Defender must have had an update in the vulnerability database.

Defender must have had an update in the vulnerability database. Scan from last night showed: "WordPress 2.3-4.7.4 - Host Header Injection in Password Reset"

Also Defender offers to fix it but won't fix it then. It shows is as a plugin/theme problem where it really should be a Wordpress Core issue from what little I could gather on google.

https://monosnap.com/file/8OezKORE6XDV3Ss4x3fVCaKHFdF3Nk

Support Accèss is enabled.

  • caramiame
    • Flash Drive

    Yes

    I have this issue too, so was at first wondering if there is a hole when defender resets salts as I did that right before the initial scan on a fairly new install to look for a rogue image file that I'd been trying to purge...

    Background: I've been using amazon api and a rogue image file that replicates itself was injected from the latest data pull, though I caught it in a few previous pulls, too but it was not persitent .

    I was doing this work prior to the defender install on a new site -- this fake image file gets pulled in from amazon api, Imust have deleted at least 75 initially for 50 products -- They are named the same series of numbers and end with a "."

    The image url is a unique string -- it replicates itself even if you delete all of them, I had more than 50, and immediately deleted transients several times after purging each re-infection of 1, 5, etc.

    I was reading that putting a "." at the end of a cdn provider string from amazon, cloudfront, etc allows malicious parties to hijack your domain in the dns due to a vulnerability with the protocol.

    I have been dealing with this kind of crap for a bit now -- please advise if this report from Defender is accurate and what to do -- I have not tried to fix it as I am all up to date in the dashboard, have ssl, heard of no report and the google search had only one page of results, I already had an issue, and here, Peter says it didn't do anything for him when he did click to repair...

    Update, it has been a while and the rogue image has reappeared twice, at least not as fast but I may need help, lol, not.
    thank you!

  • caramiame
    • Flash Drive

    thanks for the link yet in my case going there gifted me a warning that the connection isn't secure? This happens alot when I search for errors etc lately...

    - there was only one page of search results (now there's more than 8, lol) when I looked earlier for the Defender scan issue report and since not familiar with the reporters plus with all the trouble I've had lately, I was hesitant to trust any of those page results:
    Google Search For Defender Error

    Before starting this followup reply, my dashboard (from "wpvulndb"(?) also the first link on the search results) - tells me to update (?) so before doing anything I came here to check for any news (I just returned there and the urgent message to update went away?) - so since your link doesn't work for me, Paul, I suspect I have xss going on too. :slight_frown:
    Additionally, ninja firewall did an update to itself after I made first post here earlier - here is what they updated:

    v3.5
    The login page can also be protected with a captcha instead of the username/password combination (see “Login Protection > Type of protection”).
    A new option was added to attempt to block bots before they start a brute-force attack (see “Login Protection > Enable bot protection”).
    The substitution character used to sanitise filenames can be changed (see “Firewall Policies > Uploads > Sanitise filenames > Substitution character”).
    The “X-Content-Type-Options” firewall policy will be disabled by default when installing NinjaFirewall.
    Fixed a bug where NinjaFirewall was not reporting the correct timezone.
    The firewall log encoding can be disabled or changed (hexadecimal, base64 or none). See http://nin.link/log_encoding/
    Updated Anti-Malware signatures.
    [WP+ Edition] Updated IPv4/IPv6 GeoIP databases.
    Small fixes and minor adjustments.

    I've been having csp issues in my ff dev browser too, seems like alot of people are having them just in the last few days - I am checking into this plugin to see if it can help some things:
    CSP WordPress Plugin

    Thanks for your tip regarding apache config, I thought serverpilot handled that so now I can go check it out and see if it is related. :slight_smile:
    Ciao!

  • Luís
    • Support

    Hi all,

    This report mentions a vulnerability found in the WordPress core, affecting almost of the WordPress versions:

    https://wpvulndb.com/vulnerabilities/8807

    My teammate Hoang, shared a mu-plugin to fix this, if you are interested:

    https://premium.wpmudev.org/forums/topic/wp-defender-is-reporting-this-wordpress-vulnerability#post-1250319

    The mu-plugin will fix the vulnerability, but Defender and other security plugins will keep alerting this, so, we will need to ignore until wp.org fix the issue.

    When Wp.org fixed the issue, we are able to remove the "mu-plugin".

    Cheers, Luís

  • Peter
    • Site Builder, Child of Zeus

    Thanks for the fix, Luís. Same to Hoang.

    Quick thought though before I make Defender ignore the issue - is there any way of telling if this patch does the job and I didn't make any blunders in following the setup instructions? They are easy enough. But it just feels nice to know everything is working rahter than just trusting that I didn't make any stupid typos e.g.

    Thanks again,
    Peter

Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.