What is WPScan ?
WPScan is a WordPress vulnerability scanner that can be used to scan remote WordPress installations to find security issues.It can also be used for enumeration.
When to Use ?
- When you want to fingerprint the installed WordPress version
- When you want to show vulnerabilities in the WordPress that is used
- When you want to enumerate plugins and themes that are used and show their vulnerabilities
- When you want to enumerate the WordPress users
How it Works ?
The scanner connects to the target WordPress website and does a series of passive checks to identify the WordPress version, plugins, themes and users.
By analyzing the HTML source code and the HTTP headers, WPScan manages to extract all the necessary information to perform the assessment. The vulnerabilities presented are determined based on the specific versions of WordPress or plugins/themes that have been identified.
The tool also has a database of WordPress vulnerabilities which is maintained and updated periodically.
Example:
Enumerating Users using WPScan