Core Capabilities

WPScan enumerates installed plugins, themes, and WordPress core versions, then cross-references them against the WPScan Vulnerability Database — the largest curated collection of WordPress-specific CVEs and security advisories. The scanner detects vulnerable plugin versions, exposed wp-config.php backup files, directory listing vulnerabilities, weak user passwords via dictionary attacks, and XML-RPC attack surfaces.

How It Works

The CLI accepts a target URL and performs passive and aggressive detection passes. Plugin enumeration supports three modes: passive (HTTP response analysis), aggressive (direct file probing), and mixed (combining both). The tool outputs findings in CLI, JSON, or YAML format, making it easy to integrate into CI/CD pipelines and automated security audits.

Key Features

User enumeration discovers WordPress admin accounts. Password brute-forcing tests accounts against wordlists. The scanner checks for TimThumb vulnerabilities, database exports, and full path disclosure. WPScan supports HTTP proxies, custom headers, random user agents, and Tor for anonymized scanning. The API token system provides real-time vulnerability data lookups.

Integration Points

WPScan integrates with CI/CD pipelines via its JSON output format. It runs in Docker containers for isolated scanning environments. The Ruby gem architecture allows programmatic use in custom security automation scripts. Results can feed into vulnerability management platforms for tracking and remediation workflows.