WPScan
WPScan capabilities
- The version of WordPress installed and any associated vulnerabilities
- What plugins are installed and any associated vulnerabilities
- What themes are installed and any associated vulnerabilities
- Username enumeration
- Users with weak passwords via password brute forcing
- Backed up and publicly accessible wp-config.php files
- Database dumps that may be publicly accessible
- If error logs are exposed by plugins
- Media file enumeration
- Vulnerable Timthumb files
- If the WordPress readme file is present
- If WP-Cron is enabled
- If user registration is enabled
- Full Path Disclose
- Upload directory listing and much more…
Update the local database of WPScan
The local database can be updated with the following command:
wpscan --update
Enumeration Modes
When enumerating the WordPress version, installed plugins or installed themes, you can use three different “modes”, which are:
- passive
- aggressive
- mixed
The following enumeration options exist:
vp(Vulnerable plugins)ap(All plugins)p(Popular plugins)vt(Vulnerable themes)at(All themes)t(Popular themes)tt(Timthumbs)cb(Config backups)dbe(Db exports)u(User IDs range. e.g: u1-5)m(Media IDs range. e.g m1-15)
If no option is supplied to the -e flag, then the default will be: vp,vt,tt,cb,dbe,u,m
Cheat Sheet
Enumerate all plugins with known vulnerabilities
wpscan --url example.com -e vp
Password brute force attack
wpscan --url example.com -e u --passwords /path/to/password_file.txt