| 开发者 |
closetechnology
davidperez javiercasares lbonomo alexclassroom |
|---|---|
| 更新时间 | 2026年7月9日 14:33 |
| PHP版本: | 7.0 及以上 |
| WordPress版本: | 7.1 |
| 版权: | GPL-3.0-or-later |
| 版权网址: | 版权信息 |
/wp-content/plugins/wpvulnerability/ directory. Once uploaded, it will appear in your plugin list.The origin is in the WPVulnerability.com API. The vulnerabilities that appear in this API come from different sources, such as CVEs.
No. Never. Your privacy is very important to us. We do not commercialize with your data.
Vulnerabilities in WordPress Core, Plugins, Themes, PHP, Apache HTTPD, nginx, MariaDB, MySQL, ImageMagick, curl, memcached, Redis, and SQLite are documented.
First of all, peace of mind. Investigate what the vulnerability is and, above all, check that you have the latest version of the compromised element. We actively recommend that you keep all your WordPress and its plugins up to date. Contact your hosting provider to patch non-WordPress vulnerabilities (like web server, databases, and other software).
weekly cron schedule was registered only at init while the on-load scheduling runs earlier. The weekly/daily schedule registration moved to the always-loaded scheduler so weekly notifications schedule correctly.wpvulnerability-analyze), so deactivating and reactivating reset which components were hidden. Analysis settings are now preserved on deactivation (only uninstall removes them).wpvulnerability_send_notification instead of wpvulnerability_notification).wpvulnerability-logs option that is never written; it now reads the most recent API log entry.close() twice on the success path (once in the try block, once in finally); the redundant close was removed.0 instead of reading the stored option.is_email() for strict validation, matching the multisite behaviour.wpvulnerability_sanitize_messages callback and its setting registration, and an unused $tools_action variable in the multisite admin.wpvulnerability_validate_shell_command() now uses exact in_array() match instead of stripos() substring matching for the shell-command allowlist (defense-in-depth).wpvulnerability_detect_php(), wpvulnerability_detect_curl(), and wpvulnerability_detect_webserver() now route through wpvulnerability_safe_shell_exec(), so every software-detection shell call is validated and recorded in the Shell Execution Audit Log. Previously these called shell_exec() directly, bypassing the wrapper and the audit log. As a side effect this also fixes nginx/angie version detection: escapeshellcmd() was escaping the 2>&1 redirect, so stderr (where nginx prints its version) was never captured.Uncaught Error: Undefined constant "WPVULNERABILITY_PLUGIN_BASE" when "Delete all plugin data on uninstall" was enabled. uninstall.php now defines the constant before loading wpvulnerability-run.php.WPVULNERABILITY_HIDE_* constants now stop shell_exec detection for hidden components during scheduled scans and in the admin "Software Detection Methods" panel. Previously they only hid the results from the UI, so the audit log kept filling with "command not found" entries for components the administrator had explicitly deactivated.wpvulnerability_detect_webserver() no longer shell-probes a hidden web server via the sibling path: WPVULNERABILITY_HIDE_NGINX and WPVULNERABILITY_HIDE_APACHE now fully isolate the hidden server.2>/dev/null (which the shell-command validator rejected), caddy was added to the allowlist, and which output is validated as a real path so "command not found" messages are not mistaken for a detection.Network: true added to the plugin header to declare network-aware multisite behaviour.$plugin_status parameter from wpvulnerability_plugin_info_after(); the PHPCS suite now passes with zero warnings.wp-admin/network/site-health.php, which does not exist (Site Health is a per-site screen). It now links to the main site's wp-admin/site-health.php.wp_cache_flush() removed from the plugin/theme update hook and the plugin reset routine. The function was wiping the entire Object Cache (Redis, Memcached, APCu) on every update, causing CPU spikes on high-traffic sites. The targeted transient cleanup that already runs before it is sufficient.ssvc.exploitation field displayed: poc → "⚡ Public exploit" badge; active → included in the "Actively exploited" KEV label.ssvc.automatable: yes → "⚙ Automatable" badge alongside KEV/PoC.ssvc.kev_date → date appended to the "Actively exploited" label (e.g. "⚠ Actively exploited · 2024-03-15").epss field → "EPSS X.X%" badge on the same line as the CVSS score badge.source[].description) now displayed for all vulnerability types: plugins, themes, core, and server software. Language prefix (e.g. [en-US]) stripped automatically.update-core.php now rendered with the same badges, description, and pills as plugin/theme rows (replaces the old plain table).wp_prepare_themes_for_js filter and a JS template patch. Shows the same version range + badge + description + references layout as the plugin rows.- or * stripped when there is no lower bound (e.g. - < 1.3.28 → < 1.3.28).wpvulnerability-process.php: wpvulnerability_source_css_slug(), wpvulnerability_render_source_pills(), wpvulnerability_render_score_badge(), wpvulnerability_clean_version_range(), wpvulnerability_get_source_description().wpvulnerability-themes.php: wpvulnerability_theme_modal_html(), wpvulnerability_filter_prepare_themes_for_js(), wpvulnerability_theme_modal_template_patch().impact.ssvc.kev for plugins/themes/core; impact.kev for server software).cvss3.severity ("critical", "high", "medium", "low") when available, falling back to the legacy single-character cvss.severity code.source[].date field from the API).data.status, data.date_end fields from the API).uuid, kev (boolean), ssvc block, and severity from cvss3. Source entries include a date field.wpvulnerability-adminms.php: config form handler now requires manage_network_options capability (via current_user_can()) in addition to the nonce check. Previously a user with a valid nonce could update plugin options without the required capability.core, plugins, themes, and all software components) and all config commands (hide, email, cache, log-retention, period) now require manage_options / manage_network_options. Commands abort with a clear error and --user=<admin_login> hint if the check fails.true) to base64_decode() when parsing the HTTP Basic Authorization header. A malformed or padding-stripped token is immediately rejected instead of decoding unpredictable bytes.wpvulnerability_safe_shell_exec() wrapper, ensuring WPVULNERABILITY_DISABLE_SHELL_EXEC, security mode, command whitelist, and audit logging are respected even when WP_DEBUG is enabled.wpvulnerability_create_admin_page, wpvulnerability_admin_dashboard_content) now include explicit current_user_can() / wp_die() guards as defense-in-depth, per the WordPress Plugin Handbook.E_WARNING on PHP 7.x or a TypeError on PHP 8.x.determine_locale() call is now guarded by function_exists() instead of version_compare(), which is more forward-compatible and correctly recognised by static analysis.preg_replace() return values in the HTML-to-plain-text converter are now handled safely when null is returned on error.DOMDocument::$documentElement null check added in the HTML-to-plain-text converter.json_decode() throughout the codebase.cron_schedules callbacks now use did_action('init') guard before __(), eliminating the textdomain-too-early notice introduced in WordPress 6.7.config period monthly now returns a proper error. Valid periods: daily, weekly, never.uninstall.php created. Plugin data is preserved by default; a new "Delete all plugin data on uninstall" checkbox in the Tools tab allows opting in to full removal.autoload=false, preventing unnecessary loading of JSON blobs on every WordPress request.??) used throughout for improved type safety requires PHP 7.0. PHP 5.6 reached end-of-life in December 2018.wp_timezone(), wp_date(), and determine_locale() without version guards.wpvulnerability_get_cron_snapshot() now uses only public WordPress Cron API functions (wp_next_scheduled(), wp_get_schedule()); _get_cron_array() (private WP API) removed.composer.json, phpstan.neon (level 9), phpcs.xml, phpunit.xml.dist, bin/deploy.sh, docs/.cron row in wp_options on every WordPress request. The boot-time call now verifies the current schedule with wp_get_schedule() and only clears or reschedules the wpvulnerability_notification event when the desired period actually differs from the currently scheduled one. This eliminates 1-2 unnecessary UPDATE wp_options queries per page load, removing lock contention under concurrent load and the corresponding entries from the MariaDB/MySQL slow query log.wpvulnerability_schedule_notification_event() gained an optional $force parameter (default true, backwards compatible). The boot-time invocation passes false to opt into the idempotent path; all other callers (admin save handlers, WP-CLI config command, update flow, repair helpers) keep the default and continue forcing a reschedule so that changes to hour/minute/day still update the next-run timestamp.WPVULNERABILITY_DISABLE_SHELL_EXEC, WPVULNERABILITY_SECURITY_MODE, WPVULNERABILITY_SHELL_EXEC_WHITELIST.wpvulnerability_ajax_test_api() for API testing with nonce verification and capability checks.wpvulnerability_debug_get_log_file_info(), wpvulnerability_debug_detect_webserver(), wpvulnerability_debug_get_system_info(), wpvulnerability_debug_get_component_status(), wpvulnerability_debug_test_api_component(), wpvulnerability_debug_get_cron_status(), wpvulnerability_debug_export_info(), wpvulnerability_debug_clear_all_caches(), wpvulnerability_debug_reset_signatures(), wpvulnerability_debug_get_option_names().wpvulnerability_render_admin_tab_debug(), wpvulnerability_render_debug_section_system_info(), wpvulnerability_render_debug_section_components(), wpvulnerability_render_debug_section_config(), wpvulnerability_render_debug_section_cron(), wpvulnerability_render_debug_section_api_testing(), wpvulnerability_render_debug_section_database_options(), wpvulnerability_render_debug_section_quick_actions().wpvulnerability_wpdb_last_error action while keeping the legacy hook deprecated..wpv- to full prefix .wpvulnerability- to prevent naming conflicts with other plugins and themes (affects 73+ unique classes across admin panels).name attribute (wpvulnerability_submit) for backend processing.network_admin_url() instead of single-site admin_url() for correct URL generation.manage_options for single sites, manage_network_options for multisite) in addition to authentication.