
Question WordPress Vulnerabilities -> No updates available

Rene van Lieshout

Basic Pleskian
Server operating system version: n/a
Plesk version and microupdate number: 18.0.60
Hi,

The WordPress Security Status shows a few issues that don't have a fix. Does anybody here know if there is a way to ignore those? They are reported in mails too.

1. WordPress Core - Informational - All known Versions - Weak Hashing Algorithm - All known versions of WordPress core use a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values. NOTE: the approach to changing this may not be fully compatible with certain use cases, such as migration of a WordPress site from a web host that uses a recent PHP version to a different web host that uses PHP 5.2. These use cases are plausible (but very unlikely) based on statistics showing widespread deployment of WordPress with obsolete PHP versions. - Date: 20.06.2012 | Source: Wordfence
2. WordPress Core - All Known Versions - Cleartext Storage of wp_signups.activation_key - All known versions of WordPress Core store cleartext wp_signups.activation_key values (but store the analogous wp_users.user_activation_key values as hashes), which might make it easier for remote attackers to hijack unactivated user accounts by leveraging database read access (such as access gained through an unspecified SQL injection vulnerability). - Date: 10.10.2017 | Source: Wordfence
 
Which WP Toolkit version do you have? In version 6.3 you have a feature to ignore vulnerabilities by CVSS score (it means that you don't receive notifications about these vulnerabilities and your site isn't marked as vulnerable). In 6.4 we have an improved version of this feature that helps you to ignore these never-fixable vulnerabilities. So just wait for a new version of WP Toolkit :cool:
 
Version 6.4 hasn't been released yet. There's no ETA yet, but release is expected this month.
 
I've upgraded to 6.4 on one site, but don't see a feature to do as you cited.
Is this ok, or should I do something about them and if so, what?
 
@Robert Alexander there seems to be some confusion here. It's not about WordPress version 6.4, but about WP Toolkit version 6.4 (which hasn't been released yet).
 
Ah. My bad then Kaspar. Thanks for clarifying. So I guess now it's June that it's expected as opposed to May when you posted your expectation? Any update on that please? Thanks
 
I've checked my server and it says I'm on WP Toolkit version: 6.4.0-8486
The reason I've been looking at this is that CloudLinux, who support me on Imunify360, suggest that WP Toolkit may be sending out emails to their support email address. The reason this is a problem is that it's creating tickets with them, via my account, when there are Let's Encrypt messages or plugin security messages.
This results in quite a lot of unnecessary tickets and I'm trying to find out what's causing it.
My Plesk Notification Settings are off and the only setting in WP Toolkit that is in force is "Allow Customers to use Sets when they install Wordpress"

I've run out of ideas at the moment?
 
Hello, @aguileraDavid. Thank you for the report. Our team is aware of the issue and is currently investigating it. They are also planning to implement certain changes that will ensure this issue will not reoccur in the future. At this point, I cannot provide any ETA on when the issue will be sorted out, but I will keep you posted. Thank you in advance for your patience.
 