Releases: wpscanteam/wpscan
Releases · wpscanteam/wpscan
Release list
v4.0.1
What's Changed
Fixed
- Updated WPScan CLI to use WPScan API v4, which includes correct handling of backported/multi-range vulnerability fixes by @Initsogar in #2053
Maintenance
- Fixed
WPSCAN_API_TOKENtest isolation by @Initsogar in #2049 - Fixed a RuboCop compatibility issue around safe navigation and empty checks by @Initsogar in #2062
- Docker release workflow now pushes the versioned image tag and, for stable releases, the
latesttag in the same release build by @ArSn in #2058 - Implemented additional previously skipped specs by @Initsogar in #2048
- Updated pinned GitHub Actions and Docker build workflow dependencies
Full Changelog: v4.0.0...v4.0.1
v4.0.0
What's Changed
⚠️ Breaking Changes: This is a major version release (4.0.0) and contains breaking changes. It is not 100% backwards compatible with version 3.x. Please review the changes below.
TL;DR for upgrading from 3.x
- Ruby 3.3+ required (Ruby 4.0 supported)
- WPScan no longer auto-scans plugins by default—use
-e apto scan plugins - New
--wp-authoption for accurate WordPress authentication-based enumeration - New
--expect-samlflag for SAML authentication support - New
--format jsonl(streaming) and--format sarifoutput formats - New installations use XDG directories (
~/.cache/wpscan/db,~/.config/wpscan/)
Added
--wp-authoption for WordPress Application Password authentication providing authoritative plugin/theme inventory by @ArSn in #2021--format jsonlstreaming output format for real-time results by @ArSn in #2012--format sarifoutput format for CI/CD integration by @ArSn in #2000--max-retries Noption for automatic brute force request retry by @Initsogar in #2028--wordlist-skip Noption to resume interrupted brute force attacks by @Initsogar in #2025--follow-redirectoption to automatically follow HTTP redirects by @Initsogar in #1995--proxy-target-onlyoption for selective proxy usage by @ArSn in #1975--expect-samlflag for SAML authentication support by @Initsogar in #2035--exclude-vulnsoption for UUID-based vulnerability exclusion by @Initsogar in #2017- Backup folder enumeration via
-e backup-foldersor-e bfby @Initsogar in #2024 - Ruby 4.0 support by @Usiel in #1953
- XDG Base Directory support for new installations:
~/.cache/wpscan/dband~/.config/wpscan/(existing installations continue using~/.wpscan/) by @alichtman in #1815 and @noraj in #2029 - HTTP status code tracking with warnings for excessive errors by @Initsogar in #2009
- Proof-of-Concept information in vulnerability output by @Initsogar in #2005
- Last updated date for plugins and themes from WordPress.org API by @ArSn in #2015
- Active install count for detected plugins and themes by @ArSn in #2013
- Audit information (command line and hostname) in scan output by @Initsogar in #2006
- Comprehensive test coverage: E2E integration tests, acceptance tests, and implemented skipped tests by @Initsogar and @ArSn in #1978, #1989, #2023, #2037
- Dynamic finder for SearchWP premium plugin by @ArSn in #1993
- AGENTS.md file for AI coding assistant guidance by @Initsogar in #1966
Changed
- Plugin, theme, and user results now stream to output in real-time by @ArSn in #2027
- Improved color handling: file output defaults to no color, respects
NO_COLORenvironment variable and TTY detection by @ArSn in #2031 --plugins-listand--themes-listnow override-eoptions by @ArSn in #2011- Merged cms_scanner gem into wpscan codebase including 8.5k+ lines of tests by @ArSn in #1977, #1979
- Integrated opt_parse_validator gem into repository by @ArSn in #1980
- Temporary directory now respects
$TMPDIRenvironment variable by @ArSn in #1994 - Limited maximum redirects to prevent infinite loops by @ArSn in #2022
- Maximum PHP log file size limit (20 MiB default) to prevent memory exhaustion by @ArSn in #1992
- Standardized on Pathname objects for path handling across codebase by @Initsogar in #2034, #2038
- Improved error messages across the board (database updates, API errors, permissions, thresholds) by @Initsogar and @ArSn in #1997, #1998, #2002, #2020, #2026, #2032
- Improved CI/CD workflow with optimizations and better coverage reporting by @Initsogar and @ArSn in #1963, #1965, #1976, #2007
Removed
- Default plugin and config backup enumeration - must use explicit
-eflag by @Initsogar in #2008 --timthumbs-detection,--config-backups-detection,--db-exports-detection, and--medias-detectionoptions by @Initsogar in #2033- Support for Ruby 3.0, 3.1, and 3.2 - minimum version is now 3.3 by @ArSn in #1973
Fixed
Errno::ENAMETOOLONGerror when using long comma-separated lists by @Initsogar in #1996- Non-JSON responses from WPScan API now handled gracefully by @Initsogar in #2001
- Invalid WordPress JSON response handling by @alexsanford in #1818
Security
- Improved security and code quality tooling: Qlty CI integration, GitHub Actions pinning, template injection fix, replaced CodeClimate by @ArSn in #2039, #2040, #2042, #2043
New Contributors
- @dkmyta made their first contribution in #1905
- @l0pens made their first contribution in #1913
- @Initsogar made their first contribution in #1961
- @Usiel made their first contribution in #1953
- @lambdakilo made their first contribution in #1847
- @AMetIR made their first contribution in #1740
- @alichtman made their first contribution in #1815
- @musaabhasan made their first contribution in #2003
- @noraj made their first contribution in #2029
Thank you to everyone who contributed to this release!
Full Changelog: v3.8.28...v4.0.0
v3.8.28
v3.8.27
v3.8.26
What's Changed
- Re-add ruby 3.2 to build by @alexsanford in #1803
- README: Inline to code block for macOS download by @devidw in #1711
- Fixed #1759 by @0n1shi in #1787
- Fix case where a theme slug is all non-latin characters by @alexsanford in #1814
- Updates DFs by @erwanlr in #1820
- Bump docker/login-action from 2.2.0 to 3.0.0 by @dependabot in #1807
- Bump docker/build-push-action from 4 to 5 by @dependabot in #1805
- Bump docker/setup-buildx-action from 2 to 3 by @dependabot in #1804
- Bump docker/setup-qemu-action from 2 to 3 by @dependabot in #1806
- Update simplecov requirement from ~> 0.21.0 to ~> 0.22.0 by @dependabot in #1765
- Updates Deps by @erwanlr in #1854
- Populate valid versions from metadata, too by @Nirusu in #1850
- Bump docker/build-push-action from 5 to 6 by @dependabot in #1857
- Bump docker/login-action from 3.0.0 to 3.3.0 by @dependabot in #1856
- Updates cms-scanner dep by @erwanlr in #1855
New Contributors
- @alexsanford made their first contribution in #1803
- @devidw made their first contribution in #1711
- @0n1shi made their first contribution in #1787
- @Nirusu made their first contribution in #1850
Full Changelog: v3.8.25...v3.8.26
v3.8.25
What's Changed
- Bump actions/checkout from 3 to 4 by @dependabot in #1798
- Update webmock requirement from ~> 3.18.1 to ~> 3.19.1 by @dependabot in #1797
- Bump docker/login-action from 2.1.0 to 2.2.0 by @dependabot in #1785
Full Changelog: v3.8.24...v3.8.25
v3.8.24
v3.8.23
v3.8.22
See https://github.com/wpscanteam/CMSScanner/releases/tag/v0.13.8
- Minor:
- Better handling of redirection, ie when target http->https (or the opposite), the target URL will be changed to the new one automatically to avoid scanning the http version and getting 301 which could result in items being missed
- Better handling of unsupported HEAD method by checking for 501 and timeout as well