{"vulnerability": "CVE-2016-5385", "sightings": [{"uuid": "365debad-6c12-4d70-a9a0-0e0ed91dca31", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2016-5385", "type": "seen", "source": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-027-02", "content": "", "creation_timestamp": "2026-01-27T11:00:00.000000Z"}, {"uuid": "8cff9cbe-0df5-4830-b6d5-648c214226b6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2016-5385", "type": "seen", "source": "https://gist.github.com/alexishida/b71bdf593101e8b985c0fc509c6f04f3", "content": "# Attack mitigations\n\nLogin brute force: rate limit on /wp-login.php (5 req/min) and a full block of xmlrpc.php (classic amplification and brute-force vector via system.multicall).\nUser enumeration: blocks ?author=N.\nPath traversal / SQLi / XSS via query string: lightweight regex-based WAF.\nMalicious upload: blocks execution of .php in wp-content/uploads, wp-includes and cache.\nInformation disclosure: hides readme.html, license.txt, wp-config-sample.php, .env, .git, SQL dumps, logs.\nSlowloris / light DoS: short timeouts and limit_conn.\nOffensive bots (wpscan, sqlmap, nikto): blocked by User-Agent.\nHttpoxy (CVE-2016-5385): HTTP_PROXY \"\" in fastcgi.\n\nSecurity headers: HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy.\nTLS: TLS 1.2/1.3 only, modern ciphers, OCSP stapling.\nThings you need to adjust before going live:\n\nThe 4 limit_req_zone zones and the two map blocks need to go in the http {} of nginx.conf (I left them commented at the top).\nPHP-FPM socket path (php8.2-fpm.sock): check your version.\nDomain, root and certificates.\nIf you use Jetpack or the WP mobile app, uncomment the xmlrpc.php alternative instead of the full block.\nThe CSP is permissive (unsafe-inline/unsafe-eval) because WP + plugins break under a strict CSP; I recommend deploying it first as Content-Security-Policy-Report-Only and tightening from there.\n\nComplements I recommend outside nginx, since this only covers the edge layer:\n\nfail2ban with a jail for wordpress.access.log (mass 404s, 401s, POST to wp-login).\nFile permissions: wp-config.php 640, owner separate from the PHP-FPM user.\nDISALLOW_FILE_EDIT and DISALLOW_FILE_MODS in wp-config.php.\nAuto-update of core/plugins or a patching pipeline.\nTested off-site backup.", "creation_timestamp": "2026-05-07T04:12:29.000000Z"}]}