diff --git a/changelog.txt b/changelog.txt index 1da097d..e0d46a8 100644 --- a/changelog.txt +++ b/changelog.txt @@ -1,19 +1,26 @@ == Changelog == -= [3.3.0] - 2024-07-30 = += [3.3.0] - 2024-08-02 = **Added** * Ability to exclude of vulnerability types at a global level. +* WP-CLI commands formats (--format=[table,json]). +* REST API endpoints (requires Application Password). + +**Changed** + +* README file. **Compatibility** -* WordPress: 4.1 - 6.6 +* WordPress: 4.1 - 6.7 * PHP: 5.6 - 8.3 * WP-CLI: 2.3.0 - 2.10.0 **Tests** +* PHP Coding Standards: 3.10.2 * WordPress Coding Standards: 3.1.0 * Plugin Check (PCP): 1.0.2 * SonarCloud Code Review diff --git a/readme.txt b/readme.txt index 4a8c49a..8ee6e4f 100644 --- a/readme.txt +++ b/readme.txt 
@@ -9,66 +9,69 @@ Version: 3.3.0 License: GPL-2.0-or-later License URI: https://spdx.org/licenses/GPL-2.0-or-later.html -Receive information about possible vulnerabilities in your WordPress from [WordPress Vulnerability Database API](https://www.wpvulnerability.com/). +Get WordPress vulnerability alerts from [WordPress Vulnerability Database API](https://www.wpvulnerability.com/). == Description == -This plugin taps into the power of the free and unlimited [WordPress Vulnerability Database API](https://www.wpvulnerability.com/) to deliver vulnerability assessments directly within your WordPress dashboard. It's an essential tool for website administrators, developers, and anyone keen on maintaining a secure WordPress environment. +This plugin integrates with the WPVulnerability API to provide real-time vulnerability assessments for your WordPress core, plugins, themes, PHP version, Apache HTTPD, and nginx. It delivers detailed reports directly within your WordPress dashboard, helping you stay aware of potential security risks. Configure the plugin to send periodic notifications about your site's security status, ensuring you remain informed without being overwhelmed. Designed for ease of use, it supports proactive security measures without storing or retrieving any personal data from your site. -Secure your WordPress experience today, your first line of defense against vulnerabilities! += Data reliability = -= Comprehensive Security Analysis = +The information provided by the information database comes from different sources that have been reviewed by third parties. There is no liability of any kind for the information. Act at your own risk. -* Core: Checks the version of your WordPress Core against known vulnerabilities, ensuring you're always aware of potential risks. -* Plugin: Evaluates all your installed plugins, including those from the official repository, external sources, or premium ones, for any security weaknesses. 
-* Theme: Evaluates all your installed themes, including those from the official repository, external sources, or premium ones, for any security weaknesses. -* PHP: Analyzes your server's PHP version, detecting vulnerabilities specific to your PHP setup. This is crucial as outdated or unsupported PHP versions can significantly increase security risks. -* Apache HTTPD: Assesses the version of Apache HTTPD on your server, identifying any known vulnerabilities or misconfigurations that could compromise security. -* nginx: Evaluates the version of nginx on your server, pinpointing any known vulnerabilities or misconfigurations that could pose security threats. +== Using the plugin == -= In-Depth Vulnerability Reporting = += WP-CLI = -Stay ahead of potential threats with detailed reports. If a vulnerability is detected, visit the 'Site Health' section in your WordPress dashboard for in-depth information. It informs you about the nature of the vulnerability and provides guidance, such as updating to a newer version or addressing issues with unsupported or unpatched plugins/themes. +You can use the following WP-CLI commands to manage and check vulnerabilities: -= Customizable Alert System = +* `wp wpvulnerability core`: Lists Core vulnerabilities. +* `wp wpvulnerability plugins`: Lists Plugins vulnerabilities. +* `wp wpvulnerability themes`: Lists Themes vulnerabilities. +* `wp wpvulnerability php`: Lists PHP vulnerabilities. +* `wp wpvulnerability apache`: Lists Apache HTTPD vulnerabilities. +* `wp wpvulnerability nginx`: Lists nginx vulnerabilities. -Configure the plugin to send periodic notifications about your site's security status. Choose between daily or weekly updates, ensuring you're always in the loop about your website's vulnerability status without being overwhelmed by information. +All commands support the `--format` option to specify the output format: -= Why Choose This Plugin? = +* `--format=table`: Displays the results in a table format (default). 
+* `--format=json`: Displays the results in JSON format. -* User-Friendly: Designed for ease of use; no technical expertise required. -* Proactive Security: Helps in early detection and resolution of security issues. -* Peace of Mind: Ensures you're always a step ahead in maintaining a secure WordPress site. -* Privacy-Conscious: The plugin operates with a strong commitment to privacy. It does not store any data from your site nor retrieves personal or sensitive information. -* Respect for Data Integrity: We understand the importance of your site’s integrity. The plugin works discreetly in the background, ensuring that your content and data remain untouched and unaffected during security checks. +Need help? -= Using the plugin = +* `wp wpvulnerability --help`: Displays help information for WPVulnerability commands. +* `wp wpvulnerability [command] --help`: Displays help information for a WPVulnerability command. -== WP-CLI == += REST API = -And then, You will find these wpcli commands: +The WPVulnerability plugin provides several REST API endpoints to fetch vulnerability information for different components of your WordPress site. -* `wp wpvulnerability --help`: Get help with these commands. -* `wp wpvulnerability core`: List Core vulnerabilities. -* `wp wpvulnerability plugins`: List Plugins vulnerabilities. -* `wp wpvulnerability themes`: List Themes vulnerabilities. -* `wp wpvulnerability php`: List PHP vulnerabilities. -* `wp wpvulnerability apache`: List Apache HTTPD vulnerabilities. -* `wp wpvulnerability nginx`: List nginx vulnerabilities. +* `/wpvulnerability/v1/core`: Fetches Core vulnerabilities. +* `/wpvulnerability/v1/plugins`: Fetches Plugins vulnerabilities. +* `/wpvulnerability/v1/themes`: Fetches Themes vulnerabilities. +* `/wpvulnerability/v1/php`: Fetches PHP vulnerabilities. +* `/wpvulnerability/v1/apache`: Fetches Apache HTTPD vulnerabilities. +* `/wpvulnerability/v1/nginx`: Fetches nginx vulnerabilities. 
-== Configurations == +Authentication -**From mail** +The WPVulnerability REST API uses Application Passwords for authentication. You need to include a valid Application Password in the Authorization header of your requests. -_Since: 3.2.2_ +Example Request with Authentication -If, for some reason, you need the emails sent by the plugin to have a From different from the site administrator, you can change it from the `wp-config.php` by adding a constant: +``` +curl -X GET https://example.com/wp-json/wpvulnerability/v1/plugins -u username:application_password +``` -`define( 'WPVULNERABILITY_MAIL', 'sender@example.com' );` +Replace username with your WordPress `username` and `application_password` with your [Application Password](https://make.wordpress.org/core/2020/11/05/application-passwords-integration-guide/). -= Data reliability = +== Extra Configurations == -The information provided by the information database comes from different sources that have been reviewed by third parties. There is no liability of any kind for the information. Act at your own risk. += "From:" mail (since: 3.2.2) = + +If, for some reason, you need the emails sent by the plugin to have a From different from the site administrator, you can change it from the `wp-config.php` by adding a constant: + +`define( 'WPVULNERABILITY_MAIL', 'sender@example.com' );` == Installation == 
@@ -106,26 +109,33 @@ First of all, peace of mind. Investigate what the vulnerability is and, above al == Compatibility == -* WordPress: 4.1 - 6.6 +* WordPress: 4.1 - 6.7 * PHP: 5.6 - 8.3 * WP-CLI: 2.3.0 - 2.10.0 == Changelog == -= [3.3.0] - 2024-07-30 = += [3.3.0] - 2024-08-02 = **Added** * Ability to exclude of vulnerability types at a global level. +* WP-CLI commands formats (--format=[table,json]). +* REST API endpoints (requires Application Password). + +**Changed** + +* README file. **Compatibility** -* WordPress: 4.1 - 6.6 +* WordPress: 4.1 - 6.7 * PHP: 5.6 - 8.3 * WP-CLI: 2.3.0 - 2.10.0 **Tests** +* PHP Coding Standards: 3.10.2 * WordPress Coding Standards: 3.1.0 * Plugin Check (PCP): 1.0.2 * SonarCloud Code Review diff --git a/wpvulnerability-api.php b/wpvulnerability-api.php index 7ed826d..51d417a 100644 --- a/wpvulnerability-api.php +++ b/wpvulnerability-api.php @@ -19,7 +19,7 @@ */ function wpvulnerability_rest_core_vulnerabilities() { - // Include the file containing the function to get core vulnerabilities. + // Include the files containing the functions to get core vulnerabilities. require_once WPVULNERABILITY_PLUGIN_PATH . '/wpvulnerability-general.php'; require_once WPVULNERABILITY_PLUGIN_PATH . '/wpvulnerability-core.php'; @@ -29,6 +29,7 @@ function wpvulnerability_rest_core_vulnerabilities() { $core_complete = array(); $vulnerabilities = array(); + // Check if vulnerabilities are found and is an array. if ( $core_vulnerabilities && is_array( $core_vulnerabilities ) ) { // Loop through each core vulnerability. @@ -36,7 +37,7 @@ function wpvulnerability_rest_core_vulnerabilities() { $core_complete_temp = array(); - // Process theme name and slug. + // Process vulnerability version. $core_complete_temp['version'] = trim( html_entity_decode( wp_kses( (string) $vulnerability['name'], 'strip' ) ) ); // Process vulnerability severity. 
@@ -95,7 +96,7 @@ function wpvulnerability_rest_core_vulnerabilities() {
 */
 function wpvulnerability_rest_plugins_vulnerabilities() {
- // Include the file containing the function to get plugins vulnerabilities.
+ // Include the files containing the functions to get plugins vulnerabilities.
 require_once WPVULNERABILITY_PLUGIN_PATH . '/wpvulnerability-general.php';
 require_once WPVULNERABILITY_PLUGIN_PATH . '/wpvulnerability-plugins.php';
@@ -107,12 +108,13 @@ function wpvulnerability_rest_plugins_vulnerabilities() {
 // Loop through each plugin vulnerability.
 foreach ( $plugins_vulnerabilities as $plugin ) {
+ // Check if the plugin is vulnerable.
 if ( 1 === $plugin['vulnerable'] ) {
 $plugins_complete_temp = array();
 $plugins_complete_temp_vulnerabilities = array();
- // Process theme name and slug.
+ // Process plugin name and slug.
 $plugins_complete_temp['name'] = trim( html_entity_decode( wp_kses( (string) $plugin['Name'], 'strip' ) ) );
 $plugins_complete_temp['slug'] = trim( html_entity_decode( wp_kses( (string) $plugin['slug'], 'strip' ) ) );
@@ -164,10 +166,12 @@ function wpvulnerability_rest_plugins_vulnerabilities() {
 }
 }
+ // Add processed vulnerability to the temporary array.
 $plugins_complete_temp['vulnerabilities'][] = $plugins_complete_temp_vulnerabilities;
 unset( $plugins_complete_temp_vulnerabilities, $vulnerability );
 }
+ // Add processed plugin data to the complete array.
 $plugins_complete[] = $plugins_complete_temp;
 unset( $plugins_complete_temp );
 }
@@ -202,6 +206,7 @@ function wpvulnerability_rest_themes_vulnerabilities() {
 // Loop through each theme vulnerability.
 foreach ( $themes_vulnerabilities as $theme ) {
+ // Check if the theme is vulnerable.
 if ( 1 === $theme['wpvulnerability']['vulnerable'] ) {
 $themes_complete_temp = array();
@@ -259,10 +264,12 @@ function wpvulnerability_rest_themes_vulnerabilities() {
 }
 }
+ // Add processed vulnerability to the temporary array.
 $themes_complete_temp['vulnerabilities'][] = $themes_complete_temp_vulnerabilities;
 unset( $themes_complete_temp_vulnerabilities, $vulnerability );
 }
+ // Add processed theme data to the complete array.
 $themes_complete[] = $themes_complete_temp;
 unset( $themes_complete_temp );
 }
@@ -301,6 +308,7 @@ function wpvulnerability_rest_php_vulnerabilities() {
 $php_complete_temp = array();
+ // Process PHP version and affected versions.
 $php_complete_temp['version'] = trim( html_entity_decode( wp_kses( (string) $php['version'], 'strip' ) ) );
 $php_complete_temp['affected'] = trim( html_entity_decode( wp_kses( (string) $php['versions'], 'strip' ) ) );
 $php_complete_temp['unfixed'] = (int) $php['unfixed'];
@@ -317,6 +325,7 @@ function wpvulnerability_rest_php_vulnerabilities() {
 }
 }
+ // Add processed vulnerability to the complete array.
 $php_complete[] = $php_complete_temp;
 unset( $php_complete_temp, $php );
@@ -359,6 +368,7 @@ function wpvulnerability_rest_apache_vulnerabilities() {
 $apache_complete_temp = array();
+ // Process Apache version and affected versions.
 $apache_complete_temp['version'] = trim( html_entity_decode( wp_kses( (string) $apache['version'], 'strip' ) ) );
 $apache_complete_temp['affected'] = trim( html_entity_decode( wp_kses( (string) $apache['versions'], 'strip' ) ) );
 $apache_complete_temp['unfixed'] = (int) $apache['unfixed'];
@@ -375,6 +385,7 @@ function wpvulnerability_rest_apache_vulnerabilities() {
 }
 }
+ // Add processed vulnerability to the complete array.
 $apache_complete[] = $apache_complete_temp;
 unset( $apache_complete_temp, $apache );
@@ -411,6 +422,7 @@ function wpvulnerability_rest_nginx_vulnerabilities() {
 $webserver = wpvulnerability_detect_webserver();
+ // Check if the webserver is nginx and has a version.
 if ( isset( $webserver['id'] ) && 'nginx' === $webserver['id'] && isset( $webserver['version'] ) && $webserver['version'] ) {
 // Loop through each Nginx vulnerability.
@@ -418,6 +430,7 @@ function wpvulnerability_rest_nginx_vulnerabilities() {
 $nginx_complete_temp = array();
+ // Process nginx version and affected versions.
 $nginx_complete_temp['version'] = trim( html_entity_decode( wp_kses( (string) $nginx['version'], 'strip' ) ) );
 $nginx_complete_temp['affected'] = trim( html_entity_decode( wp_kses( (string) $nginx['versions'], 'strip' ) ) );
 $nginx_complete_temp['unfixed'] = (int) $nginx['unfixed'];
@@ -434,6 +447,7 @@ function wpvulnerability_rest_nginx_vulnerabilities() {
 }
 }
+ // Add processed vulnerability to the complete array.
 $nginx_complete[] = $nginx_complete_temp;
 unset( $nginx_complete_temp, $nginx );
@@ -464,7 +478,7 @@ function wpvulnerability_permission_check( WP_REST_Request $request ) {
 // Check if the authorization header is present and properly formatted.
 if ( $authorization_header && preg_match( '/^Basic\s(.+)$/i', $authorization_header, $matches ) ) {
- $auth_string = base64_decode( $matches[1] );
+ $auth_string = base64_decode( (string) $matches[1] ); // phpcs:ignore
 list( $user, $password ) = explode( ':', $auth_string );
 // Authenticate the user using the application password.
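Review bot: `list( $user, $password ) = explode( ':', $auth_string );` on the line after the changed one in wpvulnerability_permission_check still assumes the decoded credential contains exactly one colon: a Basic value with no colon leaves `$password` undefined (PHP notice, then `null` reaches the authenticator), and one with several colons truncates the secret, so replace it with `$parts = explode( ':', $auth_string, 2 ); if ( 2 !== count( $parts ) ) { return false; } list( $user, $password ) = $parts;`. The changed line itself should decode strictly, `base64_decode( (string) $matches[1], true )`, so a malformed header fails here instead of yielding an arbitrary byte string. The bare `// phpcs:ignore` silences every sniff on that line; name the one intended (WPCS reports base64_decode under `WordPress.PHP.DiscouragedPHPFunctions`) so a future finding on the same line is not hidden. Since WordPress core already validates Application Passwords during `determine_current_user`, this hand-rolled header parsing may be redundant, and the remainder of the callback, which continues past the end of this hunk, should also require a capability such as `manage_options` rather than only valid credentials if it does not already.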