Exploring WordPress Vulnerabilities - WPScan

WPScan is a black box WordPress security scanner, free for non-commercial use, written for security professionals and blog maintainers to test the security of their sites. It can also tell you whether weak passwords, enumerable users or security configuration issues are present. The vulnerability database at https://wpscan.com/ is used to check for vulnerable software, and the WPScan team maintains this ever-growing list of vulnerabilities.

WPScan comes in two forms: a WordPress plugin and a Linux-based command-line scanner. Today we are going to look at how to use the Linux-based scanner to explore WordPress vulnerabilities.

You can click here to get help installing WPScan on your Linux machine.

Once you have finished installing WPScan, you can run the  wpscan --h  command to confirm that the installation was successful; the output looks like the following image.

Figure: output of "wpscan --h"

You can now update the WPScan database with the  wpscan --update  command; the output will look like this.

Figure: output of "wpscan --update"

Now we can start the scanning process to identify vulnerable WordPress themes, plugins, users and so on. This will tell you whether your website is at high risk of being compromised.
The following basic command performs a quick scan and reports your website's basic issues, such as an exposed WordPress version number:
  wpscan --url <Website URL>

Example: wpscan --url http://techblog.domains.lk/

The result of the above command looks like this.

We can also look for specific vulnerabilities by adding arguments to the end of this basic command.

The WPScan CLI tool uses the WPScan API to retrieve WordPress vulnerability data in real time. For WPScan to retrieve the vulnerability data, an API token must be supplied via the  --api-token  option or via a configuration file. An API token can be obtained by registering an account on WPScan.


WPScan Enumeration Scan

When enumerating the WordPress version, installed plugins or installed themes, you can use three different "modes", which are:

            • passive
            • aggressive
            • mixed

If you want the most results, use the "mixed" mode. However, if you are worried that the server may not be able to handle a large number of requests, use the "passive" mode. The default mode is "mixed", with the exception of plugin enumeration, whose default is "passive". If you want anything other than the default for plugin detection, you must override it manually with the  --plugins-detection  option.

WPScan can enumerate various things from a remote WordPress application, such as plugins, themes, usernames, backed-up wp-config.php files, Timthumb files, database exports and more. To use WPScan's enumeration capabilities, supply the  -e  option.

The following enumeration options exist:

          • vp (Vulnerable plugins)
          • ap (All plugins)
          • p (Popular plugins)
          • vt (Vulnerable themes)
          • at (All themes)
          • t (Popular themes)
          • tt (Timthumbs)
          • cb (Config backups)
          • dbe (Db exports)
          • u (User IDs range. e.g: u1-5)
          • m (Media IDs range. e.g m1-15)

As a black box scanner, WPScan does not have access to source code. It uses the same enumeration techniques a real attacker would to gather information about a WordPress target. Some of the most common enumeration checks WPScan performs during a scan are:

  • Detecting the versions of WordPress core, plugins and themes,
  • Checking for publicly accessible wp-config.php backups or other database exports,
  • Enumerating WordPress users.

The following command pattern can be used to scan for vulnerabilities with an enumeration option and an API token:
  wpscan --url <Website URL> -e <enumerate option> --api-token <API Token>

  • Checking for vulnerable plugins:
    wpscan --url http://techblog.domains.lk/ -e vp --api-token <your API Token>

  • Checking for vulnerable themes:
    wpscan --url http://techblog.domains.lk/ -e vt --api-token <your API Token>

  • Enumerating users:
    wpscan --url http://techblog.domains.lk/ -e u --api-token <your API Token>

Output from the above commands may look like this.
If vulnerable plugins or themes are found, you will see red exclamation icons as above, along with references to further information. Any vulnerable plugin should be updated to a version that patches the vulnerability; if you cannot update it, it should be removed and replaced.

WPScan can not only enumerate the versions of themes and plugins running on a WordPress site, but it can also check those theme and plugin versions against the massive WordPress vulnerability database.

Additionally, WPScan will also let you know if the version of WordPress you are running contains security vulnerabilities, in which case you would need to upgrade to the latest version of WordPress.
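WPScan can also write its findings as JSON (the  --format json  option together with  -o <file>), which makes the "update or replace" decision above easy to automate across several sites. The Python script below is an added example, not part of this post or of WPScan itself: it reads such a report (the field layout is assumed from WPScan's JSON output and the sample report is constructed) and sorts every vulnerable core version, plugin or theme into "update to the fixed version" or "no fixed version: remove or replace", listing the unfixable ones first.

```python
import json
# Constructed sample in the shape of a WPScan `--format json` report
# (field layout assumed from WPScan's JSON output; every value is made up).
SAMPLE_REPORT = r'''{
  "version": {"number": "5.8", "vulnerabilities": [
    {"title": "WordPress 5.8 - Example Issue", "fixed_in": "5.8.1"}]},
  "plugins": {
    "example-gallery": {"version": {"number": "1.2.0"}, "vulnerabilities": [
      {"title": "Example Gallery < 1.3.0 - Example Issue", "fixed_in": "1.3.0"}]},
    "abandoned-widget": {"version": {"number": "0.9"}, "vulnerabilities": [
      {"title": "Abandoned Widget <= 0.9 - Example Issue", "fixed_in": null}]},
    "clean-plugin": {"version": {"number": "2.0"}, "vulnerabilities": []}
  },
  "themes": {},
  "users": {"admin": {"id": 1}, "editor": {"id": 2}}
}'''
REPORT = json.loads(SAMPLE_REPORT)

def _finding(kind, slug, installed, vuln):
    """Turn one WPScan vulnerability entry into an actionable finding."""
    fixed = vuln.get("fixed_in")
    action = f"update to {fixed}" if fixed else "no fixed version: remove or replace"
    return {"kind": kind, "slug": slug, "installed": installed,
            "title": vuln.get("title"), "fixed_in": fixed, "action": action}

def triage(report):
    """Collect core, plugin and theme vulnerabilities; unfixable ones sort first."""
    findings = []
    core = report.get("version") or {}  # null when WPScan could not detect the version
    for v in core.get("vulnerabilities", []):
        findings.append(_finding("core", "wordpress", core.get("number"), v))
    for kind in ("plugins", "themes"):
        for slug, item in (report.get(kind) or {}).items():
            installed = (item.get("version") or {}).get("number")  # may be undetected
            for v in item.get("vulnerabilities", []):
                findings.append(_finding(kind, slug, installed, v))
    return sorted(findings, key=lambda f: (f["fixed_in"] is not None, f["kind"], f["slug"]))

def summarize(report):
    """Counts a maintainer wants at a glance, including enumerated usernames."""
    findings = triage(report)
    return {"update": sum(1 for f in findings if f["fixed_in"]),
            "remove": sum(1 for f in findings if not f["fixed_in"]),
            "users_enumerated": len(report.get("users") or {})}

if __name__ == "__main__":
    for f in triage(REPORT):
        print(f"[{f['kind']}] {f['slug']} {f['installed']}: {f['title']} -> {f['action']}")
    print(summarize(REPORT))
```

To run it against a real scan, replace REPORT with json.load() of the file written by  -o  and review the "remove" entries first, since no update will fix them.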


Next time we will discuss WPScan search results and reporting methods in more detail.



