Message from the plugin:
Failed to query wpvulndb, status code does not indicate success: 500
Maybe they changed the API. They changed the domain.
For 2 days now I have been getting this error on all my websites.
Can you look for the error?

Hello!
Since I updated the plugin to version 2.0.1 and registered with the API, I get this error message by mail:
“Plugin Security Scan 13 août 2019
Failed to query wpvulndb, status code does not indicate success: 403”
(I have 2 sites)
I do not understand, can you explain to me?
Thank you

Hi,
after I registered an account and entered the API code I still receive emails daily telling me to:
“You must enter an API token in order to use the scanner. Register a user at the following URL and then copy the API token into the the Plugin Security Scanner settings: https://wpvulndb.com/users/sign_up”
Under tools it says: “Scan completed: 0 vulnerabilities found.” So it’s working, right?
Under settings it still says: “To use the API you need to register a user and get the API token from your profile page.”
But the API is entered and saved in the field, so that should be ok?
I’m confused ?? Please advise.
Cheers
Dorian

It seems as though the scanner is running more than once a day. It seems every day, late in the day I start getting error reports and when I look it shows my API daily limit has been reached. Should not be happening with the limited number of installs I have.

Hello,
In the administration area, when I go to “Settings” > “Plugin Security Scanner” and save, I get this error at the top of the page:
Notice: Undefined index: webhook_notification in /var/www/mywebsite/wp-content/plugins/plugin-security-scanner/plugin-security-scanner.php on line 158
Could you fix this?

PHP Fatal error: cURL error 28: Connection timed out after 5000 milliseconds in /xxxx/wp-content/plugins/plugin-security-scanner/plugin-security-scanner.php on line 215

I have your plugin installed on 2 instances. Both run 4.9.6. Your plugin is reporting this vulnerability on one instance but not the other. The instance reporting the vulnerability is a test site, vanilla install with demo content. The one not reporting it is the active blog. Any reason for the discrepancy?

Fatal error: cURL error 35: OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to wpvulndb.com:443 in /home/mysite/public_html/test/v3/wp-content/plugins/plugin-security-scanner/plugin-security-scanner.php on line 244
Running PHP7 and WordPress 4.9.6
Some paid plugins like Beaver Builder, BackupBuddy etc.
Second scan didn’t reproduce the error.

Hi, I get this message:
Vulnerability found: WordPress <= 4.9.4 – Application Denial of Service (DoS) (unpatched) [* note: no fix currently exists for this issue *] — View details
Scan completed: 1 vulnerability found.
And ‘view details’ links to https://wpvulndb.com/vulnerabilities/9021
What’s wrong?
Thanks

I’m getting email notifications every day from this plugin on a client site saying:
Vulnerability found: bbPress – Unauthenticated SQL Injection
The scan result page in the WP dashboard shows the same notice and links to this URL: https://wpvulndb.com/vulnerabilities/8958
But that URL clearly states:
“… requires anonymous posting option to be enabled and WordPress version < 4.8.3”
The linked Sucuri page also states:
Not patched by bbPress / Updating to WordPress 4.8.3 fixes this issue
The site in question is running WordPress version 4.9.1 and bbPress 2.5.14 (latest versions as of this writing) and anonymous posting is disabled in bbPress.
And, in any case, bbPress 2.5.13 was actually supposed to have done the necessary sanitization to anonymous user data to close this vulnerability even for users running WP < 4.8.3 and bbPress anonymous posting allowed.
So, why is Plugin Security Scanner still saying there’s a vulnerability present? Is this Unauthenticated SQL Injection vulnerability really present in a WP 4.9.1 and bbPress 2.5.14 setup with anonymous posting disabled? Or is this a case of false alarm?

Thank you for this plugin!
I don’t seem to be receiving emails from the plugin though. Email address set correctly in Settings > General.
Also, what time is this supposed to run? Can it be set somehow?

Hi,
I need to send these notifications from my sites and from other clients’ websites.
Sometimes the email I want this notification to be sent to is not the main admin of the website, as that is the one used for new comments, so it must go to the owner.
Adding a box to choose a custom email will fix this and make the plugin more useful to more people.
Thanks for a great plugin!

Hi
I use your good plugin now with WP v4.8.3 … since the included security fix I no longer receive any messages.
BUT: I have only an “empty” page now (only the title “Plugin Security Scanner” is there) … is this okay?? Should I not receive something like “0 vulnerabilities found” or so?
Thank you very much and greetings from Switzerland
Alpengreis

Please add a function to disable email alerts for known security issues.
E.g. the current issue:
“Vulnerability found: WordPress 2.3-4.8.2 – Host Header Injection in Password Reset”
I don’t need to get a mail about the same issue every day, but also – I don’t want to disable the plugin.
So, it would be nice to have a function (a checkbox or something like this) which you can mark and then, the notification for this vulnerability will be disabled.
Or: just increase the email alert to once a week, e.g. (if possible)

Hi, I’m just new to this plugin – and also the last time I used WordPress was a long time ago…^^
Now, I just found the settings for Webhook notification and asked myself, what URL I should provide for this setting.
Sorry for this – maybe stupid question… ^^
Thanks and with best regards,
Christoph

Hello,
I’ve received this notification for all my sites today: “Vulnerability found: WordPress 2.3-4.8.2 – Host Header Injection in Password Reset”
But this vulnerability has been fixed with WP 4.8.2, no?
Best regards,
Sonia.

Hello,
Your plugin detects jQuery Mega Menu in version 1.0 while it’s in its latest version (1.6). I cannot explain why. I looked at the CSS, php and js files without finding any mention of version 1.0 (version 1.6 is specified). It’s annoying because I’m receiving an email notification from your plugin every week about this.
Thanks in advance for your help.
Best regards,
Richard.

Hello, Plugin Security Scanner reported two vulnerabilities in Slider Revolution. I had uninstalled (deactivated, deleted) the Revslider plugin, but the two vulnerabilities are still in the report.
I tried installing/uninstalling the newest version of Revslider; it did not help, but the vulnerabilities duplicated, now there are 4.
Can you help me? Thanx!

Hello!
I receive an email every day about vulnerabilities with the plugin Pretty Link Lite. The developer told me this error was fixed in a previous version.
To be clear, I receive: Vulnerability found: Pretty Link Lite <= 1.6.1 – Cross-Site Scripting (XSS) Vulnerability found: pretty-link – XSS in SWF
But I am using version 1.6.9, which has the XSS fixed.
Can you do something?

Hi,
Plugin reports the vulnerability above, however I am running a later version of the framework that patches this. The patch was released 4 years ago.
Google results for this topic title have several relevant pages.

Hi, I see an alert about a theme vulnerability, but the version I have seems to be higher, so it seems not to be affected. In this case I should not see the vulnerability in the plugin and should not be alerted via email.
I cannot share the name of the theme and the vulnerability here in public, but if you need more details please tell me where to contact you privately.
I don’t like to have a vulnerability listed in your plugin when the theme or plugin (in this case theme) is updated to the latest version, where the vulnerability seems fixed.

Thanks for the plugin.
It’d be valuable to have the themes checked for known vulnerabilities as well. Is there any appetite to extend the functionality to cover themes, as well as the plugins?
There’s an API endpoint available from wpvulndb, e.g.:
https://wpvulndb.com/api/v2/themes/divi
I’m happy to work on this if it’s something you’d be interested in adding.

Hello, I’ve successfully used your plugin on several websites, thanks! But now I get this error on one of them when trying to run it:
Fatal error: Cannot use object of type WP_Error as array in /home/mysite/public_html/wp-content/plugins/plugin-security-scanner/plugin-security-scanner.php on line 93
I’ve tried deactivating, re-activating, re-installing, etc. to no avail.
My setup:
PHP Version 5.3.28
Server: Litespeed
WordPress version 4.3.1
Any ideas? Thank you.

Does this work on a multisite?

Thank you for this plugin!
Would be nice to have the option to send the notifications to a custom email address and not to the administrator’s email address.

E.g.:
Vulnerability found: LayerSlider 4.6.1 – Style Editing CSRF Vulnerability found: LayerSlider 4.6.1 – Remote Path Traversal File Access
The above message would be fine if I wasn’t running LayerSlider 5.5.1
Can we check the version number of the plugin?

I have a suggestion/feature request. When you go to the plugin’s page under Tools, it starts the scan automatically. Could you consider changing that to not start the scan until the user presses a button on that page? The way it is now, it feels broken, because the page doesn’t load fully until the scan is complete.
Thanks for considering.

Hello,
This plugin tells me that there are security vulnerabilities in versions of plugins that I don’t have installed. For instance, I have the 3.9.6 All In One WP Security & Firewall installed. However, I get this:
Vulnerability found: All In One WP Security & Firewall <= 3.8.7 – SQL Injection — View details
Vulnerability found: All In One WP Security & Firewall <= 3.8.9 – CSRF — View details
Vulnerability found: All In One WP Security & Firewall <= 3.9.0 – Blind SQL Injection — View details
So, who cares about the vulnerabilities in versions I’m not using?
Thank you

We manage a large number of custom WordPress sites, each with their own update cycles and their own sets of plugins. It would be extremely helpful to be able to monitor, from our central Nagios server, which of them have critical out of date plugins. We already have a custom Nagios task to check the version of WordPress itself against the most recently reported critical vulnerability.
That said, making this information visible to the general public would be a bad thing. I’m generally not of the school that believes in obscuring what server technology you’re using, on the grounds that attackers generally don’t care. But publishing a nice tidy list of the specific vulnerabilities you’re subject to can’t be a good thing.
The Nagios agent runs on the machine itself as a system user without any WordPress credentials, so it can’t normally see anything in wp-admin. So can you think of a safe way of making the vulnerabilities in this accessible to Nagios?

Notice: ob_flush() [ref.outcontrol]: failed to flush buffer. No buffer to flush. in <path>\wp-content\plugins\plugin-security-scanner\plugin-security-scanner.php on line 79
Several lines of such message.