WPScan - WordPress Security Scanner
WPScan is a black box WordPress vulnerability scanner.
Features
- Username enumeration (from author querystring and location header)
- Weak password cracking (multithreaded)
- Version enumeration (from generator meta tag and from client side files)
- Vulnerability enumeration (based on version)
- Plugin enumeration (2220 most popular by default)
- Plugin vulnerability enumeration (based on plugin name)
- Plugin enumeration list generation
- Other misc WordPress checks (theme name, dir listing, …)
- Windows not supported
- Ruby >= 1.9.2 – Recommended: 1.9.3
- Curl >= 7.21 – Recommended: latest – FYI the 7.29 has a segfault
- RubyGems – Recommended: latest
- Git
Changelog v2.4
New- ‘–batch’ switch option added – Fix #454
- Add random-agent
- Added more CLI options
- Switch over to nist – Fix #301
- New choice added when a redirection is detected – Fix #438
- Removed ‘Total WordPress Sites in the World’ counter from stats
- Old wpscan repo links removed – Fix #440
- Fingerprinting Dev script removed
- Useless code removed
- Rspecs update
- Forcing Travis notify the team
- Ruby 2.1.1 added to Travis
- Equal output layout for interaction questions
- Only output error trace if verbose if enabled
- Memory improvements during wp-items enumerations
- Fixed broken link checker, fixed some broken links
- Couple more 404s fixed
- Themes & Plugins list updated
- WP 3.8.2 & 3.7.2 Fingerprints added – Fix #448
- WP 3.8.3 & 3.7.3 fingerprints
- WP 3.9 fingerprints
- Fix #380 – Redirects in WP 3.6-3.0
- Fix #413 – Check the version of the Timthumbs files found
- Fix #429 – Error WpScan Cache Browser
- Fix #431 – Version number comparison between ’2.3.3′ and ’0.42b’
- Fix #439 – Detect if the target goes down during the scan
- Fix #451 – Do not rely only on files in wp-content for fingerprinting
- Fix #453 – Documentation or inplemention of option parameters
- Fix #455 – Fails with a message if the target returns a 403 during the wordpress check
- Update WordPress Vulnerabilities
- Fixed some duplicate vulnerabilities
- Total vulnerable versions: 79; 1 is new
- Total vulnerable plugins: 748; 55 are new
- Total vulnerable themes: 292; 41 are new
- Total version vulnerabilities: 617; 326 are new
- Total plugin vulnerabilities: 1162; 146 are new
- Total theme vulnerabilities: 330; 47 are new