Detecting Vulnerabilities in PHP Applications with the Up-and-Coming Snyk Platform

Introduction

I have not been able to post for two days in a row because I was unwell, which is embarrassing. The weather has turned noticeably cold, so please take care not to catch a cold and look after yourselves.

This article is part of the Snyk Advent Calendar 2021, an Advent calendar run to promote the product, in which three lucky Snyk prize winners will receive the latest iPad (64GB, Wi-Fi model) and an Apple Pencil (2nd generation).

Snyk

Snyk is a cloud-focused cybersecurity company headquartered in Boston, USA, founded in 2015. It ranked 39th in the 2021 Forbes Cloud 100, and its valuation soared to 8.5 billion dollars (about 93.4 billion yen) in September 2021. Google, Salesforce, Intuit and Atlassian are reportedly among its customers.


Etymology and pronunciation of Snyk

Snyk is short for "So Now You Know".

The founders apparently pronounce it "sneak".

Some members of the development team also apparently pronounce it "snick". "Snick" is the click a key lock makes when it engages, the sound that tells you the lock is secure.

Products

The offering is divided into the following four products.

Product                      Summary
Snyk Open Source             Finds and automatically fixes vulnerabilities in open-source dependencies
Snyk Code                    Finds and fixes vulnerabilities in application code in real time
Snyk Container               Finds and fixes vulnerabilities in container images and Kubernetes applications
Snyk Infrastructure as Code  Finds and fixes misconfigurations in Terraform, CloudFormation, Kubernetes and ARM templates

Plans

There are four plans to choose from: Free, Team, Business and Enterprise. Paid plans require at least 5 developers, start at 125 dollars per month, and cover either Snyk Open Source or Snyk Container.

Free plan

The Free plan has the following limits.

Product                      Monthly test limit
Snyk Open Source             200 tests per month
Snyk Code                    100 tests per month
Snyk Container               100 tests per month
Snyk Infrastructure as Code  300 tests per month

Sign-up

Snyk is a SaaS (software as a service) platform, so you need to create an account before you can use it. You can sign up with a GitHub, Google, Bitbucket, Azure AD or Docker ID account.
https://app.snyk.io/login

Interfaces

Snyk offers the following interfaces.

Snyk – web-based

Snyk CLI – command-line based

Snyk API – available only on the Business and Enterprise plans

IDE plugins

Snyk Vulnerability Scanner (JetBrains)

Snyk Vulnerability Scanner (Visual Studio Code)

Snyk Vulnerability Scanner (Visual Studio 2015, 2017, 2019)

Snyk Security Scanner (Eclipse)

Website Scanner – enter a URL to check a website online

Snyk Vulnerability Database –

Snyk Advisor –

Snyk CLI

Installation

As of December 2021, the Snyk CLI can be installed via npm, Yarn, Homebrew, Scoop, Docker, or as a standalone executable.

npm

npm install snyk@latest -g

Yarn

yarn global add snyk

Homebrew

brew tap snyk/tap && brew install snyk
==> Tapping snyk/tap
Cloning into '/usr/local/Homebrew/Library/Taps/snyk/homebrew-tap'...
remote: Enumerating objects: 1960, done.
remote: Counting objects: 100% (924/924), done.
remote: Compressing objects: 100% (704/704), done.
remote: Total 1960 (delta 315), reused 751 (delta 218), pack-reused 1036
Receiving objects: 100% (1960/1960), 265.65 KiB | 5.11 MiB/s, done.
Resolving deltas: 100% (803/803), done.
Tapped 2 formulae (20 files, 330.8KB).
==> Downloading https://static.snyk.io/cli/v1.797.0/snyk-macos
==> Installing snyk from snyk/tap
🍺  /usr/local/Cellar/snyk/1.797.0: 3 files, 52.7MB, built in 4 seconds
==> Running `brew cleanup snyk`...
Disable this behaviour by setting HOMEBREW_NO_INSTALL_CLEANUP.
Hide these hints with HOMEBREW_NO_ENV_HINTS (see `man brew`).

Scoop

scoop bucket add snyk https://github.com/snyk/scoop-snyk
scoop install snyk

Help

snyk --help
Snyk CLI
  Snyk CLI scans and monitors your projects for security vulnerabilities.
  Visit https://snyk.io for more details.

Not sure where to start?
  1. Authenticate with snyk auth.
  2. Test your local project with snyk test.
  3. Get alerted for new vulnerabilities with snyk monitor.

Available commands
  To learn more about Snyk CLI use the --help option, e.g. snyk container --help or snyk auth --help.

  snyk auth
    Authenticate Snyk CLI with a Snyk account.

  snyk test
    Test local project's dependencies for vulnerabilities.

  snyk monitor
    Snapshot and continuously monitor your project.

  snyk container
    Test container images for vulnerabilities.

  snyk iac
    Find security issues in your Infrastructure as Code files.

  snyk code
    Find security issues using static code analysis.

  snyk config
    Manage Snyk CLI configuration.

  snyk protect
    Applies the patches specified in your .snyk file to the local file system.

  snyk policy
    Display the .snyk policy for a package.

  snyk ignore
    Modifies the .snyk policy to ignore stated issues.

  snyk wizard
    Configure your .snyk policy file.

Checking the version

snyk --version

Checking the version as of December 20, 2021 shows 1.797.0. (Incidentally, it was updated 6 more times after that on 12/20.)

Authentication

snyk auth
Result:
Now redirecting you to our auth page, go ahead and log in,
and once the auth is complete, return to this prompt and you'll
be ready to start using snyk.

If you can't wait use this url:
https://snyk.io/login?token=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx&utm_medium=cli&utm_source=cli&utm_campaign=HOMEBREW&os=darwin&docker=false

Your account has been authenticated. Snyk is now ready to be used.

Running the above command automatically opens a browser for the login.

(Screenshot: Log-in-Snyk.png)

Checking PHP applications


Supported PHP package managers

Language   Package manager / build tool
PHP        Composer

Supported PHP file extensions

Language   Extensions
PHP        fcgi, php3, php4, php5, phps, phpt, inc, aw, php, ctp

Checking WordPress for vulnerabilities

Checking the packages

mkdir snyk && cd $_
composer require johnpbloch/wordpress-core-installer
composer require johnpbloch/wordpress-core
snyk test

Using version ^2.0 for johnpbloch/wordpress-core-installer
./composer.json has been created
Running composer update johnpbloch/wordpress-core-installer
Loading composer repositories with package information
Updating dependencies
Lock file operations: 1 install, 0 updates, 0 removals
  - Locking johnpbloch/wordpress-core-installer (2.0.0)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 1 install, 0 updates, 0 removals
  - Installing johnpbloch/wordpress-core-installer (2.0.0): Extracting archive
Generating autoload files
Using version ^5.8 for johnpbloch/wordpress-core
./composer.json has been updated
Running composer update johnpbloch/wordpress-core
Loading composer repositories with package information
Updating dependencies
Lock file operations: 1 install, 0 updates, 0 removals
  - Locking johnpbloch/wordpress-core (5.8.2)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 1 install, 0 updates, 0 removals
  - Installing johnpbloch/wordpress-core (5.8.2): Extracting archive
Generating autoload files

Testing /Users/bezeklik/Workspace/snyk...

Organization:      bezeklik
Package manager:   composer
Target file:       composer.lock
Project name:      snyk
Open source:       no
Project path:      /Users/bezeklik/Workspace/snyk
Licenses:          enabled

✔ Tested 5 dependencies for known issues, no vulnerable paths found.

Next steps:
- Run `snyk monitor` to be notified about new related vulnerabilities.
- Run `snyk test` as part of your CI/test.

Because this is the latest WordPress release, 5.8.2, no vulnerable packages were detected.

Checking the code

snyk code test
Result:
Testing /Users/bezeklik/Workspace/snyk …

✗ [Low] XML External Entity (XXE) Injection
Path: wordpress/wp-includes/atomlib.php, line 173
Info: Unsanitized input from data from a remote resource flows to xml_parse. This may result in an XXE vulnerability. You may be vulnerable if using an old version of PHP (<8.0)

✗ [Medium] Open Redirect
Path: wordpress/wp-includes/js/backbone.js, line 2032
Info: Unsanitized input from the document location flows into replace, where it is used as an URL to redirect the user. This may result in an Open Redirect vulnerability.

✗ [Medium] Open Redirect
Path: wordpress/wp-admin/js/privacy-tools.js, line 91
Info: Unsanitized input from data from a remote resource flows into window.location, where it is used as an URL to redirect the user. This may result in an Open Redirect vulnerability.

✗ [Medium] Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
Path: wordpress/wp-login.php, line 672
Info: setcookie has the Secure attribute set to false. Set it to true to protect the cookie from man-in-the-middle attacks.

✗ [Medium] Open Redirect
Path: wordpress/wp-includes/ms-settings.php, line 79
Info: Unsanitized input from an HTTP header flows into header, where it is used as an URL to redirect the user. This may result in an Open Redirect vulnerability.

✗ [Medium] Open Redirect
Path: wordpress/wp-includes/pluggable.php, line 1343
Info: Unsanitized input from an HTTP header flows into header, where it is used as an URL to redirect the user. This may result in an Open Redirect vulnerability.

✗ [Medium] Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
Path: wordpress/wp-includes/comment.php, line 577
Info: setcookie misses the Secure attribute (it is false by default). Set it to true to protect the cookie from man-in-the-middle attacks.

✗ [Medium] Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
Path: wordpress/wp-includes/comment.php, line 578
Info: setcookie misses the Secure attribute (it is false by default). Set it to true to protect the cookie from man-in-the-middle attacks.

✗ [Medium] Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
Path: wordpress/wp-includes/comment.php, line 579
Info: setcookie misses the Secure attribute (it is false by default). Set it to true to protect the cookie from man-in-the-middle attacks.

✗ [Medium] Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
Path: wordpress/wp-includes/pluggable.php, line 1031
Info: setcookie misses the Secure attribute (it is false by default). Set it to true to protect the cookie from man-in-the-middle attacks.

✗ [Medium] Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
Path: wordpress/wp-includes/pluggable.php, line 1032
Info: setcookie misses the Secure attribute (it is false by default). Set it to true to protect the cookie from man-in-the-middle attacks.

✗ [Medium] Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
Path: wordpress/wp-includes/pluggable.php, line 1033
Info: setcookie misses the Secure attribute (it is false by default). Set it to true to protect the cookie from man-in-the-middle attacks.

✗ [Medium] Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
Path: wordpress/wp-includes/pluggable.php, line 1034
Info: setcookie misses the Secure attribute (it is false by default). Set it to true to protect the cookie from man-in-the-middle attacks.

✗ [Medium] Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
Path: wordpress/wp-includes/pluggable.php, line 1035
Info: setcookie misses the Secure attribute (it is false by default). Set it to true to protect the cookie from man-in-the-middle attacks.

✗ [Medium] Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
Path: wordpress/wp-includes/pluggable.php, line 1036
Info: setcookie misses the Secure attribute (it is false by default). Set it to true to protect the cookie from man-in-the-middle attacks.

✗ [Medium] Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
Path: wordpress/wp-includes/pluggable.php, line 1039
Info: setcookie misses the Secure attribute (it is false by default). Set it to true to protect the cookie from man-in-the-middle attacks.

✗ [Medium] Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
Path: wordpress/wp-includes/pluggable.php, line 1040
Info: setcookie misses the Secure attribute (it is false by default). Set it to true to protect the cookie from man-in-the-middle attacks.

✗ [Medium] Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
Path: wordpress/wp-includes/pluggable.php, line 1043
Info: setcookie misses the Secure attribute (it is false by default). Set it to true to protect the cookie from man-in-the-middle attacks.

✗ [Medium] Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
Path: wordpress/wp-includes/pluggable.php, line 1044
Info: setcookie misses the Secure attribute (it is false by default). Set it to true to protect the cookie from man-in-the-middle attacks.

✗ [Medium] Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
Path: wordpress/wp-includes/pluggable.php, line 1045
Info: setcookie misses the Secure attribute (it is false by default). Set it to true to protect the cookie from man-in-the-middle attacks.

✗ [Medium] Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
Path: wordpress/wp-includes/pluggable.php, line 1046
Info: setcookie misses the Secure attribute (it is false by default). Set it to true to protect the cookie from man-in-the-middle attacks.

✗ [Medium] Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
Path: wordpress/wp-includes/pluggable.php, line 1049
Info: setcookie misses the Secure attribute (it is false by default). Set it to true to protect the cookie from man-in-the-middle attacks.

✗ [Medium] Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
Path: wordpress/wp-includes/pluggable.php, line 1050
Info: setcookie misses the Secure attribute (it is false by default). Set it to true to protect the cookie from man-in-the-middle attacks.

✗ [Medium] Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
Path: wordpress/wp-includes/pluggable.php, line 1051
Info: setcookie misses the Secure attribute (it is false by default). Set it to true to protect the cookie from man-in-the-middle attacks.

✗ [Medium] Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
Path: wordpress/wp-includes/pluggable.php, line 1052
Info: setcookie misses the Secure attribute (it is false by default). Set it to true to protect the cookie from man-in-the-middle attacks.

✗ [Medium] Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
Path: wordpress/wp-includes/pluggable.php, line 1055
Info: setcookie misses the Secure attribute (it is false by default). Set it to true to protect the cookie from man-in-the-middle attacks.

✗ [Medium] Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
Path: wordpress/wp-includes/option.php, line 1274
Info: setcookie misses the Secure attribute (it is false by default). Set it to true to protect the cookie from man-in-the-middle attacks.

✗ [Medium] Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
Path: wordpress/wp-includes/class-wp-recovery-mode-cookie-service.php, line 62
Info: setcookie misses the Secure attribute (it is false by default). Set it to true to protect the cookie from man-in-the-middle attacks.

✗ [Medium] Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
Path: wordpress/wp-includes/class-wp-recovery-mode-cookie-service.php, line 63
Info: setcookie misses the Secure attribute (it is false by default). Set it to true to protect the cookie from man-in-the-middle attacks.

✗ [Medium] Sensitive Cookie Without ‘HttpOnly’ Flag
Path: wordpress/wp-login.php, line 416
Info: setcookie misses the HttpOnly attribute (it is false by default). Set it to true to protect the cookie from possible malicious code on client side.

✗ [Medium] Sensitive Cookie Without ‘HttpOnly’ Flag
Path: wordpress/wp-login.php, line 419
Info: setcookie misses the HttpOnly attribute (it is false by default). Set it to true to protect the cookie from possible malicious code on client side.

✗ [Medium] Sensitive Cookie Without ‘HttpOnly’ Flag
Path: wordpress/wp-login.php, line 672
Info: setcookie misses the HttpOnly attribute (it is false by default). Set it to true to protect the cookie from possible malicious code on client side.

✗ [Medium] Sensitive Cookie Without ‘HttpOnly’ Flag
Path: wordpress/wp-includes/comment.php, line 577
Info: setcookie misses the HttpOnly attribute (it is false by default). Set it to true to protect the cookie from possible malicious code on client side.

✗ [Medium] Sensitive Cookie Without ‘HttpOnly’ Flag
Path: wordpress/wp-includes/comment.php, line 578
Info: setcookie misses the HttpOnly attribute (it is false by default). Set it to true to protect the cookie from possible malicious code on client side.

✗ [Medium] Sensitive Cookie Without ‘HttpOnly’ Flag
Path: wordpress/wp-includes/comment.php, line 579
Info: setcookie misses the HttpOnly attribute (it is false by default). Set it to true to protect the cookie from possible malicious code on client side.

✗ [Medium] Sensitive Cookie Without ‘HttpOnly’ Flag
Path: wordpress/wp-includes/comment.php, line 595
Info: setcookie misses the HttpOnly attribute (it is false by default). Set it to true to protect the cookie from possible malicious code on client side.

✗ [Medium] Sensitive Cookie Without ‘HttpOnly’ Flag
Path: wordpress/wp-includes/comment.php, line 596
Info: setcookie misses the HttpOnly attribute (it is false by default). Set it to true to protect the cookie from possible malicious code on client side.

✗ [Medium] Sensitive Cookie Without ‘HttpOnly’ Flag
Path: wordpress/wp-includes/comment.php, line 597
Info: setcookie misses the HttpOnly attribute (it is false by default). Set it to true to protect the cookie from possible malicious code on client side.

✗ [Medium] Sensitive Cookie Without ‘HttpOnly’ Flag
Path: wordpress/wp-includes/pluggable.php, line 1031
Info: setcookie misses the HttpOnly attribute (it is false by default). Set it to true to protect the cookie from possible malicious code on client side.

✗ [Medium] Sensitive Cookie Without ‘HttpOnly’ Flag
Path: wordpress/wp-includes/pluggable.php, line 1032
Info: setcookie misses the HttpOnly attribute (it is false by default). Set it to true to protect the cookie from possible malicious code on client side.

✗ [Medium] Sensitive Cookie Without ‘HttpOnly’ Flag
Path: wordpress/wp-includes/pluggable.php, line 1033
Info: setcookie misses the HttpOnly attribute (it is false by default). Set it to true to protect the cookie from possible malicious code on client side.

✗ [Medium] Sensitive Cookie Without ‘HttpOnly’ Flag
Path: wordpress/wp-includes/pluggable.php, line 1034
Info: setcookie misses the HttpOnly attribute (it is false by default). Set it to true to protect the cookie from possible malicious code on client side.

✗ [Medium] Sensitive Cookie Without ‘HttpOnly’ Flag
Path: wordpress/wp-includes/pluggable.php, line 1035
Info: setcookie misses the HttpOnly attribute (it is false by default). Set it to true to protect the cookie from possible malicious code on client side.

✗ [Medium] Sensitive Cookie Without ‘HttpOnly’ Flag
Path: wordpress/wp-includes/pluggable.php, line 1036
Info: setcookie misses the HttpOnly attribute (it is false by default). Set it to true to protect the cookie from possible malicious code on client side.

✗ [Medium] Sensitive Cookie Without ‘HttpOnly’ Flag
Path: wordpress/wp-includes/pluggable.php, line 1039
Info: setcookie misses the HttpOnly attribute (it is false by default). Set it to true to protect the cookie from possible malicious code on client side.

✗ [Medium] Sensitive Cookie Without ‘HttpOnly’ Flag
Path: wordpress/wp-includes/pluggable.php, line 1040
Info: setcookie misses the HttpOnly attribute (it is false by default). Set it to true to protect the cookie from possible malicious code on client side.

✗ [Medium] Sensitive Cookie Without ‘HttpOnly’ Flag
Path: wordpress/wp-includes/pluggable.php, line 1043
Info: setcookie misses the HttpOnly attribute (it is false by default). Set it to true to protect the cookie from possible malicious code on client side.

✗ [Medium] Sensitive Cookie Without ‘HttpOnly’ Flag
Path: wordpress/wp-includes/pluggable.php, line 1044
Info: setcookie misses the HttpOnly attribute (it is false by default). Set it to true to protect the cookie from possible malicious code on client side.

✗ [Medium] Sensitive Cookie Without ‘HttpOnly’ Flag
Path: wordpress/wp-includes/pluggable.php, line 1045
Info: setcookie misses the HttpOnly attribute (it is false by default). Set it to true to protect the cookie from possible malicious code on client side.

✗ [Medium] Sensitive Cookie Without ‘HttpOnly’ Flag
Path: wordpress/wp-includes/pluggable.php, line 1046
Info: setcookie misses the HttpOnly attribute (it is false by default). Set it to true to protect the cookie from possible malicious code on client side.

✗ [Medium] Sensitive Cookie Without ‘HttpOnly’ Flag
Path: wordpress/wp-includes/pluggable.php, line 1049
Info: setcookie misses the HttpOnly attribute (it is false by default). Set it to true to protect the cookie from possible malicious code on client side.

✗ [Medium] Sensitive Cookie Without ‘HttpOnly’ Flag
Path: wordpress/wp-includes/pluggable.php, line 1050
Info: setcookie misses the HttpOnly attribute (it is false by default). Set it to true to protect the cookie from possible malicious code on client side.

✗ [Medium] Sensitive Cookie Without ‘HttpOnly’ Flag
Path: wordpress/wp-includes/pluggable.php, line 1051
Info: setcookie misses the HttpOnly attribute (it is false by default). Set it to true to protect the cookie from possible malicious code on client side.

✗ [Medium] Sensitive Cookie Without ‘HttpOnly’ Flag
Path: wordpress/wp-includes/pluggable.php, line 1052
Info: setcookie misses the HttpOnly attribute (it is false by default). Set it to true to protect the cookie from possible malicious code on client side.

✗ [Medium] Sensitive Cookie Without ‘HttpOnly’ Flag
Path: wordpress/wp-includes/pluggable.php, line 1055
Info: setcookie misses the HttpOnly attribute (it is false by default). Set it to true to protect the cookie from possible malicious code on client side.

✗ [Medium] Sensitive Cookie Without ‘HttpOnly’ Flag
Path: wordpress/wp-includes/option.php, line 1097
Info: setcookie misses the HttpOnly attribute (it is false by default). Set it to true to protect the cookie from possible malicious code on client side.

✗ [Medium] Sensitive Cookie Without ‘HttpOnly’ Flag
Path: wordpress/wp-includes/option.php, line 1098
Info: setcookie misses the HttpOnly attribute (it is false by default). Set it to true to protect the cookie from possible malicious code on client side.

✗ [Medium] Sensitive Cookie Without ‘HttpOnly’ Flag
Path: wordpress/wp-includes/option.php, line 1274
Info: setcookie misses the HttpOnly attribute (it is false by default). Set it to true to protect the cookie from possible malicious code on client side.

✗ [Medium] Sensitive Cookie Without ‘HttpOnly’ Flag
Path: wordpress/wp-includes/class-wp-recovery-mode-cookie-service.php, line 62
Info: setcookie misses the HttpOnly attribute (it is false by default). Set it to true to protect the cookie from possible malicious code on client side.

✗ [Medium] Sensitive Cookie Without ‘HttpOnly’ Flag
Path: wordpress/wp-includes/class-wp-recovery-mode-cookie-service.php, line 63
Info: setcookie misses the HttpOnly attribute (it is false by default). Set it to true to protect the cookie from possible malicious code on client side.

✗ [Medium] Sensitive Cookie Without ‘HttpOnly’ Flag
Path: wordpress/wp-admin/post.php, line 231
Info: setcookie misses the HttpOnly attribute (it is false by default). Set it to true to protect the cookie from possible malicious code on client side.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/pluggable.php, line 2432
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/pluggable.php, line 2565
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/pluggable.php, line 2568
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/l10n.php, line 1105
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/ms-files.php, line 59
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-admin/includes/dashboard.php, line 1155
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-admin/includes/dashboard.php, line 1256
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-admin/includes/dashboard.php, line 1765
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-admin/includes/plugin-install.php, line 246
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/class-snoopy.php, line 1218
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/class-wp.php, line 461
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-admin/update-core.php, line 559
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-admin/update-core.php, line 733
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/class-wp-theme.php, line 217
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-admin/includes/class-wp-ms-themes-list-table.php, line 512
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/class-phpass.php, line 83
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/class-phpass.php, line 84
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/class-phpass.php, line 152
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/class-phpass.php, line 154
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-admin/includes/image.php, line 504
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-admin/includes/plugin.php, line 1338
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/rss.php, line 813
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/SimplePie/Caption.php, line 120
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/class-wp-text-diff-renderer-table.php, line 453
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/class-wp-text-diff-renderer-table.php, line 454
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/class-wp-text-diff-renderer-table.php, line 467
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/class-wp-embed.php, line 232
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/ms-site.php, line 965
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/SimplePie/Copyright.php, line 92
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/SimplePie/Cache/Memcached.php, line 95
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/ID3/module.tag.apetag.php, line 314
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/class-wp-term-query.php, line 740
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/SimplePie/Author.php, line 102
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-admin/includes/schema.php, line 1078
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/cron.php, line 122
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/cron.php, line 302
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/cron.php, line 510
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/cron.php, line 600
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/cron.php, line 762
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/cron.php, line 1224
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/ms-blogs.php, line 135
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/ms-blogs.php, line 153
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/ms-blogs.php, line 269
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/SimplePie/Category.php, line 115
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/class-wp-oembed-controller.php, line 174
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/ms-functions.php, line 355
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/ms-functions.php, line 374
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/ms-functions.php, line 378
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/ms-functions.php, line 788
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/ms-functions.php, line 857
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/ms-functions.php, line 2815
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/class-simplepie.php, line 736
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/rest-api/endpoints/class-wp-rest-pattern-directory-controller.php, line 125
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-admin/includes/misc.php, line 1347
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-admin/includes/misc.php, line 1451
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/class-pop3.php, line 190
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/class-wp-comment-query.php, line 432
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/class-wp-comment-query.php, line 999
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/class-wp-site-query.php, line 339
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-admin/includes/upgrade.php, line 952
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/SimplePie/Credit.php, line 101
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/class-wp-network-query.php, line 248
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-admin/includes/file.php, line 518
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/SimplePie/Restriction.php, line 101
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-admin/includes/import.php, line 143
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/bookmark.php, line 153
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/SimplePie/Enclosure.php, line 271
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/SimplePie/Source.php, line 73
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/SimplePie/Item.php, line 116
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/PHPMailer/SMTP.php, line 640
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/PHPMailer/SMTP.php, line 648
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/default-constants.php, line 232
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-admin/includes/class-wp-community-events.php, line 315
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-admin/includes/class-wp-community-events.php, line 317
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-admin/includes/class-wp-plugins-list-table.php, line 951
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/SimplePie/Cache/Memcache.php, line 99
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php, line 1002
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/SimplePie/Rating.php, line 92
Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/pluggable.php, line 2566
Info: SHA1 hash (used in sha1) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/pluggable.php, line 2567
Info: SHA1 hash (used in sha1) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/class-wp-recovery-mode-cookie-service.php, line 141
Info: SHA1 hash (used in sha1) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/class-wp-session-tokens.php, line 74
Info: SHA1 hash (used in sha1) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/pluggable.php, line 2350
Info: md5 hash (used in hash_hmac) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/pluggable.php, line 2373
Info: md5 hash (used in hash_hmac) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/PHPMailer/SMTP.php, line 627
Info: md5 hash (used in hash_hmac) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/ID3/getid3.php, line 1669
Info: MD5 hash (used in md5_file) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/ID3/getid3.php, line 1699
Info: MD5 hash (used in md5_file) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-admin/includes/update-core.php, line 1120
Info: MD5 hash (used in md5_file) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-admin/includes/update-core.php, line 1224
Info: MD5 hash (used in md5_file) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-admin/includes/file.php, line 1258
Info: MD5 hash (used in md5_file) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-admin/includes/class-core-upgrader.php, line 411
Info: MD5 hash (used in md5_file) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php, line 1188
Info: MD5 hash (used in md5_file) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/class-wp-recovery-mode-cookie-service.php, line 232
Info: sha1 hash (used in hash_hmac) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/ID3/getid3.php, line 664
Info: md5 hash (used in getHashdata) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/ID3/getid3.php, line 670
Info: sha1 hash (used in getHashdata) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/ID3/getid3.php, line 1673
Info: SHA1 hash (used in sha1_file) is insecure. Consider changing it to a secure hashing algorithm.

✗ [Medium] Use of Password Hash With Insufficient Computational Effort
Path: wordpress/wp-includes/ID3/getid3.php, line 1703
Info: SHA1 hash (used in sha1_file) is insecure. Consider changing it to a secure hashing algorithm.

✗ [High] File Inclusion
Path: wordpress/wp-includes/blocks.php, line 99
Info: Unsanitized input from data from a remote resource flows into _, where it is included dynamically. Allowing unvalidated user input to control files that are included dynamically in PHP can lead to malicious code execution.

✗ [High] File Inclusion
Path: wordpress/wp-includes/ID3/getid3.php, line 632
Info: Unsanitized input from data from a remote resource flows into _, where it is included dynamically. Allowing unvalidated user input to control files that are included dynamically in PHP can lead to malicious code execution.

✗ [High] File Inclusion
Path: wordpress/wp-admin/admin.php, line 291
Info: Unsanitized input from an HTTP parameter flows into _, where it is included dynamically. Allowing unvalidated user input to control files that are included dynamically in PHP can lead to malicious code execution.

✗ [High] File Inclusion
Path: wordpress/wp-admin/admin.php, line 293
Info: Unsanitized input from an HTTP parameter flows into _, where it is included dynamically. Allowing unvalidated user input to control files that are included dynamically in PHP can lead to malicious code execution.

✗ [High] File Inclusion
Path: wordpress/wp-admin/update.php, line 100
Info: Unsanitized input from an HTTP parameter flows into _, where it is included dynamically. Allowing unvalidated user input to control files that are included dynamically in PHP can lead to malicious code execution.

✗ [High] SQL Injection
Path: wordpress/wp-admin/includes/class-wp-list-table.php, line 617
Info: Unsanitized input from an HTTP parameter flows into prepare, where it is used in an SQL query. This may result in an SQL Injection vulnerability.

✗ [High] SQL Injection
Path: wordpress/wp-admin/user-edit.php, line 108
Info: Unsanitized input from an HTTP parameter flows into query, where it is used in an SQL query. This may result in an SQL Injection vulnerability.

✗ [High] SQL Injection
Path: wordpress/wp-admin/user-edit.php, line 159
Info: Unsanitized input from an HTTP parameter flows into query, where it is used in an SQL query. This may result in an SQL Injection vulnerability.

✗ [High] SQL Injection
Path: wordpress/wp-includes/comment.php, line 1189
Info: Unsanitized input from an HTTP parameter flows into query, where it is used in an SQL query. This may result in an SQL Injection vulnerability.

✗ [High] SQL Injection
Path: wordpress/wp-admin/setup-config.php, line 317
Info: Unsanitized input from an HTTP parameter flows into query, where it is used in an SQL query. This may result in an SQL Injection vulnerability.

✗ [High] SQL Injection
Path: wordpress/wp-includes/comment.php, line 2933
Info: Unsanitized input from the database flows into query, where it is used in an SQL query. This may result in an SQL Injection vulnerability.

✗ [High] SQL Injection
Path: wordpress/wp-includes/comment.php, line 3128
Info: Unsanitized input from the database flows into query, where it is used in an SQL query. This may result in an SQL Injection vulnerability.

✗ [High] SQL Injection
Path: wordpress/wp-includes/comment.php, line 3129
Info: Unsanitized input from the database flows into query, where it is used in an SQL query. This may result in an SQL Injection vulnerability.

✗ [High] Server-Side Request Forgery (SSRF)
Path: wordpress/wp-admin/includes/class-file-upload-upgrader.php, line 128
Info: Unsanitized input from an HTTP parameter flows into unlink, where it is used as an URL to perform a request. This may result in a Server-Side Request Forgery vulnerability.

✗ [High] Server-Side Request Forgery (SSRF)
Path: wordpress/wp-includes/class-wp-image-editor-gd.php, line 98
Info: Unsanitized input from data from a remote resource flows into file_get_contents, where it is used as an URL to perform a request. This may result in a Server-Side Request Forgery vulnerability.

✗ [High] Path Traversal
Path: wordpress/wp-includes/class-wp-image-editor-gd.php, line 98
Info: Unsanitized input from data from a remote resource flows into file_get_contents, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to read arbitrary files.

✗ [High] Path Traversal
Path: wordpress/wp-admin/includes/class-file-upload-upgrader.php, line 128
Info: Unsanitized input from an HTTP parameter flows into unlink, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to delete arbitrary files.

✗ [High] Path Traversal
Path: wordpress/wp-includes/l10n.php, line 1169
Info: Unsanitized input from an HTTP parameter flows into file_get_contents, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to read arbitrary files.

✗ [High] Path Traversal
Path: wordpress/wp-includes/ms-files.php, line 87
Info: Unsanitized input from an HTTP parameter flows into readfile, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to read arbitrary files.

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-login.php, line 221
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/user-edit.php, line 584
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-includes/rest-api/class-wp-rest-server.php, line 513
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-signup.php, line 116
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-signup.php, line 149
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-signup.php, line 261
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-signup.php, line 272
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-signup.php, line 278
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/includes/media.php, line 2075
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/includes/media.php, line 2346
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/includes/media.php, line 2414
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/includes/media.php, line 2592
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/includes/media.php, line 2608
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/includes/media.php, line 2740
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/includes/media.php, line 2832
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/includes/media.php, line 2902
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/network/sites.php, line 388
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/includes/class-wp-users-list-table.php, line 403
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/network/site-info.php, line 171
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/install.php, line 432
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/nav-menus.php, line 720
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/nav-menus.php, line 1006
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/includes/plugin-install.php, line 621
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/includes/plugin-install.php, line 654
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/includes/plugin-install.php, line 656
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/includes/plugin-install.php, line 673
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/includes/plugin-install.php, line 695
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/includes/plugin-install.php, line 700
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/includes/plugin-install.php, line 766
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/includes/plugin-install.php, line 847
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/includes/plugin-install.php, line 860
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/includes/plugin-install.php, line 872
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/theme-editor.php, line 285
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/async-upload.php, line 67
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/async-upload.php, line 72
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/async-upload.php, line 88
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/async-upload.php, line 98
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/async-upload.php, line 155
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/widgets-form.php, line 302
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-includes/blocks/legacy-widget.php, line 119
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-includes/load.php, line 1598
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-includes/load.php, line 1605
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/authorize-application.php, line 140
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/network/upgrade.php, line 124
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/network/upgrade.php, line 128
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-includes/comment-template.php, line 73
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-includes/comment-template.php, line 254
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-includes/comment-template.php, line 1028
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-includes/comment-template.php, line 1974
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-includes/comment-template.php, line 2704
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/plugins.php, line 641
Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/includes/dashboard.php, line 1732
Info: Unsanitized input from an HTTP header flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-includes/js/tinymce/wp-tinymce.php, line 38
Info: Unsanitized input from data from a remote resource flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-includes/js/tinymce/wp-tinymce.php, line 41
Info: Unsanitized input from data from a remote resource flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-includes/js/tinymce/wp-tinymce.php, line 42
Info: Unsanitized input from data from a remote resource flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

✗ [High] Regular Expression Denial of Service (ReDoS)
Path: wordpress/wp-includes/class-snoopy.php, line 322
Info: Unsanitized user input from an HTTP parameter flows into preg_match, where it is used to build a regular expression. This may result in a Regular expression Denial of Service attack (reDOS).

✗ [High] Regular Expression Denial of Service (ReDoS)
Path: wordpress/wp-includes/class-snoopy.php, line 389
Info: Unsanitized user input from an HTTP parameter flows into preg_match, where it is used to build a regular expression. This may result in a Regular expression Denial of Service attack (reDOS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/js/nav-menu.js, line 1354
Info: Unsanitized input from data from a remote resource flows into html, where it is used to dynamically construct the HTML page on client side. This may result in a DOM Based Cross-Site Scripting attack (DOMXSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-includes/js/plupload/handlers.js, line 90
Info: Unsanitized input from data from a remote resource flows into html, where it is used to dynamically construct the HTML page on client side. This may result in a DOM Based Cross-Site Scripting attack (DOMXSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-includes/js/plupload/handlers.js, line 207
Info: Unsanitized input from data from a remote resource flows into html, where it is used to dynamically construct the HTML page on client side. This may result in a DOM Based Cross-Site Scripting attack (DOMXSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-includes/js/plupload/handlers.js, line 221
Info: Unsanitized input from data from a remote resource flows into html, where it is used to dynamically construct the HTML page on client side. This may result in a DOM Based Cross-Site Scripting attack (DOMXSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/js/site-health.js, line 168
Info: Unsanitized input from data from a remote resource flows into html, where it is used to dynamically construct the HTML page on client side. This may result in a DOM Based Cross-Site Scripting attack (DOMXSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/js/image-edit.js, line 540
Info: Unsanitized input from data from a remote resource flows into html, where it is used to dynamically construct the HTML page on client side. This may result in a DOM Based Cross-Site Scripting attack (DOMXSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/js/image-edit.js, line 549
Info: Unsanitized input from data from a remote resource flows into html, where it is used to dynamically construct the HTML page on client side. This may result in a DOM Based Cross-Site Scripting attack (DOMXSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/js/image-edit.js, line 557
Info: Unsanitized input from data from a remote resource flows into html, where it is used to dynamically construct the HTML page on client side. This may result in a DOM Based Cross-Site Scripting attack (DOMXSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/js/image-edit.js, line 627
Info: Unsanitized input from data from a remote resource flows into html, where it is used to dynamically construct the HTML page on client side. This may result in a DOM Based Cross-Site Scripting attack (DOMXSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/js/inline-edit-post.js, line 443
Info: Unsanitized input from data from a remote resource flows into html, where it is used to dynamically construct the HTML page on client side. This may result in a DOM Based Cross-Site Scripting attack (DOMXSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/js/dashboard.js, line 151
Info: Unsanitized input from data from a remote resource flows into html, where it is used to dynamically construct the HTML page on client side. This may result in a DOM Based Cross-Site Scripting attack (DOMXSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/js/inline-edit-tax.js, line 232
Info: Unsanitized input from data from a remote resource flows into html, where it is used to dynamically construct the HTML page on client side. This may result in a DOM Based Cross-Site Scripting attack (DOMXSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/js/post.js, line 239
Info: Unsanitized input from data from a remote resource flows into html, where it is used to dynamically construct the HTML page on client side. This may result in a DOM Based Cross-Site Scripting attack (DOMXSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/js/post.js, line 1019
Info: Unsanitized input from data from a remote resource flows into html, where it is used to dynamically construct the HTML page on client side. This may result in a DOM Based Cross-Site Scripting attack (DOMXSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-includes/js/plupload/handlers.js, line 135
Info: Unsanitized input from data from a remote resource flows into append, where it is used to dynamically construct the HTML page on client side. This may result in a DOM Based Cross-Site Scripting attack (DOMXSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/js/site-health.js, line 171
Info: Unsanitized input from data from a remote resource flows into append, where it is used to dynamically construct the HTML page on client side. This may result in a DOM Based Cross-Site Scripting attack (DOMXSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/js/image-edit.js, line 483
Info: Unsanitized input from data from a remote resource flows into append, where it is used to dynamically construct the HTML page on client side. This may result in a DOM Based Cross-Site Scripting attack (DOMXSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/js/post.js, line 68
Info: Unsanitized input from data from a remote resource flows into append, where it is used to dynamically construct the HTML page on client side. This may result in a DOM Based Cross-Site Scripting attack (DOMXSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/js/tags.js, line 138
Info: Unsanitized input from data from a remote resource flows into after, where it is used to dynamically construct the HTML page on client side. This may result in a DOM Based Cross-Site Scripting attack (DOMXSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/js/tags.js, line 155
Info: Unsanitized input from data from a remote resource flows into after, where it is used to dynamically construct the HTML page on client side. This may result in a DOM Based Cross-Site Scripting attack (DOMXSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/js/tags-box.js, line 315
Info: Unsanitized input from data from a remote resource flows into after, where it is used to dynamically construct the HTML page on client side. This may result in a DOM Based Cross-Site Scripting attack (DOMXSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/js/tags.js, line 141
Info: Unsanitized input from data from a remote resource flows into prepend, where it is used to dynamically construct the HTML page on client side. This may result in a DOM Based Cross-Site Scripting attack (DOMXSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/js/inline-edit-post.js, line 432
Info: Unsanitized input from data from a remote resource flows into before, where it is used to dynamically construct the HTML page on client side. This may result in a DOM Based Cross-Site Scripting attack (DOMXSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/js/inline-edit-tax.js, line 209
Info: Unsanitized input from data from a remote resource flows into before, where it is used to dynamically construct the HTML page on client side. This may result in a DOM Based Cross-Site Scripting attack (DOMXSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/js/updates.js, line 2540
Info: Unsanitized input from the document location flows into append, where it is used to dynamically construct the HTML page on client side. This may result in a DOM Based Cross-Site Scripting attack (DOMXSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/js/updates.js, line 2563
Info: Unsanitized input from the document location flows into append, where it is used to dynamically construct the HTML page on client side. This may result in a DOM Based Cross-Site Scripting attack (DOMXSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/js/updates.js, line 2649
Info: Unsanitized input from the document location flows into append, where it is used to dynamically construct the HTML page on client side. This may result in a DOM Based Cross-Site Scripting attack (DOMXSS).

✗ [High] Cross-site Scripting (XSS)
Path: wordpress/wp-admin/js/updates.js, line 2547
Info: Unsanitized input from the document location flows into prepend, where it is used to dynamically construct the HTML page on client side. This may result in a DOM Based Cross-Site Scripting attack (DOMXSS).

✗ [High] Code Injection
Path: wordpress/wp-includes/js/customize-preview.js, line 859
Info: Unsanitized input from the document location flows into setInterval, where it is executed as JavaScript code. This may result in a Code Injection vulnerability.

✔ Test completed

Organization: undefined
Test type: Static code analysis
Project path: /Users/bezeklik/Workspace/snyk

263 Code issues found
105 [High] 157 [Medium] 1 [Low]

I only ran a code test, yet, surprisingly, it found 263 issues even in the latest version.

Detecting vulnerabilities in popular PHP applications

Getting a list of GitHub repositories

To pick targets for the check, we use the GitHub Search API to fetch a list of repositories written in PHP, sorted by star count, about 50 of them. The Search API returns at most 100 results per page and rate-limits unauthenticated callers to 10 requests per minute, which is plenty for a one-off query like this; the `language:` qualifier relies on GitHub's own language detection, so the `.language // "-"` fallback in the jq filter covers repositories where that field is null.

GITHUB_API=https://api.github.com/search/repositories
LANGUAGE=php
KEYWORD=''
STARS=10000
curl --silent \
  --header "Accept: application/vnd.github.v3+json" \
  "${GITHUB_API}?q=${KEYWORD}+in:name,description,readme+language:${LANGUAGE}+stars:>=${STARS}&sort=stars&order=desc&per_page=50" \
  | jq --raw-output '.items[] | [.full_name, .html_url, .language // "-", .stargazers_count] | @tsv' \
  | awk '{printf("|%d|[%s](%s)|%s|%'"'"'d|\n", NR, $1, $2, $3, $4)}'
|Rank|Repository|Language|Stars|
|---|---|---|---|
|1|laravel/laravel|PHP|67,710|
|2|danielmiessler/SecLists|PHP|35,923|
|3|blueimp/jQuery-File-Upload|PHP|31,092|
|4|fzaninotto/Faker|PHP|26,271|
|5|symfony/symfony|PHP|26,229|
|6|composer/composer|PHP|26,000|
|7|laravel/framework|PHP|25,694|
|8|guzzle/guzzle|PHP|21,389|
|9|DesignPatternsPHP/DesignPatternsPHP|PHP|20,163|
|10|Seldaek/monolog|PHP|19,370|
|11|bcit-ci/CodeIgniter|PHP|18,173|
|12|sebastianbergmann/phpunit|PHP|18,112|
|13|nextcloud/server|PHP|17,744|
|14|PHPMailer/PHPMailer|PHP|17,489|
|15|WordPress/WordPress|PHP|15,764|
|16|matomo-org/matomo|PHP|15,713|
|17|briannesbitt/Carbon|PHP|15,570|
|18|monicahq/monica|PHP|15,509|
|19|nikic/PHP-Parser|PHP|15,112|
|20|easychen/howto-make-more-money|PHP|14,932|
|21|erusev/parsedown|PHP|13,964|
|22|yiisoft/yii2|PHP|13,853|
|23|barryvdh/laravel-debugbar|PHP|13,496|
|24|koel/koel|PHP|13,111|
|25|getgrav/grav|PHP|13,074|
|26|filp/whoops|PHP|12,652|
|27|CachetHQ/Cachet|PHP|12,481|
|28|Intervention/image|PHP|12,301|
|29|thephpleague/flysystem|PHP|12,241|
|30|phacility/phabricator|PHP|12,224|
|31|flarum/flarum|PHP|12,195|
|32|barryvdh/laravel-ide-helper|PHP|11,900|
|33|vlucas/phpdotenv|PHP|11,655|
|34|roots/sage|PHP|11,535|
|35|PHPOffice/PHPExcel|PHP|11,479|
|36|ramsey/uuid|PHP|11,480|
|37|slimphp/Slim|PHP|11,174|
|38|the-control-group/voyager|PHP|10,805|
|39|octobercms/october|PHP|10,741|
|40|FriendsOfPHP/PHP-CS-Fixer|PHP|10,711|
|41|doctrine/inflector|PHP|10,673|
|42|PHPOffice/PhpSpreadsheet|PHP|10,630|
|43|phalcon/cphalcon|PHP|10,535|
|44|doctrine/lexer|PHP|10,516|
|45|egulias/EmailValidator|PHP|10,487|
|46|docker/labs|PHP|10,447|
|47|doctrine/instantiator|PHP|10,457|
|48|SpartnerNL/Laravel-Excel|PHP|10,421|
|49|tymondesigns/jwt-auth|PHP|10,312|
|50|z-song/laravel-admin|PHP|10,276|
The same query again, this time restricted to repositories matching the keyword `cms` with a lower star floor of 900, to pull in the CMS-type applications that are the more interesting scan targets:

GITHUB_API=https://api.github.com/search/repositories
LANGUAGE=php
KEYWORD=cms
STARS=900
curl --silent \
  --header "Accept: application/vnd.github.v3+json" \
  "${GITHUB_API}?q=${KEYWORD}+in:name,description,readme+language:${LANGUAGE}+stars:>=${STARS}&sort=stars&order=desc&per_page=50" \
  | jq --raw-output '.items[] | [.full_name, .html_url, .language // "-", .stargazers_count] | @tsv' \
  | awk '{printf("|%d|[%s](%s)|%s|%'"'"'d|\n", NR, $1, $2, $3, $4)}'

|Rank|Repository|Language|Stars|
|---|---|---|---|
|1|laravel/laravel|PHP|67,712|
|2|erusev/parsedown|PHP|13,964|
|3|getgrav/grav|PHP|13,074|
|4|octobercms/october|PHP|10,741|
|5|serbanghita/Mobile-Detect|PHP|9,900|
|6|symfony/http-kernel|PHP|7,551|
|7|php-pm/php-pm|PHP|6,358|
|8|tijsverkoyen/CssToInlineStyles|PHP|5,506|
|9|pagekit/pagekit|PHP|5,455|
|10|bagisto/bagisto|PHP|4,144|
|11|bolt/bolt|PHP|4,136|
|12|joomla/joomla-cms|PHP|4,012|
|13|maximebf/php-debugbar|PHP|3,915|
|14|corcel/corcel|PHP|3,508|
|15|picocms/Pico|PHP|3,495|
|16|anchorcms/anchor-cms|PHP|3,358|
|17|pyrocms/pyrocms|PHP|3,087|
|18|craftcms/cms|PHP|2,713|
|19|antonioribeiro/tracker|PHP|2,639|
|20|area17/twill|PHP|2,540|
|21|BootstrapCMS/CMS|PHP|2,531|
|22|leokhoa/laragon|PHP|2,419|
|23|pimcore/pimcore|PHP|2,354|
|24|LavaLite/cms|PHP|2,342|
|25|helei112g/payment|PHP|2,293|
|26|microweber/microweber|PHP|2,227|
|27|Tuhinshubhra/RED_HAWK|PHP|1,900|
|28|oscarotero/Embed|PHP|1,808|
|29|rashidlaasri/LaravelInstaller|PHP|1,735|
|30|PHPCompatibility/PHPCompatibility|PHP|1,705|
|31|getsentry/sentry-php|PHP|1,592|
|32|statamic/cms|PHP|1,531|
|33|zorlan/skycaiji|PHP|1,514|
|34|fossasia/phimpme-wordpress|PHP|1,477|
|35|SecWiki/CMS-Hunter|PHP|1,473|
|36|nette/tracy|PHP|1,461|
|37|netz98/n98-magerun|PHP|1,430|
|38|lonnieezell/Bonfire|PHP|1,427|
|39|composer/installers|PHP|1,350|
|40|barbushin/php-console|PHP|1,349|
|41|bowu678/php_bugs|PHP|1,339|
|42|modxcms/revolution|PHP|1,256|
|43|hongriSec/PHP-Audit-Labs|PHP|1,185|
|44|forkcms/forkcms|PHP|1,138|
|45|magicblack/maccms10|PHP|1,130|
|46|cashmusic/platform|PHP|1,119|
|47|loklak/loklak_php_api|PHP|1,106|
|48|TypiCMS/Base|PHP|1,024|
|49|daylightstudio/FUEL-CMS|PHP|979|
|50|gantry/gantry5|PHP|946|
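The curl | jq | awk one-liners above do the job, but they depend on jq, on a locale that makes awk's `%'d` group thousands, and on typing the clone-and-scan step by hand for every repository. The following is an added example, written for this page and not code from the original post or from Snyk: a small Python script that re-implements the same pipeline offline. It builds the Search API URL the post builds, parses the response into the same four columns, renders the same markdown rows, and then generates the `git clone` plus `snyk code test` command lines for a batch scan of the listed repositories. The embedded Search API response is constructed (three repositories with star counts taken from the table above), `fetch_search` is the only function that touches the network and is never called automatically, and the `--depth 1` clone and the `repos/` working directory are my choices, not something the post specifies.

```python
"""Offline re-implementation of the post's curl | jq | awk pipeline.

Added example, not code from the original post or from Snyk. Parses a
GitHub Search API response, renders the same markdown table rows the
awk one-liner emits, and generates (without executing) the clone and
`snyk code test` commands for a batch scan of the listed repositories.
"""
import json
import os
import urllib.parse
import urllib.request

GITHUB_API = "https://api.github.com/search/repositories"

# Constructed sample: a trimmed Search API response in the real field
# layout (full_name, html_url, language, stargazers_count). Star counts
# come from the table in the post; this is not a live response, and the
# null language on symfony/symfony is there only to exercise the fallback.
SAMPLE_SEARCH_RESPONSE = json.dumps({
    "total_count": 3,
    "incomplete_results": False,
    "items": [
        {"full_name": "laravel/laravel",
         "html_url": "https://github.com/laravel/laravel",
         "language": "PHP", "stargazers_count": 67710},
        {"full_name": "symfony/symfony",
         "html_url": "https://github.com/symfony/symfony",
         "language": None, "stargazers_count": 26229},
        {"full_name": "WordPress/WordPress",
         "html_url": "https://github.com/WordPress/WordPress",
         "language": "PHP", "stargazers_count": 15764},
    ],
})


def build_search_url(language="php", keyword="", min_stars=10000, per_page=50):
    """Same query the post builds: optional keyword in name/description/
    readme, a language filter, a star floor, sorted by stars descending.
    urlencode() percent-encodes ':' and '>=' and turns spaces into '+',
    which the Search API decodes back to the plain qualifiers."""
    terms = [t for t in (keyword, "in:name,description,readme",
                         f"language:{language}", f"stars:>={min_stars}") if t]
    params = {"q": " ".join(terms), "sort": "stars", "order": "desc",
              "per_page": per_page}
    return GITHUB_API + "?" + urllib.parse.urlencode(params)


def fetch_search(url, token=None):
    """Live call; not used by the offline sample. Unauthenticated search
    is limited to 10 requests per minute, a token raises that to 30."""
    headers = {"Accept": "application/vnd.github.v3+json"}
    token = token or os.environ.get("GITHUB_TOKEN")
    if token:
        headers["Authorization"] = f"token {token}"
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


def parse_items(payload):
    """Equivalent of the jq filter: name, URL, language ("-" when GitHub
    reports none) and star count for every item, in API order."""
    rows = []
    for item in json.loads(payload)["items"]:
        rows.append({
            "name": item["full_name"],
            "url": item["html_url"],
            "language": item.get("language") or "-",
            "stars": int(item["stargazers_count"]),
        })
    return rows


def render_table(rows):
    """Markdown rows in the awk one-liner's layout, |rank|[name](url)|lang|stars|,
    with explicit thousands grouping instead of awk's locale-dependent %'d."""
    lines = ["|Rank|Repository|Language|Stars|", "|---|---|---|---|"]
    for rank, r in enumerate(rows, start=1):
        lines.append(f"|{rank}|[{r['name']}]({r['url']})|{r['language']}|{r['stars']:,}|")
    return "\n".join(lines)


def scan_commands(rows, workdir="repos"):
    """argv lists for a batch scan: shallow-clone each repository into its
    own directory, then run `snyk code test` on that path, as the post
    does for WordPress. Nothing is executed here; review the list and
    hand each entry to subprocess.run yourself."""
    cmds = []
    for r in rows:
        dest = os.path.join(workdir, r["name"].replace("/", "__"))
        cmds.append(["git", "clone", "--depth", "1", r["url"], dest])
        cmds.append(["snyk", "code", "test", dest])
    return cmds


if __name__ == "__main__":
    rows = parse_items(SAMPLE_SEARCH_RESPONSE)
    print(render_table(rows))
    for cmd in scan_commands(rows):
        print(" ".join(cmd))
```

To run it against GitHub for real, replace `SAMPLE_SEARCH_RESPONSE` with `fetch_search(build_search_url(keyword="cms", min_stars=900))`; set `GITHUB_TOKEN` if you plan to repeat the query more than a handful of times per minute. Keeping the clone and scan steps as generated argv lists rather than a shell string avoids any quoting problems with repository names and lets you inspect exactly what will be cloned before pulling 50 codebases onto a machine.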