• Hi, Pleskians! We are running a UX testing of our upcoming product intended for server management and monitoring.
    We would like to invite you to have a call with us and have some fun checking our prototype. The agenda is pretty simple - we bring new design and some scenarios that you need to walk through and succeed. We will be watching and taking insights for further development of the design.
    If you would like to participate, please use this link to book a meeting. We will sent the link to the clickable prototype at the meeting.
  • (Plesk for Windows):
    MySQL Connector/ODBC 3.51, 5.1, and 5.3 are no longer shipped with Plesk because they have reached end of life. MariaDB Connector/ODBC 64-bit 3.2.4 is now used instead.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.

Issue WP Toolkit incorrect vulnerability and version reports

T

TurnRound

New Pleskian
Server operating system version
AlmaLinux 9.5 (Teal Serval)
Plesk version and microupdate number
Plesk Obsidian 18.0.66 Update #2,
Today I received an email from Plesk notifying me of new vulnerabilities in one of my WordPress sites.

However, upon checking these vulnerabilities out, they were for old versions of plugins and WordPress core, and even for some plugins I've not got installed anymore.

WP Toolkit seems to be mis-identifying the currently installed versions of plugins and WordPress, and even remembering no longer installed plugins. It shows the wrong version numbers of plugins and WordPress in the Plesk UI and offers to update them, even though in reality they are already up-to-date.

How do I fix this? I tried clearing the WP Toolkit cache with this command
Code: 
plesk ext wp-toolkit --clear-wpt-cache
but it made no difference.

Thank you.
 
Hi,
If you manage assets somewhere out of WP-Toolkit, by default WP Toolkit updates site's cache on daily basis, so you can see outdated info during a day.

So during that day if a new vulnerability is published -> you will receive the email, even if that asset was updated or removed (without WP-Toolkit).

Is this your case? Could you say, how do you manage assets?

P.S. --clear-wpt-cache has no sense in this case because it cleans wp-toolkit own cache, not site's cache. You need to use --clear-cache command instead.
 
Last edited:
Yes, I have seen the issue that assets that are updated independently of WP-Toolkit are not reported as being up-to-date until the next day. However, this was reporting out of date assets from months ago.

Looking into it further I found an old backup copy of the domains httpdocs (web root) directory in the directory above httpdocs. It seems this is where WP-Toolkit was finding out-of-date plugins and the WordPress installation. So WP-Toolkit must be scanning the httpdocs parent directory and its child directories for assets, and reporting those as being part of the main site. I'm not sure if this is the intending behaviour but it is resulting in files not within httpdocs as being flagged as out-of-date.
 
WP-Toolkit works with files on fs, so if something looks like WordPress it may be registered in WP-Toolkit as a site (if "scan" was run).

If you "detach" this "old-backup" site and it will never be added back again and never cause such notifications.
 
This "old backup" site wasn't appearing in the WP-Toolkit UI in Plesk as a separate site, so couldn't be detached from there. Only the main (correct) site in httpdocs was showing, however, deleting the backup site and refreshing the main site has removed the incorrect plugin & WordPress versions and it is now showing as everything up-to-date.

Thank you.
 
You must log in or register to reply here.

Similar threads

S
I can't install Wordpress with Wp Toolkit
Replies
1
Views
570
vbelozerov
V
L
Resolved Vulnerability icon
Replies
4
Views
860
lifehacker
L
T
WordPress NextGEN Gallery Plugin <= 0.96 - XSS Vulnerability
Replies
0
Views
801
Tinpeas
T
H
Question WP toolkit -> Plugins is regulary outdated (wrong version and name of plugins)
Replies
0
Views
7K
harmut
H
D
Resolved problem with alert about a vulnerability in a plugin that's already fixed
Replies
1
Views
1K
Daniel-spain
D
Back
Top