wordpress-seo vuln not found

[t2d]

# wp vuln status
...
+-----------------------------------+-------------------+--------------------------------------------------------------------------+----------------+
| name                              | installed version | status                                                                   | fix            |
+-----------------------------------+-------------------+--------------------------------------------------------------------------+----------------+
| wordpress-seo                     | 7.5.3             | No vulnerabilities reported for this version of wordpress-seo            | n/a            |

but wpscan tells me from the outside

[+] wordpress-seo
 | Location: https://xxx/wp-content/plugins/wordpress-seo/
 | Last Updated: 2021-04-06T15:56:00.000Z
 | [!] The version is out of date, the latest version is 16.1.1
 |
 | Found By: Comment (Passive Detection)
 |
 | [!] 2 vulnerabilities identified:
 |
 | [!] Title: Yoast SEO <= 9.1 - Authenticated Race Condition
 |     Fixed in: 9.2
 |     References:
 |      - https://wpscan.com/vulnerability/bd32be83-db19-4026-adc9-9da284849ee3
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19370
 |      - https://plugins.trac.wordpress.org/changeset/1977260/wordpress-seo
 |      - https://packetstormsecurity.com/files/150497/
 |      - https://github.com/Yoast/wordpress-seo/pull/11502/commits/3bfa70a143f5ea3ee1934f3a1703bb5caf139ffa
 |      - https://www.youtube.com/watch?v=nL141dcDGCY
 |
 | [!] Title:  Yoast SEO 1.2.0-11.5 - Authenticated Stored XSS
 |     Fixed in: 11.6
 |     References:
 |      - https://wpscan.com/vulnerability/8bc4cf95-79f7-4d92-b320-a841ab7e6a6f
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13478
 |      - https://gist.github.com/sybrew/2f53625104ee013d2f599ac254f635ee
 |      - https://github.com/Yoast/wordpress-seo/pull/13221
 |      - https://yoast.com/yoast-seo-11.6/
 |
 | Version: 7.5.3 (100% confidence)
 | Found By: Comment (Passive Detection)

Both tools are the latest version.

[oscarssanchez]

Hi @t2d ,

Can you please provide a copy of Yoast 7.5.3 ? Currently, the oldest version available from WordPress.org is 12, so I am unable to test.

Thanks!

[dkotter]

I was able to download Yoast 7.5.3 from here: https://github.com/Yoast/wordpress-seo/releases/tag/7.5.3. Running a scan on that does properly flag that as being insecure and needing to be updated.

That said, the concern here was that maybe there's some issue around caching. We do use a transient to cache the API response (see https://github.com/10up/wpcli-vulnerability-scanner/blob/develop/wpcli-vulnerability-scanner.php#L943). You could easily have a scenario where a scan is run, the API responses are cached and a vulnerability is reported before that cache expires. The next time you run a scan, it wouldn't make a fresh API request and would use the cached data instead, giving you a false result.

But that transient is only cached for a single hour so I don't think that's a fairly common scenario that would happen. Looking at the original report here, Yoast 7.5.3 is being used and the vulnerability there was reported in November of 2018 (while the report here comes from April 2021). Seems unlikely then that this would be the result of stale data, though since every set up is slightly different, possible some weird caching situation.

I think we could easily add a --no-cache flag to our commands, bypassing this cache check. But in my opinion, I'd suggest we remove that caching all together. I understand that the free plan from WP Scan has fairly small limits, so caching helps reduce the likelihood that those limits are reached, but this seems like a tool we would always want fresh data and never want cached data. This isn't something that runs regularly from user requests, it's a command that either is manually run or triggered by something like cron. So I can't think of a reason why we wouldn't want to just remove those caching lines.

All that said, still not sure that is the root cause of this reported issue. Again, can definitely see this causing issues and it does need fixed but seems unlikely that it caused the original reported issue here, just based on timelines.

[jeffpaul]

Will look to validate this once 1.1.0 is released, so punting this out of the milestone for now.

[iamdharmesh]

Hi @jeffpaul @dkotter,

I have tried to reproduce this develop branch and each service shows vulnerability for wordpress-seo version 7.5.3. Should we close this issue OR as per @dkotter's note here, we want remove cache completely? Update: We already have separate issue opened for remove cache and skip cache flag . So we are good to proceed with close this.

WPScan:

Patchstack:

Wordfence:

Thanks.

[iamdharmesh]

Closing this based on findings here. Please feel free to re-open if I misunderstood anything here.