WPScan
Official Documentation: https://github.com/wpscanteam/wpscan/wiki/WPScan-User-Documentation
Cheat Sheet: WPScan Commands
Purpose
WPScan is a WordPress-specific vulnerability scanner that finds plugins, themes, exposed usernames, and known vulnerabilities in WordPress sites.
Scenarios
- CTF: Identify vulnerable plugins or default admin pages in a WordPress challenge to find exploitation paths.
- Real world: Quickly check a WordPress site for known plugin/theme vulnerabilities and exposures.
All needed info to run
- Target URL (WordPress site).
- An API token for the WPScan Vulnerability Database gives higher rate limits; get a free token from WPScan (recommended).
- Common flags:
  --url <url> → target
  --enumerate p,t,u → enumerate plugins (p), themes (t), users (u)
  --api-token <token> → use API token
  --plugins-detection mixed → plugin detection mode (passive, aggressive or mixed)
  -e vp,vt,tt,ap → short form of --enumerate: vulnerable plugins (vp), vulnerable themes (vt), timthumbs (tt), all plugins (ap)
  -o <file> → save output
- Some scans (full plugin checks) are noisy: respect rate limits and permissions.
Example commands & outputs

# Basic WPScan (passive, no token)
$ wpscan --url http://example.com --enumerate u
# Output snippet:
# [+] Enumerated Users:
# - admin (ID: 1)
# - editor

# Full scan with API token and plugin enumeration (recommended)
$ wpscan --url https://example.com --enumerate p,t --api-token YOUR_TOKEN -o wpscan-report.txt
# Output snippet:
# [+] Found 67 Plugins
# [+] Vulnerable plugin: revslider (CVE-2014-XXXX) - outdated
# Report saved to wpscan-report.txt
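The text report above is fine to read by eye, but for triage it helps to save the scan as JSON (WPScan's -f json flag) and post-process it. The script below is an added example, not part of the WPScan project or this cheat sheet: it lists every plugin or theme with a known vulnerability, the installed version and the version it is fixed in, plus the enumerated usernames (each one is a login-name disclosure worth fixing). The report layout it parses (plugins/themes keyed by slug with a version dict and a vulnerabilities list, users keyed by username) is my reading of WPScan's JSON output and is an assumption; the embedded sample report is constructed, not real scan data, so the script runs offline.

```python
"""Summarize a WPScan JSON report.

Produce the report with the cheat sheet's flags plus JSON output, e.g.
  wpscan --url https://example.com -e vp,vt,u --api-token "$WPSCAN_API_TOKEN" -f json -o report.json
then run:  python3 wpscan_summary.py report.json

Assumption: plugins/themes are dicts keyed by slug, each with a 'version'
dict ('number') and a 'vulnerabilities' list ('title', 'fixed_in',
'references'); 'users' is keyed by username. This is my reading of WPScan's
JSON format, so verify it against a real report.
"""
import json
import sys

# Constructed sample report (not real scan data) so the script runs offline.
SAMPLE_REPORT = json.dumps({
    "target_url": "https://example.com/",
    "version": {"number": "6.2", "confidence": 80, "vulnerabilities": []},
    "plugins": {
        "example-slider": {
            "slug": "example-slider",
            "version": {"number": "4.1.4", "confidence": 100},
            "vulnerabilities": [{
                "title": "Example Slider < 4.2 - Arbitrary File Download",
                "fixed_in": "4.2",
                "references": {"cve": ["YYYY-NNNNN (placeholder)"]},
            }],
        },
        "contact-widget": {"slug": "contact-widget", "version": None, "vulnerabilities": []},
    },
    "themes": {},
    "users": {
        "admin": {"id": 1, "confirmed_by": {"Rss Generator": {"confidence": 100}}},
        "editor": {"id": None, "confirmed_by": {}},
    },
})


def load_report(text):
    """Parse report text; fail clearly if it is not a WPScan JSON report."""
    data = json.loads(text)
    if not isinstance(data, dict) or "target_url" not in data:
        raise ValueError("not a WPScan JSON report (no target_url key)")
    return data


def vulnerable_components(report):
    """Return (kind, slug, installed_version, title, fixed_in, cve_refs) for
    every plugin/theme that has at least one known vulnerability."""
    findings = []
    for kind in ("plugins", "themes"):
        for slug, comp in (report.get(kind) or {}).items():
            version = (comp.get("version") or {}).get("number") or "unknown"
            for vuln in comp.get("vulnerabilities") or []:
                refs = tuple((vuln.get("references") or {}).get("cve") or [])
                findings.append((kind[:-1], slug, version, vuln.get("title", "?"),
                                 vuln.get("fixed_in") or None, refs))
    return findings


def enumerated_users(report):
    """Usernames WPScan confirmed on the target, sorted for stable output."""
    return sorted((report.get("users") or {}).keys())


def summarize(report):
    """Human-readable summary suitable for a ticket or triage note."""
    core = (report.get("version") or {}).get("number", "unknown")
    lines = [f"Target: {report.get('target_url')}", f"WordPress core: {core}"]
    findings = vulnerable_components(report)
    lines.append(f"Vulnerable components: {len(findings)}")
    for kind, slug, version, title, fixed_in, refs in findings:
        ref = f" [{', '.join(refs)}]" if refs else ""
        action = f"update to {fixed_in}" if fixed_in else "no fixed version listed"
        lines.append(f"  {kind} {slug} {version}: {title}{ref} -> {action}")
    users = enumerated_users(report)
    lines.append(f"Enumerated users ({len(users)}): {', '.join(users) or 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    print(summarize(load_report(text)))
```

Run it with no argument to see the summary of the constructed sample; pass the path of a real report.json to summarize an actual scan. The "update to" line gives the site owner the concrete remediation, which is the part of a WPScan result that actually matters outside a CTF.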
WPScan Basics
- Register for a free API token at the WPScan website to avoid heavy rate-limiting.
- WPScan focuses on known vulnerabilities — it won’t find custom backdoors or unindexed issues.
- Use --enumerate carefully; enumerating users/plugins can be noisy and may trigger protections.
- Always have authorization before scanning third-party WordPress sites.