Find vulnerabilities and exploits in WordPress core, plugins and themes
Unlock the full power and feature of our WordPress Vulnerability Scanner - WPScan! Compare pricing plans and discover more tools and features.
Here is a WordPress Vulnerability Scanner - WPScan sample report:
This tool helps you discover security issues and vulnerabilities in the target WordPress website using the most advanced WordPress scanner: WPScan.
You can speed-up your penetration test using this scanner since it is already installed, configured and ready-to-go. Quickly discover vulnerable plugins, themes and other configuration issues.
Check if your own installation of WordPress is updated and properly configured. Enumerate your existing plugins and verify if they are at the latest version.
If you are a web development company, you can also show this report to your clients and prove that you have implemented the proper security measures in the WordPress website.
| Parameter | Description |
|---|---|
| Target URL | This is the url of the WordPress website that will be scanned. All urls must start with http or https. Don't forget to specify the complete path to the base directory of the WordPress installation. Ex. http://targetwp.com/blog/. |
| Detection Mode - Passive | Runs a non-intrusive detection i.e it sents a few requests to the server. It commonly scans the home page for any vulnerability. The passive mode is less likely to be detected by IDS/IPS solutions |
| Detection Mode - Aggressive | Performs a more intrusive scan as it sends numerous requests to the server. This approach has a greater chance of finding the correct WordPress version, to enumerate users and to better find the plugins. |
| Enumerate | Select at least one option of what you want to enumerate: usernames, vulnerable themes and/ or vulnerable plugins. The thresholds for themes and plugins are very high, to prevent the scan from stopping. However, it may take longer to finish. |
Since WordPress is a widely used platform, it often becomes a target for hackers. Their attacks are facilitated by the high number of outdated WordPress installations and outdated plugins and themes. These old versions of WordPress components contain vulnerabilities and security weaknesses that can be exploited.
A WordPress hack often starts by identifying which version of WordPress is running and what are the installed plugins and themes. The next step is to fingerprint the running versions of those components and to search for public vulnerabilities affecting them. A lot of public exploits are also available online.
For instance, a well known WordPress plugin called Revolution Slider is affected by multiple high risk vulnerabilities in some of its older versions.
http://vulnerable_wordpress.xx/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php