• 5.0.0 7b62556227

    v5.0.0 Stable

    javier released this 2026-06-02 13:42:48 +00:00 | 1 commits to main since this release

    [5.0.0] - 2026-05-26

    Added

    • Vulnerability detail panels fully redesigned across all contexts (plugins, themes, core, server software, Site Health):
      • Bootstrap-inspired score/severity badge colour-coded by severity level (Critical/High/Medium/Low/None).
      • Source attribution pills: label is the hostname extracted from the source URL (e.g. wordfence.com, nvd.nist.gov); uniform dark-grey #50575e; hover turns black/white; linked with rel="nofollow noopener noreferrer".
      • "References:" label and pills displayed on the same flex row.
      • CVSS priority order: CVSS 4 → CVSS 3 → CVSS 2 → legacy CVSS. The highest available score and severity are always shown.
      • ssvc.exploitation: poc → "Public exploit" badge; active → merged into "⚠ Actively exploited".
      • ssvc.automatable: yes → "⚙ Automatable" badge.
      • ssvc.kev_date → date appended to "Actively exploited" (e.g. "⚠ Actively exploited · 2024-03-15").
      • epss → "EPSS X.X%" badge on the same row as the CVSS badge.
      • CVE description from source[].description shown for all vulnerability types; [en-US] / language prefix stripped automatically.
      • CWE name and description shown in server software vulnerability details (was missing).
      • Version range: leading - / * stripped when there is no lower bound (e.g. "- < 1.3.28" becomes "< 1.3.28").
      • Wording change: "affecting this version" → "affecting your installed version" (plugins, themes, core).
    • Core vulnerabilities on update-core.php: display rewritten to use the same two-column table with badges, description, CWE, and reference pills as plugin/theme rows (replaces the old plain table with score-only rows).
    • Theme details modal (single-site): vulnerability section injected after the Tags field. Uses wp_prepare_themes_for_js filter to embed pre-rendered HTML and a JS template patch (admin_footer) to surface it inside the Underscore.js template. Shows version range, badges, description, and references — identical layout to plugin rows.
    • Helper functions added to wpvulnerability-process.php: wpvulnerability_source_css_slug(), wpvulnerability_render_source_pills(), wpvulnerability_render_score_badge(), wpvulnerability_clean_version_range(), wpvulnerability_get_source_description().
    • Helper functions added to wpvulnerability-themes.php: wpvulnerability_theme_modal_html(), wpvulnerability_filter_prepare_themes_for_js(), wpvulnerability_theme_modal_template_patch().
    • Vulnerability severity now uses the full-word value from cvss3.severity ("critical", "high", "medium", "low", "none") when available, falling back to the legacy single-character cvss.severity code. wpvulnerability_severity() accepts both formats.
    • Known Exploited Vulnerability (KEV) badge: when a vulnerability is listed in the CISA KEV catalog (impact.ssvc.kev: true for plugins/themes/core; impact.kev: true for server software), a prominent warning is shown in the vulnerability detail panel.
    • Publication date displayed next to each source link in the vulnerability details table (source[].date field from the API).
    • Server software lifecycle status displayed in the vulnerability detail panel: a coloured dot shows whether the detected version is Supported or End of Life, together with the end-of-life date if available (data.status, data.date_end fields from the API).
    • EOL badge shown in the dashboard software grid (PHP, Apache, nginx, MariaDB, MySQL, ImageMagick, curl, memcached, Redis, SQLite) when the detected version has reached end-of-life. Lifecycle data is fetched alongside vulnerability data during the scheduled scan and stored with the software option.
    • REST API: all vulnerability endpoints now expose uuid (unique vulnerability identifier), kev (boolean), ssvc block (exploitation, automatable, technical_impact) for plugins/themes/core, and severity from cvss3 when available.
    • About tab: new Intelligence Sources table showing how many vulnerabilities each source (CVE, EUVD, JVN, Patchstack, WPScan, Wordfence) contributes, broken down by Core / Plugins / Themes. Populated from the new stats.vulnerabilities.{source} field in the API.
    • REST API: source entries now include a date field with the vulnerability publication date.

    Security

    • wpvulnerability-adminms.php: wpvulnerability_process_network_config_forms() now requires manage_network_options capability (via current_user_can()) in addition to the nonce check already present. Previously, a logged-in user who obtained a valid nonce could update plugin config and analysis options.
    • WP-CLI: all vulnerability commands (core, plugins, themes, php, apache, …) now require manage_options (or manage_network_options on multisite). Commands abort with a clear error and a --user=<admin_login> hint if the check fails. This enforces the same access model as the REST API endpoints.
    • WP-CLI: all config commands (hide, email, cache, log-retention, period) now require manage_options / manage_network_options before modifying any WordPress option.
    • REST API permission check now passes strict mode (true) to base64_decode() when parsing the HTTP Basic Authorization header. Without this flag, PHP silently ignores illegal base64 characters; with it, a malformed or padding-stripped token is immediately rejected and returns an authentication failure instead of decoding unpredictable bytes.
    • Debug web server detection (LiteSpeed, OpenLiteSpeed, Caddy) now routes through the wpvulnerability_safe_shell_exec() wrapper instead of calling shell_exec() directly. This ensures the WPVULNERABILITY_DISABLE_SHELL_EXEC constant, the security mode, the command whitelist, and audit logging are respected even when WP_DEBUG is enabled.
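The capability fix for the network config handler, as an added illustration that is not the plugin's own wpvulnerability_process_network_config_forms(): the nonce-only form the entry describes as the previous behaviour, beside the hardened form. The option name, nonce action and sanitizer are assumed.

```php
<?php
// Added example, not the plugin's code. Option name 'example_plugin_config',
// nonce action 'example_save_config' and example_sanitize_config() are assumed.

function example_sanitize_config( array $input ): array {
    $period = sanitize_key( wp_unslash( $input['period'] ?? '' ) );
    return array(
        'hide'   => ! empty( $input['hide'] ),
        'period' => in_array( $period, array( 'daily', 'weekly', 'never' ), true ) ? $period : 'weekly',
    );
}

// Before: nonce only. A nonce proves the request came from a form WordPress
// rendered for some logged-in user; it does not prove that user may change
// network settings, so any authenticated user holding a valid nonce passes.
function example_save_network_config_nonce_only(): void {
    $nonce = isset( $_POST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'example_save_config' ) ) {
        wp_die( 'Invalid request.' );
    }
    update_site_option( 'example_plugin_config', example_sanitize_config( $_POST ) );
}

// After: capability first, then nonce. current_user_can() answers "may this
// user do this"; the nonce answers "did this user intend this request".
function example_save_network_config(): void {
    if ( ! current_user_can( 'manage_network_options' ) ) {
        wp_die( 'You are not allowed to change network settings.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_save_config' ); // dies on a missing or invalid nonce
    update_site_option( 'example_plugin_config', example_sanitize_config( $_POST ) );
}
```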
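The strict base64_decode() point for the Basic Authorization header, as an added example that is not the plugin's REST permission callback: the same malformed token is decoded both ways so the difference is visible. The function name and the sample credentials are constructed.

```php
<?php
// Added example, not the plugin's code. example_parse_basic_auth() and the
// sample tokens below are constructed for illustration.

/**
 * Extract user and password from an HTTP Basic Authorization header value.
 * Returns null for anything that is not a well-formed "Basic <base64>" token.
 */
function example_parse_basic_auth( string $header, bool $strict = true ): ?array {
    if ( 0 !== stripos( $header, 'Basic ' ) ) {
        return null;
    }
    $token   = trim( substr( $header, 6 ) );
    // With $strict = true, any character outside the base64 alphabet makes
    // base64_decode() return false instead of silently discarding it.
    $decoded = base64_decode( $token, $strict );
    if ( false === $decoded || false === strpos( $decoded, ':' ) ) {
        return null;
    }
    list( $user, $password ) = explode( ':', $decoded, 2 );
    if ( '' === $user ) {
        return null;
    }
    return array( 'user' => $user, 'password' => $password );
}

// Constructed sample headers: base64 of "admin:s3cret", and the same token
// with an illegal '*' inserted in the middle.
$good = 'Basic YWRtaW46czNjcmV0';
$bad  = 'Basic YWRtaW46czNj*cmV0';

var_dump( example_parse_basic_auth( $good ) );        // well-formed token: credential pair
var_dump( example_parse_basic_auth( $bad, false ) );  // non-strict: the '*' is dropped and decoding still succeeds
var_dump( example_parse_basic_auth( $bad ) );         // strict: decoding fails and the request is rejected
```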
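A gated shell_exec() wrapper of the kind the last entry describes (kill-switch constant, environment check, fixed allow-list, audit log), added here as an illustration and not the plugin's wpvulnerability_safe_shell_exec(). WPVULNERABILITY_DISABLE_SHELL_EXEC is the constant named above; the allow-list entries, example_shell_audit() and the option name are placeholders.

```php
<?php
// Added example, not the plugin's wrapper. Allow-list commands, the audit
// helper and the option name 'example_shell_audit_log' are placeholders.

function example_safe_shell_exec( string $command ): ?string {
    // 1. Site-wide kill switch set in wp-config.php wins over everything else.
    if ( defined( 'WPVULNERABILITY_DISABLE_SHELL_EXEC' ) && WPVULNERABILITY_DISABLE_SHELL_EXEC ) {
        example_shell_audit( $command, 'disabled-by-constant' );
        return null;
    }
    // 2. The host may have removed shell_exec via disable_functions.
    $disabled = array_map( 'trim', explode( ',', (string) ini_get( 'disable_functions' ) ) );
    if ( ! function_exists( 'shell_exec' ) || in_array( 'shell_exec', $disabled, true ) ) {
        return null;
    }
    // 3. Whole-string allow-list: the command is matched exactly and is never
    //    assembled from request data, so nothing can be injected into it.
    $allowed = array( 'example-httpd -v', 'example-proxy version' ); // placeholders
    if ( ! in_array( $command, $allowed, true ) ) {
        example_shell_audit( $command, 'denied' );
        return null;
    }
    // 4. Record the execution, then run with stderr captured.
    example_shell_audit( $command, 'executed' );
    $output = shell_exec( $command . ' 2>&1' );
    return is_string( $output ) ? $output : null;
}

// Keep the last 100 decisions so an administrator can see what ran, when,
// and which attempts were refused.
function example_shell_audit( string $command, string $result ): void {
    $log   = get_option( 'example_shell_audit_log', array() );
    $log   = is_array( $log ) ? $log : array();
    $log[] = array(
        'time'    => time(),
        'command' => $command,
        'result'  => $result,
    );
    update_option( 'example_shell_audit_log', array_slice( $log, -100 ), false );
}

// Every detection path, including the WP_DEBUG-only server probes, calls
// example_safe_shell_exec() rather than shell_exec() directly.
```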

    Fixed

    • Forced test email on a fresh install (no email address configured yet) no longer produces an E_WARNING on PHP 7.x or a TypeError on PHP 8.x. The fallback now initialises emails as an array instead of appending to a potentially empty string.
    • determine_locale() call in the About tab is now guarded by function_exists() instead of a version_compare() check, which is more forward-compatible and correctly recognised by static analysis tools.
    • preg_replace() return values (which can be null on error) in the HTML-to-plain-text converter are now handled safely, preventing a potential TypeError on corrupt input.
    • DOMDocument::$documentElement null check added in the HTML-to-plain-text converter; avoids a potential fatal error on malformed or empty HTML fragments.
    • JSON-encoded vulnerability count options are validated as strings before being passed to json_decode(), preventing potential errors when a WordPress option returns an unexpected type.
    • cron_schedules callbacks (wpvulnerability_add_every_week, wpvulnerability_add_every_day) now use a did_action('init') guard before calling __(), eliminating the "Translation loading triggered too early" notice introduced in WordPress 6.7.
    • WP-CLI vulnerability commands (core, plugins, themes, php, and all software components) now display a clear success message when no vulnerabilities are found, instead of an empty table.
    • WP-CLI config period monthly now returns a proper error message instead of silently treating the value as never. Valid periods are daily, weekly, and never.
    • uninstall.php created. Plugin data is preserved by default on uninstall; a new "Delete all plugin data on uninstall" checkbox in the Tools settings tab allows opting in to full removal.
    • Large vulnerability data options are now stored with autoload=false, preventing unnecessary loading of JSON blobs on every WordPress request.

    Changed

    • Minimum required PHP version updated from 5.6 to 7.0. The null coalescing operator (??) introduced throughout the codebase for improved type safety requires PHP 7.0 or later. PHP 5.6 reached end-of-life in December 2018 and is no longer supported by any currently maintained WordPress version.
    • Minimum required WordPress version updated from 4.7 to 5.6. This enables simplification of backward-compatibility code paths and full use of Application Passwords, wp_timezone(), wp_date(), determine_locale(), and $wpdb->db_server_info() without version guards.
    • Removed wp_doing_cron() polyfill — the function has been available since WordPress 4.8 and is guaranteed at the new minimum.
    • Application Passwords authentication in the REST API no longer requires a function_exists('wp_is_application_passwords_available') guard — Application Passwords are always available at WordPress 5.6.
    • Removed fallback code paths for wp_timezone() (WordPress 5.3), wp_date() (WordPress 5.3), and determine_locale() (WordPress 5.0).
    • wpvulnerability_get_vulnerabilities() now stores the impact field in each matched vulnerability array entry, enabling KEV and severity display for all component types.
    • wpvulnerability_get_fresh_vulnerabilities() (software.php) now stores lifecycle metadata (name, status, date_start, date_end) in the software option alongside vulnerabilities and vulnerable. The transient is explicitly cleared before the refresh to guarantee a fresh API call.
    • wpvulnerability_get_cron_snapshot() now uses only public WordPress Cron API functions (wp_next_scheduled(), wp_get_schedule()) instead of the private _get_cron_array(). The function iterates over the known plugin hooks (defined in wpvulnerability_get_plugin_cron_hooks()) rather than scanning the full cron array. Duplicate-instance detection is no longer performed.
    • wpvulnerability_get_plugin(), wpvulnerability_get_theme(), wpvulnerability_get_core(), and wpvulnerability_get_vulnerabilities() now store the uuid field in each vulnerability entry.

    Developer

    • Full PHPStan level 9 compliance achieved across all 17 PHP files: 1,092 pre-existing type errors resolved; analysis now passes clean with zero errors and an empty baseline.
    • Added development tooling: composer.json with all dev dependencies, phpstan.neon (level 9), phpcs.xml (WordPress standards), phpunit.xml.dist, bin/deploy.sh, and docs/ directory.
    • Added 18 PHPUnit plugin header tests verifying consistency between wpvulnerability.php and readme.txt.
    • WordPress API stubs updated to v7.0.0 for PHPStan analysis. Added johnbillion/wp-compat extension for WordPress version compatibility analysis.
    • Added internal helpers wpvulnerability_get_component_count() and wpvulnerability_get_config() to centralise typed access to cached vulnerability counts and plugin configuration.
    • Fixed 10 WordPress version compatibility findings reported by wp-compat: wp_date(), determine_locale(), wp_authenticate_application_password(), after_core_auto_updates_settings hook, site_status_tests filter, and others.

    Compatibility

    • WordPress: 5.6 - 7.1
    • PHP: 7.0 - 8.5
    • WP-CLI: 2.3.0 - 2.12.0

    Tests

    • PHP Coding Standards: 3.13.5
    • WordPress Coding Standards: 3.3.0
    • PHPStan: 2.1.55 (level 9, 0 errors)
    • PHPUnit: 9.6.34 (18 tests)
    • Plugin Check (PCP): 1.8.0