wp-vulnerability-scanner.php

<?php
/*
Plugin Name: WP Vulnerability Scanner
Description: Checks if any of your plugins has vulnerabilities
Plugin URI: https://angrycreative.se
Author: angrycreative, moelleer, pekz0r
Author URI: https://angrycreative.se
Version: 1.0
License: GPL2
Text Domain: wp-vulnerability-scanner
*/

define( 'NAGIOS_STATUS_OK', 'OK' );
define( 'NAGIOS_STATUS_WARNING', 'Warning' );
define( 'NAGIOS_STATUS_CRITICAL', 'Critical' );
define( 'NAGIOS_STATUS_UNKNOWN', 'Unknown' );

class WP_Vulnerability_Scanner {

    public $verbose = false;

    public function __construct() {
        add_action( 'wpvs_perform_scan', array( $this, 'wpvs_perform_scan' ) );
        if( !wp_next_scheduled( 'wpvs_perform_scan' ) ) {
            wp_schedule_event( time(), 'daily', 'wpvs_perform_scan' );
        }
    }
    
    function wpvs_perform_scan( $output = 'syslog', $verbose = false ) {

        $this->verbose = $verbose;
        $base_url = 'https://wpvulndb.com/api/v2/plugins/';

        // Check if get_plugins() function exists. This is required on the front end of the
        // site, since it is in a file that is normally only loaded in the admin.
        if ( ! function_exists( 'get_plugins' ) ) {
            require_once ABSPATH . 'wp-admin/includes/plugin.php';
        }

        $all_plugins = get_plugins();

        $unsafe_plugins = array();

        foreach( $all_plugins as $path => $plugin ) {

            $plugin_version = $plugin['Version'];

            $plugin_slug = untrailingslashit( plugin_dir_path( $path ) );

            $result = (array) json_decode( wp_remote_retrieve_body( wp_remote_get( $base_url . $plugin_slug ) ) );

            $this->print_output( 'Scanning ' . $plugin['Name'] . ' (v' . $plugin_version . ')' );

            if( !empty( $result[$plugin_slug]->vulnerabilities ) ) {

                $vulnerabilities = $result[$plugin_slug]->vulnerabilities;

                $unsafe = false;

                foreach( $vulnerabilities as $vul ) {
                    
                    $fixed_in = $vul->fixed_in;

                    if( empty( $fixed_in ) || version_compare( $plugin_version, $fixed_in ) === -1 ) {
                        $unsafe = true;
                        break;
                    }
                }

                if( $unsafe ) {

                    $unsafe_plugins[] = $plugin_slug;

                    $this->print_output( 'You have an unsafe version of ' . $plugin_slug . '.' , $output, NAGIOS_STATUS_CRITICAL );
                    $this->print_output( $result[$plugin_slug]->vulnerabilities, $output );
                } else {
                    $this->print_output( 'Exploit exists in ' . $plugin_slug . ', but you have a safe version.', $output, NAGIOS_STATUS_WARNING );
                }

            } else {
                $this->print_output( $plugin_slug . ' is OK!', $output, NAGIOS_STATUS_OK );
            }

        }

        return $unsafe_plugins;
    }

    public function print_output( $msg = '', $output = 'pretty', $status = '' ) {
        if( !$this->verbose ) {
            return;
        }
        if( $output === 'nagios' ) {
            echo $status . ': ' . $msg . PHP_EOL;
        } else if( $output === 'pretty' ) {
            if( is_array( $msg ) ) {
                print_r( $msg );
            } else {
                echo $msg . PHP_EOL;
            }
        }
    }
}

if( class_exists( 'WP_CLI' ) ) {

    class WP_Vulnerability_Scanner_CLI extends WP_CLI_Command {

        public $verbose = false;
        /**
         * Prints a greeting.
         *
         * ## OPTIONS
         *
         *
         * [--output=<output>]
         * : Whether or not to greet the person with success or error.
         * ---
         * default: pretty
         * options:
         *   - pretty
         *   - syslog
         *   - nagios
         * ---
         *
         * [--verbose]
         * : Show verbose output
         * ---
         *
         * ## EXAMPLES
         *
         *     wp wpsv scan
         *
         * @when after_wp_load
         */
        function scan( $args, $assoc_args ) {

            $output = $assoc_args['output'];

            if( isset( $assoc_args['verbose'] ) ) {
                $this->verbose = true;
            }

            $scanner = new WP_Vulnerability_Scanner();

            $unsafe_plugins = $scanner->wpvs_perform_scan( $output, $this->verbose );
            
            if( !empty( $unsafe_plugins ) ) {
                $unsafe_plugins_str = implode(', ', $unsafe_plugins );
                $unsafe_plugins_num = count( $unsafe_plugins );
                $error_str = '[WP_Vulnerability_Scanner] [' . get_site_url() . ']: Found ' . sprintf( _n( '%s plugin', '%s plugins', $unsafe_plugins_num, 'wp-vulnerability-scanner' ), number_format_i18n( $unsafe_plugins_num ) ) . ' (' . $unsafe_plugins_str . ') with vulnerabilities...';
                if( $output === 'syslog' ) {
                    syslog( LOG_ERR, $error_str );
                } else {
                    WP_CLI::error( $error_str );
                }
            } else {
                WP_CLI::success( '[WP_Vulnerability_Scanner] [' . get_site_url() . ']: Congratulations, you are safe!' );
            }
        }

    }

    WP_CLI::add_command( 'wpvs', 'WP_Vulnerability_Scanner_CLI' );
}

if( !class_exists( 'WP_CLI' ) ) {
    $wpvs = new WP_Vulnerability_Scanner();
}