_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.28
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] Updating the Database ...
[i] File(s) Updated:
 | metadata.json
 | wp_fingerprints.json
 | timthumbs-v3.txt
 | config_backups.txt
 | db_exports.txt
 | dynamic_finders.yml
 | LICENSE
 | sponsor.txt
[i] Update completed.

[+] URL: https://pages.fareharbor.com/ [192.0.66.151]
[+] Effective URL: https://pages.fareharbor.com/submit/
[+] Started: Mon Jan 12 10:49:31 2026

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - server: nginx
 |  - x-hacker: If you're reading this, you should visit https://join.a8c.com/viphacker and apply to join the fun, mention this header.
 |  - x-powered-by: WordPress VIP
 |  - host-header: a9130478a60e5f9135f765b23f26593b
 |  - x-rq: bom3 0 40 9980
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] robots.txt found: https://pages.fareharbor.com/robots.txt
 | Interesting Entries:
 |  - /wp-admin/
 |  - /wp-admin/admin-ajax.php
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: https://pages.fareharbor.com/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] This site seems to be a multisite
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | Reference: http://codex.wordpress.org/Glossary#Multisite

[+] This site has 'Must Use Plugins': https://pages.fareharbor.com/wp-content/mu-plugins/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 80%
 | Reference: http://codex.wordpress.org/Must_Use_Plugins

[+] The external WP-Cron seems to be enabled: https://pages.fareharbor.com/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

Fingerprinting the version -: |====================================================================================================================================================|

[+] WordPress version 6.8.3 identified (Outdated, released on 2025-09-30).
 | Found By: Query Parameter In Login Page (Aggressive Detection)
 |  - https://pages.fareharbor.com/wp-admin/js/password-strength-meter.min.js?ver=6.8.3
 |  - https://pages.fareharbor.com/wp-admin/js/user-profile.min.js?ver=6.8.3

[+] WordPress theme in use: help-center
 | Location: https://pages.fareharbor.com/wp-content/themes/help-center/
 | Readme: https://pages.fareharbor.com/wp-content/themes/help-center/readme.txt
 | Style URL: https://pages.fareharbor.com/wp-content/themes/help-center/style.css
 | Style Name: FareHarbor Help Center
 | Author: FH.me Engineering
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | The version could not be determined.

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] *
 | Location: https://pages.fareharbor.com/wp-content/plugins/*/
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | The version could not be determined.

[+] advanced-custom-fields-pro
 | Location: https://pages.fareharbor.com/wp-content/plugins/advanced-custom-fields-pro/
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | [!] 14 vulnerabilities identified:
 |
 | [!] Title: Advanced Custom Field Pro < 5.9.1 - Authenticated Reflected Cross-Site Scripting (XSS)
 |     Fixed in: 5.9.1
 |     References:
 |      - https://wpscan.com/vulnerability/d1e9c995-37bd-4952-b88e-945e02e3c83f
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24241
 |      - https://github.com/jdordonezn/Reflected-XSS-in-WordPress-for-ACF-PRO-before-5.9.1-plugin/issues/1
 |      - https://www.advancedcustomfields.com/blog/acf-5-9-1-release/
 |
 | [!] Title: Advanced Custom Fields < 5.11 - Subscriber+ Arbitrary ACF Data/Field Groups View and Fields Move
 |     Fixed in: 5.11
 |     References:
 |      - https://wpscan.com/vulnerability/f322619a-e85d-4931-8785-eb9cf30cef7f
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20865
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20866
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20867
 |      - https://wordpress.org/plugins/advanced-custom-fields/#developers
 |      - https://jvn.jp/en/jp/JVN09136401/
 |
 | [!] Title: Advanced Custom Fields < 5.12.1 - Contributor+ Database Information Access
 |     Fixed in: 5.12.1
 |     References:
 |      - https://wpscan.com/vulnerability/413576a8-0f20-465e-80cf-7cb0cb22bded
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23183
 |      - https://jvn.jp/en/jp/JVN42543427/
 |
 | [!] Title: Advanced Custom Fields 5.0-5.12.2 - Unauthenticated File Upload
 |     Fixed in: 5.12.3
 |     References:
 |      - https://wpscan.com/vulnerability/3fde5336-552c-4861-8b4d-89a16735c0e2
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2594
 |      - https://www.pritect.net/blog/advanced-custom-fields-5-12-3-can-allow-unauthenticated-users-to-upload-arbitrary-files
 |
 | [!] Title: Advanced Custom Fields < 5.12.5 - Contributor+ PHP Object Injection
 |     Fixed in: 5.12.5
 |     References:
 |      - https://wpscan.com/vulnerability/cf376ca2-92f6-44ff-929a-ace809460a33
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1196
 |
 | [!] Title: Advanced Custom Fields < 6.1.0 - Contributor+ PHP Object Injection
 |     Fixed in: 6.1.0
 |     References:
 |      - https://wpscan.com/vulnerability/8e5ec88e-0e66-44e4-bbf2-74155d849ede
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1196
 |
 | [!] Title: Advanced Custom Fields < 6.1.6 - Reflected XSS
 |     Fixed in: 6.1.6
 |     References:
 |      - https://wpscan.com/vulnerability/95ded80f-a47b-411e-bd17-050439bf565f
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30777
 |
 | [!] Title: Advanced Custom Fields < 6.2.5 - Contributor+ Stored Cross-Site Scripting via Custom Field
 |     Fixed in: 6.2.5
 |     References:
 |      - https://wpscan.com/vulnerability/9a536e07-6e99-45c1-9233-f7cee5c29ea4
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6701
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/e3593dfd-7b2a-4d01-8af0-725b444dc81b
 |
 | [!] Title: Advanced Custom Fields < 6.3 - Contributor+ Custom Field Access
 |     Fixed in: 6.3
 |     References:
 |      - https://wpscan.com/vulnerability/430224c4-d6e3-4ca8-b1bc-b2229a9bcf12
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4565
 |
 | [!] Title: Advanced Custom Fields Pro < 6.2.10 - Authenticated (Contributor+) Code Injection
 |     Fixed in: 6.2.10
 |     References:
 |      - https://wpscan.com/vulnerability/1f007bf2-8cd5-4fb9-8b2a-9e979ff2673e
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34761
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/2923afdd-36b7-4181-aade-d757a70a06c0
 |
 | [!] Title: Advanced Custom Fields Pro < 6.2.10 - Authenticated (Contributor+) Local File Inclusion
 |     Fixed in: 6.2.10
 |     References:
 |      - https://wpscan.com/vulnerability/7e1871a1-489b-4751-af6e-8cf6c5623f75
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34762
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/297c7411-5065-458c-8cad-4f6243610b8a
 |
 | [!] Title: Advanced Custom Fields <= 6.3.5 - Authenticated Stored Cross-Site Scripting
 |     Fixed in: 6.3.6
 |     References:
 |      - https://wpscan.com/vulnerability/df3f764f-b925-4341-9c4c-9d01ecb1b352
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45429
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/51178e18-ae8b-4a7f-974d-23346a8dbc52
 |
 | [!] Title: Secure Custom Fields < 6.3.6.3 - Admin+ Remote Code Execution
 |     Fixed in: 6.3.9
 |     References:
 |      - https://wpscan.com/vulnerability/dd3cc8d8-4dff-47f9-b036-5d09f2c7e5f2
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9529
 |
 | [!] Title: Secure Custom Fields < 6.3.6.3 - Admin+ Stored XSS
 |     Fixed in: 6.3.9
 |     References:
 |      - https://wpscan.com/vulnerability/9291ad3e-3618-4dbc-ae86-698e7c4d4182
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49593
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/advanced-custom-fields/advanced-custom-fields-638-secure-custom-fields-6362-authenticated-admin-stored-cross-site-scripting
 |
 | The version could not be determined.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups -: |======================================================================================================================================================|

[i] No Config Backups Found.

[+] WPScan DB API OK
 | Plan: free
 | Requests Done (during the scan): 4
 | Requests Remaining: 21

[+] Finished: Mon Jan 12 10:54:40 2026
[+] Requests Done: 1528
[+] Cached Requests: 5
[+] Data Sent: 526.353 KB
[+] Data Received: 55.904 MB
[+] Memory used: 367.473 MB
[+] Elapsed time: 00:05:09