Search the Community

Introduction WPScan is a free and automated black box WordPress vulnerability scanner written for security professionals and blog maintainers to test the security of their sites. You can use it to remotely scan WordPress installations, to find vulnerabilities within the core version, plugins, and themes. It’s maintained by the WPScan Team. v3.8.22 Latest Minor: Better handling of redirection, ie when target http->https (or the opposite), the target URL will be changed to the new one automatically to avoid scanning the http version and getting 301 which could result in items being missed Better handling of unsupported HEAD method by checking for 501 and timeout as well [hide][Hidden Content]]

Introduction WPScan is a free and automated black box WordPress vulnerability scanner written for security professionals and blog maintainers to test the security of their sites. You can use it to remotely scan WordPress installations, to find vulnerabilities within the core version, plugins, and themes. Minor: When checking the full response during Enumeration, valid_response_codes are now also considered --exclude-usernames option added [hide][Hidden Content]]

Introduction WPScan is a free and automated black box WordPress vulnerability scanner written for security professionals and blog maintainers to test the security of their sites. You can use it to remotely scan WordPress installations, to find vulnerabilities within the core version, plugins, and themes. Minor: Updated number of daily free API requests in the output [hide][Hidden Content]]

Introduction WPScan is a free and automated black box WordPress vulnerability scanner written for security professionals and blog maintainers to test the security of their sites. You can use it to remotely scan WordPress installations, to find vulnerabilities within the core version, plugins, and themes Minor: Fixed exception raised in rescue statement when error happened in OptParseValidator, causing multiple stacktraces to be displayed rather than the error message. DB Export pattern updated to detect file with CREATE/ALTER DATABASE statements – Ref #1599 [hide][Hidden Content]]

Introduction WPScan is a free and automated black box WordPress vulnerability scanner written for security professionals and blog maintainers to test the security of their sites. You can use it to remotely scan WordPress installations, to find vulnerabilities within the core version, plugins, and themes. Minor: Target URL added to the JSON output when an error occurs before controller#run – Ref #1594 --force option added to scan target despite returning a 403 when checking its availability – Ref #1592 Add an InterestingFinding check (php_disabled) to detect whether or not PHP is disabled – Ref #1593 [hide][Hidden Content]]

Introduction WPScan is a free and automated black box WordPress vulnerability scanner written for security professionals and blog maintainers to test the security of their sites. You can use it to remotely scan WordPress installations, to find vulnerabilities within the core version, plugins, and themes. It’s maintained by the WPScan Team. Minor: Updated dependencies. Installation should be faster and easier regarding Nokogiri [hide][Hidden Content]]

Introduction WPScan is a free and automated black box WordPress vulnerability scanner written for security professionals and blog maintainers to test the security of their sites. You can use it to remotely scan WordPress installations, to find vulnerabilities within the core version, plugins, and themes. It’s maintained by the WPScan Team. Minor: Updated ruby to 2.7.2 Updated some leftover of wpscan.org to the correct domain/URL Updated some leftover of WPVulnDB to the correct name Fixed API retry not properly working due to caching Fixed incorrect detection of an invalid API Token provided #1579 [hide][Hidden Content]]

Introduction WPScan is a free and automated black box WordPress vulnerability scanner written for security professionals and blog maintainers to test the security of their sites. You can use it to remotely scan WordPress installations, to find vulnerabilities within the core version, plugins, and themes. Minor: Added a login-uri CLI option to set the URI of the login page (if different from wp-login.php) – Ref #1554 [hide][Hidden Content]]

Introduction WPScan is a free and automated black box WordPress vulnerability scanner written for security professionals and blog maintainers to test the security of their sites. You can use it to remotely scan WordPress installations, to find vulnerabilities within the core version, plugins, and themes. It’s maintained by the WPScan Team. [hide][Hidden Content]]

Introduction WPScan is a free and automated black box WordPress vulnerability scanner written for security professionals and blog maintainers to test the security of their sites. You can use it to remotely scan WordPress installations, to find vulnerabilities within the core version, plugins, and themes. It’s maintained by the WPScan Team. [hide][Hidden Content]]

Introduction WPScan is a free and automated black box WordPress vulnerability scanner written for security professionals and blog maintainers to test the security of their sites. You can use it to remotely scan WordPress installations, to find vulnerabilities within the core version, plugins, and themes. It’s maintained by the WPScan Team. Minor: Updated WP Duplicator installer-log.txt detection, Thanks to @dwisiswant0 – Ref #1540 [hide][Hidden Content]]

Introduction WPScan is a free and automated black box WordPress vulnerability scanner written for security professionals and blog maintainers to test the security of their sites. You can use it to remotely scan WordPress installations, to find vulnerabilities within the core version, plugins, and themes. It’s maintained by the WPScan Team. Minor: Be more informative in CLI output with InterestingFindings – Ref #1510 Better CLI error messages for Path validators [hide][Hidden Content]]

Introduction WPScan is a free and automated black box WordPress vulnerability scanner written for security professionals and blog maintainers to test the security of their sites. You can use it to remotely scan WordPress installations, to find vulnerabilities within the core version, plugins, and themes. It’s maintained by the WPScan Team. Minor: Fixed Theme author incorrectly detected – Ref #1520 Password Attack: Fixed disabled XMLRPC method not being correctly detected in blog with a language other than English – Ref #1522 [hide][Hidden Content]]

Introduction WPScan is a free and automated black box WordPress vulnerability scanner written for security professionals and blog maintainers to test the security of their sites. You can use it to remotely scan WordPress installations, to find vulnerabilities within the core version, plugins, and themes. It’s maintained by the WPScan Team. Minor Fixes a potential InvalidProgressBar error with the xmlrpc_multicall pwd attack Long option/s now displayed when a required one is missing – Ref #1500 Fixes Crash when URL does not contain a TLD, such as dc-2 Password Attack: When an error occurs, the response body is only displayed when --verbose is used When using an output format other than the CLI (such as -f json), the progress bar log will only contain unique errors (before duplicate could occur, leading to an increase of Memory usage) Check for wp-login.php availability before doing password attack on it – Ref #1519 Uses an enumerator to read the wordlist (rather than the whole file at once) during password attacks, reducing the memory usage – Ref #1518 [hide][Hidden Content]]

Introduction WPScan is a free and automated black box WordPress vulnerability scanner written for security professionals and blog maintainers to test the security of their sites. You can use it to remotely scan WordPress installations, to find vulnerabilities within the core version, plugins, and themes. It’s maintained by the WPScan Team. For usage examples check: WPScan Usage Example [Enumeration + Exploit] Minor Fixes a potential InvalidProgressBar error with the xmlrpc_multicall pwd attack Long option/s now displayed when a required one is missing – Ref #1500 Fixes Crash when URL does not contain a TLD, such as dc-2 [HIDE][Hidden Content]]

Introduction WPScan is a free and automated black box WordPress vulnerability scanner written for security professionals and blog maintainers to test the security of their sites. You can use it to remotely scan WordPress installations, to find vulnerabilities within the core version, plugins, and themes. It’s maintained by the WPScan Team. Added Youtube references from the API in output Added CVSS score and vector output. This will only be displayed for users with an enterprise token [HIDE][Hidden Content]]

Introduction WPScan is a free and automated black box WordPress vulnerability scanner written for security professionals and blog maintainers to test the security of their sites. You can use it to remotely scan WordPress installations, to find vulnerabilities within the core version, plugins, and themes. It’s maintained by the WPScan Team. Major: Support for Ruby 2.4 removed as EOL reached. Minor: Icon displayed when valid credentials found during password attack changed from notice to warning [!] Help messages for --plugins-detection and --plugins-version-detection updated – Ref #1472 [HIDE][Hidden Content]]

Introduction WPScan is a free and automated black box WordPress vulnerability scanner written for security professionals and blog maintainers to test the security of their sites. You can use it to remotely scan WordPress installations, to find vulnerabilities within the core version, plugins, and themes. It’s maintained by the WPScan Team. v3.7.11 Fixes incorrect detection of error responses when performing Password Attack via XMLRPC in some cases. Fixes non detection of users via the WP JSON method when blog uses Basic Auth or a proxy is given. Fixes reference error when debug log is identified Fixes wrong number of argument error with old versions of activesupport (< 5.2) from opt_parse_validator. [HIDE][Hidden Content]]

Introduction WPScan is a free and automated black box WordPress vulnerability scanner written for security professionals and blog maintainers to test the security of their sites. You can use it to remotely scan WordPress installations, to find vulnerabilities within the core version, plugins, and themes. It’s maintained by the WPScan Team. v3.7.10 Message added to error raised when there is a checksum mismatch during update, asking the user to try again in a few minute. Fixes non detection of plugins/themes when the main 404 is a redirection and the plugins/themes checked return empty 200 responses [HIDE][Hidden Content]]

WPScan is a black box WordPress vulnerability scanner. Changelog v3.7.9 Avoid sending irrelevant request params (such as cookies and headers) when updating and checking VulnAPI – Ref #1451 Target IP address added to output – Ref #1088 Time to detect non WP sites greatly reduced when there are a lot of links in the homepage. Passive scanning time reduced when there are a lot of links in the homepage. [HIDE][Hidden Content]]

Introduction WPScan is a free and automated black box WordPress vulnerability scanner written for security professionals and blog maintainers to test the security of their sites. You can use it to remotely scan WordPress installations, to find vulnerabilities within the core version, plugins, and themes. It’s maintained by the WPScan Team. Fixed DB Exports not detected in some cases – Ref #1426 [HIDE][Hidden Content]]

Introduction WPScan is a free and automated black box WordPress vulnerability scanner written for security professionals and blog maintainers to test the security of their sites. You can use it to remotely scan WordPress installations, to find vulnerabilities within the core version, plugins, and themes. It’s maintained by the WPScan Team. Added the Referer header to all requests to target blog – Ref #1376 Added long option name in errors raised when loading an invalid option value from a file – Ref wpscanteam/OptParseValidator#33 [HIDE][Hidden Content]]

WPScan is a black box WordPress vulnerability scanner. Changelog v3.6.1 User Agent when updating the DB is now the default one (WPScan v<VERSION> ([Hidden Content])) Fixed crash when theme or plugin slug contain illegal characters to create a class – #1374 [HIDE][Hidden Content]]

Introduction WPScan is a free and automated black box WordPress vulnerability scanner written for security professionals and blog maintainers to test the security of their sites. You can use it to remotely scan WordPress installations, to find vulnerabilities within the core version, plugins, and themes. It’s maintained by the WPScan Team. Reduces starting time by not creating all DF. Plugin and Theme Versions DF are now created when they are needed. Fixes a bug where stats were not being displayed in some cases upon error in threads Fixes long generation time of target urls before enumeration when the blog had no sub directory detected. Dev: Potential Readme filenames can now be overridden via the DF config, leading to less requests done when looking for Readmes, and avoiding false positive due to old readme files which were checked first – #1364 Some DF methods renamed to avoid confusion with DB methods (ie #db_data -> #df_data) [Hidden Content]

Introduction WPScan is a free and automated black box WordPress vulnerability scanner written for security professionals and blog maintainers to test the security of their sites. You can use it to remotely scan WordPress installations, to find vulnerabilities within the core version, plugins, and themes. It’s maintained by the WPScan Team. Features: Detects known vulnerabilities in the WordPress core, plugins and themes, Detects weak user’s credentials (usernames & passwords), Checks overall WordPress security (mis)configuration, Runs brute force penetration testings, WordPress Version enumeration (from generator meta tag), It can perform full server headers scanning, Also performs miscellaneous WordPress checks (directory used, theme names, custom dirs, etc.). It has vulnerability database, which is regularly updated. [HIDE][Hidden Content]]