Issue: WordPress Toolkit Reporting Incorrect Risk Levels Again

Tinpeas

New Pleskian
Server operating system version: AlmaLinux 8.10
Plesk version and microupdate number: 18.0.67
Hi Guys

A while ago I reported incorrect risk values in WordPress Toolkit's vulnerability reports (as others did), and it is happening again: both of the below have risen from low to medium for no reason.

  1. WordPress Core - Informational - All known Versions - Weak Hashing Algorithm - Date: 20.06.2012
    All known versions of WordPress core use a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values. NOTE: the approach to changing this may not be fully compatible with certain use cases, such as migration of a WordPress site from a web host that uses a recent PHP version to a different web host that uses PHP 5.2. These use cases are plausible (but very unlikely) based on statistics showing widespread deployment of WordPress with obsolete PHP versions.
  2. WordPress Core - All Known Versions - Cleartext Storage of wp_signups.activation_key - Date: 10.10.2017
    All known versions of WordPress Core store cleartext wp_signups.activation_key values (but store the analogous wp_users.user_activation_key values as hashes), which might make it easier for remote attackers to hijack unactivated user accounts by leveraging database read access (such as access gained through an unspecified SQL injection vulnerability).
As a premium Wordfence customer, I spoke to support about this previously, and they said Plesk should be reflecting this, as these are for informational purposes only, essentially non-issues. Only now I have a big red dot on the security tab, which is essentially reporting information that is not accurate. Can we have a fix, please?

Thanks in advance for your help.

Cheers

Gary
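The second item above contrasts a cleartext wp_signups.activation_key with the hashed wp_users.user_activation_key. As an added illustration (not WordPress, Wordfence or Plesk code; the in-memory tables, key length and SHA-256 are assumptions), the following models both storage patterns and shows why only the hashed form survives read-only database access such as the SQL-injection scenario the description mentions:

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stand-ins for the two storage patterns (assumption:
# a dict keyed by login replaces the real database tables).
signups_cleartext = {}  # login -> activation key stored as-is
signups_hashed = {}     # login -> SHA-256 of the activation key


def _hash_key(key: str) -> str:
    # Assumed hash; the point is that the stored value is not the key itself.
    return hashlib.sha256(key.encode()).hexdigest()


def create_signup(login: str, hashed: bool) -> str:
    """Issue a fresh random activation key and return it (it goes to the user)."""
    key = secrets.token_hex(16)
    if hashed:
        signups_hashed[login] = _hash_key(key)
    else:
        signups_cleartext[login] = key
    return key


def activate(login: str, presented_key, hashed: bool) -> bool:
    """Activate the account only if the presented key matches; keys are one-time."""
    table = signups_hashed if hashed else signups_cleartext
    stored = table.get(login)
    if stored is None or presented_key is None:
        return False
    candidate = _hash_key(presented_key) if hashed else presented_key
    if not hmac.compare_digest(stored, candidate):  # constant-time compare
        return False
    del table[login]  # consume the key so it cannot be reused
    return True


def replay_from_db_read(login: str, hashed: bool) -> bool:
    """Model someone who can only READ the table and replays the column value."""
    leaked = (signups_hashed if hashed else signups_cleartext).get(login)
    # With cleartext storage the leaked value is the key and activation succeeds;
    # with hashed storage the leaked value is only a digest and is rejected.
    return activate(login, leaked, hashed)
```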
 
Yeah, I have the same problem.
 
Thank you for the report. Our team is aware of the issue and currently investigating it. They are also planning to implement certain changes that will ensure this issue will not reoccur in the future. At this point, I cannot provide any ETA on when the issue will be sorted out, but I will keep you posted. Thank you in advance for your patience.
 
I just want to confirm that our team released an update with a permanent fix for the issue with the incorrect risk evaluation of vulnerabilities. If you notice any other issues, please let us know.
 