Run wpscan on vhosts #33
Comments
Blocker: wpscan refuses to say if the plugins are vulnerable or not without a subscription to their API. It still detects old/vulnerable WordPress versions for free, and I found a few of those manually. Maybe it'd be worth getting started with that first.
@cg505 had a whole stream where he tried to set this up, @nikhiljha you should inquire with him
I mean it pretty much failed for the reason nikhil stated...
If wpscan doesn't work out we can at least relax the requirement a little and turn it into something like making sure people's sites are updated, that they don't have weak passwords, etc.
TL;DR from summer meeting notes:
Also see #45
In lieu of WPScan, we could try running https://github.com/swisskyrepo/Wordpresscan, which seems to be a re-implementation of some of the simpler tests.
Someone should create a script that runs wpscan on all OCF vhosts. It should enumerate vulnerable plugins and themes. If one is detected, create an RT ticket for security@. Have the entire thing run in a container and deploy in Kubernetes Cron.
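A sketch of the loop described above, as an added example that is not part of the issue thread or of any OCF code. It runs wpscan with `--format json` against each vhost, turns the report into findings, and mails them to RT. The vhost list path, the RT address and the SMTP host are hypothetical placeholders. Without a `WPSCAN_API_TOKEN` the `vulnerabilities` arrays in wpscan's JSON are empty (the blocker noted earlier), so the parser also flags the things wpscan reports for free: a core version whose status is `insecure`/`outdated` and any plugin or theme marked `outdated`.

```python
#!/usr/bin/env python3
"""Scan every vhost with wpscan and open an RT ticket for anything vulnerable.

Added example, not the project's own code. Assumptions (hypothetical values):
  - VHOSTS_FILE lists one hostname per line.
  - RT accepts new tickets by e-mail at RT_ADDRESS via an SMTP relay at SMTP_HOST.
  - wpscan is on PATH; WPSCAN_API_TOKEN may be unset, in which case only the
    free version/outdated checks produce findings.
"""
import json
import os
import smtplib
import subprocess
from email.message import EmailMessage

VHOSTS_FILE = os.environ.get("VHOSTS_FILE", "/etc/wpscan/vhosts.txt")  # assumption
RT_ADDRESS = os.environ.get("RT_ADDRESS", "security@example.org")       # assumption
SMTP_HOST = os.environ.get("SMTP_HOST", "localhost")                    # assumption


def run_wpscan(url: str) -> dict:
    """Run wpscan against one site and return its parsed JSON report."""
    cmd = ["wpscan", "--url", url, "--format", "json", "--no-banner",
           "--enumerate", "vp,vt"]
    token = os.environ.get("WPSCAN_API_TOKEN")
    if token:
        cmd += ["--api-token", token]
    # wpscan exits non-zero when it finds something, so no check=True here.
    proc = subprocess.run(cmd, capture_output=True, text=True, timeout=600)
    return json.loads(proc.stdout)


def findings_from_report(report: dict) -> list:
    """Turn a wpscan JSON report into human-readable findings.

    Flags an insecure/outdated core version, any outdated plugin or theme, and
    any explicit vulnerability entry (the latter only appear with an API token).
    Missing keys (e.g. core version not detected) yield no finding.
    """
    findings = []
    core = report.get("version") or {}
    status = core.get("status")
    if status in ("insecure", "outdated"):
        findings.append(f"WordPress core {core.get('number')} is {status}")
    for vuln in core.get("vulnerabilities") or []:
        findings.append(f"core: {vuln.get('title')} (fixed in {vuln.get('fixed_in')})")
    for kind in ("plugins", "themes"):
        label = kind[:-1]  # "plugin" / "theme"
        for slug, item in (report.get(kind) or {}).items():
            ver = (item.get("version") or {}).get("number", "unknown")
            if item.get("outdated"):
                findings.append(f"{label} {slug} {ver} is outdated "
                                f"(latest {item.get('latest_version')})")
            for vuln in item.get("vulnerabilities") or []:
                findings.append(f"{label} {slug} {ver}: {vuln.get('title')} "
                                f"(fixed in {vuln.get('fixed_in')})")
    return findings


def ticket_body(vhost: str, findings: list) -> str:
    """Plain-text body for the RT ticket, one finding per line."""
    lines = [f"wpscan found {len(findings)} issue(s) on {vhost}:", ""]
    lines += [f"  - {f}" for f in findings]
    return "\n".join(lines) + "\n"


def open_rt_ticket(vhost: str, findings: list) -> None:
    """Create the ticket by mailing the queue address (assumed RT mail gateway)."""
    msg = EmailMessage()
    msg["Subject"] = f"[wpscan] vulnerable WordPress install on {vhost}"
    msg["From"] = RT_ADDRESS
    msg["To"] = RT_ADDRESS
    msg.set_content(ticket_body(vhost, findings))
    with smtplib.SMTP(SMTP_HOST) as smtp:
        smtp.send_message(msg)


# Constructed sample report (shape follows wpscan's JSON output; data is made up).
SAMPLE_REPORT = {
    "version": {"number": "5.4.1", "status": "insecure", "vulnerabilities": []},
    "plugins": {
        "akismet": {"version": {"number": "4.1.5"}, "outdated": True,
                    "latest_version": "4.1.6", "vulnerabilities": []},
        "jetpack": {"version": {"number": "8.6"}, "outdated": False,
                    "latest_version": "8.6", "vulnerabilities": []},
    },
    "themes": {
        "twentytwenty": {"version": {"number": "1.3"}, "outdated": False,
                         "vulnerabilities": [{"title": "constructed sample entry",
                                              "fixed_in": "1.4"}]},
    },
}

if __name__ == "__main__":
    with open(VHOSTS_FILE) as fh:
        vhosts = [line.strip() for line in fh if line.strip()]
    for vhost in vhosts:
        found = findings_from_report(run_wpscan(f"https://{vhost}/"))
        if found:
            open_rt_ticket(vhost, found)
```

Packaged in a container with wpscan installed, the `__main__` block is what a Kubernetes CronJob would invoke; the parsing and ticket-formatting functions are kept separate so they can be exercised against a saved report without touching any site.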