WPScan is a WordPress vulnerability scanner written in Ruby. Sucuri sponsors the project, which is hosted open source on GitHub. WPScan checks WordPress core, plugins and themes against Sucuri's vulnerability database and produces a report of your site's known security vulnerabilities, which a hacker or script kiddie could exploit.
Install WPScan
On Ubuntu 18.04 we are going to install some WPScan dependencies first:
sudo apt update
sudo apt install curl git libcurl4-openssl-dev make zlib1g-dev gawk g++ gcc libreadline6-dev libssl-dev libyaml-dev libsqlite3-dev sqlite3 autoconf libgdbm-dev libncurses5-dev automake libtool bison pkg-config ruby ruby-bundler ruby-dev -y
Now install WPScan using Ruby’s gem installer
gem install wpscan
You will see output like this:
Fetching: mini_portile2-2.4.0.gem (100%)
Successfully installed mini_portile2-2.4.0
Fetching: nokogiri-1.10.3.gem (100%)
Building native extensions. This could take a while...
Successfully installed nokogiri-1.10.3
Fetching: concurrent-ruby-1.1.5.gem (100%)
Successfully installed concurrent-ruby-1.1.5
Fetching: i18n-1.6.0.gem (100%)
HEADS UP! i18n 1.1 changed fallbacks to exclude default locale.
But that may break your application.
Please check your Rails app for 'config.i18n.fallbacks = true'.
If you're using I18n (>= 1.1.0) and Rails (< 5.2.2), this should be
'config.i18n.fallbacks = [I18n.default_locale]'.
If not, fallbacks will be broken in your app by I18n 1.1.x.
For more info see:
https://github.com/svenfuchs/i18n/releases/tag/v1.1.0
Successfully installed i18n-1.6.0
Fetching: thread_safe-0.3.6.gem (100%)
Successfully installed thread_safe-0.3.6
Fetching: tzinfo-1.2.5.gem (100%)
Successfully installed tzinfo-1.2.5
Fetching: activesupport-5.2.3.gem (100%)
Successfully installed activesupport-5.2.3
Fetching: public_suffix-3.1.1.gem (100%)
Successfully installed public_suffix-3.1.1
Fetching: addressable-2.6.0.gem (100%)
Successfully installed addressable-2.6.0
Fetching: opt_parse_validator-1.7.3.gem (100%)
Successfully installed opt_parse_validator-1.7.3
Fetching: ruby-progressbar-1.10.1.gem (100%)
Successfully installed ruby-progressbar-1.10.1
Fetching: ffi-1.11.1.gem (100%)
Building native extensions. This could take a while...
Successfully installed ffi-1.11.1
Fetching: ethon-0.12.0.gem (100%)
Successfully installed ethon-0.12.0
Fetching: typhoeus-1.3.1.gem (100%)
Successfully installed typhoeus-1.3.1
Fetching: xmlrpc-0.3.0.gem (100%)
Successfully installed xmlrpc-0.3.0
Fetching: yajl-ruby-1.4.1.gem (100%)
Building native extensions. This could take a while...
Successfully installed yajl-ruby-1.4.1
Fetching: cms_scanner-0.5.4.gem (100%)
Successfully installed cms_scanner-0.5.4
Fetching: wpscan-3.6.1.gem (100%)
Successfully installed wpscan-3.6.1
Parsing documentation for mini_portile2-2.4.0
Installing ri documentation for mini_portile2-2.4.0
Parsing documentation for nokogiri-1.10.3
Installing ri documentation for nokogiri-1.10.3
Parsing documentation for concurrent-ruby-1.1.5
Installing ri documentation for concurrent-ruby-1.1.5
Parsing documentation for i18n-1.6.0
Installing ri documentation for i18n-1.6.0
Parsing documentation for thread_safe-0.3.6
Installing ri documentation for thread_safe-0.3.6
Parsing documentation for tzinfo-1.2.5
Installing ri documentation for tzinfo-1.2.5
Parsing documentation for activesupport-5.2.3
Installing ri documentation for activesupport-5.2.3
Parsing documentation for public_suffix-3.1.1
Installing ri documentation for public_suffix-3.1.1
Parsing documentation for addressable-2.6.0
Installing ri documentation for addressable-2.6.0
Parsing documentation for opt_parse_validator-1.7.3
Installing ri documentation for opt_parse_validator-1.7.3
Parsing documentation for ruby-progressbar-1.10.1
Installing ri documentation for ruby-progressbar-1.10.1
Parsing documentation for ffi-1.11.1
Installing ri documentation for ffi-1.11.1
Parsing documentation for ethon-0.12.0
Installing ri documentation for ethon-0.12.0
Parsing documentation for typhoeus-1.3.1
Installing ri documentation for typhoeus-1.3.1
Parsing documentation for xmlrpc-0.3.0
Installing ri documentation for xmlrpc-0.3.0
Parsing documentation for yajl-ruby-1.4.1
Installing ri documentation for yajl-ruby-1.4.1
Parsing documentation for cms_scanner-0.5.4
Installing ri documentation for cms_scanner-0.5.4
Parsing documentation for wpscan-3.6.1
Installing ri documentation for wpscan-3.6.1
Done installing documentation for mini_portile2, nokogiri, concurrent-ruby, i18n, thread_safe, tzinfo, activesupport, public_suffix, addressable, opt_parse_validator, ruby-progressbar, ffi, ethon, typhoeus, xmlrpc, yajl-ruby, cms_scanner, wpscan after 35 seconds
18 gems installed
Now we can move on to using WPScan to check some sites for vulnerabilities.
You should get permission from site owners before you scan their sites!
Using WPScan
Update the WPScan vulnerability database first with this WPScan command:
wpscan --update
You will see output like this
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.6.1
       Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________

[i] Updating the Database ...
[i] Update completed.
Now scan your website with WPScan, replacing the URL value below with your own site:
wpscan --url=https://wp-bullet.com
Output
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.6.1
       Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________
[+] URL: https://wp-bullet.com/
[+] Started: Wed Jul 24 19:09:21 2019
Interesting Finding(s):
[+] https://wp-bullet.com/
| Interesting Entries:
| - X-UA-Compatible: IE=edge
| - WP-Bullet-Fastcgi-Cache: HIT
| - CF-Cache-Status: MISS
| - Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
| - Server: cloudflare
| - CF-RAY: 4fb8301a3b98d26a-DFW
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] https://wp-bullet.com/robots.txt
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%
[+] https://wp-bullet.com/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
[+] https://wp-bullet.com/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] This site has 'Must Use Plugins': https://wp-bullet.com/wp-content/mu-plugins/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 80%
| Reference: http://codex.wordpress.org/Must_Use_Plugins
[+] https://wp-bullet.com/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.2.2 identified (Latest, released on 2019-06-18).
| Detected By: Query Parameter In Install Page (Aggressive Detection)
| - https://wp-bullet.com/wp-includes/css/buttons.min.css?ver=5.2.2
| - https://wp-bullet.com/wp-admin/css/install.min.css?ver=5.2.2
| - https://wp-bullet.com/wp-includes/css/dashicons.min.css?ver=5.2.2
| Confirmed By: Query Parameter In Upgrade Page (Aggressive Detection)
| - https://wp-bullet.com/wp-includes/css/buttons.min.css?ver=5.2.2
| - https://wp-bullet.com/wp-admin/css/install.min.css?ver=5.2.2
[+] WordPress theme in use: wpbullet
| Location: https://wp-bullet.com/wp-content/themes/wpbullet/
| Readme: https://wp-bullet.com/wp-content/themes/wpbullet/readme.txt
| Style URL: https://wp-bullet.com/wp-content/themes/wpbullet/style.css
| Style Name: WP Bullet
| Style URI: https://generatepress.com/mantle/
| Description: Mantle is a GeneratePress child theme. Using GeneratePress you can alter the child theme to your tas...
| Author: Thomas Usborne
| Author URI: http://edge22.com
|
| Detected By: Css Style (Passive Detection)
| Confirmed By: Urls In Homepage (Passive Detection)
|
| Version: 1.2.33 (80% confidence)
| Detected By: Style (Passive Detection)
| - https://wp-bullet.com/wp-content/themes/wpbullet/style.css, Match: 'Version: 1.2.33'
[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] easy-digital-downloads
| Location: https://wp-bullet.com/wp-content/plugins/easy-digital-downloads/
| Latest Version: 2.9.16 (up to date)
| Last Updated: 2019-06-12T04:36:00.000Z
|
| Detected By: Urls In Homepage (Passive Detection)
| Confirmed By: Meta Tag (Passive Detection)
|
| Version: 2.9.16 (100% confidence)
| Detected By: Meta Tag (Passive Detection)
| - https://wp-bullet.com/, Match: 'Easy Digital Downloads v2.9.16'
| Confirmed By: Readme - Stable Tag (Aggressive Detection)
| - https://wp-bullet.com/wp-content/plugins/easy-digital-downloads/readme.txt
[+] edd-all-access
| Location: https://wp-bullet.com/wp-content/plugins/edd-all-access/
|
| Detected By: Urls In Homepage (Passive Detection)
|
| The version could not be determined.
[+] edd-recurring
| Location: https://wp-bullet.com/wp-content/plugins/edd-recurring/
|
| Detected By: Urls In Homepage (Passive Detection)
|
| The version could not be determined.
[+] edd-reviews
| Location: https://wp-bullet.com/wp-content/plugins/edd-reviews/
|
| Detected By: Urls In Homepage (Passive Detection)
|
| Version: 2.1.10 (80% confidence)
| Detected By: Readme - Stable Tag (Aggressive Detection)
| - https://wp-bullet.com/wp-content/plugins/edd-reviews/readme.txt
[+] elementor
| Location: https://wp-bullet.com/wp-content/plugins/elementor/
| Last Updated: 2019-07-23T09:45:00.000Z
| [!] The version is out of date, the latest version is 2.6.6
|
| Detected By: Urls In Homepage (Passive Detection)
|
| Version: 2.5.16 (100% confidence)
| Detected By: Readme - Stable Tag (Aggressive Detection)
| - https://wp-bullet.com/wp-content/plugins/elementor/readme.txt
| Confirmed By: Javascript Comment (Aggressive Detection)
| - https://wp-bullet.com/wp-content/plugins/elementor/assets/js/admin-feedback.js, Match: 'elementor - v2.5.16'
[+] elementor-pro
| Location: https://wp-bullet.com/wp-content/plugins/elementor-pro/
|
| Detected By: Urls In Homepage (Passive Detection)
|
| The version could not be determined.
[+] gp-premium
| Location: https://wp-bullet.com/wp-content/plugins/gp-premium/
|
| Detected By: Urls In Homepage (Passive Detection)
|
| The version could not be determined.
[+] svg-support
| Location: https://wp-bullet.com/wp-content/plugins/svg-support/
| Latest Version: 2.3.15
| Last Updated: 2018-12-17T00:39:00.000Z
|
| Detected By: Urls In Homepage (Passive Detection)
|
| The version could not be determined.
[+] wordpress-seo
| Location: https://wp-bullet.com/wp-content/plugins/wordpress-seo/
| Last Updated: 2019-07-23T06:46:00.000Z
| [!] The version is out of date, the latest version is 11.7
|
| Detected By: Comment (Passive Detection)
|
| [!] 1 vulnerability identified:
|
| [!] Title: Yoast SEO 1.2.0-11.5 - Authenticated Stored XSS
| Fixed in: 11.6
| References:
| - https://wpvulndb.com/vulnerabilities/9445
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13478
| - https://gist.github.com/sybrew/2f53625104ee013d2f599ac254f635ee
| - https://github.com/Yoast/wordpress-seo/pull/13221
| - https://yoast.com/yoast-seo-11.6/
|
| Version: 11.5 (60% confidence)
| Detected By: Comment (Passive Detection)
| - https://wp-bullet.com/, Match: 'optimized with the Yoast SEO plugin v11.5 -'
[+] wp-bullet
| Location: https://wp-bullet.com/wp-content/plugins/wp-bullet/
|
| Detected By: Urls In Homepage (Passive Detection)
|
| The version could not be determined.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:02 <============================================================================================================================> (21 / 21) 100.00% Time: 00:00:02
[i] No Config Backups Found.
[+] Finished: Wed Jul 24 19:10:03 2019
[+] Requests Done: 97
[+] Cached Requests: 7
[+] Data Sent: 31.707 KB
[+] Data Received: 640.083 KB
[+] Memory used: 176.219 MB
[+] Elapsed time: 00:00:41
Looks like Yoast needs to be updated 🙂
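As an added example that is not part of the original post or of WPScan itself, here is a small Ruby helper that turns the plain-text plugin section of a report like the one above into a per-plugin triage list (detected version, latest version, out-of-date flag, listed vulnerabilities). The sample report embedded in it is constructed from the excerpt above; the function names are my own.

```ruby
# Added example (not from the original post or the WPScan project): a small
# Ruby helper that parses the plain-text plugin section WPScan prints, in the
# layout shown above, into a per-plugin triage summary.

# Sample report, constructed from an excerpt of the scan output shown above.
SAMPLE_REPORT = <<~REPORT
  [i] Plugin(s) Identified:
  [+] easy-digital-downloads
   | Latest Version: 2.9.16 (up to date)
   | Version: 2.9.16 (100% confidence)
  [+] elementor
   | [!] The version is out of date, the latest version is 2.6.6
   | Version: 2.5.16 (100% confidence)
  [+] gp-premium
   | The version could not be determined.
  [+] wordpress-seo
   | [!] The version is out of date, the latest version is 11.7
   | [!] 1 vulnerability identified:
   | [!] Title: Yoast SEO 1.2.0-11.5 - Authenticated Stored XSS
   |     Fixed in: 11.6
   | Version: 11.5 (60% confidence)
  [+] Enumerating Config Backups (via Passive and Aggressive Methods)
REPORT

# Returns { slug => { version:, latest:, out_of_date:, vulns: [{ title:, fixed_in: }] } }.
# A plugin whose version WPScan could not determine keeps version: nil.
def parse_wpscan_plugins(report)
  plugins = {}
  current = nil
  in_plugins = false
  report.each_line do |raw|
    line = raw.strip
    in_plugins = true if line.start_with?('[i] Plugin(s) Identified:')
    next unless in_plugins
    if line =~ /\A\[\+\] (\S+)\z/              # "[+] slug" opens a plugin block
      current = plugins[$1] = { version: nil, latest: nil, out_of_date: false, vulns: [] }
    elsif line.start_with?('[+] ')             # any other "[+] ..." line ends the plugin section
      break
    elsif current
      body = line.sub(/\A\|\s*/, '')           # drop the "| " column prefix
      case body
      when /\AVersion: (\S+)/        then current[:version] = $1
      when /\ALatest Version: (\S+)/ then current[:latest] = $1
      when /latest version is (\S+)/ then current[:latest] = $1; current[:out_of_date] = true
      when /\A\[!\] Title: (.+)\z/   then current[:vulns] << { title: $1, fixed_in: nil }
      when /\AFixed in: (\S+)/       then current[:vulns].last[:fixed_in] = $1 if current[:vulns].last
      end
    end
  end
  plugins
end

# Slugs that need attention: out of date, or with at least one listed vulnerability.
def plugins_needing_update(plugins)
  plugins.select { |_, p| p[:out_of_date] || !p[:vulns].empty? }.keys
end
```

For automation you can skip text parsing entirely: WPScan can also write a machine-readable report with `--format json` and `-o FILE`.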
If you want to try to detect even more plugins, you can use aggressive mode.
Be aware that aggressive plugin detection can take 2 hours or more!
wpscan --url=https://wp-bullet.com --plugins-detection=aggressive