wpscan v3.7 releases: black box WordPress vulnerability scanner
WPScan is a black box WordPress vulnerability scanner.
- Vulnerabilities retrieved from the API directly (requires an API Token). Other data, such as latest plugin version etc is also retrieved from API when Token is provided (otherwise it will be from the local DB).
- Removed Secunia and OSVDB references (via CMSScanner 0.5.8)
- Updated packetstorm and SecurityFocus reference URLs to use HTTPS rather than HTTP (via CMSScanner 0.5.8)
- Removed sitepress-multilingual-cms
DF causing False Positive – Ref #1386
- 404 are now ignored with the BodyPatten DF – Ref #1386
- The –disable-tls-checks now tries to downgrade to TLSv1 to avoid SSL errors – Ref #1380
- Ruby >= 2.2.2 – Recommended: 2.3.3
- Curl >= 7.21 – Recommended: latest – FYI the 7.29 has a segfault
- RubyGems – Recommended: latest
gem install wpscan
git clone https://github.com/wpscanteam/wpscan
bundle install && rake install
Open a terminal and type wpscan –help (if you built wpscan from the source, you should type the command outside of the git repo)
The DB is located at ~/.wpscan/db
WPScan can load all options (including the –url) from configuration files, the following locations are checked (order: first to last):
If those files exist, options from them will be loaded and overridden if found twice.
Running wpscan in the current directory (pwd), is the same as wpscan -v –proxy socks5://127.0.0.1:9090 –url http://target.tld
Copyright 2011-2018 WPScan Team.