any confusion, I’m not iThemes +++++
I’m betting folks who are not seeing the Mute button don’t have the site fully secured. An SSL may be installed but more than likely, a search/replace needs to be performed to update any lingering URLs not using HTTPS. This is a super common issue and something that’s seen at WP Engine ALL the time.
P.S. You can make an email label or new inbox to redirect the emails. They’ll be out of site, but the paper trail will still be available if needed.How is this resolved?
Does WordPress plan on fixing this
Hi @edavis711,
Your question is more likely to be answered in the Fixing WordPress forum. Quickly reading through the last 5 pages I noticed others have already opened topics about this subject.
Hi @nlpro,
I have already made the suggested changes to all of my sites, however, I put in a bug report with WP to see if they were working on this and got a great response, pretty much the same as what has been posted already, but it appears they are working on it:
Comment (by samiamnot): The issue is rated as a medium severity issue. It seemingly requires a vulnerability chain (unless there is another vulnerability to chain together, it is not exploitable). I am sure that the WP developers are actively working on a fix. See https://nvd.nist.gov/vuln/detail/CVE-2022-3590. If you are nervous, the vulnerability is in [https://codex.www.ads-software.com/XML-RPC_Support WordPress XML-RPC] and you can turn it off via a number of [https://www.ads-software.com/plugins/search/xml-rpc/ WordPress plugins]. -- Ticket URL: <https://core.trac.www.ads-software.com/ticket/57363#comment:3> WordPress Trac <https://core.trac.www.ads-software.com/> WordPress publishing platform
Hi @edavis711,
Ah great, thank you for sharing that info with the community ??
WP <= 6.1.1 – Unauthenticated Blind SSRF via DNS Rebinding
getting this issue from last one week
and this error
Module
File Change
Type
Warning
Description11947 Added, 0 Removed, 0 Changed
File Change Warning
A file (or files) on your site have been changed. Please review the report below to verify changes are not the result of a compromise.
Scan SummaryAdded10Removed0Modified2
Does anyone have an answer to when this will be overcome? I host a bunch of WP sites and use Plesk. On the WP Toolkit, there is a bright red warning for essentially every site on every server. Having to click through regularly in order to determine if the issue is just this one, or if new warnings have appeared, is a massive time sink.
Hi,
Please help!!
We are having issues with our client websites getting hacked. Our scan shows that it was due to JavaScript and iframe injection.
We found WordPress being vulnerable since Dec. 13 and there is no new update to fix this.
We are not using any vulnerable plugins like Woocommerce, Notifications or WP Optimize in the website to ensure we don’t get it from the plugins. We scan our hosting and site regularly but the infection happens again.
Does WordPress has a fix for this? Has anyone had similar issues and contacted WordPress about this?
Marjorie
Hello,
Our website has been compromised and based on our hosting scan, WordPress is the only one prompting vulnerability. We are not using any plugins that are under malicious attack threat list.
Do we have an update on this yet?
Marjorie Stach
- The topic ‘Site scan reports WP 6.1.1 vulnerability’ is closed to new replies.