wpscanteam / wpscan

WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites. Contact us via contact@wpscan.com
https://wpscan.com/wordpress-cli-scanner

WPScan is not detecting plugins #1750

Closed raadsec closed 1 year ago

raadsec commented 2 years ago

I am using WPScan to scan a vulnerable WordPress site that has a vulnerable plugin installed. The tool didn't detect any plugins at all.

Command that I am using:

wpscan --url http://site/ --wp-content-dir wp-content --enumerate ap --clear-cache --wp-plugins-dir wp-content/plugins --stealthy --random-user-agent

erwanlr commented 2 years ago

The --stealthy option will only perform passive detection, so some plugins might not be detected. You should use --plugins-detection mixed instead. Be aware that due to the --enumerate ap, all plugins will be checked, which could take some time.

Btw, any reason to use the --wp-content-dir and --wp-plugins-dir options with their default values?
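
A simplified illustration of the passive-detection point above, added here as an example and not WPScan's own code: a passive pass looks only at what the site already serves, so a plugin that loads no assets on the fetched page leaves nothing to find. The HTML, the installed-plugin set and the function names are constructed for this example; the default plugins directory is the one named in the thread.

```python
import re

# Constructed sample: homepage HTML of a hypothetical WordPress site.
HOMEPAGE_HTML = """
<html><head>
<link rel="stylesheet" href="/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.7">
<script src="https://example.test/wp-content/plugins/wp-super-cache/js/cache.js"></script>
<link rel="stylesheet" href="/wp-content/themes/twentytwenty/style.css">
</head><body>
<img src="/wp-content/plugins/contact-form-7/images/ajax-loader.gif">
</body></html>
"""

# Constructed ground truth: what the site owner knows is installed.
INSTALLED = {"contact-form-7", "wp-super-cache", "backup-tool", "legacy-importer"}


def passive_plugin_slugs(html, plugins_dir="wp-content/plugins"):
    """Return plugin slugs referenced in already-served HTML (no extra requests)."""
    # Match "/<plugins_dir>/<slug>/" anywhere in the markup; the slug is the
    # first path component below the plugins directory.
    pattern = re.compile(
        r"/" + re.escape(plugins_dir.strip("/")) + r"/([A-Za-z0-9][A-Za-z0-9._-]*)/"
    )
    return {slug.lower() for slug in pattern.findall(html)}


def missed_by_passive(html, installed, plugins_dir="wp-content/plugins"):
    """Installed plugins that leave no trace in the page, so a passive pass misses them."""
    return set(installed) - passive_plugin_slugs(html, plugins_dir)


if __name__ == "__main__":
    print("seen passively:", sorted(passive_plugin_slugs(HOMEPAGE_HTML)))
    print("missed:", sorted(missed_by_passive(HOMEPAGE_HTML, INSTALLED)))
```

For a site owner auditing their own install, the "missed" set is the part of the inventory that only a mixed or aggressive detection mode has a chance of confirming.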

raadsec commented 2 years ago

In general the tool is unable to detect plugins, so I used the mentioned arguments in order to play around and make the tool work, but unfortunately no success.

ocervell commented 1 year ago

Same issue here with the site blog.terabox.com (for a bug bounty), not detecting any of the plugins. I've tried a combination of all the above-specified options. I ran a nuclei scan with the wordpress workflow and it does find the outdated plugins so I'm not sure why wpscan can't.

Command:

wpscan --random-user-agent --force --plugins-detection mixed -o /tmp/wpscan_2023_09_05-09_03_40_348948_AM.json --url https://blog.terabox.com/ -f json --max-threads 50

alexsanford commented 1 year ago

I ran a test enumerating the most popular plugins on the given site, and I found several. I used the following command.

@raadsec @ocervell could you please confirm whether the command works for you?

wpscan --random-user-agent --force --plugins-detection mixed -e p --url https://blog.terabox.com

ocervell commented 1 year ago

It's working on the latest update, thanks!

alexsanford commented 1 year ago

Good to hear! Feel free to reach out again if you run into further issues 🙂