What is WPScan?
WPScan is an open-source WordPress security scanner used to:
- Identify the WordPress version
- Enumerate plugins, themes and users
- Detect known vulnerabilities (CVEs) in those components
- Link findings to references (advisories, public exploits) and fixed versions
It is mainly used by:
- Penetration testers
- Bug bounty hunters
- Security auditors
- Blue teams (defensive assessments)
Why WPScan exists
WordPress powers roughly 40% of all websites.
Most successful attacks on WordPress sites come down to:
- Outdated plugins
- Vulnerable themes
- Weak configurations
WPScan automates recon and vulnerability mapping for exactly these components.
How WPScan works (conceptually)
WPScan uses:
- Passive checks (parse only the pages a normal visitor would load: low noise, but not invisible)
- Aggressive checks (request known plugin, theme and file paths directly: thorough, but every probe lands in the target's access log)
- Fingerprinting (version strings in HTML, readme.txt files, hashes of known static files)
- The WPScan vulnerability database
With a WPScan API token (--api-token), it links findings to:
- CVE IDs
- Severity
- Fixed versions
- References
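The "requests that may be logged" point above is exactly what a blue team can key on. The following is an added example, not WPScan's own code: it scores client IPs in a constructed combined-format access log against three WPScan signatures, the default User-Agent (absent when --random-user-agent is used), bursts of /wp-content/plugins/<slug>/readme.txt probes from aggressive plugin detection, and /?author=N sweeps plus the REST users route from user enumeration. The sample log, the User-Agent string and the thresholds are assumptions made for the example.

```python
"""Spot WPScan-style reconnaissance in web-server access logs.

Added example for this page, not WPScan's own code. The log lines are
constructed in combined log format, the User-Agent string is representative
of WPScan's default, and the thresholds are assumptions chosen for
illustration; tune them to your own traffic before alerting on them.
"""
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Request shapes WPScan produces: aggressive plugin detection fetches each
# candidate plugin's readme.txt, user enumeration sweeps /?author=N and the
# REST users route. An ordinary visitor almost never requests these.
PLUGIN_README = re.compile(r"^/wp-content/plugins/[^/]+/readme\.txt$")
AUTHOR_SWEEP = re.compile(r"^/\?author=\d+$")
REST_USERS = re.compile(r"^/wp-json/wp/v2/users(?:[/?]|$)")

WPSCAN_UA = "WPScan v3.8.25 (https://wpscan.com/wordpress-security-scanner)"  # representative default UA
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0"


def _line(ip, path, status, ua, ts="01/May/2024:10:00:00 +0000"):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'


# Constructed sample log: one scanner with the default UA running aggressive
# plugin detection, one hiding behind --random-user-agent while enumerating
# users, and one ordinary visitor.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.5", "/", 200, WPSCAN_UA)]
    + [_line("203.0.113.5", f"/wp-content/plugins/{slug}/readme.txt", 404, WPSCAN_UA)
       for slug in ("akismet", "contact-form-7", "wordfence", "yoast-seo", "elementor", "jetpack")]
    + [_line("198.51.100.9", f"/?author={n}", 301, BROWSER_UA) for n in range(1, 6)]
    + [_line("198.51.100.9", "/wp-json/wp/v2/users", 200, BROWSER_UA)]
    + [_line("192.0.2.10", "/", 200, BROWSER_UA), _line("192.0.2.10", "/hello-world/", 200, BROWSER_UA)]
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def score_sources(log_text, readme_threshold=5, author_threshold=3):
    """Per client IP: indicator counts plus the list of reasons it was flagged (empty = not flagged)."""
    stats = defaultdict(lambda: {"ua_match": False, "readme_probes": 0,
                                 "author_sweep": 0, "rest_users": 0, "reasons": []})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        if "wpscan" in rec["ua"].lower():       # default UA; absent with --random-user-agent
            s["ua_match"] = True
        if PLUGIN_README.match(rec["path"]):
            s["readme_probes"] += 1
        elif AUTHOR_SWEEP.match(rec["path"]):
            s["author_sweep"] += 1
        elif REST_USERS.match(rec["path"]):
            s["rest_users"] += 1
    for s in stats.values():
        if s["ua_match"]:
            s["reasons"].append("default WPScan User-Agent")
        if s["readme_probes"] >= readme_threshold:
            s["reasons"].append(f"{s['readme_probes']} plugin readme.txt probes")
        if s["author_sweep"] >= author_threshold:
            s["reasons"].append(f"/?author=N sweep over {s['author_sweep']} ids")
        if s["rest_users"]:                     # assumption: one hit is already worth a look
            s["reasons"].append("REST users route requested")
    return dict(stats)


def flagged_sources(log_text, **thresholds):
    """Sorted list of client IPs with at least one reason."""
    return sorted(ip for ip, s in score_sources(log_text, **thresholds).items() if s["reasons"])


if __name__ == "__main__":
    for ip, s in score_sources(SAMPLE_LOG).items():
        print(ip, "FLAGGED" if s["reasons"] else "ok", "; ".join(s["reasons"]))
```

The second scanner never exposes the WPScan User-Agent, which is why the path-based signatures matter more than the UA string: a randomized User-Agent hides the banner, not the request pattern.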
What WPScan can detect
1. WordPress Core
- WordPress version
- Known vulnerabilities
- Interesting response headers (server banners, X-Powered-By)
2. Plugins (the biggest attack surface)
- Installed plugins
- Plugin versions
- Vulnerabilities in plugins
- Exploit references
Example:
  Plugin: contact-form-7
  Vulnerability: Unauthenticated File Upload
3. Themes
- Active theme
- Outdated themes
- Vulnerabilities in themes
4. User Enumeration
Finds usernames via:
- REST API (/wp-json/wp/v2/users)
- Author archives (/?author=N redirects to /author/<name>/ when the ID exists)
- Login error messages (wp-login.php words the error differently for a known username)
Why this matters: a confirmed username turns a blind guess into a targeted attack:
- Brute force against a known account
- Password spraying (one common password across many valid usernames)
- Credential stuffing (breached passwords tried against that username)
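What WPScan actually looks for in each of those three vectors, as an added example that is not the tool's own code: the functions below extract usernames from the REST users response, from the author-archive redirect target and body class, and from the wording of the wp-login.php error. The responses are constructed, simplified reconstructions of WordPress output for a hypothetical blog.example site, not captures from a real target.

```python
"""The three username-disclosure vectors WPScan checks, run against constructed
responses. Added example for this page, not WPScan's code: the JSON body,
redirect targets, HTML fragments and login error texts below are simplified
reconstructions of what WordPress returns, not captures from a real site.
"""
from __future__ import annotations

import json
import re


def users_from_rest(body: str) -> list[str]:
    """/wp-json/wp/v2/users answers with a JSON array of user objects; 'slug' is the nicename."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return []
    if not isinstance(data, list):
        return []
    return [u["slug"] for u in data if isinstance(u, dict) and isinstance(u.get("slug"), str)]


def user_from_author_redirect(location: str | None) -> str | None:
    """/?author=N redirects to /author/<nicename>/ when user id N exists (no redirect otherwise)."""
    if not location:
        return None
    m = re.search(r"/author/([^/?#]+)/?", location)
    return m.group(1) if m else None


def user_from_body_class(html: str) -> str | None:
    """Author archive pages carry an author-<nicename> body class (author-<id> is skipped)."""
    m = re.search(r'<body[^>]*class="[^"]*?\bauthor-(?!\d+\b)([A-Za-z0-9_.-]+)', html)
    return m.group(1) if m else None


def username_valid_from_login_error(html: str) -> bool | None:
    """wp-login.php words its error differently for a known vs. unknown username;
    that difference is the oracle behind WPScan's 'Login Error Messages' check.
    True: username exists (password wrong); False: unknown; None: no verdict."""
    text = re.sub(r"<[^>]+>", " ", html)
    if re.search(r"password you entered for the (?:username|email address)\s+\S+\s+is incorrect", text, re.I):
        return True
    if re.search(r"is not registered on this site|invalid username", text, re.I):
        return False
    return None


# Constructed sample responses from one hypothetical target (blog.example).
SAMPLES = {
    "rest_body": '[{"id": 1, "name": "Site Owner", "slug": "admin"}, {"id": 4, "name": "Jane", "slug": "jane"}]',
    "author_redirects": {1: "https://blog.example/author/admin/", 2: None,
                         3: "https://blog.example/author/editor-dave/"},
    "author_pages": {3: '<html><body class="archive author author-editor-dave author-3">...</body></html>'},
    "login_errors": {
        "admin": '<div id="login_error"><strong>Error:</strong> The password you entered for the username <strong>admin</strong> is incorrect.</div>',
        "bob": '<div id="login_error"><strong>Error:</strong> The username <strong>bob</strong> is not registered on this site.</div>',
    },
}


def enumerate_users(samples: dict) -> dict[str, set[str]]:
    """Map each disclosed username to the vectors that disclosed it."""
    found: dict[str, set[str]] = {}

    def add(name: str, via: str) -> None:
        found.setdefault(name, set()).add(via)

    for name in users_from_rest(samples.get("rest_body", "")):
        add(name, "rest-api")
    for location in samples.get("author_redirects", {}).values():
        name = user_from_author_redirect(location)
        if name:
            add(name, "author-redirect")
    for html in samples.get("author_pages", {}).values():
        name = user_from_body_class(html)
        if name:
            add(name, "author-body-class")
    for name, html in samples.get("login_errors", {}).items():
        if username_valid_from_login_error(html):
            add(name, "login-error")
    return found


if __name__ == "__main__":
    for name, vectors in sorted(enumerate_users(SAMPLES).items()):
        print(f"{name}: {', '.join(sorted(vectors))}")
```

Each vector is independent, which is why WPScan reports both "Found By" and "Confirmed By": a name that shows up in the REST API and again in an author redirect is far more reliable than one seen once.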
5. Configuration Issues
- XML-RPC enabled (xmlrpc.php; amplifies brute force via system.multicall and allows pingback abuse)
- Directory listing (e.g. wp-content/uploads)
- Exposed debug info (wp-content/debug.log)
- Leftover files (wp-config.php backups, readme.html revealing the version)
Common WPScan features
| Feature | Flag | Purpose |
|---|---|---|
| Passive detection | --detection-mode passive | Parses only the pages a normal visitor would load; low noise |
| Aggressive detection | --detection-mode aggressive (or --plugins-detection aggressive) | Requests known plugin/theme paths directly; deeper, noisy |
| Enumeration | -e / --enumerate (e.g. vp,vt,u) | Plugins, themes, users |
| API integration | --api-token | Vulnerability details (CVE IDs, fixed versions, references) |
| Output formats | --format cli or --format json, -o file | Coloured CLI text, or JSON for scripting |
| Random User-Agent | --random-user-agent (--rua) | Avoid trivial blocking on the default WPScan User-Agent |
| TLS bypass | --disable-tls-checks | Scan hosts with self-signed or broken certificates |
Example WPScan command
wpscan --url https://target.com -e ap,at,u
Explanation:
- -e ap: enumerate all plugins
- -e at: enumerate all themes
- -e u: enumerate users (user IDs 1-10 by default; u1-50 widens the range)
Use vp,vt instead of ap,at when you only need components with known vulnerabilities; it is much faster and quieter.
WPScan API Key (VERY IMPORTANT)
Without an API token:
- Components and versions are still detected, but no vulnerability data is printed
With an API token (--api-token; a free tier with a daily request limit exists):
- CVE IDs
- Severity
- Fixed versions
- References
This is what turns WPScan from a fingerprinter into a vulnerability scanner.
WPScan in real pentesting
WPScan is used in the recon phase, not exploitation.
Typical flow:
- Identify WordPress
- Run WPScan
- Analyze the vulnerable plugin/theme (check the version confidence WPScan reports)
- Search for a public exploit or advisory (Exploit-DB, GitHub, the reference links in the finding)
- Manually validate that the vulnerable code path is actually reachable
- Report impact
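Steps 2 to 5 of that flow are easier to drive from JSON (wpscan --url https://target.com --api-token <token> --format json -o report.json) than from the CLI output. The script below is an added example, not part of WPScan: it flattens the report, decides per vulnerability whether the installed version is below fixed_in, and separates "actionable now" from "version not detected, verify by hand" (WPScan lists every known issue for a component whose version it could not determine) and from stale entries that are already patched. The report it parses is constructed, and its field names reproduce the WPScan JSON layout from memory, so check them against a real report before relying on them.

```python
"""Triage a WPScan JSON report: which vulnerable components need action now.

Added example for this page, not WPScan's own code. SAMPLE_REPORT is constructed;
it follows the key layout of `wpscan --format json -o report.json` (target_url,
version, plugins, themes; each component with version.number and a
vulnerabilities list carrying title and fixed_in) as the author of this example
remembers it, so treat the field names as an assumption and check them against a
real report. Slugs, versions and vulnerability titles are made up.
"""
from __future__ import annotations

import json
import re

SAMPLE_REPORT = json.loads("""
{
  "target_url": "https://blog.example/",
  "version": {"number": "6.4.2", "status": "outdated", "vulnerabilities": []},
  "plugins": {
    "example-forms": {
      "slug": "example-forms",
      "version": {"number": "1.4.0", "confidence": 80},
      "vulnerabilities": [
        {"title": "Example Forms < 1.5.0 - Unauthenticated File Upload",
         "fixed_in": "1.5.0", "references": {"url": []}}
      ]
    },
    "example-gallery": {
      "slug": "example-gallery",
      "version": null,
      "vulnerabilities": [
        {"title": "Example Gallery < 2.0 - Reflected Cross-Site Scripting",
         "fixed_in": "2.0", "references": {}}
      ]
    },
    "example-cache": {
      "slug": "example-cache",
      "version": {"number": "3.2.1", "confidence": 100},
      "vulnerabilities": [
        {"title": "Example Cache < 3.0 - SQL Injection",
         "fixed_in": "3.0", "references": {}}
      ]
    }
  },
  "themes": {}
}
""")


def version_key(version: str) -> tuple[int, ...]:
    """'1.5.0' -> (1, 5, 0); non-numeric fragments are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def classify(installed: str | None, fixed_in: str | None) -> str:
    """'yes' = installed version is below the fix, 'no' = already patched,
    'unknown' = WPScan could not determine the version, so it lists every
    known issue for the component and a human has to confirm."""
    if installed is None:
        return "unknown"
    if fixed_in is None:          # no fix published: treat as live
        return "yes"
    return "yes" if version_key(installed) < version_key(fixed_in) else "no"


def triage(report: dict) -> list[dict]:
    """Flatten core, plugin and theme vulnerabilities into one list, most urgent first."""
    components = [("core", "wordpress", report.get("version") or {})]
    for kind in ("plugins", "themes"):
        for slug, comp in (report.get(kind) or {}).items():
            components.append((kind[:-1], slug, comp))
    findings = []
    for kind, slug, comp in components:
        if kind == "core":
            installed = comp.get("number")
        else:
            installed = (comp.get("version") or {}).get("number")
        for vuln in comp.get("vulnerabilities") or []:
            findings.append({
                "component": f"{kind}:{slug}",
                "installed": installed,
                "title": vuln.get("title"),
                "fixed_in": vuln.get("fixed_in"),
                "status": classify(installed, vuln.get("fixed_in")),
            })
    order = {"yes": 0, "unknown": 1, "no": 2}
    findings.sort(key=lambda f: (order[f["status"]], f["component"]))
    return findings


def summary(report: dict) -> dict[str, int]:
    """Counts per status: actionable now, needs manual version check, stale (already fixed)."""
    counts = {"actionable": 0, "verify": 0, "stale": 0}
    for f in triage(report):
        counts[{"yes": "actionable", "unknown": "verify", "no": "stale"}[f["status"]]] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f['status']:>7}] {f['component']} {f['installed'] or '?'} -> fixed in {f['fixed_in']}: {f['title']}")
    print(summary(SAMPLE_REPORT))
```

The "unknown" bucket is the one that costs time in real engagements: a plugin whose version WPScan could not read gets every historical advisory attached, and only a manual check (readme.txt, changelog, behaviour) tells you which of them still apply.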
What WPScan is NOT
Important to tell students:
- Not an exploit tool
- Not a brute-force tool by default (a password attack exists via --passwords / --usernames, but it is opt-in and noisy)
- Not a "hack WordPress in one click" tool
It gives intel, not shells.
Legal and ethical usage
Only scan:
- Your own sites
- Labs
- Targets you are explicitly authorized to test
Unauthorized scanning is illegal, and an aggressive scan is easily noticed by the target.
