
Issue WP Toolkit incorrect vulnerability and version reports

TurnRound

New Pleskian
Server operating system version: AlmaLinux 9.5 (Teal Serval)
Plesk version and microupdate number: Plesk Obsidian 18.0.66 Update #2

Today I received an email from Plesk notifying me of new vulnerabilities in one of my WordPress sites.

However, upon checking these vulnerabilities out, they were for old versions of plugins and WordPress core, and even for some plugins I've not got installed anymore.

WP Toolkit seems to be mis-identifying the currently installed versions of plugins and WordPress, and even remembering no longer installed plugins. It shows the wrong version numbers of plugins and WordPress in the Plesk UI and offers to update them, even though in reality they are already up-to-date.

How do I fix this? I tried clearing the WP Toolkit cache with this command
Code:
plesk ext wp-toolkit --clear-wpt-cache
but it made no difference.

Thank you.
 
Hi,
If you manage assets somewhere out of WP-Toolkit, by default WP Toolkit updates the site's cache on a daily basis, so you can see outdated info during a day.

So during that day if a new vulnerability is published -> you will receive the email, even if that asset was updated or removed (without WP-Toolkit).

Is this your case? Could you say how you manage assets?

P.S. --clear-wpt-cache makes no sense in this case because it cleans WP Toolkit's own cache, not the site's cache. You need to use the --clear-cache command instead.
 
Yes, I have seen the issue that assets that are updated independently of WP-Toolkit are not reported as being up-to-date until the next day. However, this was reporting out of date assets from months ago.

Looking into it further, I found an old backup copy of the domain's httpdocs (web root) directory in the directory above httpdocs. It seems this is where WP-Toolkit was finding out-of-date plugins and the WordPress installation. So WP-Toolkit must be scanning the httpdocs parent directory and its child directories for assets, and reporting those as being part of the main site. I'm not sure if this is the intended behaviour, but it is resulting in files not within httpdocs being flagged as out-of-date.
 
WP-Toolkit works with files on fs, so if something looks like WordPress it may be registered in WP-Toolkit as a site (if "scan" was run).

If you "detach" this "old-backup" site, it will never be added back again and never cause such notifications.
 
This "old backup" site wasn't appearing in the WP-Toolkit UI in Plesk as a separate site, so it couldn't be detached from there. Only the main (correct) site in httpdocs was showing. However, deleting the backup site and refreshing the main site has removed the incorrect plugin & WordPress versions, and it is now showing everything as up-to-date.

Thank you.
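
Added example, not part of any post in this thread and not Plesk or WP Toolkit code: a shell check that lists every WordPress core copy under a domain directory and marks the ones outside the live document root, such as the forgotten backup copy described above. It assumes the document root is named httpdocs as in the thread; the function names and the sample tree are constructed for illustration, and only core versions (not plugins) are read.

```shell
#!/usr/bin/env bash
# Added example (not Plesk or WP Toolkit code): find WordPress core copies under
# a domain directory and mark the ones that sit outside the live document root.

# find_wp_copies DOMAIN_DIR [DOCROOT_NAME]
# Prints one tab-separated line per copy: state, core version, path.
find_wp_copies() (
    vhost="${1%/}"
    docroot="${2:-httpdocs}"
    # Every WordPress core install ships wp-includes/version.php.
    find "$vhost" -type f -path '*/wp-includes/version.php' 2>/dev/null | sort |
    while IFS= read -r vfile; do
        dir="${vfile%/wp-includes/version.php}"
        # Pull the value out of a line such as: $wp_version = '6.7.1';
        ver=$(sed -n "s/^[[:space:]]*[\$]wp_version[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$vfile" | head -n 1)
        case "$dir/" in
            "$vhost/$docroot/"*) state=live ;;
            *)                   state=stray ;;
        esac
        printf '%s\t%s\t%s\n' "$state" "${ver:-unknown}" "$dir"
    done
)

# Constructed sample tree: a live site plus an old backup copy next to it.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/httpdocs/wp-includes" "$root/httpdocs_old/wp-includes"
    printf "<?php\n\$wp_version = '6.7.1';\n" > "$root/httpdocs/wp-includes/version.php"
    printf "<?php\n\$wp_version = '5.8.2';\n" > "$root/httpdocs_old/wp-includes/version.php"
    printf '%s\n' "$root"
}

# Usage: script.sh /path/to/domain/directory
if [ "$#" -gt 0 ]; then
    find_wp_copies "$@"
fi
```

Any line marked stray is a copy that can carry outdated core and plugin files next to the real site; review it and move or delete it if it is not needed.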
 