Scan Your WordPress For Security Vulnerabilities With WPScan

Mattias Geniar, Sunday, May 10, 2015 - last modified: Sunday, August 2, 2015

If you're comfortable at the CLI, WPScan is super easy to get going.

The project is open source on GitHub and uses the WPScan Vulnerability Database, an open dataset of known WordPress vulnerabilities.

Installation on a Mac is a piece of cake. Other methods and operating systems are documented on GitHub.

$ git clone https://github.com/wpscanteam/wpscan.git
$ cd wpscan
$ bundle install --without test

The first time you run wpscan.rb, you'll be prompted to update the vulnerability database.

$ ./wpscan.rb

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o [A]bort, default: [N]Y

[i] Updating the Database ...
[i] Update completed.

To scan your own site, simply pass the --url parameter.

$ ./wpscan.rb --url https://ma.ttias.be
...
[+] robots.txt available under: 'https://ma.ttias.be/robots.txt'
[!] The WordPress 'https://ma.ttias.be/readme.html' file exists exposing a version number
[+] Interesting header: SERVER: nginx
[+] XML-RPC Interface available under: https://ma.ttias.be/xmlrpc.php
...
[+] WordPress version 4.x.x identified from meta generator
...
[+] Enumerating plugins from passive detection ...
 | 9 plugins found:
...

[+] Finished: Sun May 10 16:19:35 2015
[+] Requests Done: 126
[+] Memory used: 20.738 MB
[+] Elapsed time: 00:00:12

It enumerates the themes and plugins it can detect, identifies the WordPress version and gives you a nice summary. In my case, I still had to remove a readme.html file that exposes the version number.

If it finds a known vulnerability, it tells you in the output, like the example below:

...
[!] Title: Jetpack <= 3.5.2 - DOM Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/7964
    Reference: https://blog.sucuri.net/2015/05/jetpack-and-twentyfifteen-vulnerable-to-dom-based-xss-millions-of-wordpress-websites-affected-millions-of-wordpress-websites-affected.html
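If you scan your own site on a schedule (from cron, or as a step before a deploy), the part that matters is whether the report contains any `[!]` alert lines, and in particular any `[!] Title:` vulnerability entries. The following shell snippet is an added example, not part of the original post or of the WPScan project: it parses a saved WPScan text report into a pass/fail summary. The report it runs against is constructed here from the output format shown above (with `example.test` as a placeholder host), and the function names are my own.

```sh
#!/bin/sh
# Added example (not from the original post or from WPScan itself):
# summarise a saved WPScan text report and fail when it lists a known
# vulnerability, so a cron job or CI step can alert on it.
#
# Typical use:   ./wpscan.rb --url https://your-site.example > report.txt
#                summarize_report report.txt

# Constructed sample report, shaped like the WPScan output shown in the post.
# The host is a placeholder, not a real site.
sample_report() {
cat <<'EOF'
[+] robots.txt available under: 'https://example.test/robots.txt'
[!] The WordPress 'https://example.test/readme.html' file exists exposing a version number
[+] Interesting header: SERVER: nginx
[+] XML-RPC Interface available under: https://example.test/xmlrpc.php
[+] WordPress version 4.x.x identified from meta generator
[+] Enumerating plugins from passive detection ...
 | 9 plugins found:
[!] Title: Jetpack <= 3.5.2 - DOM Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/7964
[+] Finished: Sun May 10 16:19:35 2015
[+] Requests Done: 126
EOF
}

# Print every alert line from the report on stdin, without the "[!] " prefix.
list_alerts() {
    awk '/^\[!\] /{ sub(/^\[!\] /, ""); print }'
}

# Print only the titles of known vulnerabilities ("[!] Title: ..." lines).
list_vulns() {
    awk '/^\[!\] Title: /{ sub(/^\[!\] Title: /, ""); print }'
}

# Exit 0 when the report on stdin mentions an exposed readme.html, else 1.
readme_exposed() {
    list_alerts | grep -q 'readme\.html'
}

# Exit 0 when the report on stdin lists no known vulnerability, 1 otherwise.
# This is the check to gate a deploy or raise an alert on.
vuln_gate() {
    n=$(list_vulns | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# Human-readable summary of a saved report file; returns 1 on known vulns.
summarize_report() {
    printf 'Alerts in %s:\n' "$1"
    list_alerts < "$1" | sed 's/^/  - /'
    if readme_exposed < "$1"; then
        printf 'Action: remove readme.html from the web root.\n'
    fi
    if vuln_gate < "$1"; then
        printf 'No known vulnerabilities reported.\n'
    else
        printf 'Known vulnerabilities reported:\n'
        list_vulns < "$1" | sed 's/^/  * /'
        return 1
    fi
}
```

The gate deliberately keys on `[!] Title:` lines only, so informational alerts such as the readme.html notice are reported but do not by themselves fail the job; tighten `vuln_gate` to `list_alerts` if you want any alert to fail it.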

This was from an old WordPress I had lying around that hadn't been updated in a while.

A very useful tool; I'd recommend everyone scan their own site with it at least once!



Hi! My name is Mattias Geniar. I'm a Support Manager at Nucleus Hosting in Belgium, a general web geek & public speaker. Currently working on DNS Spy & Oh Dear!. Follow me on Twitter as @mattiasgeniar.


Comments

BOK Sunday, July 5, 2015 at 12:51 - Reply

FYI there is also a container image available: https://registry.hub.docker.com/u/wpscanteam/wpscan/ Saves all the hassle with Gems or rvm.
