Merge with master

lib/wpscan/db/plugin.rb

@@ -4,9 +4,9 @@ module WPScan
   module DB
     # Plugin DB
     class Plugin < WpItem
-      # @return [ String ]
-      def self.db_file
-        @db_file ||= DB_DIR.join('plugins.json').to_s
+      # @return [ Hash ]
+      def self.metadata
+        @metadata ||= super['plugins'] || {}
       end
     end
   end

lib/wpscan/db/plugins.rb

@@ -5,8 +5,8 @@ module WPScan
     # WP Plugins
     class Plugins < WpItems
       # @return [ JSON ]
-      def self.db
-        Plugin.db
+      def self.metadata
+        Plugin.metadata
       end
     end
   end

lib/wpscan/db/theme.rb

@@ -4,9 +4,9 @@ module WPScan
   module DB
     # Theme DB
     class Theme < WpItem
-      # @return [ String ]
-      def self.db_file
-        @db_file ||= DB_DIR.join('themes.json').to_s
+      # @return [ Hash ]
+      def self.metadata
+        @metadata ||= super['themes'] || {}
       end
     end
   end

lib/wpscan/db/themes.rb

@@ -5,8 +5,8 @@ module WPScan
     # WP Themes
     class Themes < WpItems
       # @return [ JSON ]
-      def self.db
-        Theme.db
+      def self.metadata
+        Theme.metadata
       end
     end
   end

lib/wpscan/db/updater.rb

@@ -7,12 +7,15 @@ module WPScan
     class Updater
       # /!\ Might want to also update the Enumeration#cli_options when some filenames are changed here
       FILES = %w[
-        plugins.json themes.json wordpresses.json
+        metadata.json wp_fingerprints.json
         timthumbs-v3.txt config_backups.txt db_exports.txt
-        dynamic_finders.yml wp_fingerprints.json LICENSE
+        dynamic_finders.yml LICENSE
       ].freeze
 
-      OLD_FILES = %w[wordpress.db user-agents.txt dynamic_finders_01.yml].freeze
+      OLD_FILES = %w[
+        wordpress.db user-agents.txt dynamic_finders_01.yml
+        wordpresses.json plugins.json themes.json
+      ].freeze
 
       attr_reader :repo_directory
 

lib/wpscan/db/vuln_api.rb

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+
+module WPScan
+  module DB
+    # WPVulnDB API
+    class VulnApi
+      NON_ERROR_CODES = [200, 401, 404].freeze
+
+      class << self
+        attr_accessor :token
+      end
+
+      # @return [ Addressable::URI ]
+      def self.uri
+        @uri ||= Addressable::URI.parse('https://wpvulndb.com/api/v3/')
+      end
+
+      # @param [ String ] path
+      # @param [ Hash ] params
+      #
+      # @return [ Hash ]
+      def self.get(path, params = {})
+        return {} unless token
+
+        res = Browser.get(uri.join(path), params.merge(request_params))
+
+        return JSON.parse(res.body) if NON_ERROR_CODES.include?(res.code)
+
+        raise Error::HTTP, res
+      rescue Error::HTTP => e
+        retries ||= 0
+
+        if (retries += 1) <= 3
+          sleep(1)
+          retry
+        end
+
+        { 'http_error' => e }
+      end
+
+      # @return [ Hash ]
+      def self.plugin_data(slug)
+        get("plugins/#{slug}")&.dig(slug) || {}
+      end
+
+      # @return [ Hash ]
+      def self.theme_data(slug)
+        get("themes/#{slug}")&.dig(slug) || {}
+      end
+
+      # @return [ Hash ]
+      def self.wordpress_data(version_number)
+        get("wordpresses/#{version_number.tr('.', '')}")&.dig(version_number) || {}
+      end
+
+      # @return [ Hash ]
+      def self.status
+        json = get('status', params: { version: WPScan::VERSION }, cache_ttl: 0)
+
+        json['requests_remaining'] = 'Unlimited' if json['requests_remaining'] == -1
+
+        json
+      end
+
+      # @return [ Hash ]
+      def self.request_params
+        {
+          headers: {
+            'Host' => uri.host, # Reset in case user provided a --vhost for the target
+            'Referer' => nil, # Removes referer set by the cmsscanner to the target url
+            'User-Agent' => Browser.instance.default_user_agent,
+            'Authorization' => "Token token=#{token}"
+          }
+        }
+      end
+    end
+  end
+end

lib/wpscan/db/wp_item.rb

@@ -6,14 +6,19 @@ module WPScan
     class WpItem
       # @param [ String ] identifier The plugin/theme slug or version number
       #
-      # @return [ Hash ] The JSON data from the DB associated to the identifier
-      def self.db_data(identifier)
-        db[identifier] || {}
+      # @return [ Hash ] The JSON data from the metadata associated to the identifier
+      def self.metadata_at(identifier)
+        metadata[identifier] || {}
       end
 
       # @return [ JSON ]
-      def self.db
-        @db ||= read_json_file(db_file)
+      def self.metadata
+        @metadata ||= read_json_file(metadata_file)
+      end
+
+      # @return [ String ]
+      def self.metadata_file
+        @metadata_file ||= DB_DIR.join('metadata.json').to_s
       end
     end
   end

lib/wpscan/db/wp_items.rb

@@ -6,17 +6,17 @@ module WPScan
     class WpItems
       # @return [ Array<String> ] The slug of all items
       def self.all_slugs
-        db.keys
+        metadata.keys
       end
 
       # @return [ Array<String> ] The slug of all popular items
       def self.popular_slugs
-        db.select { |_key, item| item['popular'] == true }.keys
+        metadata.select { |_key, item| item['popular'] == true }.keys
       end
 
       # @return [ Array<String> ] The slug of all vulnerable items
       def self.vulnerable_slugs
-        db.reject { |_key, item| item['vulnerabilities'].empty? }.keys
+        metadata.select { |_key, item| item['vulnerabilities'] == true }.keys
       end
     end
   end

lib/wpscan/db/wp_version.rb

@@ -4,9 +4,9 @@ module WPScan
   module DB
     # WP Version
     class Version < WpItem
-      # @return [ String ]
-      def self.db_file
-        @db_file ||= DB_DIR.join('wordpresses.json').to_s
+      # @return [ Hash ]
+      def self.metadata
+        @metadata ||= super['wordpress'] || {}
       end
     end
   end