Closed GottemHams closed 4 years ago
Thanks for the report, it's fixed in master (and will be available in a bit via docker).
Once the specs are finished running, I will release a new minor version (3.7.8) with the fix.
3.7.8 released!
Can confirm that it works again, thanks. =]
Subject of the issue
When you wanna test a website that is protected by CloudFlare, you may sometimes need to pass a CF-Connecting-IP header. The WPVulnDB API itself also seems to be behind CF and wpscan is using the value from the header for that connection as well. Since CF doesn't know my server's IP as a "trusted proxy IP" for wpvulndb.com and returns a 403 instead.
Your environment
gem install wpscan method)
Steps to reproduce
Simply add --headers 'CF-Connecting-IP: 123.123.123.123' to the wpscan call, this triggers the bug even when you're testing a site not behind CloudFlare.
Expected behavior
wpscan should probably use the --headers argument only for the connection to the actual website and not also for the API calls.
Actual behavior
What have you already tried
Manual curl output:
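Added example, not part of the original issue and not wpscan's own code: a sketch of the behavior the report asks for, where user-supplied headers are attached only to requests for the scan target and never to third-party API calls. The class name `HeaderScope`, the `"Name: value; Other: value"` input format, the default User-Agent and both sample URLs are assumptions made for illustration.

```ruby
require 'uri'

# Hypothetical helper (not wpscan's implementation): decides per request
# whether user-supplied headers may be attached.
class HeaderScope
  DEFAULT_HEADERS = { 'User-Agent' => 'example-scanner' }.freeze # constructed value

  def initialize(target_url, raw_headers)
    @target_host = host_of(target_url)
    @user_headers = parse(raw_headers)
  end

  # Defaults are always sent; user headers only when the request goes to
  # the target's own host, so they never reach a third-party service.
  def headers_for(url)
    return DEFAULT_HEADERS.dup unless host_of(url) == @target_host

    DEFAULT_HEADERS.merge(@user_headers)
  end

  private

  # Host comparison is case-insensitive; scheme and port are ignored so an
  # http -> https redirect on the same host keeps the headers.
  def host_of(url)
    URI.parse(url).host.to_s.downcase
  end

  # Assumed input format: "Name: value; Other: value".
  def parse(raw)
    raw.to_s.split('; ').each_with_object({}) do |pair, out|
      name, value = pair.split(':', 2)
      next if value.nil? || name.strip.empty?

      out[name.strip] = value.strip
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  scope = HeaderScope.new('https://target.example/', 'CF-Connecting-IP: 123.123.123.123')
  # Constructed URLs: one request to the target, one to the vulnerability API.
  p scope.headers_for('https://target.example/wp-login.php')
  p scope.headers_for('https://wpvulndb.com/api/example')
end
```

The same scoping also keeps cookies or authorization values passed as custom headers from being disclosed to a service outside the scan scope.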