WPTK - Site vulnerabilities found

biggdogg285

Well-Known Member
cPanel Access Level
Root Administrator
Hello,

Upon a new installation of WordPress via the WPTK, an email is sent out to new customers (see attached). This is for WordPress <= 6.2 - Unauth. Blind SSRF vulnerability. We already disabled POST requests to the xmlrpc.php server-wide.

Is there a way to skip this initial vulnerability email to new customers or execute something so they don't get this? It's making new customers nervous out of the gate with their WordPress installation. These emails are important, so I don't want to disable them for current customers; it's just this problem with new customers and a brand-new install of WordPress.

Thanks.
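The server-wide block on POST requests to xmlrpc.php mentioned in the post can be expressed like this on an Apache 2.4 server. This is an added example, not configuration from the thread or from cPanel; it assumes Apache 2.4 and that the snippet is placed in a global include that applies before every VirtualHost (on EasyApache 4 the pre-VirtualHost global include is the assumed location).

```apache
# Added example (not from the thread): refuse every HTTP method except
# GET and HEAD for any file named xmlrpc.php, server-wide.
# Assumes Apache 2.4; place it in a global context such as
# /etc/apache2/conf.d/includes/pre_virtualhost_global.conf (EasyApache 4).
<Files "xmlrpc.php">
    <LimitExcept GET HEAD>
        Require all denied
    </LimitExcept>
</Files>
```

This closes the POST entry point that WordPress XML-RPC pingbacks use, but it does not change the installed WordPress version, which is what the WordPress Toolkit scan reports on; an install that is mitigated this way but not updated will still be reported as affected, which matches the behaviour described in the post.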

cPRex

Jurassic Moderator
Staff member
cPanel Access Level
Root Administrator
Hey there! In the WordPress Toolkit settings area, you should be able to disable the "Client" option on the highlighted line to disable that message from being sent to end users. The server admin will still get the notification.

Screenshot 2023-07-31 at 2.16.33 PM.png

biggdogg285

Well-Known Member
cPanel Access Level
Root Administrator
I have seen that option, but wouldn't that disable vulnerability emails moving forward as well? The problem is this initial email rather than subsequent emails.