Releases: wpscanteam/wpscan
v3.6.3
v3.6.2
v3.6.1
v3.6.0
- Reduces starting time by not creating all DF. Plugin and Theme Versions DF are now created when they are needed.
- Fixes a bug where stats were not being displayed in some cases upon error in threads
- Fixes long generation time of target urls before enumeration when the blog had no sub directory detected.
Dev:
- Potential Readme filenames can now be overridden via the DF config, leading to fewer requests when looking for Readmes, and avoiding false positives due to old readme files which were checked first - #1364
- Some DF methods renamed to avoid confusion with DB methods (ie #db_data -> #df_data)
v3.5.5
v3.5.4
- Fixes an issue in Target#scope_url_pattern when the Target url was invalid according to PublicSuffix, such as an IPv6 address - #1341
- Removes the vulnerabilities key from plugin and theme version, which was always empty, when using JSON output. Vulnerabilities are always at .vulnerabilities - #1344
- Updated Dependencies
v3.5.3
Improvements:
- Detection of wp-content:
  - Default wp-content is now checked directly (depends on detection-mode) while not detected via the homepage passively
  - Scope supplied is now considered when checking for the wp-content - #1278
  - content attribute of meta tags are now checked
  - Improvement of the detection from raw JS code
- When enumerating plugins and themes, 301 are now ignored - Was causing more False Positive than False Negative
- Wildcards in --scope, such as --scope *.cdn.org, properly processed
- Some Error Messages have been reworked - #1335
- Detection of Wordpress hosted blogs improved
- Object allocations of Addressable::URI reduced by 50%
v3.5.2
- Fixes an error when running wpscan without any argument - wpscanteam/CMSScanner#88
v3.5.1
- Support of Ruby 2.3 removed as its support ended (https://www.ruby-lang.org/en/news/2019/03/31/support-of-ruby-2-3-has-ended/)
- Fixes a regression in the users detection - #1330
- Default user agent list now handled by the related CLI option, rather than 'hardcoded' in the CMSScanner::Browser - Fixes #1328 (caused by using --random-user-agent on the first DB update)
Dev Stuff:
- Parsed options are now accessible via the ParsedCli class from everywhere, rather than just the controllers
v3.5.0
Changes/Improvements:
- All enumeration processes, and most other checks now use HEAD requests and then perform a GET when suitable (related to the long wanted #211). This reduces the data received, especially with custom 404 returning a lot of data
- Make sure files which can return a lot of data, such as SQL dumps, are checked with a Range header - #1322
- Running Stats (Requests done, Memory used and so on) are now always displayed at the end of the scan, when the scan is valid, ie not CLI errors, not Wordpress Error etc (so once the URL and Started time are displayed, stats will be output at the end no matter what)
- More accurate memory usage, by getting the starting memory when a scan is initialised
- Additional detection of the WP-JSON API via the source of the homepage - #1319
- Detection of wp-content dir from RAW JavaScript
- Password Attack against the wp-login.php improved to avoid False Positive
- Minified version of static files also checked when trying to determine WP version - #1311
- Check errors 500 as well as custom 401/403 during plugin/theme enumeration - #1090
Removals:
- WPScan is no longer checking for the changelog URLs when displaying plugins and themes. Versions detection from changelogs are still performed
Fixes:
- Regression of the wp-content detection, when a sub-dir was present - #1318 (was due to ab5f46e#diff-20e4355dc81ed51bf07e7536399f448d)
- Empty usernames being detected from RSS feed - #1317
- BackTrace error always displayed when wp-content dir not detected - #1313
Dev Stuff: