This article explains how to find old versions of WordPress web servers that have not been patched for WordPress vulnerabilities and how to scan for vulnerabilities in webpages created with WordPress.

What Is a WordPress Vulnerability?

WordPress is a website creation and management system used by 40% of all websites worldwide. When cyber attackers decide which web server to target, they look for old versions of web servers that have not received WordPress security patches. Because WordPress is used for many purposes, including personal blogs, corporate blogs, and official corporate websites, WordPress vulnerabilities are a major target for hackers. According to MITRE Corporation’s CVE statistics, a total of 344 WordPress vulnerabilities were discovered from 2004 to September 2022, 11 of which can actually be exploited by attackers.

Types of WordPress Vulnerability

When all discovered WordPress vulnerabilities are classified by type, XSS is the most common with 123 cases, followed by code execution with 48 cases.

  • XSS
  • HTTP Response Splitting
  • Execute Code
  • SQL Injection
  • Gain Information
  • Denial of Service
  • Directory Traversal
  • Bypass Something
  • CSRF
  • Gain Privilege
  • File Inclusion
Discovered WordPress CVE Vulnerability Statistics From 2004 to 2022. Source: MITRE Corporation CVE Statistics


Detecting Websites Built With WordPress

Criminal IP’s Asset Search (https://www.criminalip.io/asset) has a tech_stack filter that searches for the IP addresses of servers running a specific technology. Using the tech_stack filter, you can find the IP addresses of websites built with WordPress. In particular, it is possible to find the IP addresses of outdated WordPress webpages that have not received WordPress security patches.

https://www.criminalip.io/asset/search?query=tech_stack:%20wordpress

tech_stack: wordpress


List of web servers that use WordPress found by using tech_stack filter on Criminal IP’s Asset Search (https://www.criminalip.io/asset)

The results show approximately 660,000 active IP addresses of web servers created with WordPress. Under ‘Top Countries’ on the right, you can check the country statistics of IP addresses. Of all the IP addresses, about 258,000 belonged to the US.

Finding Web Servers That Have Not Been Patched for WordPress Vulnerabilities

The results for all discovered IP addresses include outdated WordPress web servers that have not been patched for vulnerabilities such as SQL injection and XSS. Both SQL injection and XSS are known to be dangerous vulnerabilities: they allow an attacker to run malicious scripts, gain WordPress administrator access, or even take the site down entirely.

By combining a keyword search and tech_stack filter on Criminal IP’s Asset Search (https://www.criminalip.io/asset), you can search for IP addresses with a specific version of WordPress.

[Criminal IP Search 101- How to Find Old WordPress Servers]

If you look at the page source of a website that uses WordPress, the WordPress version is specified in the form “WordPress X.X.X”. Thus, if you want to search for web servers running WordPress v4.8.2 that have not been patched for WordPress vulnerabilities, you can type in “WordPress 4.8.2” tech_stack: wordpress.

https://www.criminalip.io/asset/search?query=%22WordPress%204.8.2%22%20tech_stack:%20wordpress

“WordPress 4.8.2” tech_stack: wordpress


Search results for old versions of WordPress that have not been WordPress CVE vulnerability patched


Part of the banner of a web server that runs WordPress 4.8.2 without a security patch

There are approximately 134 IP addresses of websites running v4.8.2 that have not been patched. However, because a WordPress administrator can disable the generator meta tag that exposes the version, we expect the real number to be much higher than the results show.
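The same version signal the search above relies on (the “WordPress X.X.X” string in the page source) is something a site owner can check on their own hosts before anyone else does. The following Python script is an added example, not code from the original article or from Criminal IP: it parses a page source for the generator meta tag, falls back to the weaker `?ver=` query parameter on wp-content/wp-includes asset URLs, and compares the result against a baseline version that the caller supplies (the baseline value and the sample HTML are constructed for the example, not taken from the article).

```python
import re
from typing import Optional

# Constructed sample page sources for the example (not captured from any real server).
SAMPLE_PAGES = {
    # Generator tag present: version is exposed to anyone who fetches the page.
    "exposed": """<html><head>
<meta name="generator" content="WordPress 4.8.2" />
<link rel="stylesheet" href="/wp-content/themes/demo/style.css?ver=4.8.2" />
</head><body></body></html>""",
    # Generator tag removed and no ?ver= parameters: still WordPress, version not visible.
    "hidden": """<html><head><title>Blog</title>
<link rel="stylesheet" href="/wp-content/themes/demo/style.css" />
</head><body></body></html>""",
    # Not a WordPress page at all.
    "not_wordpress": "<html><head><title>Other CMS</title></head><body></body></html>",
}

# Strong signal: <meta name="generator" content="WordPress X.X.X" />
GENERATOR_RE = re.compile(
    r'<meta[^>]+name=["\']generator["\'][^>]+content=["\']WordPress\s+([\d.]+)["\']',
    re.IGNORECASE,
)
# Weaker signal: core asset URLs carrying ?ver=X.X.X. Plugins and themes reuse the
# same parameter for their own versions, so treat this as a hint, not proof.
VER_PARAM_RE = re.compile(
    r'/wp-(?:content|includes)/[^"\'>\s]*\?ver=(\d+(?:\.\d+)+)',
    re.IGNORECASE,
)


def is_wordpress(html: str) -> bool:
    """Heuristic WordPress fingerprint based on the paths WordPress always serves from."""
    lowered = html.lower()
    return "/wp-content/" in lowered or "/wp-includes/" in lowered or GENERATOR_RE.search(html) is not None


def extract_wp_version(html: str) -> Optional[str]:
    """Return the WordPress version string exposed in the page source, or None."""
    match = GENERATOR_RE.search(html)
    if match:
        return match.group(1)
    match = VER_PARAM_RE.search(html)
    if match:
        return match.group(1)
    return None


def parse_version(version: str) -> tuple:
    """Turn '4.8.2' into (4, 8, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def assess(html: str, baseline: str) -> dict:
    """Classify a page source against a caller-supplied baseline version.

    baseline is an assumption of this example: the minimum version the site owner
    considers acceptable (for example, the current release at the time of the check).
    """
    if not is_wordpress(html):
        return {"wordpress": False, "version": None, "outdated": None}
    version = extract_wp_version(html)
    if version is None:
        # Version is hidden; cannot decide from the page source alone.
        return {"wordpress": True, "version": None, "outdated": None}
    return {
        "wordpress": True,
        "version": version,
        "outdated": parse_version(version) < parse_version(baseline),
    }


if __name__ == "__main__":
    for name, html in SAMPLE_PAGES.items():
        print(name, assess(html, baseline="4.9.0"))
```

When the generator tag is absent the script deliberately reports the version as unknown rather than guessing: that is the state a hardened site should be in. A common way to get there, which the article only alludes to, is removing the generator output in the theme’s functions.php with `remove_action('wp_head', 'wp_generator');`. Hiding the version does not fix the underlying vulnerabilities, so the real control is still applying core updates promptly.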

How to Scan for Outdated WordPress Vulnerabilities

Checking the Domain Search scan results for one of the vulnerable WordPress web servers, we found that it is running the outdated WordPress v4.8.2. Such servers are more exposed than ever: more than 60 vulnerabilities have been found for this version, including the latest ones, CVE-2022-21663 and CVE-2021-44223.

https://www.criminalip.io/domain/report?query=104.236.147.213%3A80&scan_id=2069129


Domain Search results for the WordPress vulnerability unpatched webserver: More than 60 CVEs related to WordPress found

Web servers running an old version of WordPress are very likely to be missing vulnerability patches, which makes them a target for hackers.

Therefore, regularly checking for version updates is essential whether you run a personal website, such as a blog, or your company uses a website management system such as WordPress.

Please check out our article ‘Exposed Redis Commander: The Biggest Contributor to Database Leakage’ regarding how to search vulnerable web servers using favicon and title search.


Source : Criminal IP (https://www.criminalip.io)

Related Article :

https://blog.criminalip.io/2022/09/06/redis-database-leaks/