typisttech/wpsecadv

GitHub: typisttech/wpsecadv

A security-advisory repository that converts Wordfence vulnerability data into a Composer-consumable format, so that the native `composer audit` command reports affected packages and Composer blocks installing vulnerable packages.

Stars: 5 | Forks: 0

# WP Sec Adv [![Test](https://static.pigsec.cn/wp-content/uploads/repos/2026/03/008e09b579102815.svg)](https://github.com/typisttech/wpsecadv/actions/workflows/test.yml) [![codecov](https://codecov.io/gh/typisttech/wpsecadv/graph/badge.svg?token=PVY82NZYZE)](https://codecov.io/gh/typisttech/wpsecadv) [![License](https://img.shields.io/github/license/typisttech/wpsecadv.svg)](https://github.com/typisttech/wpsecadv/blob/master/LICENSE) [![Follow @TangRufus on X](https://img.shields.io/badge/Follow-TangRufus-15202B?logo=x&logoColor=white)](https://x.com/tangrufus) [![Follow @TangRufus.com on Bluesky](https://img.shields.io/badge/Bluesky-TangRufus.com-blue?logo=bluesky)](https://bsky.app/profile/tangrufus.com) [![Sponsor @TangRufus via GitHub](https://img.shields.io/badge/Sponsor-TangRufus-EA4AAA?logo=githubsponsors)](https://github.com/sponsors/tangrufus) [![Hire Typist Tech](https://img.shields.io/badge/Hire-Typist%20Tech-778899)](https://typist.tech/contact/)

Composer repository for WordPress security advisories.

Built with ♥ by Typist Tech

## Quick start

```shell
composer repo --append add wpsecadv composer https://repo-wpsecadv.typist.tech
composer audit
```

The audit report it produces looks like this:

```
Found 2 security vulnerability advisories affecting 1 package:
+-------------------+--------------------------------------------------------------+
| Package           | roots/wordpress-no-content                                   |
| Severity          | medium                                                       |
| Advisory ID       | WPSECADV/WF/112ed4f2-fe91-4d83-a3f7-eaf889870af4/wordpress   |
| CVE               | CVE-2022-3590                                                |
// ...
```
If you get `Command "repo" is not defined.`: the `composer repo` subcommand was added in Composer v2.9.0. On an older Composer, **append** the repository to `composer.json` by hand:

```diff
 "repositories": [
   {
     "name": "wp-packages",
     "type": "composer",
     "url": "https://repo.wp-packages.org"
-  }
+  },
+  {
+    "name": "wpsecadv",
+    "type": "composer",
+    "url": "https://repo-wpsecadv.typist.tech"
+  }
 ],
```

`composer audit` itself has been available since Composer 2.4; the install-time blocking shown further down this page is the newer `audit.block-insecure` behaviour and also needs a current Composer.
## Tutorial

First, create a new Bedrock project and `cd` into it:

```shell
composer create-project roots/bedrock bedrock 1.30.0
cd bedrock
```

Install a package with known vulnerabilities:

```shell
composer require wp-theme/twentyfifteen:1.1
```

Add WP Sec Adv:

```shell
composer repo --append add wpsecadv composer https://repo-wpsecadv.typist.tech
```

Check the installed packages for security advisories:

```
composer audit
// ...
// Found 3 security vulnerability advisories affecting 2 packages
// ...
```
Full console output:

```
$ composer audit
Found 3 security vulnerability advisories affecting 2 packages:
+-------------------+----------------------------------------------------------------------------------+
| Package           | roots/wordpress-no-content                                                       |
| Severity          | medium                                                                           |
| Advisory ID       | WPSECADV/WF/112ed4f2-fe91-4d83-a3f7-eaf889870af4/wordpress                       |
| CVE               | CVE-2022-3590                                                                    |
| Title             | WordPress Core - All known versions - Unauthenticated Blind Server Side Request  |
|                   | Forgery                                                                          |
|                   | ### Copyright 1999-2026 The MITRE Corporation                                    |
|                   | CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive,        |
|                   | no-charge, royalty-free, irrevocable copyright license to reproduce, prepare     |
|                   | derivative works of, publicly display, publicly perform, sublicense, and         |
|                   | distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for    |
|                   | such purposes is authorized provided that you reproduce MITRE's copyright        |
|                   | designation and this license in any such copy.                                   |
|                   | https://www.cve.org/Legal/TermsOfUse                                             |
|                   | ### Copyright 2012-2026 Defiant Inc.                                             |
|                   | Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge,      |
|                   | royalty-free, irrevocable copyright license to reproduce, prepare derivative     |
|                   | works of, publicly display, publicly perform, sublicense, and distribute this    |
|                   | software vulnerability information. Any copy of the software vulnerability       |
|                   | information you make for such purposes is authorized provided that you include a |
|                   | hyperlink to this vulnerability record and reproduce Defiant's copyright         |
|                   | designation and this license in any such copy.                                   |
|                   | https://www.wordfence.com/wordfence-intelligence-terms-and-conditions/           |
| URL               | https://www.wordfence.com/threat-intel/vulnerabilities/id/112ed4f2-fe91-4d83-a3f |
|                   | 7-eaf889870af4?source=api-prod                                                   |
| Affected versions | *                                                                                |
| Reported at       | 2022-09-06T00:00:00+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | roots/wordpress-no-content                                                       |
| Severity          | medium                                                                           |
| Advisory ID       | WPSECADV/WF/9fda5e15-fdf9-4b67-93d3-2dbfa94aefe9/wordpress                       |
| CVE               | CVE-2017-14990                                                                   |
| Title             | WordPress Core - All Known Versions - Cleartext Storage of                       |
|                   | wp_signups.activation_key                                                        |
|                   | ### Copyright 1999-2026 The MITRE Corporation                                    |
|                   | CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive,        |
|                   | no-charge, royalty-free, irrevocable copyright license to reproduce, prepare     |
|                   | derivative works of, publicly display, publicly perform, sublicense, and         |
|                   | distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for    |
|                   | such purposes is authorized provided that you reproduce MITRE's copyright        |
|                   | designation and this license in any such copy.                                   |
|                   | https://www.cve.org/Legal/TermsOfUse                                             |
|                   | ### Copyright 2012-2026 Defiant Inc.                                             |
|                   | Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge,      |
|                   | royalty-free, irrevocable copyright license to reproduce, prepare derivative     |
|                   | works of, publicly display, publicly perform, sublicense, and distribute this    |
|                   | software vulnerability information. Any copy of the software vulnerability       |
|                   | information you make for such purposes is authorized provided that you include a |
|                   | hyperlink to this vulnerability record and reproduce Defiant's copyright         |
|                   | designation and this license in any such copy.                                   |
|                   | https://www.wordfence.com/wordfence-intelligence-terms-and-conditions/           |
| URL               | https://www.wordfence.com/threat-intel/vulnerabilities/id/9fda5e15-fdf9-4b67-93d |
|                   | 3-2dbfa94aefe9?source=api-prod                                                   |
| Affected versions | *                                                                                |
| Reported at       | 2017-10-10T00:00:00+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | wp-theme/twentyfifteen                                                           |
| Severity          | medium                                                                           |
| Advisory ID       | WPSECADV/WF/57666105-81e4-4ef4-8889-9ce9995d2629/twentyfifteen                   |
| CVE               | CVE-2015-3429                                                                    |
| Title             | Twenty Fifteen Theme <= 1.1 & WordPress Core < 4.2.2 - Cross-Site Scripting via  |
|                   | example.html                                                                     |
|                   | ### Copyright 1999-2026 The MITRE Corporation                                    |
|                   | CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive,        |
|                   | no-charge, royalty-free, irrevocable copyright license to reproduce, prepare     |
|                   | derivative works of, publicly display, publicly perform, sublicense, and         |
|                   | distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for    |
|                   | such purposes is authorized provided that you reproduce MITRE's copyright        |
|                   | designation and this license in any such copy.                                   |
|                   | https://www.cve.org/Legal/TermsOfUse                                             |
|                   | ### Copyright 2012-2026 Defiant Inc.                                             |
|                   | Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge,      |
|                   | royalty-free, irrevocable copyright license to reproduce, prepare derivative     |
|                   | works of, publicly display, publicly perform, sublicense, and distribute this    |
|                   | software vulnerability information. Any copy of the software vulnerability       |
|                   | information you make for such purposes is authorized provided that you include a |
|                   | hyperlink to this vulnerability record and reproduce Defiant's copyright         |
|                   | designation and this license in any such copy.                                   |
|                   | https://www.wordfence.com/wordfence-intelligence-terms-and-conditions/           |
| URL               | https://www.wordfence.com/threat-intel/vulnerabilities/id/57666105-81e4-4ef4-888 |
|                   | 9-9ce9995d2629?source=api-prod                                                   |
| Affected versions | <=1.1                                                                            |
| Reported at       | 2015-04-08T00:00:00+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
```
The best course of action is to update the package to a patched version. Update the Twenty Fifteen theme:

```
composer require wp-theme/twentyfifteen
// ...
// Found 2 security vulnerability advisories affecting 1 package
// ...
```
Full console output:

```
$ composer require wp-theme/twentyfifteen
./composer.json has been updated
Running composer update wp-theme/twentyfifteen
Loading composer repositories with package information
Updating dependencies
Lock file operations: 0 installs, 1 update, 0 removals
  - Upgrading wp-theme/twentyfifteen (1.1 => 4.1)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 0 installs, 1 update, 0 removals
  - Upgrading wp-theme/twentyfifteen (1.1 => 4.1): Extracting archive
Generating optimized autoload files
Found 2 security vulnerability advisories affecting 1 package.
Run "composer audit" for a full list of advisories.
Using version ^4.1 for wp-theme/twentyfifteen
```
However, a patch may not exist yet, or may never exist (as with the two WordPress core CVEs above). To ignore the advisories against `roots/wordpress-no-content`, edit `composer.json`:

```json
{
  "config": {
    "audit": {
      "ignore": ["roots/wordpress-no-content"]
    }
  }
}
```

When a package with a known vulnerability is about to be installed, the Composer solver refuses to load it and `composer update|require` fails. Try installing a vulnerable WooCommerce version:

```
composer require wp-plugin/woocommerce:10.5.0
// ...
// Your requirements could not be resolved to an installable set of packages.
//
//   Problem 1
//     - Root composer.json requires wp-plugin/woocommerce 10.5.0 (exact version match: 10.5.0 or 10.5.0.0), found wp-plugin/woocommerce[10.5.0] but these were not loaded, because they are affected by security advisories ("WPSECADV/WF/df7eca9b-e353-49e7-8706-89c1787637e9/woocommerce").
// ...
// Installation failed, reverting ./composer.json and ./composer.lock to their original content.
```
Full console output:

```
$ composer require wp-plugin/woocommerce:10.5.0
./composer.json has been updated
Running composer update wp-plugin/woocommerce
Loading composer repositories with package information
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Root composer.json requires wp-plugin/woocommerce 10.5.0 (exact version match: 10.5.0 or 10.5.0.0), found wp-plugin/woocommerce[10.5.0] but these were not loaded, because they are affected by security advisories ("WPSECADV/WF/df7eca9b-e353-49e7-8706-89c1787637e9/woocommerce").

Go to https://packagist.org/security-advisories/ to find advisory details.
To ignore the advisories, add them to the audit "ignore" config.
To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.

Installation failed, reverting ./composer.json and ./composer.lock to their original content.
```
Unfortunately, because of a compatibility problem with a WooCommerce extension, we have to stay on WooCommerce v10.5.0. To disable security blocking for this one install:

```
composer require wp-plugin/woocommerce:10.5.0 --no-security-blocking
// ...
// Found 2 ignored security vulnerability advisories affecting 1 package.
// Found 1 security vulnerability advisory affecting 1 package.
// ...
```
Full console output:

```
$ composer require wp-plugin/woocommerce:10.5.0 --no-security-blocking
./composer.json has been updated
Running composer update wp-plugin/woocommerce
Loading composer repositories with package information
Updating dependencies
Lock file operations: 1 install, 0 updates, 0 removals
  - Locking wp-plugin/woocommerce (10.5.0)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 1 install, 0 updates, 0 removals
  - Installing wp-plugin/woocommerce (10.5.0): Extracting archive
Generating optimized autoload files
Found 2 ignored security vulnerability advisories affecting 1 package.
Found 1 security vulnerability advisory affecting 1 package.
Run "composer audit" for a full list of advisories.
```
The `--no-security-blocking` flag lets packages with open security advisories be installed, but only for that one run. Subsequent `composer update|require` runs will be blocked again. Once the package is installed, get the CVE ID from `composer audit`:

```
composer audit
// ...
// | Package           | wp-plugin/woocommerce                                                            |
// | CVE               | CVE-2026-3589                                                                    |
// ...
```
Full console output:

```
$ composer audit
Found 2 ignored security vulnerability advisories affecting 1 package:
+-------------------+----------------------------------------------------------------------------------+
| Package           | roots/wordpress-no-content                                                       |
| Severity          | medium                                                                           |
| Advisory ID       | WPSECADV/WF/112ed4f2-fe91-4d83-a3f7-eaf889870af4/wordpress                       |
| CVE               | CVE-2022-3590                                                                    |
| Title             | WordPress Core - All known versions - Unauthenticated Blind Server Side Request  |
|                   | Forgery                                                                          |
|                   | ### Copyright 1999-2026 The MITRE Corporation                                    |
|                   | CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive,        |
|                   | no-charge, royalty-free, irrevocable copyright license to reproduce, prepare     |
|                   | derivative works of, publicly display, publicly perform, sublicense, and         |
|                   | distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for    |
|                   | such purposes is authorized provided that you reproduce MITRE's copyright        |
|                   | designation and this license in any such copy.                                   |
|                   | https://www.cve.org/Legal/TermsOfUse                                             |
|                   | ### Copyright 2012-2026 Defiant Inc.                                             |
|                   | Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge,      |
|                   | royalty-free, irrevocable copyright license to reproduce, prepare derivative     |
|                   | works of, publicly display, publicly perform, sublicense, and distribute this    |
|                   | software vulnerability information. Any copy of the software vulnerability       |
|                   | information you make for such purposes is authorized provided that you include a |
|                   | hyperlink to this vulnerability record and reproduce Defiant's copyright         |
|                   | designation and this license in any such copy.                                   |
|                   | https://www.wordfence.com/wordfence-intelligence-terms-and-conditions/           |
| URL               | https://www.wordfence.com/threat-intel/vulnerabilities/id/112ed4f2-fe91-4d83-a3f |
|                   | 7-eaf889870af4?source=api-prod                                                   |
| Affected versions | *                                                                                |
| Reported at       | 2022-09-06T00:00:00+00:00                                                        |
| Ignore reason     | None specified                                                                   |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | roots/wordpress-no-content                                                       |
| Severity          | medium                                                                           |
| Advisory ID       | WPSECADV/WF/9fda5e15-fdf9-4b67-93d3-2dbfa94aefe9/wordpress                       |
| CVE               | CVE-2017-14990                                                                   |
| Title             | WordPress Core - All Known Versions - Cleartext Storage of                       |
|                   | wp_signups.activation_key                                                        |
|                   | ### Copyright 1999-2026 The MITRE Corporation                                    |
|                   | CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive,        |
|                   | no-charge, royalty-free, irrevocable copyright license to reproduce, prepare     |
|                   | derivative works of, publicly display, publicly perform, sublicense, and         |
|                   | distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for    |
|                   | such purposes is authorized provided that you reproduce MITRE's copyright        |
|                   | designation and this license in any such copy.                                   |
|                   | https://www.cve.org/Legal/TermsOfUse                                             |
|                   | ### Copyright 2012-2026 Defiant Inc.                                             |
|                   | Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge,      |
|                   | royalty-free, irrevocable copyright license to reproduce, prepare derivative     |
|                   | works of, publicly display, publicly perform, sublicense, and distribute this    |
|                   | software vulnerability information. Any copy of the software vulnerability       |
|                   | information you make for such purposes is authorized provided that you include a |
|                   | hyperlink to this vulnerability record and reproduce Defiant's copyright         |
|                   | designation and this license in any such copy.                                   |
|                   | https://www.wordfence.com/wordfence-intelligence-terms-and-conditions/           |
| URL               | https://www.wordfence.com/threat-intel/vulnerabilities/id/9fda5e15-fdf9-4b67-93d |
|                   | 3-2dbfa94aefe9?source=api-prod                                                   |
| Affected versions | *                                                                                |
| Reported at       | 2017-10-10T00:00:00+00:00                                                        |
| Ignore reason     | None specified                                                                   |
+-------------------+----------------------------------------------------------------------------------+
Found 1 security vulnerability advisory affecting 1 package:
+-------------------+----------------------------------------------------------------------------------+
| Package           | wp-plugin/woocommerce                                                            |
| Severity          | medium                                                                           |
| Advisory ID       | WPSECADV/WF/df7eca9b-e353-49e7-8706-89c1787637e9/woocommerce                     |
| CVE               | CVE-2026-3589                                                                    |
| Title             | WooCommerce < 10.5.3 - Cross-Site Request Forgery                                |
|                   | ### Copyright 1999-2026 The MITRE Corporation                                    |
|                   | CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive,        |
|                   | no-charge, royalty-free, irrevocable copyright license to reproduce, prepare     |
|                   | derivative works of, publicly display, publicly perform, sublicense, and         |
|                   | distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for    |
|                   | such purposes is authorized provided that you reproduce MITRE's copyright        |
|                   | designation and this license in any such copy.                                   |
|                   | https://www.cve.org/Legal/TermsOfUse                                             |
|                   | ### Copyright 2012-2026 Defiant Inc.                                             |
|                   | Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge,      |
|                   | royalty-free, irrevocable copyright license to reproduce, prepare derivative     |
|                   | works of, publicly display, publicly perform, sublicense, and distribute this    |
|                   | software vulnerability information. Any copy of the software vulnerability       |
|                   | information you make for such purposes is authorized provided that you include a |
|                   | hyperlink to this vulnerability record and reproduce Defiant's copyright         |
|                   | designation and this license in any such copy.                                   |
|                   | https://www.wordfence.com/wordfence-intelligence-terms-and-conditions/           |
| URL               | https://www.wordfence.com/threat-intel/vulnerabilities/id/df7eca9b-e353-49e7-870 |
|                   | 6-89c1787637e9?source=api-prod                                                   |
| Affected versions | <10.5.3                                                                          |
| Reported at       | 2026-03-10T00:00:00+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
```
To allow a specific advisory through, edit `composer.json`:

```json
{
  "config": {
    "audit": {
      "ignore": {
        "roots/wordpress-no-content": {
          "apply": "all",
          "reason": "We live dangerously and don't care about this one"
        },
        "CVE-2026-3589": {
          "apply": "block",
          "reason": "Waiting for FooBar add-on v1.2.3 to be released. Allow during updates but still report in audits"
        }
      }
    }
  }
}
```

Everything above is a Composer feature. WP Sec Adv merely converts the Wordfence vulnerability data feed into a format Composer can consume.

Learn more:

- https://getcomposer.org/doc/06-config.md#audit
- https://getcomposer.org/doc/03-cli.md#audit
- https://blog.packagist.com/discover-security-advisories-with-composers-audit-command/
- https://www.wordfence.com/help/wordfence-intelligence/v3-accessing-and-consuming-the-vulnerability-data-feed/

## Disabling security blocking

Besides the one-off `--no-security-blocking` flag, you can disable security blocking permanently with:

```shell
composer config audit.block-insecure false
```

or by editing `composer.json` by hand:

```json
{
  "config": {
    "audit": {
      "block-insecure": false
    }
  }
}
```

## Package resolution

A Composer package name consists of a `vendor` and a `project`, e.g. `my-vendor/my-project`, whereas WordPress themes and plugins are identified by a `slug` alone.

WP Sec Adv matches Composer packages to WordPress themes and plugins by comparing the `project` with the `slug`; the `vendor` is ignored. For example:

| Composer                            | WordPress          |
| ----------------------------------- | ------------------ |
| `wp-plugin/woocommerce`             | `woocommerce`      |
| `wpackagist-plugin/woocommerce`     | `woocommerce`      |
| `my-mirror/woocommerce`             | `woocommerce`      |
| `gravity/gravityforms`              | `gravityforms`     |
| `my-mirror/gravityforms`            | `gravityforms`     |
| `wp-theme/twentytwentyfive`         | `twentytwentyfive` |
| `wpackagist-theme/twentytwentyfive` | `twentytwentyfive` |
| `my-mirror/twentytwentyfive`        | `twentytwentyfive` |

Two consequences follow from this rule: any package from any vendor whose `project` happens to equal a WordPress slug will be matched (a false positive, handled with `exclude` below), and a plugin installed under a Composer name whose `project` differs from its WordPress slug will not be matched at all, so keep project names aligned with slugs.

### `exclude`

If a name collides, add `exclude` to the repository config. For example, this prevents `spatie/ignition` from being mistaken for the [Ignition theme](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/ignition#:~:text=Ignition):

```diff
 "repositories": [
   {
     "name": "wp-packages",
     "type": "composer",
     "url": "https://repo.wp-packages.org"
   },
   {
     "name": "wpsecadv",
     "type": "composer",
-    "url": "https://repo-wpsecadv.typist.tech"
+    "url": "https://repo-wpsecadv.typist.tech",
+    "exclude": [
+      "spatie/ignition"
+    ]
   }
 ],
```

### `only`

To avoid mismatches and speed up Composer operations, add `only` to the repository config:

```diff
 "repositories": [
   {
     "name": "wp-packages",
     "type": "composer",
     "url": "https://repo.wp-packages.org"
   },
   {
     "name": "wpsecadv",
     "type": "composer",
-    "url": "https://repo-wpsecadv.typist.tech"
+    "url": "https://repo-wpsecadv.typist.tech",
+    "only": [
+      "wp-plugin/*",
+      "wp-theme/*",
+      "wp-core/*",
+      "wpackagist-plugin/*",
+      "wpackagist-theme/*",
+      "roots/wordpress-no-content",
+      "roots/wordpress-full",
+      "johnpbloch/wordpress-core",
+      "deliciousbrains-plugin/*",
+      "gravity/*",
+      "yoast/*",
+      "my-mirror/*"
+    ]
   }
 ],
```

Adjust the `only` array to your own setup.

## Continuous monitoring

### GitHub Actions

```yaml
name: Audit Dependencies

on:
  workflow_dispatch:
  schedule:
    - cron: '0 9 * * *' # Once a day
  pull_request:
  push:

permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout composer.json & composer.lock
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          sparse-checkout: |
            composer.json
            composer.lock

      - name: Setup PHP
        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0
        with:
          php-version: '8.5'

      - name: Checks for security vulnerability advisories
        run: composer audit --locked
```

## Best practices

- Prefer the detailed `config.audit.ignore` object form with [`apply` and `reason`](https://getcomposer.org/doc/06-config.md#detailed-format-with-apply-scope-), so the decisions can be reviewed later
- Unless you have [continuous monitoring](#continuous-monitoring) in place, treat [`config.audit.block-insecure`](https://getcomposer.org/doc/06-config.md#block-insecure) as an emergency or short-term measure only
- Narrow [`only`](#only) down to just your WordPress core, plugins and themes
- Read the advisory details. Even after patching, the damage may already have been done

## Self-hosting

TODO!
## Wordfence

WP Sec Adv's advisory data comes from the [Wordfence vulnerability data feed](https://www.wordfence.com/help/wordfence-intelligence/v3-accessing-and-consuming-the-vulnerability-data-feed/). Thanks to the Wordfence team for making the feed freely available to everyone.

The feed comes with an [attribution requirement](https://www.wordfence.com/help/wordfence-intelligence/v3-accessing-and-consuming-the-vulnerability-data-feed/#mitre_attribution_requirement). Composer, however, has no mechanism for displaying copyright notices, so WP Sec Adv appends the copyright details to the advisory title.

## Credits

[`WP Sec Adv`](https://github.com/typisttech/wpsecadv) is a [Typist Tech](https://typist.tech) project maintained by [Tang Rufus](https://x.com/TangRufus), a freelance developer [available for hire](https://typist.tech/contact/).

The full list of contributors can be found [here](https://github.com/typisttech/wpsecadv/graphs/contributors).

## Copyright and License

This project is [free software](https://www.gnu.org/philosophy/free-sw.en.html) distributed under the terms of the MIT license. See [LICENSE](./LICENSE) for the full license.

## Contributing

Feedback, bug reports and pull requests are welcome.