_______________________________________________________________
        __          _______   _____                  
        \ \        / /  __ \ / ____|                 
         \ \  /\  / /| |__) | (___   ___  __ _ _ __  
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \ 
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team 
                        Version v2.4.1
     Sponsored by the RandomStorm Open Source Initiative
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: http://testovaci.web/
[+] Started: Fri Nov 28 09:14:36 2014

[+] robots.txt available under: 'http://testovaci.web/robots.txt'
[+] Interesting entry from robots.txt: http://testovaci.web
[!] The WordPress 'http://testovaci.web/readme.html' file exists
[+] Interesting header: SERVER: Apache/2.2.16 (Debian) PHP/5.3.3-7+squeeze14 with Suhosin-Patch mod_ssl/2.2.16 OpenSSL/0.9.8o
[+] Interesting header: X-POWERED-BY: PHP/5.3.3-7+squeeze14
[+] XML-RPC Interface available under: http://testovaci.web/xmlrpc.php

[+] WordPress version 3.0.4 identified from meta generator
[!] 8 vulnerabilities identified from the version number

[!] Title: XSS vulnerability in swfupload in WordPress
    Reference: http://seclists.org/fulldisclosure/2012/Nov/51

[!] Title: XMLRPC Pingback API Internal/External Port Scanning
    Reference: https://github.com/FireFart/WordpressPingbackPortScanner

[!] Title: WordPress XMLRPC pingback additional issues
    Reference: http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html

[!] Title: wp-admin/press-this.php - Privilege Escalation
    Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-5270
[i] Fixed in: 3.0.6

[!] Title: Cross-site scripting (XSS) vulnerability in wp-includes/default-filters.php
    Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6633
[i] Fixed in: 3.3.3

[!] Title: wp-admin/media-upload.php sensitive information disclosure or bypass
    Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6634
[i] Fixed in: 3.3.3

[!] Title: wp-admin/includes/class-wp-posts-list-table.php sensitive information disclosure by visiting a draft
    Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6635
[i] Fixed in: 3.3.3

[!] Title: Crafted String URL Redirect Restriction Bypass
    Reference: http://packetstormsecurity.com/files/123589/
    Reference: http://core.trac.wordpress.org/changeset/25323
    Reference: http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609
    Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4339
    Reference: http://secunia.com/advisories/54803
    Reference: http://osvdb.org/97212
    Reference: http://www.exploit-db.com/exploits/28958/
[i] Fixed in: 3.6.1

[+] WordPress theme in use: nejakasablona

[+] Name: nejakasablona
 |  Location: http://testovaci.web/wp-content/themes/nejakasablona/
 |  Style URL: http://testovaci.web/wp-content/themes/nejakasablona/style.css
 |  Description: 

[+] Enumerating installed plugins  ...

[+] We found 25 plugins:

[+] Name: add-local-avatar
 |  Location: http://testovaci.web/wp-content/plugins/add-local-avatar/
 |  Readme: http://testovaci.web/wp-content/plugins/add-local-avatar/readme.txt

[+] Name: adrotate - v3.6.6
 |  Location: http://testovaci.web/wp-content/plugins/adrotate/
 |  Readme: http://testovaci.web/wp-content/plugins/adrotate/readme.txt

[!] Title: AdRotate <= 3.9.4 - clicktracker.php track Parameter SQL Injection
    Reference: http://packetstormsecurity.com/files/125330/
    Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1854
    Reference: http://secunia.com/advisories/57079
    Reference: http://osvdb.org/103578
    Reference: http://www.exploit-db.com/exploits/31834/
[i] Fixed in: 3.9.5

[!] Title: AdRotate <= 3.6.6 - SQL Injection Vulnerability
    Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4671
    Reference: http://secunia.com/advisories/46814
    Reference: http://osvdb.org/77507
    Reference: http://www.exploit-db.com/exploits/18114/
[i] Fixed in: 3.6.8

[!] Title: AdRotate <= 3.6.5 - SQL Injection Vulnerability
    Reference: http://unconciousmind.blogspot.com/2011/09/wordpress-adrotate-plugin-365-sql.html
    Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4671
    Reference: http://osvdb.org/77507
    Reference: http://www.exploit-db.com/exploits/17888/
[i] Fixed in: 3.6.8

[+] Name: akismet
 |  Location: http://testovaci.web/wp-content/plugins/akismet/
 |  Readme: http://testovaci.web/wp-content/plugins/akismet/readme.txt

[+] Name: antispam-bee
 |  Location: http://testovaci.web/wp-content/plugins/antispam-bee/
 |  Readme: http://testovaci.web/wp-content/plugins/antispam-bee/readme.txt

[+] Name: breadcrumb-navxt - v3.4.1
 |  Location: http://testovaci.web/wp-content/plugins/breadcrumb-navxt/
 |  Readme: http://testovaci.web/wp-content/plugins/breadcrumb-navxt/readme.txt

[+] Name: contact-form-7 - v2.4.2
 |  Location: http://testovaci.web/wp-content/plugins/contact-form-7/
 |  Readme: http://testovaci.web/wp-content/plugins/contact-form-7/readme.txt

[!] Title: Contact Form 7 <= 3.7.1 - Security Bypass Vulnerability
    Reference: http://www.securityfocus.com/bid/66381/
    Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2265
[i] Fixed in: 3.7.2

[!] Title: Contact Form 7 3.5.3 - Crafted File Extension Upload Remote Code Execution
    Reference: http://packetstormsecurity.com/files/125018/
    Reference: http://seclists.org/fulldisclosure/2014/Feb/0
    Reference: http://osvdb.org/102776

[!] Title: Contact Form 7 <= 3.5.2 - Arbitrary File Upload Remote Code Execution
    Reference: http://packetstormsecurity.com/files/124154/
    Reference: http://osvdb.org/100189
[i] Fixed in: 3.5.3

[+] Name: eshop
 |  Location: http://testovaci.web/wp-content/plugins/eshop/

[!] Title: eShop - wp-admin/admin.php Multiple Parameter XSS
    Reference: http://seclists.org/bugtraq/2011/Aug/52
    Reference: http://secunia.com/advisories/45553
    Reference: http://osvdb.org/74464
[i] Fixed in: 6.2.9

[+] Name: members - v0.1.1
 |  Location: http://testovaci.web/wp-content/plugins/members/
 |  Readme: http://testovaci.web/wp-content/plugins/members/readme.txt

[+] Name: ple-navigation
 |  Location: http://testovaci.web/wp-content/plugins/ple-navigation/
 |  Readme: http://testovaci.web/wp-content/plugins/ple-navigation/readme.txt

[+] Name: post-plugin-library - v2.6.2.1
 |  Location: http://testovaci.web/wp-content/plugins/post-plugin-library/
 |  Readme: http://testovaci.web/wp-content/plugins/post-plugin-library/readme.txt

[+] Name: redirection
 |  Location: http://testovaci.web/wp-content/plugins/redirection/
 |  Readme: http://testovaci.web/wp-content/plugins/redirection/readme.txt

[!] Title: Redirection 2.3.3 - view/admin/item.php URL Handling Reflected XSS
    Reference: http://osvdb.org/101774
[i] Fixed in: 2.3.4

[!] Title: Redirection - wp-admin/tools.php id Parameter XSS
    Reference: http://secunia.com/advisories/45782
    Reference: http://osvdb.org/74783
[i] Fixed in: 2.2.9

[+] Name: rss-import - v4.9.9
 |  Location: http://testovaci.web/wp-content/plugins/rss-import/
 |  Readme: http://testovaci.web/wp-content/plugins/rss-import/readme.txt

[+] Name: sem-external-links
 |  Location: http://testovaci.web/wp-content/plugins/sem-external-links/
 |  Readme: http://testovaci.web/wp-content/plugins/sem-external-links/readme.txt

[+] Name: similar-posts - v2.6.2.0
 |  Location: http://testovaci.web/wp-content/plugins/similar-posts/
 |  Readme: http://testovaci.web/wp-content/plugins/similar-posts/readme.txt

[+] Name: smooth-slider - v2.3.2
 |  Location: http://testovaci.web/wp-content/plugins/smooth-slider/
 |  Readme: http://testovaci.web/wp-content/plugins/smooth-slider/readme.txt

[+] Name: sociable - v3.5.2
 |  Location: http://testovaci.web/wp-content/plugins/sociable/
 |  Readme: http://testovaci.web/wp-content/plugins/sociable/readme.txt

[+] Name: syntax-highlighter-mt - v2.2.2
 |  Location: http://testovaci.web/wp-content/plugins/syntax-highlighter-mt/
 |  Readme: http://testovaci.web/wp-content/plugins/syntax-highlighter-mt/readme.txt

[+] Name: wiziapp-create-your-own-native-iphone-app - vv1.2.4b
 |  Location: http://testovaci.web/wp-content/plugins/wiziapp-create-your-own-native-iphone-app/
 |  Readme: http://testovaci.web/wp-content/plugins/wiziapp-create-your-own-native-iphone-app/readme.txt

[+] Name: wp-db-backup - v2.2.3
 |  Location: http://testovaci.web/wp-content/plugins/wp-db-backup/
 |  Readme: http://testovaci.web/wp-content/plugins/wp-db-backup/readme.txt

[+] Name: wp-memory-usage
 |  Location: http://testovaci.web/wp-content/plugins/wp-memory-usage/
 |  Readme: http://testovaci.web/wp-content/plugins/wp-memory-usage/readme.txt

[+] Name: wp-pagenavi - v2.73
 |  Location: http://testovaci.web/wp-content/plugins/wp-pagenavi/
 |  Readme: http://testovaci.web/wp-content/plugins/wp-pagenavi/readme.txt

[+] Name: wp-postviews - v1.50
 |  Location: http://testovaci.web/wp-content/plugins/wp-postviews/
 |  Readme: http://testovaci.web/wp-content/plugins/wp-postviews/readme.txt

[!] Title: WP-PostViews - "search_input" Cross-Site Scripting Vulnerability
    Reference: http://secunia.com/advisories/50982

[!] Title: WP-PostViews 1.62 - Setting Manipulation CSRF
    Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3252
    Reference: http://secunia.com/advisories/53127
    Reference: http://osvdb.org/93096
[i] Fixed in: 1.63

[+] Name: wp-spamfree
 |  Location: http://testovaci.web/wp-content/plugins/wp-spamfree/
 |  Readme: http://testovaci.web/wp-content/plugins/wp-spamfree/readme.txt

[!] Title: WP-SpamFree 3.2.1 - Spam SQL Injection Vulnerability
    Reference: http://www.exploit-db.com/exploits/17970/

[+] Name: wp-super-cache - v0.9.7
 |  Location: http://testovaci.web/wp-content/plugins/wp-super-cache/
 |  Readme: http://testovaci.web/wp-content/plugins/wp-super-cache/readme.txt

[!] Title: WP-Super-Cache 1.3 - Remote Code Execution
    Reference: http://www.acunetix.com/blog/web-security-zone/wp-plugins-remote-code-execution/
    Reference: http://wordpress.org/support/topic/pwn3d
    Reference: http://blog.sucuri.net/2013/04/update-wp-super-cache-and-w3tc-immediately-remote-code-execution-vulnerability-disclosed.html
[i] Fixed in: 1.3.1

[!] Title: WP Super Cache 1.3 - trunk/wp-cache.php wp_nonce_url Function URI XSS
    Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2008
    Reference: http://osvdb.org/92832
[i] Fixed in: 1.3.1

[!] Title: WP Super Cache 1.3 - trunk/plugins/wptouch.php URI XSS
    Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2008
    Reference: http://osvdb.org/92831
[i] Fixed in: 1.3.1

[!] Title: WP Super Cache 1.3 - trunk/plugins/searchengine.php URI XSS
    Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2008
    Reference: http://osvdb.org/92830
[i] Fixed in: 1.3.1

[!] Title: WP Super Cache 1.3 - trunk/plugins/domain-mapping.php URI XSS
    Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2008
    Reference: http://osvdb.org/92829
[i] Fixed in: 1.3.1

[!] Title: WP Super Cache 1.3 - trunk/plugins/badbehaviour.php URI XSS
    Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2008
    Reference: http://osvdb.org/92828
[i] Fixed in: 1.3.1

[!] Title: WP Super Cache 1.3 - trunk/plugins/awaitingmoderation.php URI XSS
    Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2008
    Reference: http://osvdb.org/92827
[i] Fixed in: 1.3.1

[+] Name: wptouch - v1.9.34
 |  Location: http://testovaci.web/wp-content/plugins/wptouch/
 |  Readme: http://testovaci.web/wp-content/plugins/wptouch/readme.txt

[+] Finished: Fri Nov 28 09:26:27 2014
[+] Memory used: 10.266 MB
[+] Elapsed time: 00:11:51