[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-7651":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":16,"subscribersCount":16,"size":16,"stars1d":17,"stars7d":18,"stars30d":19,"stars90d":16,"forks30d":16,"starsTrendScore":20,"compositeScore":21,"rankGlobal":10,"rankLanguage":10,"license":22,"archived":23,"fork":23,"defaultBranch":24,"hasWiki":25,"hasPages":25,"topics":26,"createdAt":10,"pushedAt":10,"updatedAt":34,"readmeContent":35,"aiSummary":36,"trendingCount":16,"starSnapshotCount":16,"syncStatus":17,"lastSyncTime":37,"discoverSource":38},7651,"wpscan","wpscanteam\u002Fwpscan","wpscanteam","WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites. Contact us via contact@wpscan.com","https:\u002F\u002Fwpscan.com\u002Fwordpress-cli-scanner",null,"Ruby",9624,1337,257,27,0,2,11,62,7,81.08,"Other",false,"master",true,[27,28,29,30,31,32,5,33],"hacking-tool","scan","scanner","security","security-scanner","wordpress","wpvulndb","2026-06-12 04:00:35","\u003Cp align=\"center\">\n  \u003Ca href=\"https:\u002F\u002Fwpscan.com\u002F\">\n    \u003Cimg src=\"https:\u002F\u002Fraw.githubusercontent.com\u002Fwpscanteam\u002Fwpscan\u002Fgh-pages\u002Fimages\u002Fwpscan_logo.png\" alt=\"WPScan logo\">\n  \u003C\u002Fa>\n\u003C\u002Fp>\n\n\u003Ch3 align=\"center\">WPScan\u003C\u002Fh3>\n\n\u003Cp align=\"center\">\n  WordPress Security Scanner\n  \u003Cbr>\n  \u003Cbr>\n  \u003Ca href=\"https:\u002F\u002Fwpscan.com\u002F\" title=\"homepage\" target=\"_blank\">WPScan WordPress Vulnerability Database\u003C\u002Fa> - \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwpscan\u002F\" title=\"wordpress security plugin\" target=\"_blank\">WordPress Security Plugin\u003C\u002Fa>\n\u003C\u002Fp>\n\n\u003Cp 
align=\"center\">\n  \u003Ca href=\"https:\u002F\u002Fbadge.fury.io\u002Frb\u002Fwpscan\" target=\"_blank\">\u003Cimg src=\"https:\u002F\u002Fbadge.fury.io\u002Frb\u002Fwpscan.svg\">\u003C\u002Fa>\n  \u003Ca href=\"https:\u002F\u002Fhub.docker.com\u002Fr\u002Fwpscanteam\u002Fwpscan\u002F\" target=\"_blank\">\u003Cimg src=\"https:\u002F\u002Fimg.shields.io\u002Fdocker\u002Fpulls\u002Fwpscanteam\u002Fwpscan.svg\">\u003C\u002Fa>\n  \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fwpscanteam\u002Fwpscan\u002Factions?query=workflow%3ABuild\" target=\"_blank\">\u003Cimg src=\"https:\u002F\u002Fgithub.com\u002Fwpscanteam\u002Fwpscan\u002Fworkflows\u002FBuild\u002Fbadge.svg\">\u003C\u002Fa>\n  \u003Ca href=\"https:\u002F\u002Fcodeclimate.com\u002Fgithub\u002Fwpscanteam\u002Fwpscan\" target=\"_blank\">\u003Cimg src=\"https:\u002F\u002Fcodeclimate.com\u002Fgithub\u002Fwpscanteam\u002Fwpscan\u002Fbadges\u002Fgpa.svg\">\u003C\u002Fa>\n\u003C\u002Fp>\n\n# INSTALL\n\n## Prerequisites\n\n- (Optional but highly recommended: [rbenv](https:\u002F\u002Fgithub.com\u002Frbenv\u002Frbenv))\n- Ruby >= 3.3 - Recommended: latest stable\n- Curl >= 7.72 - Recommended: latest stable\n  - Version 7.29 has a segfault\n  - Versions \u003C 7.72 could result in `Stream error in the HTTP\u002F2 framing layer` in some cases\n- RubyGems - Recommended: latest stable\n- Nokogiri might require packages to be installed via your package manager depending on your OS, see https:\u002F\u002Fnokogiri.org\u002Ftutorials\u002Finstalling_nokogiri.html\n\n### In a Pentesting distribution\n\nWhen using a pentesting distribution (such as Kali Linux), it is recommended to install\u002Fupdate wpscan via the package manager if available.\n\n### On macOS via Homebrew\n\n```shell\nbrew install wpscanteam\u002Ftap\u002Fwpscan\n```\n\n### From RubyGems\n\n```shell\ngem install wpscan\n```\n\nOn macOS, if a ```Gem::FilePermissionError``` is raised due to Apple's System Integrity Protection (SIP), either install RVM and install 
wpscan again, or run ```sudo gem install -n \u002Fusr\u002Flocal\u002Fbin wpscan``` (see [#1286](https:\u002F\u002Fgithub.com\u002Fwpscanteam\u002Fwpscan\u002Fissues\u002F1286))\n\n# Updating\n\nYou can update the local database by using ```wpscan --update```\n\nUpdating WPScan itself is done either via ```gem update wpscan``` or via the package manager (this is quite important for distributions such as Kali Linux: ```apt-get update && apt-get upgrade```), depending on how WPScan was (pre)installed.\n\n# Docker\n\nPull the repo with ```docker pull wpscanteam\u002Fwpscan```\n\nEnumerating usernames\n\n```shell\ndocker run -it --rm -v wpscan-db:\u002Fwpscan\u002F.cache\u002Fwpscan\u002Fdb wpscanteam\u002Fwpscan --url https:\u002F\u002Ftarget.tld\u002F --enumerate u\n```\n\nEnumerating a range of usernames\n\n```shell\ndocker run -it --rm -v wpscan-db:\u002Fwpscan\u002F.cache\u002Fwpscan\u002Fdb wpscanteam\u002Fwpscan --url https:\u002F\u002Ftarget.tld\u002F --enumerate u1-100\n```\n\n** replace u1-100 with a range of your choice.\n\n## Persisting the local database\n\nThe image ships with a copy of the local database baked in at build time. 
Because the example commands above use `--rm`, any database update performed during a run is discarded when the container exits, so the next run starts again from the (potentially stale) baked-in copy.\n\nMounting a named volume at `\u002Fwpscan\u002F.cache\u002Fwpscan\u002Fdb` (the `wpscan` user's cache directory inside the container) keeps the database across runs, so `wpscan --update` only re-downloads files whose checksums actually changed and the 5-day staleness prompt behaves as it would for a local install:\n\n```shell\ndocker run -it --rm -v wpscan-db:\u002Fwpscan\u002F.cache\u002Fwpscan\u002Fdb wpscanteam\u002Fwpscan --update\n```\n\nThe named volume is created automatically on first use if it doesn't already exist.\n\n# Usage\n\nFull user documentation can be found here: https:\u002F\u002Fgithub.com\u002Fwpscanteam\u002Fwpscan\u002Fwiki\u002FWPScan-User-Documentation\n\n```wpscan --url blog.tld``` This will scan the blog using default options with a good compromise between speed and accuracy. For example, plugins will be detected passively, but their versions will be checked with a mixed detection mode (passive + aggressive). 
Potential config backup files will also be checked, along with other interesting findings.\n\nIf a more stealthy approach is required, then ```wpscan --stealthy --url blog.tld``` can be used.\nAs a result, when using the ```--enumerate``` option, don't forget to set the ```--plugins-detection``` accordingly, as its default is 'passive'.\n\nFor more options, open a terminal and type ```wpscan --help``` (if you built wpscan from the source, you should type the command outside of the git repo)\n\n## Database Location\n\nThe database location follows the [XDG Base Directory Specification](https:\u002F\u002Fspecifications.freedesktop.org\u002Fbasedir-spec\u002Fbasedir-spec-latest.html):\n\n- **New installations**: `~\u002F.cache\u002Fwpscan\u002Fdb` (or `$XDG_CACHE_HOME\u002Fwpscan\u002Fdb` if set)\n- **Existing installations**: `~\u002F.wpscan\u002Fdb` (legacy path, maintained for backward compatibility)\n\nRuntime files such as the default HTTP cache and cookie jar are stored under `$TMPDIR\u002Fwpscan` when\n`$TMPDIR` is set. Otherwise they use the same per-user XDG cache directory, for example\n`~\u002F.cache\u002Fwpscan\u002Fcache` and `~\u002F.cache\u002Fwpscan\u002Fcookie_jar.txt`. These defaults can be overridden\nwith `--cache-dir` and `--cookie-jar`.\n\nTo migrate an existing installation to the XDG path:\n\n```shell\nmv ~\u002F.wpscan ~\u002F.cache\u002Fwpscan\n```\n\n## Optional: WordPress Vulnerability Database API\n\nThe WPScan CLI tool uses the [WordPress Vulnerability Database API](https:\u002F\u002Fwpscan.com\u002Fapi) to retrieve WordPress vulnerability data in real-time. For WPScan to retrieve the vulnerability data an API token must be supplied via the `--api-token` option, or via a configuration file, as discussed below. 
An API token can be obtained by registering an account on [WPScan.com](https:\u002F\u002Fwpscan.com\u002Fregister).\n\nUp to **25** API requests per day are given free of charge, which should be suitable to scan most WordPress websites at least once per day. When the daily 25 API requests are exhausted, WPScan will continue to work as normal but without any vulnerability data.\n\n### How many API requests do you need?\n\n- Our WordPress scanner makes one API request for the WordPress version, one request per installed plugin, and one request per installed theme.\n- On average, a WordPress website has 22 installed plugins.\n\n## Load CLI options from file\u002Fs\n\nWPScan can load all options (including the `--url`) from configuration files. The following locations are checked (order: first to last):\n\n- `~\u002F.wpscan\u002Fscan.json`\n- `~\u002F.wpscan\u002Fscan.yml`\n- `pwd\u002F.wpscan\u002Fscan.json`\n- `pwd\u002F.wpscan\u002Fscan.yml`\n\nIf those files exist, options from the `cli_options` key will be loaded, with an option found in more than one file overridden by the later one.\n\ne.g.:\n\n`~\u002F.wpscan\u002Fscan.yml`:\n\n```yml\ncli_options:\n  proxy: 'http:\u002F\u002F127.0.0.1:8080'\n  verbose: true\n```\n\n`pwd\u002F.wpscan\u002Fscan.yml`:\n\n```yml\ncli_options:\n  proxy: 'socks5:\u002F\u002F127.0.0.1:9090'\n  url: 'http:\u002F\u002Ftarget.tld'\n```\n\nRunning ```wpscan``` in the current directory (pwd) is the same as ```wpscan -v --proxy socks5:\u002F\u002F127.0.0.1:9090 --url http:\u002F\u002Ftarget.tld```\n\nOther command line options can be added using the snake case convention, e.g.:\n```yml\ncli_options:\n  user_agent: \"Testing UA\"\n  max_threads: 1\n  headers: \"Custom-Header: aaaa; Another Header: bbb\"\n```\n\n## Save API Token in a file\n\nThe feature mentioned above is useful to keep the API Token in a config file and not have to supply it via the CLI each time. 
To do so, create the ~\u002F.wpscan\u002Fscan.yml file containing the below:\n\n```yml\ncli_options:\n  api_token: 'YOUR_API_TOKEN'\n```\n\n## Load API Token From ENV (since v3.7.10)\n\nThe API Token will be automatically loaded from the ENV variable `WPSCAN_API_TOKEN` if present. If the `--api-token` CLI option is also provided, the value from the CLI will be used.\n\n\n## Enumerating usernames\n\n```shell\nwpscan --url https:\u002F\u002Ftarget.tld\u002F --enumerate u\n```\n\nEnumerating a range of usernames\n\n```shell\nwpscan --url https:\u002F\u002Ftarget.tld\u002F --enumerate u1-100\n```\n\n** replace u1-100 with a range of your choice.\n\n# LICENSE\n\n## WPScan Public Source License\n\nThe WPScan software (henceforth referred to simply as \"WPScan\") is dual-licensed - Copyright 2011-2019 WPScan Team.\n\nCases that include the commercialization of WPScan require a commercial, non-free license. Otherwise, WPScan can be used without charge under the terms set out below.\n\n### 1. Definitions\n\n1.1 \"License\" means this document.\n\n1.2 \"Contributor\" means each individual or legal entity that creates, contributes to the creation of, or owns WPScan.\n\n1.3 \"WPScan Team\" means WPScan’s core developers.\n\n### 2. 
Commercialization\n\nCommercial use is one intended for commercial advantage or monetary compensation.\n\nExample cases of commercialization are:\n\n- Using WPScan to provide commercial managed\u002FSoftware-as-a-Service services.\n- Distributing WPScan as a commercial product or as part of one.\n- Using WPScan as a value-added service\u002Fproduct.\n\nExample cases that do not require a commercial license, and thus fall under the terms set out below, include (but are not limited to):\n\n- Penetration testers (or penetration testing organizations) using WPScan as part of their assessment toolkit.\n- Penetration Testing Linux Distributions including but not limited to Kali Linux, SamuraiWTF, BackBox Linux.\n- Using WPScan to test your own systems.\n- Any non-commercial use of WPScan.\n\nIf you need to purchase a commercial license or are unsure whether you need to purchase a commercial license contact us - contact@wpscan.com.\n\nFree-use Terms and Conditions;\n\n### 3. Redistribution\n\nRedistribution is permitted under the following conditions:\n\n- Unmodified License is provided with WPScan.\n- Unmodified Copyright notices are provided with WPScan.\n- Does not conflict with the commercialization clause.\n\n### 4. Copying\n\nCopying is permitted so long as it does not conflict with the Redistribution clause.\n\n### 5. Modification\n\nModification is permitted so long as it does not conflict with the Redistribution clause.\n\n### 6. Contributions\n\nAny Contributions assume the Contributor grants the WPScan Team the unlimited, non-exclusive right to reuse, modify and relicense the Contributor's content.\n\n### 7. Support, updates, and maintenance \n\nWPScan is provided under an AS-IS basis and without any support, updates, or maintenance. Support, updates and maintenance may be given according to the sole discretion of the WPScan Team.\n\n### 8. 
Disclaimer of Warranty\n\nWPScan is provided under this License on an “as is” basis, without warranty of any kind, either expressed, implied, or statutory, including, without limitation, warranties that the WPScan is free of defects, merchantable, fit for a particular purpose or non-infringing.\n\n### 9. Limitation of Liability\n\nTo the extent permitted under Law, WPScan is provided under an AS-IS basis. The WPScan Team shall never, and without any limit, be liable for any damage, cost, expense or any other payment incurred as a result of WPScan's actions, failure, bugs, and\u002For any other interaction between WPScan and end-equipment, computers, other software or any 3rd party, end-equipment, computer or services.\n\n### 10. Disclaimer\n\nRunning WPScan against websites without prior mutual consent may be illegal in your country. The WPScan Team accepts no liability and is not responsible for any misuse or damage caused by WPScan.\n\n### 11. Trademark\n\nThe \"wpscan\" term is a registered trademark. This License does not grant the use of the \"wpscan\" trademark or the use of the WPScan logo.\n","WPScan is a scanning tool built specifically for checking the security of WordPress websites. It can identify the WordPress version, plugins, and themes along with their vulnerabilities, supports features such as username enumeration, and can regularly update its vulnerability database to stay current. The tool is written in Ruby, has a powerful command-line interface, and is suited to security experts and blog maintainers. Whether for penetration testing or routine security checks, WPScan provides detailed reports that help users find potential security risks.","2026-06-11 03:13:34","top_language"]