Skip to content

Releases: wpscanteam/wpscan

v4.0.1

Choose a tag to compare

@Initsogar Initsogar released this 08 Jul 18:34
dd1565a

What's Changed

Fixed

  • Updated WPScan CLI to use WPScan API v4, which includes correct handling of backported/multi-range vulnerability fixes by @Initsogar in #2053

Maintenance

  • Fixed WPSCAN_API_TOKEN test isolation by @Initsogar in #2049
  • Fixed a RuboCop compatibility issue around safe navigation and empty checks by @Initsogar in #2062
  • Docker release workflow now pushes the versioned image tag and, for stable releases, the latest tag in the same release build by @ArSn in #2058
  • Implemented additional previously skipped specs by @Initsogar in #2048
  • Updated pinned GitHub Actions and Docker build workflow dependencies

Full Changelog: v4.0.0...v4.0.1

v4.0.0

Choose a tag to compare

@Initsogar Initsogar released this 19 May 15:12
55d2176

What's Changed

⚠️ Breaking Changes: This is a major version release (4.0.0) and contains breaking changes. It is not 100% backwards compatible with version 3.x. Please review the changes below.

TL;DR for upgrading from 3.x

  • Ruby 3.3+ required (Ruby 4.0 supported)
  • WPScan no longer auto-scans plugins by default—use -e ap to scan plugins
  • New --wp-auth option for accurate WordPress authentication-based enumeration
  • New --expect-saml flag for SAML authentication support
  • New --format jsonl (streaming) and --format sarif output formats
  • New installations use XDG directories (~/.cache/wpscan/db, ~/.config/wpscan/)

Added

  • --wp-auth option for WordPress Application Password authentication providing authoritative plugin/theme inventory by @ArSn in #2021
  • --format jsonl streaming output format for real-time results by @ArSn in #2012
  • --format sarif output format for CI/CD integration by @ArSn in #2000
  • --max-retries N option for automatic brute force request retry by @Initsogar in #2028
  • --wordlist-skip N option to resume interrupted brute force attacks by @Initsogar in #2025
  • --follow-redirect option to automatically follow HTTP redirects by @Initsogar in #1995
  • --proxy-target-only option for selective proxy usage by @ArSn in #1975
  • --expect-saml flag for SAML authentication support by @Initsogar in #2035
  • --exclude-vulns option for UUID-based vulnerability exclusion by @Initsogar in #2017
  • Backup folder enumeration via -e backup-folders or -e bf by @Initsogar in #2024
  • Ruby 4.0 support by @Usiel in #1953
  • XDG Base Directory support for new installations: ~/.cache/wpscan/db and ~/.config/wpscan/ (existing installations continue using ~/.wpscan/) by @alichtman in #1815 and @noraj in #2029
  • HTTP status code tracking with warnings for excessive errors by @Initsogar in #2009
  • Proof-of-Concept information in vulnerability output by @Initsogar in #2005
  • Last updated date for plugins and themes from WordPress.org API by @ArSn in #2015
  • Active install count for detected plugins and themes by @ArSn in #2013
  • Audit information (command line and hostname) in scan output by @Initsogar in #2006
  • Comprehensive test coverage: E2E integration tests, acceptance tests, and implemented skipped tests by @Initsogar and @ArSn in #1978, #1989, #2023, #2037
  • Dynamic finder for SearchWP premium plugin by @ArSn in #1993
  • AGENTS.md file for AI coding assistant guidance by @Initsogar in #1966

Changed

  • Plugin, theme, and user results now stream to output in real-time by @ArSn in #2027
  • Improved color handling: file output defaults to no color, respects NO_COLOR environment variable and TTY detection by @ArSn in #2031
  • --plugins-list and --themes-list now override -e options by @ArSn in #2011
  • Merged cms_scanner gem into wpscan codebase including 8.5k+ lines of tests by @ArSn in #1977, #1979
  • Integrated opt_parse_validator gem into repository by @ArSn in #1980
  • Temporary directory now respects $TMPDIR environment variable by @ArSn in #1994
  • Limited maximum redirects to prevent infinite loops by @ArSn in #2022
  • Maximum PHP log file size limit (20 MiB default) to prevent memory exhaustion by @ArSn in #1992
  • Standardized on Pathname objects for path handling across codebase by @Initsogar in #2034, #2038
  • Improved error messages across the board (database updates, API errors, permissions, thresholds) by @Initsogar and @ArSn in #1997, #1998, #2002, #2020, #2026, #2032
  • Improved CI/CD workflow with optimizations and better coverage reporting by @Initsogar and @ArSn in #1963, #1965, #1976, #2007

Removed

  • Default plugin and config backup enumeration - must use explicit -e flag by @Initsogar in #2008
  • --timthumbs-detection, --config-backups-detection, --db-exports-detection, and --medias-detection options by @Initsogar in #2033
  • Support for Ruby 3.0, 3.1, and 3.2 - minimum version is now 3.3 by @ArSn in #1973

Fixed

  • Errno::ENAMETOOLONG error when using long comma-separated lists by @Initsogar in #1996
  • Non-JSON responses from WPScan API now handled gracefully by @Initsogar in #2001
  • Invalid WordPress JSON response handling by @alexsanford in #1818

Security

  • Improved security and code quality tooling: Qlty CI integration, GitHub Actions pinning, template injection fix, replaced CodeClimate by @ArSn in #2039, #2040, #2042, #2043

New Contributors

Thank you to everyone who contributed to this release!

Full Changelog: v3.8.28...v4.0.0

v3.8.28

Choose a tag to compare

@erwanlr erwanlr released this 24 Feb 16:05
885cbbf
  • Minor:
    • Updated deps
    • Support for Ruby 3.4
    • Fixed parsing error when using ruby 3.4 - Ref #1881
    • Updated Docker Image to use Ruby 3.4.2
    • Fixed a typo in the Readme - Ref #1884

v3.8.27

Choose a tag to compare

@erwanlr erwanlr released this 05 Sep 15:06
ad125f9

What's Changed

Full Changelog: v3.8.26...v3.8.27

v3.8.26

Choose a tag to compare

@erwanlr erwanlr released this 05 Sep 11:39
911478d

What's Changed

New Contributors

Full Changelog: v3.8.25...v3.8.26

v3.8.25

Choose a tag to compare

@alexsanford alexsanford released this 29 Sep 12:22

What's Changed

Full Changelog: v3.8.24...v3.8.25

v3.8.24

Choose a tag to compare

@ArSn ArSn released this 09 Jun 12:43

This is a management release to ensure that the gem is properly pushed to the rubygems channel, as this has failed with the last tagged release. No functionality has changed since v3.8.23.

v3.8.23

Choose a tag to compare

@ArSn ArSn released this 08 Jun 15:17
  • Minor:
    • Updated --password-attack help text to mentions that xmlrpc multi call attack will only work against WP < 4.4 - Ref #1755
    • Fixed a small bug where the API calls would fail when both a proxy with authentication and an API token were used at the same time - ref #1783

v3.8.22

Choose a tag to compare

@erwanlr erwanlr released this 04 Apr 14:04

See https://github.com/wpscanteam/CMSScanner/releases/tag/v0.13.8

  • Minor:
    • Better handling of redirection, ie when target http->https (or the opposite), the target URL will be changed to the new one automatically to avoid scanning the http version and getting 301 which could result in items being missed
    • Better handling of unsupported HEAD method by checking for 501 and timeout as well

v3.8.21

Choose a tag to compare

@erwanlr erwanlr released this 22 Feb 16:22
  • Minor
    • Improved plugin version detection via changelog section in the Readme - Ref #1692
    • Fixed deprecation warnings - Ref #1709