Home » Linux » Scanner » Vulnerability enumeration » Weak password cracking » WordPress » WordPress Security Scanner » WordPress Username enumeration » WPScan » WPScan - WordPress Security Scanner

WPScan - WordPress Security Scanner

in , , , , , , , - on 10:42 AM - No comments
wpscan-wordpress-security-scanner

WPScan is a black box WordPress vulnerability scanner.
Features

  • Username enumeration (from author querystring and location header)
  • Weak password cracking (multithreaded)
  • Version enumeration (from generator meta tag and from client side files)
  • Vulnerability enumeration (based on version)
  • Plugin enumeration (2220 most popular by default)
  • Plugin vulnerability enumeration (based on plugin name)
  • Plugin enumeration list generation
  • Other misc WordPress checks (theme name, dir listing, …)

Prerequisites:

  • Windows not supported
  • Ruby >= 1.9.2 – Recommended: 1.9.3
  • Curl >= 7.21 – Recommended: latest – FYI the 7.29 has a segfault
  • RubyGems – Recommended: latest
  • Git

Changelog v2.4

New

  • ‘–batch’ switch option added – Fix #454
  • Add random-agent
  • Added more CLI options
  • Switch over to nist – Fix #301
  • New choice added when a redirection is detected – Fix #438

Removed

  • Removed ‘Total WordPress Sites in the World’ counter from stats
  • Old wpscan repo links removed – Fix #440
  • Fingerprinting Dev script removed
  • Useless code removed

General core

  • Rspecs update
  • Forcing Travis notify the team
  • Ruby 2.1.1 added to Travis
  • Equal output layout for interaction questions
  • Only output error trace if verbose if enabled
  • Memory improvements during wp-items enumerations
  • Fixed broken link checker, fixed some broken links
  • Couple more 404s fixed
  • Themes & Plugins list updated

WordPress Fingerprints

  • WP 3.8.2 & 3.7.2 Fingerprints added – Fix #448
  • WP 3.8.3 & 3.7.3 fingerprints
  • WP 3.9 fingerprints

Fixed issues

  • Fix #380 – Redirects in WP 3.6-3.0
  • Fix #413 – Check the version of the Timthumbs files found
  • Fix #429 – Error WpScan Cache Browser
  • Fix #431 – Version number comparison between ’2.3.3′ and ’0.42b’
  • Fix #439 – Detect if the target goes down during the scan
  • Fix #451 – Do not rely only on files in wp-content for fingerprinting
  • Fix #453 – Documentation or inplemention of option parameters
  • Fix #455 – Fails with a message if the target returns a 403 during the wordpress check

Vulnerabilities

  • Update WordPress Vulnerabilities
  • Fixed some duplicate vulnerabilities
  • WPScan Database Statistics:
  • Total vulnerable versions: 79; 1 is new
  • Total vulnerable plugins: 748; 55 are new
  • Total vulnerable themes: 292; 41 are new
  • Total version vulnerabilities: 617; 326 are new
  • Total plugin vulnerabilities: 1162; 146 are new
  • Total theme vulnerabilities: 330; 47 are new
If you are like to add your tool in our blog feel free to contact us. We are always ready to add it for free.
Labels: , , , , , , ,

Post a Comment