This article explains how to find web servers running old versions of WordPress that have not received security patches, and how to scan webpages made with WordPress for vulnerabilities.

What is a WordPress Vulnerability?

WordPress is a website creation and management system used by 40% of all websites in the world. When cyber attackers decide which web server to target, they look for old versions that have not been patched against WordPress vulnerabilities. Because WordPress is used for various purposes, including personal blogs, corporate blogs and official corporate websites, its vulnerabilities are a major target for hackers. According to MITRE Corporation’s CVE statistics, a total of 344 WordPress vulnerabilities were discovered from 2004 to September 2022. Of those, the number of CVEs cyber attackers could exploit was 11.

Types of WordPress Vulnerability

When classifying all discovered WordPress vulnerabilities, XSS was the most common type with 123 cases, followed by code execution with 48 cases.

  • XSS
  • Http Response Splitting
  • Execute Code
  • Sql Injection
  • Gain Information
  • Denial of Service
  • Directory Traversal
  • Bypass Something
  • CSRF
  • Gain Privilege
  • File Inclusion
Discovered WordPress CVE Vulnerability Statistics From 2004 to 2022. Source: MITRE Corporation CVE Statistics

Detecting all websites made by WordPress 

Criminal IP’s (https://www.criminalip.io) asset search has a tech_stack filter that searches for IP addresses of servers running a specific technology. By using the tech_stack filter, you can find IP addresses of websites that have been made with WordPress. In particular, it is possible to find IP addresses of outdated WordPress webpages that have not been patched against WordPress vulnerabilities.

https://www.criminalip.io/asset/search?query=tech_stack:%20wordpress

tech_stack: wordpress

List of web servers that use WordPress, found by using the tech_stack filter on Criminal IP’s (www.criminalip.io) Asset Search

The results show that there are approximately 660,000 active IP addresses of web servers made with WordPress. Under ‘Top Countries’ on the right, you can check the number of IP addresses with the WordPress tech stack by country. Of all the IP addresses, 258,000 belonged to the US, making it the country with the most WordPress IP addresses in the world.

Finding web servers that have not been patched for WordPress vulnerabilities

The retrieved IP addresses also include outdated WordPress web servers that have not been patched against vulnerabilities such as SQL injection and XSS. Both SQL injection and XSS are known to be dangerous vulnerabilities that can run malicious scripts, gain WordPress administrator access or even make the site disappear.

By combining a keyword search with the tech_stack filter on Criminal IP’s Asset Search (https://www.criminalip.io/asset), you can search for IP addresses with a specific version of WordPress.

If you look at the page source of a website that uses WordPress, the WordPress version is specified in the form of “WordPress X.X.X”. Thus, if you want to search for web servers running WordPress v4.8.2 that have not been patched, you can type in “WordPress 4.8.2” tech_stack: wordpress.

https://www.criminalip.io/asset/search?query=%22WordPress%204.8.2%22%20tech_stack:%20wordpress

“WordPress 4.8.2” tech_stack: wordpress

Search results for old versions of WordPress that have not been patched against WordPress CVE vulnerabilities

Part of the banner of a web server that uses WordPress 4.8.2 and has not been security patched

There are approximately 134 IP addresses of websites running v4.8.2 that have not been patched. However, because a WordPress administrator setting can prevent the exposure of the meta tag, we expect there to be many more than the results show.

How to Scan for Outdated WordPress Vulnerabilities

From checking the Domain Search scan results for one of the vulnerable WordPress web servers, we found that it is using the outdated WordPress v4.8.2. It is more vulnerable than ever, as more than 60 WordPress vulnerabilities have been found, including the latest vulnerability CVE-2022-21663, CVE-2021-44223 and so on.

https://www.criminalip.io/domain/report?query=104.236.147.213%3A80&scan_id=2069129

Domain Search results for a web server that has not been patched against WordPress CVE vulnerabilities. More than 60 CVEs related to WordPress found

As such, an old version in the tech stack is highly likely to be unpatched, so it can become a target for hackers.

Therefore, if you are running your own personal website or your company is using website management systems like WordPress, regularly checking whether or not you have the latest version installed is essential.
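For site owners, the following added example (not Criminal IP's code) checks a saved copy of your own page source for the “WordPress X.X.X” generator meta tag described above and compares the version with a baseline. The BASELINE value, the function names and the sample pages are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Placeholder baseline: set this to the WordPress release you have approved.
BASELINE = (6, 0, 0)

# Constructed sample pages (not captured from any real site).
SAMPLE_OLD = '<html><head><meta name="generator" content="WordPress 4.8.2" /></head></html>'
SAMPLE_SHORT = "<head><META NAME='Generator' CONTENT='WordPress 6.0'></head>"
SAMPLE_HIDDEN = "<html><head><title>Blog</title></head><body>WordPress 4.8.2 tips</body></html>"


class GeneratorFinder(HTMLParser):
    """Collects the content attribute of every <meta name="generator"> tag."""

    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        attr = {k: (v or "") for k, v in attrs}
        if tag == "meta" and attr.get("name", "").lower() == "generator":
            self.generators.append(attr.get("content", ""))


def parse_version(text):
    """Return (major, minor, patch) from 'WordPress X.X[.X]', or None."""
    m = re.search(r"WordPress (\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(g or 0) for g in m.groups()) if m else None


def audit_page(html, baseline=BASELINE):
    """Report whether the page discloses its version and whether it is old."""
    finder = GeneratorFinder()
    finder.feed(html)
    for content in finder.generators:
        version = parse_version(content)
        if version:
            return {"exposed": True, "version": version, "outdated": version < baseline}
    # A hidden tag says nothing about patch level; verify it on the server.
    return {"exposed": False, "version": None, "outdated": None}


if __name__ == "__main__":
    for name, page in [("old", SAMPLE_OLD), ("short", SAMPLE_SHORT), ("hidden", SAMPLE_HIDDEN)]:
        print(name, audit_page(page))
```

An "exposed: False" result only means the meta tag is not disclosed; the installed version still has to be confirmed from the WordPress dashboard or the server itself.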

In this regard, you can also check out our article ‘Exposed Redis Commander: The Biggest Contributor to Database Leakage’ and how to navigate through web servers using favicon and title search.


Source : Criminal IP (https://www.criminalip.io)

Related Article :

https://blog.criminalip.io/2022/09/06/redis-database-leaks/