WPScan
Overview
WPScan is a free, open-source WordPress security scanner that identifies vulnerable plugins, themes, weak passwords, and WordPress core vulnerabilities. It integrates with WPVulnDB (now the WPScan vulnerability database hosted at wpscan.com) to provide actionable security insights for WordPress administrators and security researchers.
Installation
Via RubyGems
gem install wpscan
Verify installation:
wpscan --version
Via Docker
docker pull wpscanteam/wpscan:latest
# Run WPScan in Docker
docker run -it --rm wpscanteam/wpscan:latest --url http://target.com
Via Package Manager (Linux)
# Ubuntu/Debian
sudo apt-get install wpscan
# Kali Linux (pre-installed)
wpscan --version
Manual Installation from Source
git clone https://github.com/wpscanteam/wpscan.git
cd wpscan
bundle install
# WPScan 3 ships its executable as "wpscan" (the old wpscan.rb entry point is gone)
bundle exec wpscan --version
API Token Setup
Obtaining a Free API Token
- Register at wpscan.com
- Verify your email
- Copy your API token from the dashboard
- Limit: 25 requests/day (free tier)
Configuring API Token
Store token in ~/.wpscan/scan.json:
mkdir -p ~/.wpscan
cat > ~/.wpscan/scan.json << 'EOF'
{
"general_settings": {
"api_token": "YOUR_API_TOKEN_HERE"
}
}
EOF
Or pass token via command line:
wpscan --url http://target.com --api-token YOUR_API_TOKEN
Basic Scanning
Simple Target Scan
# Basic scan (no API token)
wpscan --url http://target.com
# Scan with API token
wpscan --url http://target.com --api-token YOUR_TOKEN
Specify WordPress Path
# WordPress lives in a subdirectory (its admin panel is at /wordpress/wp-admin)
wpscan --url http://target.com/wordpress --api-token YOUR_TOKEN
Follow Redirects
wpscan --url http://target.com --follow-redirects --api-token YOUR_TOKEN
Enumeration Options
Enumerate WordPress Version
# The core version is fingerprinted on every scan; no --enumerate flag is needed (vp means vulnerable plugins)
wpscan --url http://target.com
# Check every known version-fingerprint location instead of stopping at the first hit
wpscan --url http://target.com --wp-version-all
Enumerate Plugins
# Popular plugins (p is the popular list, not all plugins)
wpscan --url http://target.com --enumerate p
# All known plugins (thousands of requests)
wpscan --url http://target.com --enumerate ap
# Vulnerable plugins only
wpscan --url http://target.com --enumerate vp
# Override the detection mode used for plugins (passive, aggressive or mixed)
wpscan --url http://target.com --enumerate p --plugins-detection aggressive
Enumerate Themes
# Popular themes
wpscan --url http://target.com --enumerate t
# All known themes
wpscan --url http://target.com --enumerate at
# Vulnerable themes only
wpscan --url http://target.com --enumerate vt
Enumerate Users
# Enumerate usernames (default user ID range 1-10)
wpscan --url http://target.com --enumerate u
# Enumerate a specific user ID range
wpscan --url http://target.com --enumerate u1-20
# Passive user detection only (no author ID probing)
wpscan --url http://target.com --enumerate u --detection-mode passive
Enumerate All Components
# Shorthand: vp/vt = vulnerable plugins/themes, ap/at = all plugins/themes, p/t = popular ones,
# u = users, tt = timthumbs, cb = config backups, dbe = database exports, m = media IDs
wpscan --url http://target.com --enumerate vp,vt,u
Detection Modes
| Mode | Speed | Accuracy | Use Case |
|---|---|---|---|
| passive | Fast | Low | Quick reconnaissance |
| aggressive | Slow | High | In-depth testing (authorized only) |
| mixed (default) | Medium | Medium | Balanced approach |
# Passive enumeration (stealthy)
wpscan --url http://target.com --enumerate p --detection-mode passive
# Aggressive enumeration (thorough, detectable)
wpscan --url http://target.com --enumerate p --detection-mode aggressive
Version Detection
Core WordPress Version
# Reported on every scan; no --enumerate flag is needed
wpscan --url http://target.com
Plugin Versions
wpscan --url http://target.com --enumerate p
Theme Versions
wpscan --url http://target.com --enumerate t
Check Against CVE Database
# Requires API token for vulnerability matching
wpscan --url http://target.com --enumerate vp --api-token YOUR_TOKEN
Password Attacks
Brute Force Attack
# Using rockyou.txt wordlist
wpscan --url http://target.com --usernames admin --passwords /usr/share/wordlists/rockyou.txt
# Brute force a specific user with a custom wordlist (WPScan 3 takes --passwords; --wordlist was the v2 flag)
wpscan --url http://target.com --usernames admin --passwords /path/to/wordlist.txt
Multiple Users
# Try multiple usernames from a file (--usernames accepts an inline list or a file path)
wpscan --url http://target.com --usernames users.txt --passwords passwords.txt
Custom Wordlists
# Multiple usernames given inline
wpscan --url http://target.com --usernames admin,editor,test --passwords passwords.txt
# Single password, multiple users (--passwords takes a file path, so write the password to a one-line file)
printf 'password123\n' > single.txt
wpscan --url http://target.com --usernames admin,editor --passwords single.txt
Throttling and Rate Limiting
# Throttle requests (milliseconds between requests)
wpscan --url http://target.com --usernames admin --passwords passwords.txt --throttle 100
# Max threads (default: 5)
wpscan --url http://target.com --usernames admin --passwords passwords.txt --max-threads 10
Vulnerability Detection
Vulnerable Plugins
# Enumerate and check for vulnerabilities
wpscan --url http://target.com --enumerate vp --api-token YOUR_TOKEN
Vulnerable Themes
wpscan --url http://target.com --enumerate vt --api-token YOUR_TOKEN
Vulnerable Core
# Core vulnerabilities for the detected version are reported on every scan once a token is supplied
wpscan --url http://target.com --api-token YOUR_TOKEN
Common Vulnerabilities Found
| Type | Severity | Example |
|---|---|---|
| SQL Injection | High | Easily exploitable injection flaws in plugins |
| Arbitrary File Upload | High | Unprotected upload endpoints |
| Privilege Escalation | High | Unauthenticated admin account creation |
| Cross-Site Scripting (XSS) | Medium | Stored/reflected XSS in plugin output |
| Local File Inclusion (LFI) | Medium | Directory traversal via plugin paths |
| Authentication Bypass | High | Weak authentication mechanisms |
| Insecure Deserialization | High | PHP object injection |
Output Formats
JSON Output
wpscan --url http://target.com --api-token YOUR_TOKEN --format json -o report.json
CLI Output (Default)
wpscan --url http://target.com --api-token YOUR_TOKEN
Plain-Text Report
# WPScan has no HTML format; the available formats are cli, cli-no-colour (cli-no-color) and json
wpscan --url http://target.com --api-token YOUR_TOKEN --format cli-no-colour -o report.txt
Export and Parse Results
# Parse JSON report: there is no top-level .vulnerabilities key, each component carries its own list
# Core vulnerabilities for the detected version
jq '.version.vulnerabilities' report.json
# Count vulnerabilities across all detected plugins
jq '[.plugins[].vulnerabilities[]] | length' report.json
# List detected plugin slugs
jq '.plugins | keys' report.json
# Plugins with at least one vulnerability
jq '.plugins | to_entries[] | select(.value.vulnerabilities | length > 0) | .key' report.json
Stealthy Scanning
Random User Agent
wpscan --url http://target.com --random-user-agent
Passive Detection Only
wpscan --url http://target.com --enumerate u --detection-mode passive
Slow Throttling
# 500ms delay between requests
wpscan --url http://target.com --enumerate p --throttle 500
Avoid Detection
# Combine techniques for stealth
wpscan --url http://target.com \
--enumerate p,u \
--detection-mode passive \
--random-user-agent \
--throttle 300 \
--api-token YOUR_TOKEN
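The options above change timing and the User-Agent, but not the URLs a plugin or user enumeration has to request, which is what a defender can key on. The following Python script is an added example (not part of the original page or of WPScan) that runs that logic over constructed Apache access-log lines; the thresholds, addresses and the User-Agent strings are assumptions.

```python
import re
from collections import defaultdict

# Constructed Apache combined-log lines (not real traffic): documentation-range
# addresses, and the last quoted field is the User-Agent the client sent.
LOG_LINES = """\
203.0.113.5 - - [10/May/2024:10:00:01 +0000] "GET /wp-content/plugins/akismet/readme.txt HTTP/1.1" 404 0 "-" "Mozilla/5.0 (Windows NT 10.0)"
203.0.113.5 - - [10/May/2024:10:00:02 +0000] "GET /wp-content/plugins/jetpack/readme.txt HTTP/1.1" 404 0 "-" "Mozilla/5.0 (Macintosh)"
203.0.113.5 - - [10/May/2024:10:00:02 +0000] "GET /wp-content/plugins/wordfence/readme.txt HTTP/1.1" 404 0 "-" "Mozilla/5.0 (X11; Linux)"
203.0.113.5 - - [10/May/2024:10:00:03 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0 (Windows NT 10.0)"
203.0.113.5 - - [10/May/2024:10:00:03 +0000] "GET /wp-json/wp/v2/users/?per_page=100 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux)"
198.51.100.7 - - [10/May/2024:10:00:04 +0000] "GET /wp-content/plugins/akismet/readme.txt HTTP/1.1" 404 0 "-" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.0.2.9 - - [10/May/2024:10:00:05 +0000] "GET /wp-content/themes/twentytwentyone/style.css HTTP/1.1" 200 2048 "http://target.example/" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')
PLUGIN_RE = re.compile(r'^/wp-content/plugins/([^/]+)/')            # one plugin slug per probe
USER_ENUM_RE = re.compile(r'^/\?author=\d+|^/wp-json/wp/v2/users')  # author-ID and REST user listing

def parse(lines):
    """Yield (client_ip, path, user_agent) for each well-formed log line."""
    for line in lines.splitlines():
        if m := LINE_RE.match(line):
            ip, _method, path, _status, ua = m.groups()
            yield ip, path, ua

def detect_wpscan(lines, plugin_threshold=3, user_threshold=2):
    """Return {client_ip: [reasons]}; throttling and a random UA leave these paths unchanged."""
    per_ip = defaultdict(lambda: {"plugins": set(), "user_enum": 0, "agents": set(), "wpscan_ua": False})
    for ip, path, ua in parse(lines):
        s = per_ip[ip]
        s["agents"].add(ua)
        s["wpscan_ua"] |= "WPScan" in ua            # WPScan's default User-Agent names itself
        if pm := PLUGIN_RE.match(path):
            s["plugins"].add(pm.group(1))
        if USER_ENUM_RE.match(path):
            s["user_enum"] += 1
    alerts = {}
    for ip, s in per_ip.items():
        checks = [(s["wpscan_ua"], "default WPScan user agent"),
                  (len(s["plugins"]) >= plugin_threshold, f"plugin enumeration ({len(s['plugins'])} slugs)"),
                  (s["user_enum"] >= user_threshold, f"user enumeration ({s['user_enum']} requests)"),
                  # several UAs from one client while it enumerates: a generic scripted-scanner tell
                  (len(s["agents"]) >= 3 and bool(s["plugins"] or s["user_enum"]), "rotating user agents")]
        reasons = [msg for hit, msg in checks if hit]
        if reasons:
            alerts[ip] = reasons
    return alerts
```

On real logs, feed the file contents to detect_wpscan and tune the thresholds to the site's normal traffic; a single readme.txt fetch is not a scan.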
Common Findings and Exploitation
Admin User Enumeration
Finding: Usernames admin, administrator, root discovered
Exploitation: Brute force password, check for weak credentials
wpscan --url http://target.com --usernames admin --passwords common.txt
Outdated WordPress Core
Finding: WordPress 5.x.x detected (a newer, patched version is available)
Remediation: Apply the security patch or update via the WordPress admin panel
Vulnerable Plugin (Example: Elementor < 3.0)
Finding: Elementor 2.9.14 detected (SQL injection in CVE-2021-12345)
Remediation: Update the plugin, or disable it until a patch is available
# Confirm via WPVulnDB API
wpscan --url http://target.com --enumerate vp --api-token YOUR_TOKEN
XML-RPC Enabled
Finding: /xmlrpc.php accessible
Remediation: Disable XML-RPC if not needed
# Detect XML-RPC
curl -I http://target.com/xmlrpc.php
Directory Listing Enabled
Finding: /wp-content/ directory browsable
Remediation: Turn off directory indexes in .htaccess (the Apache vhost must allow overrides for it to take effect)
# Append to the .htaccess in the WordPress root; do not overwrite it, it holds the permalink rewrite rules
cat >> /var/www/html/.htaccess << 'EOF'
# Disable directory listings
Options -Indexes
# Also block direct access to dotfiles such as .htaccess and .env (Apache 2.4 syntax)
<FilesMatch "^\.">
Require all denied
</FilesMatch>
EOF
WPScan API
API Endpoints
Get vulnerability information for a specific plugin or theme slug from the WPScan API (v3), authenticating with your token; each call counts against the daily request quota:
curl -H "Authorization: Token token=YOUR_API_TOKEN" "https://wpscan.com/api/v3/plugins/plugin-name"
curl -H "Authorization: Token token=YOUR_API_TOKEN" "https://wpscan.com/api/v3/themes/theme-name"
Query WPVulnDB via WPScan
# Check specific plugin version for vulnerabilities
wpscan --url http://target.com --enumerate vp --api-token YOUR_TOKEN
CI/CD Integration
GitHub Actions
name: WPScan
on: [push]
jobs:
  wpscan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Run WPScan (official Docker image)
        run: |
          # JSON goes to stdout, which avoids bind-mount permission issues with -o
          docker run --rm wpscanteam/wpscan:latest \
            --url http://target.com \
            --api-token "${WPSCAN_TOKEN}" \
            --format json > wpscan-report.json
        env:
          WPSCAN_TOKEN: ${{ secrets.WPSCAN_TOKEN }}
Jenkins Pipeline
pipeline {
  agent any
  environment {
    // 'wpscan-api-token' is an example ID for a Secret text credential stored in Jenkins
    WPSCAN_TOKEN = credentials('wpscan-api-token')
  }
  stages {
    stage('WPScan') {
      steps {
        sh '''
          wpscan --url http://target.com \
            --api-token "${WPSCAN_TOKEN}" \
            --format json -o wpscan-report.json
        '''
      }
    }
  }
}
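Both the jq one-liners under Export and Parse Results and the two pipelines above need the same thing: code that walks every component's vulnerability list in the JSON report and turns it into a pass/fail. This Python script is an added example (not WPScan's own code); it works on a constructed sample laid out the way WPScan's --format json report is assumed to be (core "version", "main_theme" and each "plugins" entry carrying their own "vulnerabilities"), so check it against a real report, and the file name and budget are placeholders.

```python
import json
import sys

# Constructed sample (not a real scan) in the layout WPScan's --format json report
# uses: core "version", "main_theme" and each "plugins" entry carry their own
# "vulnerabilities" list (assumed layout; compare against a real report).
SAMPLE_REPORT = json.loads("""{
  "target_url": "http://target.example/",
  "version": {"number": "5.8.1", "status": "insecure", "vulnerabilities": [
      {"title": "WordPress 5.8.1 - Example Core Issue", "fixed_in": "5.8.3"}]},
  "main_theme": {"slug": "twentytwentyone", "version": {"number": "1.4"}, "vulnerabilities": []},
  "plugins": {
    "sample-forms": {"slug": "sample-forms", "version": {"number": "2.1.0"}, "vulnerabilities": [
        {"title": "Sample Forms < 2.2.0 - Example Issue", "fixed_in": "2.2.0"},
        {"title": "Sample Forms - Example Issue (no fix)", "fixed_in": null}]},
    "sample-seo": {"slug": "sample-seo", "version": null, "vulnerabilities": []}}}""")

def _number(version):
    """Plugin/theme 'version' is a dict with 'number', or null when not detected."""
    return version.get("number") if isinstance(version, dict) else None

def collect_findings(report):
    """Flatten core, main-theme and plugin vulnerabilities into one list of dicts."""
    core = report.get("version") or {}
    theme = report.get("main_theme") or {}
    entries = [("core", "wordpress", core.get("number"), core),
               ("theme", theme.get("slug"), _number(theme.get("version")), theme)]
    for slug, plugin in (report.get("plugins") or {}).items():
        entries.append(("plugin", slug, _number(plugin.get("version")), plugin))
    return [{"kind": kind, "name": name, "version": number,
             "title": v.get("title"), "fixed_in": v.get("fixed_in")}
            for kind, name, number, comp in entries
            for v in (comp.get("vulnerabilities") or [])]

def summarize(findings):
    """Totals for the pipeline log; 'unfixed' means no fixed_in version is known."""
    return {"total": len(findings),
            "unfixed": sum(1 for f in findings if not f["fixed_in"]),
            "components": sorted({f"{f['kind']}:{f['name']}" for f in findings})}

def ci_exit_code(report, max_allowed=0):
    """Non-zero when findings exceed the budget, so the CI stage fails."""
    return 1 if len(collect_findings(report)) > max_allowed else 0

if __name__ == "__main__":  # usage: python3 wpscan_gate.py [wpscan-report.json]
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    for f in collect_findings(report):
        print(f"[{f['kind']}] {f['name']} {f['version'] or '?'}: {f['title']}"
              f" (fixed in {f['fixed_in'] or 'no fix released'})")
    sys.exit(ci_exit_code(report))
```

Run it as the step after the wpscan command in either pipeline, passing wpscan-report.json; a non-zero exit fails the job.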
Docker Compose for Testing
version: '3'
services:
  db:
    image: mariadb:10
    environment:
      MYSQL_DATABASE: wordpress
      MYSQL_USER: wp
      MYSQL_PASSWORD: password
      MYSQL_RANDOM_ROOT_PASSWORD: '1'
  wordpress:
    image: wordpress:latest
    depends_on:
      - db
    environment:
      WORDPRESS_DB_HOST: db
      WORDPRESS_DB_NAME: wordpress
      WORDPRESS_DB_USER: wp
      WORDPRESS_DB_PASSWORD: password
    ports:
      - "8080:80"
  wpscan:
    image: wpscanteam/wpscan:latest
    depends_on:
      - wordpress
    # depends_on only orders start-up: bring up db and wordpress, finish the WordPress
    # installer at http://localhost:8080, then run `docker compose run --rm wpscan`
    command: --url http://wordpress
Advanced Options
Proxy Configuration
# Use HTTP proxy
wpscan --url http://target.com --proxy http://127.0.0.1:8080
# Use SOCKS5 proxy
wpscan --url http://target.com --proxy socks5://127.0.0.1:1080
Custom Headers
# Add a custom header (e.g., one the target's WAF expects from an authorized scanner)
wpscan --url http://target.com --headers "X-Custom-Header: value"
SSL/TLS Configuration
# Disable TLS certificate verification (not recommended; the WPScan flag is --disable-tls-checks)
wpscan --url https://target.com --disable-tls-checks
# Use specific certificate
wpscan --url https://target.com --certificate /path/to/cert.pem
Aggressive Scanning with All Options
# vp,vt,u,tt,cb,dbe,m covers every enumeration target (there is no "wp" value)
wpscan --url http://target.com \
--enumerate vp,vt,u,tt,cb,dbe,m \
--detection-mode aggressive \
--api-token YOUR_TOKEN \
--random-user-agent \
--max-threads 10 \
--format json -o full-report.json
Best Practices
| Practice | Benefit |
|---|---|
| Use API token | Unlock vulnerability database matching |
| Scan authorized targets only | Legal and ethical compliance |
| Test in staging environment | Avoid production impact |
| Regular scanning | Catch new vulnerabilities early |
| Update plugin/theme list | Ensure current vulnerability data |
| Combine with manual review | Find logic flaws WPScan misses |
| Monitor WordPress updates | Patch promptly when available |
Common Issues and Troubleshooting
Target Not Reachable
# Test connectivity first
curl -I http://target.com
# Specify timeout
wpscan --url http://target.com --request-timeout 15
API Token Limit Reached
# Without token (limited data)
wpscan --url http://target.com --enumerate p
# Purchase premium token for higher limits
# Visit: https://wpscan.com
False Positives in Results
# Manually verify findings (the plugin's readme.txt states its version)
curl http://target.com/wp-content/plugins/plugin-name/readme.txt
# Then confirm the version is within the affected range in the WPScan vulnerability database
Slow Scanning
# Increase threads for faster enumeration
wpscan --url http://target.com --max-threads 25 --enumerate p
Resources
- Official Documentation: https://github.com/wpscanteam/wpscan
- WPVulnDB Database: https://www.wpvulndb.com
- WPScan Website: https://wpscan.com
- Vulnerability Reporting: https://wpscan.com/report
- Community: https://www.wordpress.org/support/