-
WPScan is an automated WordPress scanner and enumeration tool. It determines if the various themes and plugins used by a WordPress site are outdated or vulnerable.
-
Installation
gem install wpscan- Verify the installation
wpscan --hh-
WPScan can pull in vulnerability information from external sources to enhance our scans. Obtain an API token from WPVulDB to scan for vulnerability and exploit PoC. The token can be used with wpscan command with --api-token parameter.
-
Scan the target
wpscan --url http://blog.inlanefreight.com --enumerate --api-token Kffr4fdJzy9qVcTk<SNIP>- Credentials attack
wpscan --password-attack -t 20 -U $NAME/$NAME_LIST -P $PASS/$PASS_LIST --url $TARGET --api-token $TOKEN