_______________________________________________________________ __ _______ _____ \ \ / / __ \ / ____| \ \ /\ / /| |__) | (___ ___ __ _ _ __ ® \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \ \ /\ / | | ____) | (__| (_| | | | | \/ \/ |_| |_____/ \___|\__,_|_| |_| WordPress Security Scanner by the WPScan Team Version 3.8.22 Sponsored by Automattic - https://automattic.com/ @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart _______________________________________________________________ [i] It seems like you have not updated the database for some time. [?] Do you want to update now? [Y]es [N]o, default: [N]y [i] Updating the Database ... [i] Update completed. [+] URL: https://www.wikimedia.it/ [51.75.90.142] [+] Started: Tue Aug 20 14:54:19 2024 Interesting Finding(s): [+] Headers | Interesting Entry: Server: Apache/2.4.38 (Debian) | Found By: Headers (Passive Detection) | Confidence: 100% [+] robots.txt found: https://www.wikimedia.it/robots.txt | Found By: Robots Txt (Aggressive Detection) | Confidence: 100% [+] This site has 'Must Use Plugins': https://www.wikimedia.it/wp-content/mu-plugins/ | Found By: Direct Access (Aggressive Detection) | Confidence: 80% | Reference: http://codex.wordpress.org/Must_Use_Plugins [+] The external WP-Cron seems to be enabled: https://www.wikimedia.it/wp-cron.php | Found By: Direct Access (Aggressive Detection) | Confidence: 60% | References: | - https://www.iplocation.net/defend-wordpress-from-ddos | - https://github.com/wpscanteam/wpscan/issues/1299 [+] WordPress version 6.5.3 identified (Insecure, released on 2024-05-07). | Found By: Style Etag (Aggressive Detection) | - https://www.wikimedia.it/wp-admin/load-styles.php, Match: '6.5.3' | Confirmed By: Query Parameter In Install Page (Aggressive Detection) | - https://www.wikimedia.it/wp-includes/css/dashicons.min.css?ver=6.5.3 | - https://www.wikimedia.it/wp-includes/css/buttons.min.css?ver=6.5.3 | - https://www.wikimedia.it/wp-admin/css/forms.min.css?ver=6.5.3 | - https://www.wikimedia.it/wp-admin/css/l10n.min.css?ver=6.5.3 | - https://www.wikimedia.it/wp-admin/css/install.min.css?ver=6.5.3 | | [!] 3 vulnerabilities identified: | | [!] Title: WordPress < 6.5.5 - Contributor+ Stored XSS in HTML API | Fixed in: 6.5.5 | References: | - https://wpscan.com/vulnerability/2c63f136-4c1f-4093-9a8c-5e51f19eae28 | - https://wordpress.org/news/2024/06/wordpress-6-5-5/ | | [!] Title: WordPress < 6.5.5 - Contributor+ Stored XSS in Template-Part Block | Fixed in: 6.5.5 | References: | - https://wpscan.com/vulnerability/7c448f6d-4531-4757-bff0-be9e3220bbbb | - https://wordpress.org/news/2024/06/wordpress-6-5-5/ | | [!] Title: WordPress < 6.5.5 - Contributor+ Path Traversal in Template-Part Block | Fixed in: 6.5.5 | References: | - https://wpscan.com/vulnerability/36232787-754a-4234-83d6-6ded5e80251c | - https://wordpress.org/news/2024/06/wordpress-6-5-5/ [+] WordPress theme in use: betheme | Location: https://www.wikimedia.it/wp-content/themes/betheme/ | Last Updated: 2024-07-31T19:24:02.000Z | Readme: https://www.wikimedia.it/wp-content/themes/betheme/readme.txt | [!] The version is out of date, the latest version is 27.5.3 | Style URL: https://www.wikimedia.it/wp-content/themes/betheme/style.css | Style Name: Betheme | Style URI: https://themes.muffingroup.com/betheme/ | Description: The biggest WordPress Theme ever... | Author: Muffin group | Author URI: https://muffingroup.com/ | | Found By: Urls In Homepage (Passive Detection) | Confirmed By: Urls In 404 Page (Passive Detection) | | Version: 27.4.3 (80% confidence) | Found By: Style (Passive Detection) | - https://www.wikimedia.it/wp-content/themes/betheme/style.css, Match: 'Version: 27.4.3' [+] Enumerating All Plugins (via Passive Methods) [+] Checking Plugin Versions (via Passive and Aggressive Methods) [i] Plugin(s) Identified: [+] addon-elements-for-elementor-page-builder | Location: https://www.wikimedia.it/wp-content/plugins/addon-elements-for-elementor-page-builder/ | Last Updated: 2024-06-25T05:42:00.000Z | [!] The version is out of date, the latest version is 1.13.6 | | Found By: Urls In Homepage (Passive Detection) | Confirmed By: Urls In 404 Page (Passive Detection) | | [!] 2 vulnerabilities identified: | | [!] Title: Elementor Addon Elements < 1.13.6 - Authenticated (Contributor+) Stored Cross-Site Scripting | Fixed in: 1.13.6 | References: | - https://wpscan.com/vulnerability/378a07e1-5366-4642-a15c-b8c0d2fe58e7 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4569 | - https://www.wordfence.com/threat-intel/vulnerabilities/id/63ef7383-d684-473b-aa0f-45027ef245f6 | | [!] Title: Elementor Addon Elements < 1.13.6 - Authenticated (Contributor+) Stored Cross-Site Scripting | Fixed in: 1.13.6 | References: | - https://wpscan.com/vulnerability/981e113e-d044-4ab3-9615-f9571dd1bb03 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4570 | - https://www.wordfence.com/threat-intel/vulnerabilities/id/ab5f43c0-83d3-4d09-becd-a3552bebd609 | | Version: 1.13.5 (50% confidence) | Found By: Readme - ChangeLog Section (Aggressive Detection) | - https://www.wikimedia.it/wp-content/plugins/addon-elements-for-elementor-page-builder/readme.txt [+] elementor | Location: https://www.wikimedia.it/wp-content/plugins/elementor/ | Last Updated: 2024-08-05T10:50:00.000Z | [!] The version is out of date, the latest version is 3.23.4 | | Found By: Urls In Homepage (Passive Detection) | Confirmed By: Urls In 404 Page (Passive Detection) | | [!] 2 vulnerabilities identified: | | [!] Title: Elementor Website Builder < 3.21.6 - Contributor+ DOM Stored XSS | Fixed in: 3.21.6 | References: | - https://wpscan.com/vulnerability/8b8f30d6-bd11-4155-bfd2-3ac15248382b | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4619 | - https://www.wordfence.com/threat-intel/vulnerabilities/id/c7e1028e-e04b-46c4-b574-889d9fc1069d | | [!] Title: Elementor Website Builder < 3.22.2 - Contributor+ Arbitrary SVG Download | Fixed in: 3.22.2 | References: | - https://wpscan.com/vulnerability/e6d56be1-9a2a-426f-88ca-1ffa773622c1 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37437 | - https://www.wordfence.com/threat-intel/vulnerabilities/id/f11bc707-2465-4b64-945a-c0db6e9043dd | | Version: 3.21.0 (100% confidence) | Found By: Javascript Comment (Aggressive Detection) | - https://www.wikimedia.it/wp-content/plugins/elementor/assets/js/admin-feedback.js, Match: 'elementor - v3.21.0' | Confirmed By: Style Comment (Aggressive Detection) | - https://www.wikimedia.it/wp-content/plugins/elementor/assets/css/admin.min.css, Match: 'elementor - v3.21.0' [+] essential-addons-for-elementor-lite | Location: https://www.wikimedia.it/wp-content/plugins/essential-addons-for-elementor-lite/ | Last Updated: 2024-08-19T10:56:00.000Z | [!] The version is out of date, the latest version is 6.0.1 | | Found By: Urls In Homepage (Passive Detection) | Confirmed By: Urls In 404 Page (Passive Detection) | | [!] 4 vulnerabilities identified: | | [!] Title: Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders < 5.9.24 - Authenticated (Contributor+) Stored Cross-Site Scripting | Fixed in: 5.9.24 | References: | - https://wpscan.com/vulnerability/9b5b4899-630b-45c7-8fd3-6227594a3353 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5189 | - https://www.wordfence.com/threat-intel/vulnerabilities/id/aa70238b-530e-4c90-82f4-c3113887d0e1 | | [!] Title: Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders < 5.9.23 - Authenticated (Contributor+) Stored Cross-Site Scripting | Fixed in: 5.9.23 | References: | - https://wpscan.com/vulnerability/cc3a2660-8612-42f1-bbba-714a0e35ae67 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5188 | - https://www.wordfence.com/threat-intel/vulnerabilities/id/5a1d5fd1-80b6-4d62-9837-59ee1e020373 | | [!] Title: Essential Addons for Elementor < 5.9.27 - Contributor+ Stored Cross-Site Scripting | Fixed in: 5.9.27 | References: | - https://wpscan.com/vulnerability/cc22a6d6-ec4a-4d99-b9bd-a5e8a7b3190b | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39649 | - https://www.wordfence.com/threat-intel/vulnerabilities/id/eee7cad6-7910-4860-add9-c500d1f6eff3 | | [!] Title: Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders < 6.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via no_more_items_text Parameter | Fixed in: 6.0.0 | References: | - https://wpscan.com/vulnerability/1f60d021-f6f6-4b0f-a4bc-33d9ceb5585a | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7092 | - https://www.wordfence.com/threat-intel/vulnerabilities/id/718c60c1-6117-4959-a907-d0ef457f7185 | | Version: 5.9.22 (100% confidence) | Found By: Readme - Stable Tag (Aggressive Detection) | - https://www.wikimedia.it/wp-content/plugins/essential-addons-for-elementor-lite/readme.txt | Confirmed By: Readme - ChangeLog Section (Aggressive Detection) | - https://www.wikimedia.it/wp-content/plugins/essential-addons-for-elementor-lite/readme.txt [+] gdpr-cookie-compliance | Location: https://www.wikimedia.it/wp-content/plugins/gdpr-cookie-compliance/ | Last Updated: 2024-07-08T10:22:00.000Z | [!] The version is out of date, the latest version is 4.15.2 | | Found By: Urls In Homepage (Passive Detection) | Confirmed By: Urls In 404 Page (Passive Detection) | | Version: 4.14.0 (90% confidence) | Found By: Query Parameter (Passive Detection) | - https://www.wikimedia.it/wp-content/plugins/gdpr-cookie-compliance/dist/scripts/main.js?ver=4.14.0 | Confirmed By: Readme - Stable Tag (Aggressive Detection) | - https://www.wikimedia.it/wp-content/plugins/gdpr-cookie-compliance/readme.txt [+] gravityforms | Location: https://www.wikimedia.it/wp-content/plugins/gravityforms/ | Last Updated: 2024-08-13T00:00:00.000Z | [!] The version is out of date, the latest version is 2.8.16 | | Found By: Urls In 404 Page (Passive Detection) | | Version: 2.7.12 (90% confidence) | Found By: Query Parameter (Passive Detection) | - https://www.wikimedia.it/wp-content/plugins/gravityforms/js/jquery.json.min.js?ver=2.7.12 | - https://www.wikimedia.it/wp-content/plugins/gravityforms/js/gravityforms.min.js?ver=2.7.12 | - https://www.wikimedia.it/wp-content/plugins/gravityforms/js/placeholders.jquery.min.js?ver=2.7.12 | Confirmed By: Change Log (Aggressive Detection) | - https://www.wikimedia.it/wp-content/plugins/gravityforms/change_log.txt, Match: '### 2.7.12' [+] js_composer | Location: https://www.wikimedia.it/wp-content/plugins/js_composer/ | Last Updated: 2024-07-24T02:32:11.000Z | [!] The version is out of date, the latest version is 7.8 | | Found By: Body Tag (Passive Detection) | | [!] 3 vulnerabilities identified: | | [!] Title: WPBakery Page Builder < 7.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via VC Single Image link attribute | Fixed in: 7.7 | References: | - https://wpscan.com/vulnerability/3b067a13-ee58-44c9-80af-ae04af6256c8 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5265 | - https://www.wordfence.com/threat-intel/vulnerabilities/id/35a5114e-5c5f-4003-8bb3-77243ffbac1a | | [!] Title: WPBakery < 7.8 - Authenticated (Author+) Stored Cross-Site Scripting | Fixed in: 7.8 | References: | - https://wpscan.com/vulnerability/992e5d47-e290-420a-adf8-f552a929e51d | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5708 | - https://www.wordfence.com/threat-intel/vulnerabilities/id/23ff12f0-eb9d-4bb3-8db0-0e794c0f0594 | | [!] Title: WPBakery < 7.8 - Authenticated (Author+) Local File Inclusion | Fixed in: 7.8 | References: | - https://wpscan.com/vulnerability/6e3e1944-67f7-405e-ae4f-f0ab8c6c9acd | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5709 | - https://www.wordfence.com/threat-intel/vulnerabilities/id/7fad30c8-fd8a-4cf2-a3aa-16a374231b87 | | Version: 7.6 (60% confidence) | Found By: Body Tag (Passive Detection) | - https://www.wikimedia.it/, Match: 'js-comp-ver-7.6' [+] smart-slider-3 | Location: https://www.wikimedia.it/wp-content/plugins/smart-slider-3/ | Latest Version: 3.5.1.23 (up to date) | Last Updated: 2024-04-11T14:11:00.000Z | | Found By: Urls In Homepage (Passive Detection) | | Version: 3.5.1.23 (100% confidence) | Found By: Readme - Stable Tag (Aggressive Detection) | - https://www.wikimedia.it/wp-content/plugins/smart-slider-3/readme.txt | Confirmed By: Readme - ChangeLog Section (Aggressive Detection) | - https://www.wikimedia.it/wp-content/plugins/smart-slider-3/readme.txt [+] w3-total-cache | Location: https://www.wikimedia.it/wp-content/plugins/w3-total-cache/ | Last Updated: 2024-08-07T17:08:00.000Z | [!] The version is out of date, the latest version is 2.7.5 | | Found By: Comment Debug Info (Passive Detection) | | Version: 2.7.2 (100% confidence) | Found By: Readme - Stable Tag (Aggressive Detection) | - https://www.wikimedia.it/wp-content/plugins/w3-total-cache/readme.txt | Confirmed By: Readme - ChangeLog Section (Aggressive Detection) | - https://www.wikimedia.it/wp-content/plugins/w3-total-cache/readme.txt [+] wordpress-seo | Location: https://www.wikimedia.it/wp-content/plugins/wordpress-seo/ | Last Updated: 2024-08-20T07:39:00.000Z | [!] The version is out of date, the latest version is 23.3 | | Found By: Comment (Passive Detection) | | Version: 22.7 (100% confidence) | Found By: Comment (Passive Detection) | - https://www.wikimedia.it/, Match: 'optimized with the Yoast SEO plugin v22.7 -' | Confirmed By: | Readme - Stable Tag (Aggressive Detection) | - https://www.wikimedia.it/wp-content/plugins/wordpress-seo/readme.txt | Readme - ChangeLog Section (Aggressive Detection) | - https://www.wikimedia.it/wp-content/plugins/wordpress-seo/readme.txt [+] Enumerating Config Backups (via Passive and Aggressive Methods) Checking Config Backups - Time: 00:00:09 <==================================================================================================================================> (137 / 137) 100.00% Time: 00:00:09 [i] No Config Backups Found. [+] WPScan DB API OK | Plan: free | Requests Done (during the scan): 11 | Requests Remaining: 14 [+] Finished: Tue Aug 20 14:54:40 2024 [+] Requests Done: 231 [+] Cached Requests: 8 [+] Data Sent: 69.328 KB [+] Data Received: 15.669 MB [+] Memory used: 277.105 MB [+] Elapsed time: 00:00:21