
Wordpress Wordpress Checksum Verification

Discussion in 'Blogs & CMS usage' started by ethanpil, May 13, 2017.

  1. ethanpil

    ethanpil Active Member

    173
    55
    28
    Nov 8, 2015
    Ratings:
    +101
    Local Time:
    5:52 AM
  2. eva2000

    eva2000 Administrator Staff Member

    54,864
    12,239
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,810
    Local Time:
    5:52 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    nice

    fyi, centmin.sh menu option 22 wordpress installer auto installs sucuri security wp plugin which has full file integrity checking as well :)
     
  3. ethanpil
    I think commandline scan is much more efficient and easy for reporting... Here is an example from one of my servers:

    Code:
    [root@server public]# wp checksum all --details
    Checking plugin all-in-one-wp-security-and-firewall
    Checking plugin cloudflare
    Checking plugin disable-comments
    Checking plugin limit-login-attempts
    Checking plugin super-static-cache
    Checking plugin wordfence
    Checking plugin wp-optimize
    Checking plugin wordpress-seo
    Checking theme twentyfifteen
    +--------+-------------------------------------+-----------+---------+------------------+---------------------------+
    | Type   | Slug                                | Status    | Version | Result           | Issues                    |
    +--------+-------------------------------------+-----------+---------+------------------+---------------------------+
    | plugin | all-in-one-wp-security-and-firewall | Unchecked | 4.2.7   |                  |                           |
    | plugin | cloudflare                          | Checked   | 3.2.1   | Ok               |                           |
    | plugin | disable-comments                    | Checked   | 1.6     | Ok               |                           |
    | plugin | limit-login-attempts                | Checked   | 1.7.1   | Ok               |                           |
    | plugin | super-static-cache                  | Checked   | 3.3.3   | Changes detected | {"readme.txt":"MODIFIED"} |
    | plugin | wordfence                           | Checked   | 6.3.8   | Ok               |                           |
    | plugin | wp-optimize                         | Checked   | 2.1.1   | Ok               |                           |
    | plugin | wordpress-seo                       | Checked   | 4.7.1   | Ok               |                           |
    | theme  | twentyfifteen                       | Checked   | 1.7     | Ok               |                           |
    +--------+-------------------------------------+-----------+---------+------------------+---------------------------+
    
    [root@server public]# 
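
A cron-friendly wrapper for the `wp checksum all --details` table above, added here as an example; it is not part of ethanpil's post or of the wp-checksum project. It assumes the column layout shown in the post, uses a constructed copy of those rows as sample input, and the function name `report_changes` is hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread or the wp-checksum project.
# Assumes the table layout of `wp checksum all --details` shown in the post.

# Constructed sample input: rows copied from the post's table.
SAMPLE_TABLE='+--------+-------------------------------------+-----------+---------+------------------+---------------------------+
| Type   | Slug                                | Status    | Version | Result           | Issues                    |
+--------+-------------------------------------+-----------+---------+------------------+---------------------------+
| plugin | all-in-one-wp-security-and-firewall | Unchecked | 4.2.7   |                  |                           |
| plugin | cloudflare                          | Checked   | 3.2.1   | Ok               |                           |
| plugin | super-static-cache                  | Checked   | 3.3.3   | Changes detected | {"readme.txt":"MODIFIED"} |
| theme  | twentyfifteen                       | Checked   | 1.7     | Ok               |                           |
+--------+-------------------------------------+-----------+---------+------------------+---------------------------+'

# report_changes (hypothetical name): read the table on stdin, print one line per
# item that is not a verified "Ok", and exit 1 when anything needs attention, so a
# cron job only produces mail (and a non-zero status) when there is something to see.
# An "Unchecked" row is reported too: no comparison happened, so it is not a pass.
report_changes() {
    awk -F'|' '
        /^\+/ || NF < 7 { next }          # border lines and blank lines
        $3 ~ /Slug/     { next }          # header row
        {
            for (i = 2; i <= 7; i++) gsub(/^ +| +$/, "", $i)   # trim cell padding
            type = $2; slug = $3; status = $4; result = $6; issues = $7
            if (status != "Checked") {
                printf "WARN %s %s: %s, no reference checksums compared\n", type, slug, status
                bad = 1
            } else if (result != "Ok") {
                printf "ALERT %s %s: %s %s\n", type, slug, result, issues
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Usage on a live site (root shell, as in the post):
#   wp checksum all --details --allow-root | report_changes
# Demo on the constructed sample; the "||" keeps the non-zero status from aborting the script.
printf '%s\n' "$SAMPLE_TABLE" | report_changes || echo "checksum report: action needed"
```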
    
     
  4. eva2000
    that looks very nice indeed :)
     
  5. ethanpil
    Here is another goodie I just found: GitHub - markri/wp-sec: Wp-sec is an extension for wp-cli which checks for Wordpress CVE security issues at wpvulndb.com


    Code:
    #wp wp-sec check
    
    -----------------------------------------------
    Checking core vulnerabilities for version 4.7
    -----------------------------------------------
    
    
    Found 19 core vulnerabilities:
    -----------------------------
    Title: WordPress 4.3-4.7 - Potential Remote Code Execution (RCE) in PHPMailer
    Fixed in: 4.7.1
    -----------------------------
    Title: WordPress 4.7 - User Information Disclosure via REST API
    CVE's: 2017-5487
    Fixed in: 4.7.1
    -----------------------------
    Title: WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php
    CVE's: 2017-5488
    Fixed in: 4.7.1
    -----------------------------
    Title: WordPress 4.7 - Cross-Site Request Forgery (CSRF) via Flash Upload
    CVE's: 2017-5489
    Fixed in: 4.7.1
    -----------------------------
    Title: WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback
    CVE's: 2017-5490
    Fixed in: 4.7.1
    -----------------------------
    Title: WordPress <= 4.7 - Post via Email Checks mail.example.com by Default
    CVE's: 2017-5491
    Fixed in: 4.7.1
    -----------------------------
    Title: WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)
    CVE's: 2017-5492
    Fixed in: 4.7.1
    -----------------------------
    Title: WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)
    CVE's: 2017-5493
    Fixed in: 4.7.1
    -----------------------------
    Title: WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users
    CVE's: 2017-5610
    Fixed in: 4.7.2
    -----------------------------
    Title: WordPress 3.5-4.7.1 - WP_Query SQL Injection
    CVE's: 2017-5611
    Fixed in: 4.7.2
    -----------------------------
    Title: WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table
    CVE's: 2017-5612
    Fixed in: 4.7.2
    -----------------------------
    Title: WordPress 4.7.0-4.7.1 - Unauthenticated Page/Post Content Modification via REST API
    Fixed in: 4.7.2
    -----------------------------
    Title: WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata
    CVE's: 2017-6814
    Fixed in: 4.7.3
    -----------------------------
    Title: WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation
    CVE's: 2017-6815
    Fixed in: 4.7.3
    -----------------------------
    Title: WordPress 4.7.0-4.7.2 - Authenticated Unintended File Deletion in Plugin Delete
    CVE's: 2017-6816
    Fixed in: 4.7.3
    -----------------------------
    Title: WordPress  4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds
    CVE's: 2017-6817
    Fixed in: 4.7.3
    -----------------------------
    Title: WordPress 4.7-4.7.2 - Cross-Site Scripting (XSS) via Taxonomy Term Names
    CVE's: 2017-6818
    Fixed in: 4.7.3
    -----------------------------
    Title: WordPress 4.2-4.7.2 - Press This CSRF DoS
    CVE's: 2017-6819
    Fixed in: 4.7.3
    -----------------------------
    Title: WordPress 2.3-4.7.4 - Host Header Injection in Password Reset
    CVE's: 2017-8295
    Fixed in: 
    
    -------------------------------
    Checking plugin vulnerabilities
    -------------------------------
    
    Vulnerabilities:
    No known plugin vulnerabilities found
    
    ------------------------------
    Checking theme vulnerabilities
    ------------------------------
    
    Vulnerabilities:
    No known theme vulnerabilities found
    -----------------------------------------------
    
    Error: 19 core, 0 plugin and 0 theme vulnerabilities found
    
    
     
  6. eva2000
    Very nice.. will test these for inclusion :)
     
  7. eva2000
  8. eva2000
    interesting wp-checksum and wp-sec complaining of allowed memory size exhausted

    edit: hmmm composer might need 1.5GB memory limit https://getcomposer.org/doc/articles/troubleshooting.md#memory-limit-errors ! :eek:

    Code (Text):
    Installing wpcli.sh
    ------------------------------------------------------------
    installing...
    
    Error: /usr/bin/wp not found !!! Downloading now......
    2017-06-11 01:39:20 URL:https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar [6804077/6804077] -> "/usr/bin/wp" [1]
    Download done.
    
    Error: /root/wpcli/wp-completion.bash not found !!! Downloading now......
    2017-06-11 01:39:22 URL:https://raw.githubusercontent.com/wp-cli/wp-cli/master/utils/wp-completion.bash [495/495] -> "/root/wpcli/wp-completion.bash" [1]
    Download done.
    
    
    -------------------------------------------------------------
    install wp-cli https://github.com/eriktorsner/wp-checksum
    Installing package eriktorsner/wp-checksum (dev-master)
    Updating /root/.wp-cli/packages/composer.json to require the package...
    Using Composer to install the package...
    ---
    Loading composer repositories with package information
    Updating dependencies
    PHP Fatal error:  Allowed memory size of 268435456 bytes exhausted (tried to allocate 24 bytes) in phar:///usr/bin/wp/vendor/composer/composer/src/Composer/DependencyResolver/Solver.php on line 220
    -------------------------------------------------------------
    install wp-cli https://github.com/markri/wp-sec
    Installing package markri/wp-sec (dev-master)
    Updating /root/.wp-cli/packages/composer.json to require the package...
    Using Composer to install the package...
    ---
    Loading composer repositories with package information
    Updating dependencies
    PHP Fatal error:  Allowed memory size of 268435456 bytes exhausted (tried to allocate 32 bytes) in phar:///usr/bin/wp/vendor/composer/composer/src/Composer/DependencyResolver/RuleWatchGraph.php on line 52
    -------------------------------------------------------------
    update wp-cli packages
    Using Composer to update packages...
    ---
    Loading composer repositories with package information
    Updating dependencies
    PHP Fatal error:  Allowed memory size of 268435456 bytes exhausted (tried to allocate 32 bytes) in phar:///usr/bin/wp/vendor/composer/composer/src/Composer/DependencyResolver/RuleWatchNode.php on line 40
    -------------------------------------------------------------
    wp-cli info
    PHP binary:     /usr/local/bin/php
    PHP version:    5.6.30
    php.ini used:   /usr/local/lib/php.ini
    WP-CLI root dir:        phar://wp-cli.phar
    WP-CLI vendor dir:      phar://wp-cli.phar/vendor
    WP_CLI phar path:       /usr/local/src/centminmod/addons
    WP-CLI packages dir:    /root/.wp-cli/packages/
    WP-CLI global config:
    WP-CLI project config:
    WP-CLI version: 1.2.1
    -------------------------------------------------------------
    
    -------------------------------------------------------------
    wp-cli install completed
    Read http://wp-cli.org/ for full usage info
    
    -------------------------------------------------------------
    Please log out of SSH session and log back in
    You can then call wp-cli via command: wp
    i.e. wp --info --allow-root
    -------------------------------------------------------------
     
    Last edited: Jun 11, 2017