give dates and current versions for WP #704

Closed
digininja opened this issue Sep 30, 2014 · 13 comments

@digininja

As part of a scan you output the version of WP detected, it would be good if you could also say when that version was released and give the current version with its release date. When I'm writing my report I want to put:

You are running version x.x which was released y/y/y, it is recommended you upgrade to the latest which is currently version p.p.

The "shock" value of pointing out that their current version is 2 years out of date (recent test) works well to get them to update and if you've got the data then it saves me going looking it up.

Same for plugins and their dates would be really good but that would be a lot of work.

@ethicalhack3r
Contributor

I like the idea, I think we might have even discussed it before on here. The only way I can think of to get the latest plugin/theme version number is to hit wordpress.com's plugin repository for the information.

This would require the user to have internet access and also allow wordpress to log the incoming requests which could cause a privacy issue for users.

Maybe there are other ways we can do it though?

Keeping the latest plugin versions ourselves would be too much overhead I think. Would require a regular scan of all the plugins possibly leading to wordpress banning the scans as they have in the past.

@firefart
Contributor

@ethicalhack3r we could add this information to plugins.txt (which could be a json) so you can sync it from our repo. Would be good if we integrate the other files in the database.

@pvdl
Contributor

pvdl commented Sep 30, 2014

@digininja
At the moment: Maybe this small program can help you: https://github.com/wpscanteam/Tools/blob/master/pluginversion.rb

@secureli

This would be very beneficial for my usage of WPscan. I would be happy to spearhead this new feature. Does anyone want to work with me on this?

@pvdl
Contributor

pvdl commented Dec 31, 2014

I found another useful source: http://pluginmirror.com/plugins/
Free and open source!

@pvdl
Contributor

pvdl commented Jan 1, 2015

Made some improvements on the pluginversion script.
https://github.com/wpscanteam/Tools/blob/master/pluginversion.rb

@pvdl
Contributor

pvdl commented Jan 8, 2015

Improved the script a bit more.

Output example:

URL         : http://plugins.svn.wordpress.org/woocommerce/trunk/readme.txt
Plugin      : woocommerce
Version     : 2.2.10
Requires WP : 3.8
Tested up to: 4.1
Last update : 2014-12-16

@wpscanteam/owners , what do you think, shall we implement this 'code-snippet' in the WPScan-core?
We can use the verbose mode or create an extra option e.g. --dates

It uses the external wordpress svn repository for getting the dates from the installed plugins.
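
An added example, not part of the thread and not the code of pluginversion.rb: a sketch of how the fields in the output above can be read from a plugin's readme.txt header and turned into a report line. The readme text, the dates passed in, and the helper names (`parse_readme_header`, `outdated?`, `report_line`) are constructed for illustration; nothing is fetched from the network.

```ruby
require 'date'

# Constructed sample of a plugin readme.txt (values mirror the output above).
SAMPLE_README = <<~README
  === WooCommerce ===
  Contributors: example
  Requires at least: 3.8
  Tested up to: 4.1
  Stable tag: 2.2.10
  License: GPLv3

  == Description ==
  Stable tag: 9.9.9 (body text, must be ignored)
README

FIELDS = { 'stable tag' => :version, 'requires at least' => :requires_wp,
           'tested up to' => :tested_up_to }.freeze

# Parse only the header block: stop at the first "== Section ==" heading.
def parse_readme_header(text)
  info = {}
  text.each_line do |line|
    line = line.strip
    if (m = line.match(/\A===\s*(.+?)\s*===\z/))
      info[:name] = m[1]
      next
    end
    break if line.match?(/\A==[^=].*==\z/)
    key, value = line.split(':', 2)
    next unless value
    field = FIELDS[key.strip.downcase]
    info[field] ||= value.strip if field
  end
  info
end

# Numeric comparison (2.2.4 < 2.2.10); nil when a value is not a version, e.g. "trunk".
def outdated?(installed, latest)
  return nil unless [installed, latest].all? { |v| Gem::Version.correct?(v) }
  Gem::Version.new(installed) < Gem::Version.new(latest)
end

# last_update is supplied by the caller (the readme itself carries no date).
def report_line(info, installed, last_update, today)
  age = (today - Date.parse(last_update)).to_i
  state = case outdated?(installed, info[:version])
          when true then "outdated, latest is #{info[:version]}"
          when false then 'up to date'
          else 'latest version unknown'
          end
  "#{info[:name]} #{installed}: #{state}; repository last updated #{last_update} (#{age} days ago)"
end
```

Comparing the version strings as plain text would rank 2.2.4 above 2.2.10, which is why the comparison goes through `Gem::Version`.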

@ethicalhack3r
Contributor

I like the optional aspect, but maybe using the WordPress web Plugin DB would be faster and likely to have less issues accessing?

@firefart
Contributor

firefart commented Jan 8, 2015

I think having this in wpvulndb and pushing it to the json makes more sense to reduce the number of http requests to svn.wordpress.org. I think there is already an issue in the wpvulndb repo for fetching the current version and storing them.

@ethicalhack3r
Contributor

Good point, I think this makes more sense

@ethicalhack3r
Contributor

Quick update: We have implemented current versions and release dates to plugins (and themes?) but not WP itself yet.

@ethicalhack3r
Contributor

Just remembered that we already store the WP release date in WPVULNDB but don't export it to WPScan. Looking into this now. Current WP versions would be tricky.

@ethicalhack3r
Contributor

We now show the WP release date
