
Resolved WordPress Toolkit Reporting Incorrect Risk Levels Again

Tinpeas (New Pleskian)
Server operating system version: AlmaLinux 8.10
Plesk version and microupdate number: 18.0.67
Hi Guys

A while ago I reported incorrect risk values in WordPress Toolkit's vulnerability reports (as others did), and it is happening again: both of the items below have risen from low to medium for no reason.

  1. WordPress Core - Informational - All known Versions - Weak Hashing Algorithm - Date: 20.06.2012
    All known versions of WordPress core use a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values. NOTE: the approach to changing this may not be fully compatible with certain use cases, such as migration of a WordPress site from a web host that uses a recent PHP version to a different web host that uses PHP 5.2. These use cases are plausible (but very unlikely) based on statistics showing widespread deployment of WordPress with obsolete PHP versions.
  2. WordPress Core - All Known Versions - Cleartext Storage of wp_signups.activation_key - Date: 10.10.2017
    All known versions of WordPress Core store cleartext wp_signups.activation_key values (but stores the analogous wp_users.user_activation_key values as hashes), which might make it easier for remote attackers to hijack unactivated user accounts by leveraging database read access (such as access gained through an unspecified SQL injection vulnerability).
As a premium Wordfence customer I spoke to support about this previously, and they said Plesk should be reflecting this, as they are for informational purposes only, essentially non-issues. Only now I have a big red dot on the security tab which is essentially reporting information that is not accurate. Can we have a fix please?

Thanks in advance for your help.

Cheers

Gary
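The two findings quoted above turn on how WordPress stores credential material: phpass `$P$`/`$H$` hashes are the MD5-based scheme from the first finding, while `wp_signups.activation_key` is a bare cleartext token and `wp_users.user_activation_key` is stored as `<timestamp>:<phpass hash>`. The following script is an added example, not Plesk or WP Toolkit code, that classifies sample rows by storage format so an administrator can see whether either informational finding actually applies to a site. The column names are WordPress's real schema; the row values are constructed for the example, and the `$wp$2y$` prefix is WordPress 6.8+'s bcrypt format.

```python
"""Classify WordPress credential material by storage format.

Added example (not Plesk or WP Toolkit code). It works on constructed sample
rows rather than a live database; column names follow WordPress's schema,
the values are made up.
"""
import re
from dataclasses import dataclass

# phpass "portable" hashes ($P$/$H$) are the MD5-based scheme the first finding
# describes: 1 iteration char + 8 salt chars + 22 hash chars after the prefix.
PHPASS_RE = re.compile(r"^\$[PH]\$[./0-9A-Za-z]{31}$")
# bcrypt ($2a$/$2b$/$2y$); WordPress 6.8+ writes "$wp$2y$..." (bcrypt over a
# SHA-384 pre-hash), so the "$wp" prefix is optional here.
BCRYPT_RE = re.compile(r"^(\$wp)?\$2[aby]\$\d{2}\$[./0-9A-Za-z]{53}$")
# A bare hex string: unsalted md5(password) from pre-2.5 WordPress, or the
# cleartext 16-hex-char token wp_signups.activation_key holds.
HEX_TOKEN_RE = re.compile(r"^[0-9a-f]{16,64}$")


def classify_password_hash(value: str) -> str:
    """Return the storage scheme of a wp_users.user_pass value."""
    if PHPASS_RE.match(value):
        return "phpass-md5"
    if BCRYPT_RE.match(value):
        return "bcrypt"
    if HEX_TOKEN_RE.match(value):
        return "unsalted-md5"
    return "unknown"


def classify_activation_key(value: str) -> str:
    """'hashed' for "<unix-ts>:<phpass hash>" (wp_users), 'cleartext' for a
    bare hex token (wp_signups), 'empty' when no key is pending."""
    if value == "":
        return "empty"
    ts, sep, rest = value.partition(":")
    if sep and ts.isdigit() and PHPASS_RE.match(rest):
        return "hashed"
    if HEX_TOKEN_RE.match(value):
        return "cleartext"
    return "unknown"


@dataclass(frozen=True)
class Finding:
    table: str
    row_id: int
    column: str
    kind: str


def audit(users, signups):
    """Report rows whose stored secret is not in a hashed, salted form."""
    findings = []
    for row in users:
        kind = classify_password_hash(row["user_pass"])
        if kind != "bcrypt":
            findings.append(Finding("wp_users", row["ID"], "user_pass", kind))
        key_kind = classify_activation_key(row["user_activation_key"])
        if key_kind not in ("empty", "hashed"):
            findings.append(Finding("wp_users", row["ID"], "user_activation_key", key_kind))
    for row in signups:
        # Only unactivated signups still have a usable activation token.
        if row["active"] == 0 and classify_activation_key(row["activation_key"]) == "cleartext":
            findings.append(Finding("wp_signups", row["signup_id"], "activation_key", "cleartext"))
    return findings


# Constructed sample rows (not real hashes or tokens).
_BCRYPT_TAIL = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ."  # 53 chars
_PHPASS = "$P$Bsalt1234abcdefghijklmnopqrstuv"
SAMPLE_USERS = [
    {"ID": 1, "user_pass": _PHPASS, "user_activation_key": ""},
    {"ID": 2, "user_pass": "$wp$2y$10$" + _BCRYPT_TAIL,
     "user_activation_key": "1700000000:" + _PHPASS},
]
SAMPLE_SIGNUPS = [
    {"signup_id": 7, "active": 0, "activation_key": "0123456789abcdef"},
    {"signup_id": 8, "active": 1, "activation_key": "fedcba9876543210"},
]


def audit_sample():
    return audit(SAMPLE_USERS, SAMPLE_SIGNUPS)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f.table}.{f.column} row {f.row_id}: {f.kind}")
```

Running it against real data means selecting `ID, user_pass, user_activation_key` from `wp_users` and `signup_id, active, activation_key` from `wp_signups` and feeding the rows to `audit()`. Sites whose `user_pass` values still classify as `phpass-md5` are the ones the first finding describes; any site with `wp_signups` rows is exposed to the second regardless of version, which is why both read as informational rather than as a patchable bug.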
 
Yeah, I have the same problem.
 
Thank you for the report. Our team is aware of the issue and currently investigating it. They are also planning to implement certain changes that will ensure this issue will not reoccur in the future. At this point, I cannot provide any ETA on when the issue will be sorted out, but I will keep you posted. Thank you in advance for your patience.
 
I just want to confirm that our team released an update with a permanent fix for the issue with the incorrect risk evaluation of vulnerabilities. If you notice any other issues, please let us know.
 
Hi, humm... where is the fix?
I can't see any updates pending, and my WP Toolkit is complaining about vulnerabilities in plugins that I have already updated to the fixed versions, like this one for example:

[screenshot: 1744252616461.png]

and the installed plugin version as I said, is the fixed one:
[screenshot: 1744252704332.png]

Thanks.
 
Hello, @Baltasar . There isn't an actual extension upgrade for this particular fix. The database that was updated is not built-in, but external.

As far as I can see, the plugin in question doesn't have a release after version 7.2.5, and the vulnerability notice indicates that the issue is detected in versions at or below 7.2.5; the suggested fix is not to upgrade the plugin but to deactivate it. It doesn't look like there is something wrong with the risk evaluation in WP Toolkit in this case.
 