(We are not closing any of our other products or services, just the online WPScan.io SaaS!)
WPScan.io started life in 2015 when we contracted a Rails development company to create a SaaS web front end on top of our WPScan CLI tool. Unfortunately, at that time, we only had the budget to complete around 50% of the work, as we were still a community project making hardly any money.
The project sat in this half-finished state for three years, until 2018, when we had a little more money to hire a freelance Rails developer.
This is a copy of the WPScan User Documentation. Please refer to the GitHub Wiki version for the most up-to-date information.
WPScan is a free (for non-commercial use) black-box WordPress security scanner, written for security professionals and blog maintainers to test the security of their sites.
WPScan is written in the Ruby programming language. The first version of WPScan was released on the 16th of June 2011.
WordPress is undisputedly the most popular Content Management System (CMS) in use today. The most commonly quoted figure, published by w3techs, puts WordPress at 37.7% of all websites (July 2020) and growing. It is no surprise, then, that WordPress is also the CMS most targeted by hackers.
Despite what some believe, WordPress is a secure CMS, depending on what your definition of “secure” is.
Yesterday, June 10th, WordPress released version 5.4.2, which was a security and maintenance release.
Version 5.4.2 of WordPress fixes 6 separate security issues: three authenticated Cross-Site Scripting (XSS) vulnerabilities, one potential Open Redirect vulnerability, one privilege escalation vulnerability, and one issue where comments on password-protected posts and pages could be exposed in certain circumstances.
As well as the 5.4.2 minor version release, WordPress also released security fixes for WordPress versions as far back as version 3.7, which was released in 2013. This is the full list of minor versions that WordPress released to fix the six security issues:
Since we launched our WordPress vulnerability database in 2014, it has been lacking one important feature: vulnerability risk scores. This was partly due to not being able to decide which risk scoring system to use, not having the time to implement the system, and not having the time to assign risk scores to new vulnerabilities once the system was implemented.
Today we’re happy to announce that all new WordPress vulnerability database vulnerabilities will come with a CVSS risk score. However, these will be limited to the API and to Enterprise users for now.