wpscanteam / wpscan

WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites. Contact us via contact@wpscan.com
https://wpscan.com/wordpress-cli-scanner

false positive of 500 http status code #1690

Closed GHA193 closed 2 years ago

GHA193 commented 2 years ago

Description

I added the --exclude-content-based 'Internal Server Error' option, but plugins with status code 500 still have vulnerabilities reported. Please advise.

Your environment

Version of WPScan: Docker latest version (3.8.20)

Command

docker run --rm -v /tmp/wpscandb:/wpscan/.wpscan/db wpscanteam/wpscan --force --ignore-main-redirect --disable-tls-checks -f cli -e vt,vp --ua customer_ua --api-token mytoken --proxy http://proxyip:port --exclude-content-based 'Internal Server Error' --url https://mywebsite.org/

Output

..................

[+] user-access-manager
 | Location: https://mywebsite.org/wp-content/plugins/user-access-manager/
 | Latest Version: 2.2.15
 | Last Updated: 2021-06-07T12:37:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | [!] 2 vulnerabilities identified:
 |
 | [!] Title: User Access Manager <= 2.0.8 - Authenticated Reflected Cross-Site Scripting (XSS)
 |     Fixed in: 2.0.9
 |     References:
 |      - https://wpscan.com/vulnerability/b0c6828b-44c1-4772-9b05-fb5afda6d386
 |      - https://www.defensecode.com/advisories/DC-2017-01-021_WordPress_User_Access_Manager_Plugin_Advisory.pdf
 |      - https://seclists.org/bugtraq/2017/May/31
 |
 | [!] Title: User Access Manager < 1.2 - CSRF
 |     Fixed in: 1.2
 |     References:
 |      - https://wpscan.com/vulnerability/4c7582a3-b4ec-43fd-94dd-0a472c621c99
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5328
 |
 | The version could not be determined.

..................

Note

The status code of https://mywebsite.org/wp-content/plugins/user-access-manager/ is 500.

erwanlr commented 2 years ago

| Found By: Urls In Homepage (Passive Detection)

That means that on the homepage of the blog there is something like https://mywebsite.org/wp-content/plugins/user-access-manager/, usually from the plugin loading CSS/JS etc. from there. The 500 from checking https://mywebsite.org/wp-content/plugins/user-access-manager/ directly was ignored, as it is not reported in the output.

The vulnerabilities are reported because the version could not be determined.
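To illustrate the two points in the reply above (passive detection from plugin URLs on the homepage, and every known entry being reported when the version is unknown), here is an added Python example; it is not WPScan's code, and the homepage snippet and vulnerability entries are constructed from the findings in this issue.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed homepage snippet: the plugin reveals its slug by loading assets
# from wp-content/plugins/<slug>/ (the "Urls In Homepage" passive finding).
HOMEPAGE_HTML = """
<link rel="stylesheet" href="https://mywebsite.org/wp-content/plugins/user-access-manager/assets/css/uam.css?ver=1">
<script src="https://mywebsite.org/wp-content/plugins/akismet/_inc/akismet.js"></script>
<script src="https://mywebsite.org/wp-includes/js/jquery/jquery.min.js"></script>
"""

# Constructed entries mirroring the two findings in the issue: (title, fixed_in).
VULN_DB: Dict[str, List[Tuple[str, str]]] = {
    "user-access-manager": [
        ("User Access Manager <= 2.0.8 - Authenticated Reflected XSS", "2.0.9"),
        ("User Access Manager < 1.2 - CSRF", "1.2"),
    ],
}

PLUGIN_URL_RE = re.compile(r"/wp-content/plugins/([A-Za-z0-9_-]+)/")


def passive_plugins(html: str) -> Set[str]:
    """Plugin slugs referenced by the homepage. No request is made to the
    plugin directory, so its own HTTP status (e.g. 500) plays no part here."""
    return set(PLUGIN_URL_RE.findall(html))


def _ver(v: str) -> Tuple[int, ...]:
    """Dotted version string to a comparable tuple of integers."""
    return tuple(int(p) for p in v.split("."))


def vulnerabilities_for(slug: str, version: Optional[str]) -> List[str]:
    """With an unknown version every known entry is reported (the behaviour
    explained in the thread); with a known version only unfixed ones are."""
    entries = VULN_DB.get(slug, [])
    if version is None:
        return [title for title, _ in entries]
    return [title for title, fixed_in in entries if _ver(version) < _ver(fixed_in)]


if __name__ == "__main__":
    for slug in sorted(passive_plugins(HOMEPAGE_HTML)):
        print(slug, vulnerabilities_for(slug, None))
```

Passing a determined version (for example 2.2.15) yields an empty list, which is why version detection, not the status code of the plugin directory, decides what gets reported.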

GHA193 commented 2 years ago

Alright, thanks for your help.