Bumps version

Update rubocop requirement from ~> 0.62.0 to ~> 0.63.0

.dockerignore

@@ -0,0 +1,16 @@
+git/
+bundle/
+.idea/
+.yardoc/
+cache/
+coverage/
+spec/
+.*
+**/*.md
+*.md
+!README.md
+Dockerfile
+**/*.orig
+*.orig
+bin/wpscan-*
+.wpscan/

.github/CONTRIBUTING.md

@@ -0,0 +1,5 @@
+# Contributing to WPScan
+
+## Licensing
+
+By submitting code contributions to the WPScan development team via Github Pull Requests, or any other method, it is understood that the contributor is offering the WPScan company (company number 	83421476900012), which is registered in France, the unlimited, non-exclusive right to reuse, modify, and relicense the code.

.github/ISSUE_TEMPLATE.md

@@ -0,0 +1,27 @@
+### Subject of the issue
+Describe your issue here.
+
+### Your environment
+* Version of WPScan:
+* Version of Ruby:
+* Operating System (OS):
+
+### Steps to reproduce
+Tell us how to reproduce this issue.
+
+### Expected behavior
+Tell us what should happen.
+
+### Actual behavior
+Tell us what happens instead.
+
+### What have you already tried
+Tell us what you have already tried to do to fix the issue you are having.
+
+Things you have tried (where relevant):
+
+* Update WPScan to the latest version [ ]
+* Update Ruby to the latest version [ ]
+* Ensure you can reach the target site using cURL [ ]
+* Proxied WPScan through a HTTP proxy to view the raw traffic [ ]
+* Ensure you are using a supported Operating System (Linux and macOS) [ ]

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,3 @@
+## Licensing
+
+By submitting code contributions to the WPScan development team via Github Pull Requests, or any other method, it is understood that the contributor is offering the WPScan company (company number 	83421476900012), which is registered in France, the unlimited, non-exclusive right to reuse, modify, and relicense the code.

.gitignore

@@ -1,9 +1,26 @@
-cache/*
+*.gem
+*.rbc
+.bundle
+.config
 coverage
+pkg
+rdoc
+Gemfile.lock
+
+# YARD artifacts
+.yardoc
+_yardoc
+doc/
+.wpscan/
+
+.ash_history
 .DS_Store
 .DS_Store?
-*.sublime-*
-.idea
-.*.swp
-Gemfile.lock
-log.txt
+.idea/
+
+# Old files from v2
+cache/
+data/
+
+# Profiling reports
+bin/memprof*.report

.rspec

@@ -1,2 +1,3 @@
 --color
 --fail-fast
+--require spec_helper

.rubocop.yml

@@ -0,0 +1,26 @@
+AllCops:
+  TargetRubyVersion: 2.3
+  Exclude:
+  - '*.gemspec'
+  - 'vendor/**/*'
+ClassVars:
+  Enabled: false
+LineLength:
+  Max: 120
+MethodLength:
+  Max: 20
+Lint/UriEscapeUnescape:
+  Enabled: false
+Metrics/AbcSize:
+  Max: 25
+Metrics/BlockLength:
+  Exclude:
+  - 'spec/**/*'
+Metrics/ClassLength:
+  Max: 150
+Metrics/CyclomaticComplexity:
+  Max: 8
+Style/Documentation:
+  Enabled: false
+Style/FormatStringToken:
+  Enabled: false

.ruby-gemset

@@ -0,0 +1 @@
+wpscanv3

.ruby-version

@@ -0,0 +1 @@
+2.6.2

.simplecov

@@ -1,6 +1,4 @@
 SimpleCov.start do
-  add_filter "/spec/"
-  add_filter "_helper.rb"
-  add_filter "environment.rb"
-  add_filter "_plugin.rb"
-end
+  add_filter '/spec/'
+  add_filter 'helper'
+end

.travis.yml

@@ -1,6 +1,40 @@
 language: ruby
+sudo: false
+cache: bundler
 rvm:
-  - "1.9.2"
-  - "1.9.3"
-  - "2.0.0"
-script: bundle exec rspec --format documentation
+  - 2.3.0
+  - 2.3.1
+  - 2.3.2
+  - 2.3.3
+  - 2.3.4
+  - 2.3.5
+  - 2.3.6
+  - 2.3.7
+  - 2.3.8
+  - 2.4.1
+  - 2.4.2
+  - 2.4.3
+  - 2.4.4
+  - 2.4.5
+  - 2.5.0
+  - 2.5.1
+  - 2.5.2
+  - 2.5.3
+  - 2.5.4
+  - 2.5.5
+  - 2.6.0
+  - 2.6.1
+  - 2.6.2
+  - ruby-head
+before_install:
+  - "echo 'gem: --no-ri --no-rdoc' > ~/.gemrc"
+  - gem update --system
+matrix:
+  allow_failures:
+    - rvm: ruby-head
+script:
+  - bundle exec rubocop
+  - bundle exec rspec
+notifications:
+  email:
+    - team@wpscan.org

CREDITS

@@ -1,19 +0,0 @@
-**CREDITS**
-
-This file is to give credit to WPScan's contributors. If you feel your name should be in here, email ryandewhurst at gmail.
-
-*WPScan Team*
-
-Erwan.LR - @erwan_lr - (Project Developer)
-Christian Mehlmauer - @_FireFart_ - (Project Developer)
-Gianluca Brindisi - @gbrindisi (Project Developer)
-Ryan Dewhurst - @ethicalhack3r (Project Lead)
-
-*Other Contributors*
-
-Alip AKA Undead - alip.aswalid at gmail.com
-michee08 - Reported and gave potential solutions to bugs.
-Callum Pember - Implemented proxy support - callumpember at gmail.com
-g0tmi1k - Additional timthumb checks + bug reports.
-Melvin Lammerts - Reported a couple of fake vulnerabilities - melvin at 12k.nl
-Paolo Perego - @thesp0nge - Basic authentication

Dockerfile

@@ -0,0 +1,38 @@
+FROM ruby:2.6.2-alpine3.9 AS builder
+LABEL maintainer="WPScan Team <team@wpscan.org>"
+
+ARG BUNDLER_ARGS="--jobs=8 --without test development"
+
+RUN echo "gem: --no-ri --no-rdoc" > /etc/gemrc
+
+COPY . /wpscan
+
+RUN apk add --no-cache git libcurl ruby-dev libffi-dev make gcc musl-dev zlib-dev procps sqlite-dev && \
+  bundle install --system --clean --no-cache --gemfile=/wpscan/Gemfile $BUNDLER_ARGS && \
+  # temp fix for https://github.com/bundler/bundler/issues/6680
+  rm -rf /usr/local/bundle/cache
+
+WORKDIR /wpscan
+RUN rake install --trace
+
+# needed so non superusers can read gems
+RUN chmod -R a+r /usr/local/bundle
+
+
+FROM ruby:2.6.2-alpine3.9
+LABEL maintainer="WPScan Team <team@wpscan.org>"
+
+RUN adduser -h /wpscan -g WPScan -D wpscan
+
+COPY --from=builder /usr/local/bundle /usr/local/bundle
+RUN chown -R wpscan:wpscan /wpscan
+
+# runtime dependencies
+RUN apk add --no-cache libcurl procps sqlite-libs
+
+
+USER wpscan
+RUN /usr/local/bundle/bin/wpscan --update --verbose
+
+ENTRYPOINT ["/usr/local/bundle/bin/wpscan"]
+CMD ["--help"]

Gemfile

@@ -1,11 +1,4 @@
-source "https://rubygems.org"
+# frozen_string_literal: true
 
-gem "typhoeus", "~>0.6.2"
-gem "nokogiri"
-gem "json"
-
-group :development, :test do
-  gem "webmock", "~>1.9.3"
-  gem "simplecov"
-  gem "rspec", :require => "spec"
-end
+source 'https://rubygems.org'
+gemspec

LICENSE

@@ -0,0 +1,74 @@
+WPScan Public Source License
+
+The WPScan software (henceforth referred to simply as "WPScan") is dual-licensed - Copyright 2011-2019 WPScan Team.
+
+Cases that include commercialization of WPScan require a commercial, non-free license. Otherwise, WPScan can be used without charge under the terms set out below.
+
+1. Definitions
+
+1.1 "License" means this document.
+1.2 "Contributor" means each individual or legal entity that creates, contributes to the creation of, or owns WPScan.
+1.3 "WPScan Team" means WPScan’s core developers.
+
+2. Commercialization
+
+A commercial use is one intended for commercial advantage or monetary compensation.
+
+Example cases of commercialization are:
+
+ - Using WPScan to provide commercial managed/Software-as-a-Service services.
+ - Distributing WPScan as a commercial product or as part of one.
+ - Using WPScan as a value added service/product.
+
+Example cases which do not require a commercial license, and thus fall under the terms set out below, include (but are not limited to):
+
+ - Penetration testers (or penetration testing organizations) using WPScan as part of their assessment toolkit.
+ - Penetration Testing Linux Distributions including but not limited to Kali Linux, SamuraiWTF, BackBox Linux.
+ - Using WPScan to test your own systems.
+ - Any non-commercial use of WPScan.
+
+If you need to purchase a commercial license or are unsure whether you need to purchase a commercial license contact us - team@wpscan.org.
+
+We may grant commercial licenses at no monetary cost at our own discretion if the commercial usage is deemed by the WPScan Team to significantly benefit WPScan.
+
+Free-use Terms and Conditions;
+
+3. Redistribution
+
+Redistribution is permitted under the following conditions:
+
+ - Unmodified License is provided with WPScan.
+ - Unmodified Copyright notices are provided with WPScan.
+ - Does not conflict with the commercialization clause.
+
+4. Copying
+
+Copying is permitted so long as it does not conflict with the Redistribution clause.
+
+5. Modification
+
+Modification is permitted so long as it does not conflict with the Redistribution clause.
+
+6. Contributions
+
+Any Contributions assume the Contributor grants the WPScan Team the unlimited, non-exclusive right to reuse, modify and relicense the Contributor's content.
+
+7. Support
+
+WPScan is provided under an AS-IS basis and without any support, updates or maintenance. Support, updates and maintenance may be given according to the sole discretion of the WPScan Team.
+
+8. Disclaimer of Warranty
+
+WPScan is provided under this License on an "as is" basis, without warranty of any kind, either expressed, implied, or statutory, including, without limitation, warranties that the WPScan is free of defects, merchantable, fit for a particular purpose or non-infringing.
+
+9. Limitation of Liability
+
+To the extent permitted under Law, WPScan is provided under an AS-IS basis. The WPScan Team shall never, and without any limit, be liable for any damage, cost, expense or any other payment incurred as a result of WPScan's actions, failure, bugs and/or any other interaction between WPScan and end-equipment, computers, other software or any 3rd party, end-equipment, computer or services.
+
+10. Disclaimer
+
+Running WPScan against websites without prior mutual consent may be illegal in your country. The WPScan Team accept no liability and are not responsible for any misuse or damage caused by WPScan.
+
+11. Trademark
+
+The "wpscan" term is a registered trademark. This License does not grant the use of the "wpscan" trademark or the use of the WPScan logo.

README

@@ -1,210 +0,0 @@
-__________________________________________________
- __          _______   _____
- \ \        / /  __ \ / ____|
-  \ \  /\  / /| |__) | (___   ___  __ _ _ __
-   \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
-    \  /\  /  | |     ____) | (__| (_| | | | |
-     \/  \/   |_|    |_____/ \___|\__,_|_| |_|
-__________________________________________________
-
-==LICENSE==
-
-WPScan - WordPress Security Scanner
-Copyright (C) 2011-2013 The WPScan Team
-
-This program is free software: you can redistribute it and/or modify
-it under the terms of the GNU General Public License as published by
-the Free Software Foundation, either version 3 of the License, or
-(at your option) any later version.
-
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU General Public License for more details.
-
-You should have received a copy of the GNU General Public License
-along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-ryandewhurst at gmail
-
-==INSTALL==
-
-  WPScan comes pre-installed on the following Linux distributions:
-
-   * BackBox Linux
-   * BackTrack Linux (outdated WPScan installed, update needed)
-   * Pentoo
-   * SamuraiWTF
-
-  Prerequisites:
-
-   * Windows not supported
-   * Ruby => 1.9
-   * RubyGems
-   * Git
-
-  -> Installing on Debian/Ubuntu:
-
-    sudo apt-get install libcurl4-gnutls-dev libopenssl-ruby libxml2 libxml2-dev libxslt1-dev ruby-dev
-    git clone https://github.com/wpscanteam/wpscan.git
-    cd wpscan
-    sudo gem install bundler && bundle install --without test development
-
-  -> Installing on Fedora:
-
-    sudo yum install libcurl-devel
-    git clone https://github.com/wpscanteam/wpscan.git
-    cd wpscan
-    sudo gem install bundler && bundle install --without test development
-
-  -> Installing on Archlinux:
-
-    pacman -Sy ruby
-    pacman -Sy libyaml
-
-    git clone https://github.com/wpscanteam/wpscan.git
-    cd wpscan
-    sudo gem install bundler && bundle install --without test development
-
-    gem install typhoeus
-    gem install nokogiri
-
-  -> Installing on Mac OS X:
-
-    git clone https://github.com/wpscanteam/wpscan.git
-    cd wpscan
-    sudo gem install bundler && bundle install --without test development
-
-==KNOWN ISSUES==
-
-  - Typhoeus segmentation fault:
-      Update cURL to version => 7.21 (may have to install from source)
-      See http://code.google.com/p/wpscan/issues/detail?id=81
-
-  - Proxy not working:
-      Update cURL to version => 7.21.7 (may have to install from source).
-
-      Installation from sources :
-        - Grab the sources from http://curl.haxx.se/download.html
-        - Decompress the archive
-        - Open the folder with the extracted files
-        - Run ./configure
-        - Run make
-        - Run sudo make install
-        - Run sudo ldconfig
-
-  - cannot load such file -- readline:
-      Run sudo aptitude install libreadline5-dev libncurses5-dev
-
-      Then, open the directory of the readline gem (you have to locate it)
-
-      cd ~/.rvm/src/ruby-1.9.2-p180/ext/readline
-      ruby extconf.rb
-      make
-      make install
-
-      See http://vvv.tobiassjosten.net/ruby-on-rails/fixing-readline-for-the-ruby-on-rails-console/ for more details
-
-
-==WPSCAN ARGUMENTS==
-
---update   Update to the latest revision
-
---url   | -u <target url>  The WordPress URL/domain to scan.
-
---force | -f Forces WPScan to not check if the remote site is running WordPress.
-
---enumerate | -e [option(s)]  Enumeration.
-  option :
-    u        usernames from id 1 to 10
-    u[10-20] usernames from id 10 to 20 (you must write [] chars)
-    p        plugins
-    vp       only vulnerable plugins
-    ap       all plugins (can take a long time)
-    tt       timthumbs
-    t        themes
-    vp       only vulnerable themes
-    at       all themes (can take a long time)
-  Multiple values are allowed : '-e tt,p' will enumerate timthumbs and plugins
-  If no option is supplied, the default is 'vt,tt,u,vp'
-
---exclude-content-based '<regexp or string>'  Used with the enumeration option, will exclude all occurrences based on the regexp or string supplied
-                                              You do not need to provide the regexp delimiters, but you must write the quotes (simple or double)
-
---config-file | -c <config file> Use the specified config file
-
---follow-redirection  If the target url has a redirection, it will be followed without asking if you wanted to do so or not
-
---wp-content-dir <wp content dir>  WPScan try to find the content directory (ie wp-content) by scanning the index page, however you can specified it. Subdirectories are allowed
-
---wp-plugins-dir <wp plugins dir>  Same thing than --wp-content-dir but for the plugins directory. If not supplied, WPScan will use wp-content-dir/plugins. Subdirectories are allowed
-
---proxy <[protocol://]host:port>  Supply a proxy (will override the one from conf/browser.conf.json).
-                                  HTTP, SOCKS4 SOCKS4A and SOCKS5 are supported. If no protocol is given (format host:port), HTTP will be used
-
---proxy-auth <username:password>  Supply the proxy login credentials (will override the one from conf/browser.conf.json).
-
---basic-auth <username:password>  Set the HTTP Basic authentication
-
---wordlist | -w <wordlist>  Supply a wordlist for the password bruter and do the brute.
-
---threads  | -t <number of threads>  The number of threads to use when multi-threading requests. (will override the value from conf/browser.conf.json)
-
---username | -U <username>  Only brute force the supplied username.
-
---help     | -h This help screen.
-
---verbose  | -v Verbose output.
-
-==WPSCAN EXAMPLES==
-
-Do 'non-intrusive' checks...
-
-  ruby wpscan.rb --url www.example.com
-
-Do wordlist password brute force on enumerated users using 50 threads...
-
-  ruby wpscan.rb --url www.example.com --wordlist darkc0de.lst --threads 50
-
-Do wordlist password brute force on the 'admin' username only...
-
-  ruby wpscan.rb --url www.example.com --wordlist darkc0de.lst --username admin
-
-Enumerate installed plugins...
-
-  ruby wpscan.rb --url www.example.com --enumerate p
-
-==WPSTOOLS ARGUMENTS==
-
---help    | -h   This help screen.
---Verbose | -v   Verbose output.
---update  | -u   Update to the latest revision.
---generate_plugin_list [number of pages]  Generate a new data/plugins.txt file. (supply number of *pages* to parse, default : 150)
---gpl  Alias for --generate_plugin_list
---check-local-vulnerable-files | --clvf <local directory>  Perform a recursive scan in the <local directory> to find vulnerable files or shells
-
-==WPSTOOLS EXAMPLES==
-
-- Generate a new 'most popular' plugin list, up to 150 pages ...
-ruby wpstools.rb --generate_plugin_list 150
-
-- Locally scan a wordpress installation for vulnerable files or shells :
-ruby wpstools.rb --check-local-vulnerable-files /var/www/wordpress/
-
-===PROJECT HOME===
-
-www.wpscan.org
-
-===REPOSITORY===
-
-https://github.com/wpscanteam/wpscan
-
-===ISSUES===
-
-https://github.com/wpscanteam/wpscan/issues
-
-===SPONSOR===
-
-WPScan is sponsored by the RandomStorm Open Source Initiative.
-
-Visit RandomStorm at http://www.randomstorm.com

README.md

@@ -1,232 +1,203 @@
-![alt text](http://dvwa.co.uk/images/wpscan_logo_407x80.png "WPScan - WordPress Security Scanner")
+<p align="center">
+  <a href="https://wpscan.org/">
+    <img src="https://raw.githubusercontent.com/wpscanteam/wpscan/gh-pages/images/wpscan_logo.png" alt="WPScan logo">
+  </a>
+</p>
 
-#### LICENSE
+<h3 align="center">WPScan</h3>
 
-WPScan - WordPress Security Scanner
-Copyright (C), 2011-2013 The WPScan Team
+<p align="center">
+  WordPress Vulnerability Scanner
+  <br>
+  <br>
+  <a href="https://wpscan.org/" title="homepage" target="_blank">Homepage</a> - <a href="https://wpscan.io/" title="wpscan.io" target="_blank">WPScan.io</a> - <a href="https://wpvulndb.com/" title="vulnerability database" target="_blank">Vulnerability Database</a> - <a href="https://wordpress.org/plugins/wpscan/" title="wordpress plugin" target="_blank">WordPress Plugin</a>
+</p>
 
-This program is free software: you can redistribute it and/or modify
-it under the terms of the GNU General Public License as published by
-the Free Software Foundation, either version 3 of the License, or
-(at your option) any later version.
+<p align="center">
+  <a href="https://badge.fury.io/rb/wpscan" target="_blank"><img src="https://badge.fury.io/rb/wpscan.svg"></a>
+  <a href="https://travis-ci.org/wpscanteam/wpscan" target="_blank"><img src="https://travis-ci.org/wpscanteam/wpscan.svg?branch=master"></a>
+  <a href="https://codeclimate.com/github/wpscanteam/wpscan" target="_blank"><img src="https://codeclimate.com/github/wpscanteam/wpscan/badges/gpa.svg"></a>
+  <a href="https://www.patreon.com/wpscan" target="_blank"><img src="https://img.shields.io/badge/patreon-donate-green.svg"></a>
+</p>
 
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU General Public License for more details.
+# INSTALL
 
-You should have received a copy of the GNU General Public License
-along with this program.  If not, see <http://www.gnu.org/licenses/>.
+## Prerequisites
 
-ryandewhurst at gmail
+- (Optional but highly recommended: [RVM](https://rvm.io/rvm/install))
+- Ruby >= 2.3 - Recommended: latest
+  - Ruby 2.5.0 to 2.5.3 can cause an 'undefined symbol: rmpd_util_str_to_d' error in some systems, see [#1283](https://github.com/wpscanteam/wpscan/issues/1283)
+- Curl >= 7.21  - Recommended: latest
+  - The 7.29 has a segfault
+- RubyGems      - Recommended: latest
 
-#### INSTALL
+### From RubyGems (Recommended)
 
-WPScan comes pre-installed on the following Linux distributions:
+```shell
+gem install wpscan
+```
 
-- [BackBox Linux](http://www.backbox.org/)
-- [BackTrack Linux](http://www.backtrack-linux.org/) (outdated WPScan installed, update needed)
-- [Pentoo](http://www.pentoo.ch/)
-- [SamuraiWTF](http://samurai.inguardians.com/)
+On MacOSX, if a ```Gem::FilePermissionError``` is raised due to the Apple's System Integrity Protection (SIP), either install RVM and install wpscan again, or run ```sudo gem install -n /usr/local/bin wpscan``` (see [#1286](https://github.com/wpscanteam/wpscan/issues/1286))
 
-Prerequisites:
+### From sources (NOT Recommended)
 
-- Windows not supported
-- Ruby => 1.9
-- RubyGems
-- Git
+Prerequisites: Git
 
-*Installing on Debian/Ubuntu:*
+```shell
+git clone https://github.com/wpscanteam/wpscan
 
-```sudo apt-get install libcurl4-gnutls-dev libopenssl-ruby libxml2 libxml2-dev libxslt1-dev ruby-dev```
+cd wpscan/
 
-```git clone https://github.com/wpscanteam/wpscan.git```
+bundle install && rake install
+```
 
-```cd wpscan```
+# Updating
 
-```sudo gem install bundler && bundle install --without test development```
+You can update the local database by using ```wpscan --update```
 
-*Installing on Fedora:*
+Updating WPScan itself is either done via ```gem update wpscan``` or the packages manager (this is quite important for distributions such as in Kali Linux: ```apt-get update && apt-get upgrade```) depending how WPScan was (pre)installed
 
-```sudo yum install libcurl-devel```
+# Docker
 
-```git clone https://github.com/wpscanteam/wpscan.git```
+Pull the repo with ```docker pull wpscanteam/wpscan```
 
-```cd wpscan```
+Enumerating usernames
 
-```sudo gem install bundler && bundle install --without test development```
+```shell
+docker run -it --rm wpscanteam/wpscan --url https://target.tld/ --enumerate u
+```
 
-*Installing on Archlinux:*
+Enumerating a range of usernames
 
-```pacman -Sy ruby```
+```shell
+docker run -it --rm wpscanteam/wpscan --url https://target.tld/ --enumerate u1-100
+```
 
-```pacman -Sy libyaml```
+** replace u1-100 with a range of your choice.
 
-```git clone https://github.com/wpscanteam/wpscan.git```
+# Usage
 
-```cd wpscan```
+```wpscan --url blog.tld``` This will scan the blog using default options with a good compromise between speed and accuracy. For example, the plugins will be checked passively but their version with a mixed detection mode (passively + aggressively). Potential config backup files will also be checked, along with other interesting findings. If a more stealthy approach is required, then ```wpscan --stealthy --url blog.tld``` can be used.
+As a result, when using the ```--enumerate``` option, don't forget to set the ```--plugins-detection``` accordingly, as its default is 'passive'.
 
-```sudo gem install bundler && bundle install --without test development```
+For more options, open a terminal and type ```wpscan --help``` (if you built wpscan from the source, you should type the command outside of the git repo)
 
-```gem install typhoeus```
+The DB is located at ~/.wpscan/db
 
-```gem install nokogiri```
+WPScan can load all options (including the --url) from configuration files, the following locations are checked (order: first to last):
 
-*Installing on Mac OSX:*
+- ~/.wpscan/cli_options.json
+- ~/.wpscan/cli_options.yml
+- pwd/.wpscan/cli_options.json
+- pwd/.wpscan/cli_options.yml
 
-```git clone https://github.com/wpscanteam/wpscan.git```
+If those files exist, options from them will be loaded and overridden if found twice.
 
-```cd wpscan```
+e.g:
 
-```sudo gem install bundler && bundle install --without test development```
+~/.wpscan/cli_options.yml:
 
-#### KNOWN ISSUES
+```yml
+proxy: 'http://127.0.0.1:8080'
+verbose: true
+```
 
-  - Typhoeus segmentation fault
+pwd/.wpscan/cli_options.yml:
 
-      Update cURL to version => 7.21 (may have to install from source)
-      See http://code.google.com/p/wpscan/issues/detail?id=81
+```yml
+proxy: 'socks5://127.0.0.1:9090'
+url: 'http://target.tld'
+```
 
-  - Proxy not working
+Running ```wpscan``` in the current directory (pwd), is the same as ```wpscan -v --proxy socks5://127.0.0.1:9090 --url http://target.tld```
 
-      Update cURL to version => 7.21.7 (may have to install from source).
+Enumerating usernames
 
-      Installation from sources :
-      ```
-        Grab the sources from http://curl.haxx.se/download.html
-        Decompress the archive
-        Open the folder with the extracted files
-        Run ./configure
-        Run make
-        Run sudo make install
-        Run sudo ldconfig
-      ```
+```shell
+wpscan --url https://target.tld/ --enumerate u
+```
 
-  - cannot load such file -- readline:
+Enumerating a range of usernames
 
-      ```sudo aptitude install libreadline5-dev libncurses5-dev```
+```shell
+wpscan --url https://target.tld/ --enumerate u1-100
+```
 
-      Then, open the directory of the readline gem (you have to locate it)
-      ```
-        cd ~/.rvm/src/ruby-1.9.2-p180/ext/readline
-        ruby extconf.rb
-        make
-        make install
-      ```
+** replace u1-100 with a range of your choice.
 
-      See http://vvv.tobiassjosten.net/ruby-on-rails/fixing-readline-for-the-ruby-on-rails-console/ for more details
+# LICENSE
 
-#### WPSCAN ARGUMENTS
+## WPScan Public Source License
 
-    --update  Update to the latest revision
+The WPScan software (henceforth referred to simply as "WPScan") is dual-licensed - Copyright 2011-2019 WPScan Team.
 
-    --url   | -u <target url>  The WordPress URL/domain to scan.
+Cases that include commercialization of WPScan require a commercial, non-free license. Otherwise, WPScan can be used without charge under the terms set out below.
 
-    --force | -f Forces WPScan to not check if the remote site is running WordPress.
+### 1. Definitions
 
-    --enumerate | -e [option(s)]  Enumeration.
-      option :
-        u        usernames from id 1 to 10
-        u[10-20] usernames from id 10 to 20 (you must write [] chars)
-        p        plugins
-        vp       only vulnerable plugins
-        ap       all plugins (can take a long time)
-        tt       timthumbs
-        t        themes
-        vt       only vulnerable themes
-        at       all themes (can take a long time)
-    Multiple values are allowed : '-e tt,p' will enumerate timthumbs and plugins
-    If no option is supplied, the default is 'vt,tt,u,vp'
+1.1 "License" means this document.
 
-    --exclude-content-based '<regexp or string>'  Used with the enumeration option, will exclude all occurrences based on the regexp or string supplied
-                                                  You do not need to provide the regexp delimiters, but you must write the quotes (simple or double)
+1.2 "Contributor" means each individual or legal entity that creates, contributes to the creation of, or owns WPScan.
 
-    --config-file | -c <config file> Use the specified config file
+1.3 "WPScan Team" means WPScan’s core developers.
 
-    --follow-redirection  If the target url has a redirection, it will be followed without asking if you wanted to do so or not
+### 2. Commercialization
 
-    --wp-content-dir <wp content dir>  WPScan try to find the content directory (ie wp-content) by scanning the index page, however you can specified it. Subdirectories are allowed
+A commercial use is one intended for commercial advantage or monetary compensation.
 
-    --wp-plugins-dir <wp plugins dir>  Same thing than --wp-content-dir but for the plugins directory. If not supplied, WPScan will use wp-content-dir/plugins. Subdirectories are allowed
+Example cases of commercialization are:
 
-    --proxy <[protocol://]host:port>  Supply a proxy (will override the one from conf/browser.conf.json).
-                                      HTTP, SOCKS4 SOCKS4A and SOCKS5 are supported. If no protocol is given (format host:port), HTTP will be used
+- Using WPScan to provide commercial managed/Software-as-a-Service services.
+- Distributing WPScan as a commercial product or as part of one.
+- Using WPScan as a value added service/product.
 
-    --proxy-auth <username:password>  Supply the proxy login credentials (will override the one from conf/browser.conf.json).
+Example cases which do not require a commercial license, and thus fall under the terms set out below, include (but are not limited to):
 
-    --basic-auth <username:password>  Set the HTTP Basic authentication
+- Penetration testers (or penetration testing organizations) using WPScan as part of their assessment toolkit.
+- Penetration Testing Linux Distributions including but not limited to Kali Linux, SamuraiWTF, BackBox Linux.
+- Using WPScan to test your own systems.
+- Any non-commercial use of WPScan.
 
-    --wordlist | -w <wordlist>  Supply a wordlist for the password bruter and do the brute.
+If you need to purchase a commercial license or are unsure whether you need to purchase a commercial license contact us - team@wpscan.org.
 
-    --threads  | -t <number of threads>  The number of threads to use when multi-threading requests. (will override the value from conf/browser.conf.json)
+Free-use Terms and Conditions;
 
-    --username | -U <username>  Only brute force the supplied username.
+### 3. Redistribution
 
-    --help     | -h This help screen.
+Redistribution is permitted under the following conditions:
 
-    --verbose  | -v Verbose output.
+- Unmodified License is provided with WPScan.
+- Unmodified Copyright notices are provided with WPScan.
+- Does not conflict with the commercialization clause.
 
-#### WPSCAN EXAMPLES
+### 4. Copying
 
-Do 'non-intrusive' checks...
+Copying is permitted so long as it does not conflict with the Redistribution clause.
 
-```ruby wpscan.rb --url www.example.com```
+### 5. Modification
 
-Do wordlist password brute force on enumerated users using 50 threads...
+Modification is permitted so long as it does not conflict with the Redistribution clause.
 
-```ruby wpscan.rb --url www.example.com --wordlist darkc0de.lst --threads 50```
+### 6. Contributions
 
-Do wordlist password brute force on the 'admin' username only...
+Any Contributions assume the Contributor grants the WPScan Team the unlimited, non-exclusive right to reuse, modify and relicense the Contributor's content.
 
-```ruby wpscan.rb --url www.example.com --wordlist darkc0de.lst --username admin```
+### 7. Support
 
-Enumerate installed plugins...
+WPScan is provided under an AS-IS basis and without any support, updates or maintenance. Support, updates and maintenance may be given according to the sole discretion of the WPScan Team.
 
-```ruby wpscan.rb --url www.example.com --enumerate p```
+### 8. Disclaimer of Warranty
 
-Run all enumeration tools...
+WPScan is provided under this License on an “as is” basis, without warranty of any kind, either expressed, implied, or statutory, including, without limitation, warranties that the WPScan is free of defects, merchantable, fit for a particular purpose or non-infringing.
 
-```ruby wpscan.rb --url www.example.com --enumerate```
+### 9. Limitation of Liability
 
-Use custom content directory...
+To the extent permitted under Law, WPScan is provided under an AS-IS basis. The WPScan Team shall never, and without any limit, be liable for any damage, cost, expense or any other payment incurred as a result of WPScan's actions, failure, bugs and/or any other interaction between WPScan and end-equipment, computers, other software or any 3rd party, end-equipment, computer or services.
 
-```ruby wpscan.rb -u www.example.com --wp-content-dir custom-content```
+### 10. Disclaimer
 
-Update WPScan...
+Running WPScan against websites without prior mutual consent may be illegal in your country. The WPScan Team accept no liability and are not responsible for any misuse or damage caused by WPScan.
 
-```ruby wpscan.rb --update```
+### 11. Trademark
 
-#### WPSTOOLS ARGUMENTS
-
-    --help    | -h   This help screen.
-    --Verbose | -v   Verbose output.
-    --update  | -u   Update to the latest revision.
-    --generate_plugin_list [number of pages]  Generate a new data/plugins.txt file. (supply number of *pages* to parse, default : 150)
-    --gpl  Alias for --generate_plugin_list
-    --check-local-vulnerable-files | --clvf <local directory>  Perform a recursive scan in the <local directory> to find vulnerable files or shells
-
-#### WPSTOOLS EXAMPLES
-
-Generate a new 'most popular' plugin list, up to 150 pages...
-
-```ruby wpstools.rb --generate_plugin_list 150```
-
-Locally scan a wordpress installation for vulnerable files or shells :
-```ruby wpstools.rb --check-local-vulnerable-files /var/www/wordpress/```
-
-
-#### PROJECT HOME
-
-www.wpscan.org
-
-#### GIT REPOSITORY
-
-https://github.com/wpscanteam/wpscan
-
-#### ISSUES
-
-https://github.com/wpscanteam/wpscan/issues
-
-#### SPONSOR
-
-WPScan is sponsored by the [RandomStorm](http://www.randomstorm.com) Open Source Initiative.
+The "wpscan" term is a registered trademark. This License does not grant the use of the "wpscan" trademark or the use of the WPScan logo.

Rakefile

@@ -0,0 +1,24 @@
+# rubocop:disable all
+
+require 'bundler/gem_tasks'
+
+exec = []
+
+begin
+  require 'rubocop/rake_task'
+  RuboCop::RakeTask.new
+  exec << :rubocop
+rescue LoadError
+end
+
+begin
+  require 'rspec/core/rake_task'
+  RSpec::Core::RakeTask.new(:spec)
+  exec << :spec
+rescue LoadError
+end
+
+# Run rubocop & rspec before the build (only if installed)
+task build: exec
+
+# rubocop:enable all

app/app.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+require_relative 'models'
+require_relative 'finders'
+require_relative 'controllers'

app/controllers.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+require_relative 'controllers/core'
+require_relative 'controllers/custom_directories'
+require_relative 'controllers/wp_version'
+require_relative 'controllers/main_theme'
+require_relative 'controllers/enumeration'
+require_relative 'controllers/password_attack'
+require_relative 'controllers/aliases'

app/controllers/aliases.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Controller
+    # Controller to add the aliases in the CLI
+    class Aliases < CMSScanner::Controller::Base
+      def cli_options
+        [
+          OptAlias.new(['--stealthy'],
+                       alias_for: '--random-user-agent --detection-mode passive --plugins-version-detection passive')
+        ]
+      end
+    end
+  end
+end

app/controllers/core.rb

@@ -0,0 +1,106 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Controller
+    # Specific Core controller to include WordPress checks
+    class Core < CMSScanner::Controller::Core
+      # @return [ Array<OptParseValidator::Opt> ]
+      def cli_options
+        [OptURL.new(['--url URL', 'The URL of the blog to scan'],
+                    required_unless: %i[update help hh version], default_protocol: 'http')] +
+          super.drop(1) + # delete the --url from CMSScanner
+          [
+            OptChoice.new(['--server SERVER', 'Force the supplied server module to be loaded'],
+                          choices: %w[apache iis nginx],
+                          normalize: %i[downcase to_sym],
+                          advanced: true),
+            OptBoolean.new(['--force', 'Do not check if the target is running WordPress']),
+            OptBoolean.new(['--[no-]update', 'Whether or not to update the Database'])
+          ]
+      end
+
+      # @return [ DB::Updater ]
+      def local_db
+        @local_db ||= DB::Updater.new(DB_DIR)
+      end
+
+      # @return [ Boolean ]
+      def update_db_required?
+        if local_db.missing_files?
+          raise Error::MissingDatabaseFile if parsed_options[:update] == false
+
+          return true
+        end
+
+        return parsed_options[:update] unless parsed_options[:update].nil?
+
+        return false unless user_interaction? && local_db.outdated?
+
+        output('@notice', msg: 'It seems like you have not updated the database for some time.')
+        print '[?] Do you want to update now? [Y]es [N]o, default: [N]'
+
+        Readline.readline =~ /^y/i ? true : false
+      end
+
+      def update_db
+        output('db_update_started')
+        output('db_update_finished', updated: local_db.update, verbose: parsed_options[:verbose])
+
+        exit(0) unless parsed_options[:url]
+      end
+
+      def before_scan
+        @last_update = local_db.last_update
+
+        maybe_output_banner_help_and_version # From CMS Scanner
+
+        update_db if update_db_required?
+        setup_cache
+        check_target_availability
+        load_server_module
+        check_wordpress_state
+      end
+
+      # Raises errors if the target is hosted on wordpress.com or is not running WordPress
+      # Also check if the homepage_url is still the install url
+      def check_wordpress_state
+        raise Error::WordPressHosted if target.wordpress_hosted?
+
+        if Addressable::URI.parse(target.homepage_url).path =~ %r{/wp-admin/install.php$}i
+
+          output('not_fully_configured', url: target.homepage_url)
+
+          exit(WPScan::ExitCode::VULNERABLE)
+        end
+
+        raise Error::NotWordPress unless target.wordpress?(parsed_options[:detection_mode]) || parsed_options[:force]
+      end
+
+      # Loads the related server module in the target
+      # and includes it in the WpItem class which will be needed
+      # to check if directory listing is enabled etc
+      #
+      # @return [ Symbol ] The server module loaded
+      def load_server_module
+        server = target.server || :Apache # Tries to auto detect the server
+
+        # Force a specific server module to be loaded if supplied
+        case parsed_options[:server]
+        when :apache
+          server = :Apache
+        when :iis
+          server = :IIS
+        when :nginx
+          server = :Nginx
+        end
+
+        mod = CMSScanner::Target::Server.const_get(server)
+
+        target.extend mod
+        Model::WpItem.include mod
+
+        server
+      end
+    end
+  end
+end

app/controllers/custom_directories.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Controller
+    # Controller to ensure that the wp-content and wp-plugins
+    # directories are found
+    class CustomDirectories < CMSScanner::Controller::Base
+      def cli_options
+        [
+          OptString.new(['--wp-content-dir DIR']),
+          OptString.new(['--wp-plugins-dir DIR'])
+        ]
+      end
+
+      def before_scan
+        target.content_dir = parsed_options[:wp_content_dir] if parsed_options[:wp_content_dir]
+        target.plugins_dir = parsed_options[:wp_plugins_dir] if parsed_options[:wp_plugins_dir]
+
+        return if target.content_dir
+
+        raise Error::WpContentDirNotDetected
+      end
+    end
+  end
+end

app/controllers/enumeration.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require_relative 'enumeration/cli_options'
+require_relative 'enumeration/enum_methods'
+
+module WPScan
+  module Controller
+    # Enumeration Controller
+    class Enumeration < CMSScanner::Controller::Base
+      def before_scan
+        DB::DynamicFinders::Plugin.create_versions_finders
+        DB::DynamicFinders::Theme.create_versions_finders
+
+        # Force the Garbage Collector to run due to the above method being
+        # quite heavy in objects allocation
+        GC.start
+      end
+
+      def run
+        enum = parsed_options[:enumerate] || {}
+
+        enum_plugins if enum_plugins?(enum)
+        enum_themes  if enum_themes?(enum)
+
+        %i[timthumbs config_backups db_exports medias].each do |key|
+          send("enum_#{key}".to_sym) if enum.key?(key)
+        end
+
+        enum_users if enum_users?(enum)
+      end
+    end
+  end
+end

app/controllers/enumeration/cli_options.rb

@@ -0,0 +1,171 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Controller
+    # Enumeration CLI Options
+    class Enumeration < CMSScanner::Controller::Base
+      def cli_options
+        cli_enum_choices + cli_plugins_opts + cli_themes_opts +
+          cli_timthumbs_opts + cli_config_backups_opts + cli_db_exports_opts +
+          cli_medias_opts + cli_users_opts
+      end
+
+      # @return [ Array<OptParseValidator::OptBase> ]
+      # rubocop:disable Metrics/MethodLength
+      def cli_enum_choices
+        [
+          OptMultiChoices.new(
+            ['-e', '--enumerate [OPTS]', 'Enumeration Process'],
+            choices: {
+              vp: OptBoolean.new(['--vulnerable-plugins']),
+              ap: OptBoolean.new(['--all-plugins']),
+              p: OptBoolean.new(['--plugins']),
+              vt: OptBoolean.new(['--vulnerable-themes']),
+              at: OptBoolean.new(['--all-themes']),
+              t: OptBoolean.new(['--themes']),
+              tt: OptBoolean.new(['--timthumbs']),
+              cb: OptBoolean.new(['--config-backups']),
+              dbe: OptBoolean.new(['--db-exports']),
+              u: OptIntegerRange.new(['--users', 'User IDs range. e.g: u1-5'], value_if_empty: '1-10'),
+              m: OptIntegerRange.new(['--medias',
+                                      'Media IDs range. e.g m1-15',
+                                      'Note: Permalink setting must be set to "Plain" for those to be detected'],
+                                     value_if_empty: '1-100')
+            },
+            value_if_empty: 'vp,vt,tt,cb,dbe,u,m',
+            incompatible: [%i[vp ap p], %i[vt at t]],
+            default: { all_plugins: true, config_backups: true }
+          ),
+          OptRegexp.new(
+            [
+              '--exclude-content-based REGEXP_OR_STRING',
+              'Exclude all responses matching the Regexp (case insensitive) during parts of the enumeration.',
+              'Both the headers and body are checked. Regexp delimiters are not required.'
+            ], options: Regexp::IGNORECASE
+          )
+        ]
+      end
+      # rubocop:enable Metrics/MethodLength
+
+      # @return [ Array<OptParseValidator::OptBase> ]
+      def cli_plugins_opts
+        [
+          OptSmartList.new(['--plugins-list LIST', 'List of plugins to enumerate'], advanced: true),
+          OptChoice.new(
+            ['--plugins-detection MODE',
+             'Use the supplied mode to enumerate Plugins, instead of the global (--detection-mode) mode.'],
+            choices: %w[mixed passive aggressive], normalize: :to_sym, default: :passive
+          ),
+          OptBoolean.new(
+            ['--plugins-version-all',
+             'Check all the plugins version locations according to the choosen mode (--detection-mode, ' \
+             '--plugins-detection and --plugins-version-detection)'],
+            advanced: true
+          ),
+          OptChoice.new(
+            ['--plugins-version-detection MODE',
+             'Use the supplied mode to check plugins versions instead of the --detection-mode ' \
+             'or --plugins-detection modes.'],
+            choices: %w[mixed passive aggressive], normalize: :to_sym, default: :mixed
+          )
+        ]
+      end
+
+      # @return [ Array<OptParseValidator::OptBase> ]
+      def cli_themes_opts
+        [
+          OptSmartList.new(['--themes-list LIST', 'List of themes to enumerate'], advanced: true),
+          OptChoice.new(
+            ['--themes-detection MODE',
+             'Use the supplied mode to enumerate Themes, instead of the global (--detection-mode) mode.'],
+            choices: %w[mixed passive aggressive], normalize: :to_sym, advanced: true
+          ),
+          OptBoolean.new(
+            ['--themes-version-all',
+             'Check all the themes version locations according to the choosen mode (--detection-mode, ' \
+             '--themes-detection and --themes-version-detection)'],
+            advanced: true
+          ),
+          OptChoice.new(
+            ['--themes-version-detection MODE',
+             'Use the supplied mode to check themes versions instead of the --detection-mode ' \
+             'or --themes-detection modes.'],
+            choices: %w[mixed passive aggressive], normalize: :to_sym, advanced: true
+          )
+        ]
+      end
+
+      # @return [ Array<OptParseValidator::OptBase> ]
+      def cli_timthumbs_opts
+        [
+          OptFilePath.new(
+            ['--timthumbs-list FILE-PATH', 'List of timthumbs\' location to use'],
+            exists: true, default: DB_DIR.join('timthumbs-v3.txt').to_s, advanced: true
+          ),
+          OptChoice.new(
+            ['--timthumbs-detection MODE',
+             'Use the supplied mode to enumerate Timthumbs, instead of the global (--detection-mode) mode.'],
+            choices: %w[mixed passive aggressive], normalize: :to_sym, advanced: true
+          )
+        ]
+      end
+
+      # @return [ Array<OptParseValidator::OptBase> ]
+      def cli_config_backups_opts
+        [
+          OptFilePath.new(
+            ['--config-backups-list FILE-PATH', 'List of config backups\' filenames to use'],
+            exists: true, default: DB_DIR.join('config_backups.txt').to_s, advanced: true
+          ),
+          OptChoice.new(
+            ['--config-backups-detection MODE',
+             'Use the supplied mode to enumerate Config Backups, instead of the global (--detection-mode) mode.'],
+            choices: %w[mixed passive aggressive], normalize: :to_sym, advanced: true
+          )
+        ]
+      end
+
+      # @return [ Array<OptParseValidator::OptBase> ]
+      def cli_db_exports_opts
+        [
+          OptFilePath.new(
+            ['--db-exports-list FILE-PATH', 'List of DB exports\' paths to use'],
+            exists: true, default: DB_DIR.join('db_exports.txt').to_s, advanced: true
+          ),
+          OptChoice.new(
+            ['--db-exports-detection MODE',
+             'Use the supplied mode to enumerate DB Exports, instead of the global (--detection-mode) mode.'],
+            choices: %w[mixed passive aggressive], normalize: :to_sym, advanced: true
+          )
+        ]
+      end
+
+      # @return [ Array<OptParseValidator::OptBase> ]
+      def cli_medias_opts
+        [
+          OptChoice.new(
+            ['--medias-detection MODE',
+             'Use the supplied mode to enumerate Medias, instead of the global (--detection-mode) mode.'],
+            choices: %w[mixed passive aggressive], normalize: :to_sym, advanced: true
+          )
+        ]
+      end
+
+      # @return [ Array<OptParseValidator::OptBase> ]
+      def cli_users_opts
+        [
+          OptSmartList.new(
+            ['--users-list LIST',
+             'List of users to check during the users enumeration from the Login Error Messages'],
+            advanced: true
+          ),
+          OptChoice.new(
+            ['--users-detection MODE',
+             'Use the supplied mode to enumerate Users, instead of the global (--detection-mode) mode.'],
+            choices: %w[mixed passive aggressive], normalize: :to_sym, advanced: true
+          )
+        ]
+      end
+    end
+  end
+end

app/controllers/enumeration/enum_methods.rb

@@ -0,0 +1,205 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Controller
+    # Enumeration Methods
+    class Enumeration < CMSScanner::Controller::Base
+      # @param [ String ] type (plugins or themes)
+      # @param [ Symbol ] detection_mode
+      #
+      # @return [ String ] The related enumration message depending on the parsed_options and type supplied
+      def enum_message(type, detection_mode)
+        return unless %w[plugins themes].include?(type)
+
+        details = if parsed_options[:enumerate][:"vulnerable_#{type}"]
+                    'Vulnerable'
+                  elsif parsed_options[:enumerate][:"all_#{type}"]
+                    'All'
+                  else
+                    'Most Popular'
+                  end
+
+        "Enumerating #{details} #{type.capitalize} #{enum_detection_message(detection_mode)}"
+      end
+
+      # @param [ Symbol ] detection_mode
+      #
+      # @return [ String ]
+      def enum_detection_message(detection_mode)
+        detection_method = if detection_mode == :mixed
+                             'Passive and Aggressive'
+                           else
+                             detection_mode.to_s.capitalize
+                           end
+
+        "(via #{detection_method} Methods)"
+      end
+
+      # @param [ String ] type (plugins, themes etc)
+      #
+      # @return [ Hash ]
+      def default_opts(type)
+        mode = parsed_options[:"#{type}_detection"] || parsed_options[:detection_mode]
+
+        {
+          mode: mode,
+          exclude_content: parsed_options[:exclude_content_based],
+          show_progression: user_interaction?,
+          version_detection: {
+            mode: parsed_options[:"#{type}_version_detection"] || mode,
+            confidence_threshold: parsed_options[:"#{type}_version_all"] ? 0 : 100
+          }
+        }
+      end
+
+      # @param [ Hash ] opts
+      #
+      # @return [ Boolean ] Wether or not to enumerate the plugins
+      def enum_plugins?(opts)
+        opts[:plugins] || opts[:all_plugins] || opts[:vulnerable_plugins]
+      end
+
+      def enum_plugins
+        opts = default_opts('plugins').merge(
+          list: plugins_list_from_opts(parsed_options),
+          sort: true
+        )
+
+        output('@info', msg: enum_message('plugins', opts[:mode])) if user_interaction?
+        # Enumerate the plugins & find their versions to avoid doing that when #version
+        # is called in the view
+        plugins = target.plugins(opts)
+
+        if user_interaction? && !plugins.empty?
+          output('@info',
+                 msg: "Checking Plugin Versions #{enum_detection_message(opts[:version_detection][:mode])}")
+        end
+
+        plugins.each(&:version)
+
+        plugins.select!(&:vulnerable?) if parsed_options[:enumerate][:vulnerable_plugins]
+
+        output('plugins', plugins: plugins)
+      end
+
+      # @param [ Hash ] opts
+      #
+      # @return [ Array<String> ] The plugins list associated to the cli options
+      def plugins_list_from_opts(opts)
+        # List file provided by the user via the cli
+        return opts[:plugins_list] if opts[:plugins_list]
+
+        if opts[:enumerate][:all_plugins]
+          DB::Plugins.all_slugs
+        elsif opts[:enumerate][:plugins]
+          DB::Plugins.popular_slugs
+        else
+          DB::Plugins.vulnerable_slugs
+        end
+      end
+
+      # @param [ Hash ] opts
+      #
+      # @return [ Boolean ] Wether or not to enumerate the themes
+      def enum_themes?(opts)
+        opts[:themes] || opts[:all_themes] || opts[:vulnerable_themes]
+      end
+
+      def enum_themes
+        opts = default_opts('themes').merge(
+          list: themes_list_from_opts(parsed_options),
+          sort: true
+        )
+
+        output('@info', msg: enum_message('themes', opts[:mode])) if user_interaction?
+        # Enumerate the themes & find their versions to avoid doing that when #version
+        # is called in the view
+        themes = target.themes(opts)
+
+        if user_interaction? && !themes.empty?
+          output('@info',
+                 msg: "Checking Theme Versions #{enum_detection_message(opts[:version_detection][:mode])}")
+        end
+
+        themes.each(&:version)
+
+        themes.select!(&:vulnerable?) if parsed_options[:enumerate][:vulnerable_themes]
+
+        output('themes', themes: themes)
+      end
+
+      # @param [ Hash ] opts
+      #
+      # @return [ Array<String> ] The themes list associated to the cli options
+      def themes_list_from_opts(opts)
+        # List file provided by the user via the cli
+        return opts[:themes_list] if opts[:themes_list]
+
+        if opts[:enumerate][:all_themes]
+          DB::Themes.all_slugs
+        elsif opts[:enumerate][:themes]
+          DB::Themes.popular_slugs
+        else
+          DB::Themes.vulnerable_slugs
+        end
+      end
+
+      def enum_timthumbs
+        opts = default_opts('timthumbs').merge(list: parsed_options[:timthumbs_list])
+
+        output('@info', msg: "Enumerating Timthumbs #{enum_detection_message(opts[:mode])}") if user_interaction?
+        output('timthumbs', timthumbs: target.timthumbs(opts))
+      end
+
+      def enum_config_backups
+        opts = default_opts('config_backups').merge(list: parsed_options[:config_backups_list])
+
+        output('@info', msg: "Enumerating Config Backups #{enum_detection_message(opts[:mode])}") if user_interaction?
+        output('config_backups', config_backups: target.config_backups(opts))
+      end
+
+      def enum_db_exports
+        opts = default_opts('db_exports').merge(list: parsed_options[:db_exports_list])
+
+        output('@info', msg: "Enumerating DB Exports #{enum_detection_message(opts[:mode])}") if user_interaction?
+        output('db_exports', db_exports: target.db_exports(opts))
+      end
+
+      def enum_medias
+        opts = default_opts('medias').merge(range: parsed_options[:enumerate][:medias])
+
+        if user_interaction?
+          output('@info',
+                 msg: "Enumerating Medias #{enum_detection_message(opts[:mode])} "\
+                      '(Permalink setting must be set to "Plain" for those to be detected)')
+        end
+
+        output('medias', medias: target.medias(opts))
+      end
+
+      # @param [ Hash ] opts
+      #
+      # @return [ Boolean ] Wether or not to enumerate the users
+      def enum_users?(opts)
+        opts[:users] || (parsed_options[:passwords] && !parsed_options[:username] && !parsed_options[:usernames])
+      end
+
+      def enum_users
+        opts = default_opts('users').merge(
+          range: enum_users_range,
+          list: parsed_options[:users_list]
+        )
+
+        output('@info', msg: "Enumerating Users #{enum_detection_message(opts[:mode])}") if user_interaction?
+        output('users', users: target.users(opts))
+      end
+
+      # @return [ Range ] The user ids range to enumerate
+      # If the --enumerate is used, the default value is handled by the Option
+      # However, when using --passwords alone, the default has to be set by the code below
+      def enum_users_range
+        parsed_options[:enumerate][:users] || cli_enum_choices[0].choices[:u].validate(nil)
+      end
+    end
+  end
+end

app/controllers/main_theme.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Controller
+    # Main Theme Controller
+    class MainTheme < CMSScanner::Controller::Base
+      def cli_options
+        [
+          OptChoice.new(
+            ['--main-theme-detection MODE',
+             'Use the supplied mode for the Main theme detection, instead of the global (--detection-mode) mode.'],
+            choices: %w[mixed passive aggressive], normalize: :to_sym, advanced: true
+          )
+        ]
+      end
+
+      def run
+        output(
+          'theme',
+          theme: target.main_theme(
+            mode: parsed_options[:main_theme_detection] || parsed_options[:detection_mode]
+          ),
+          verbose: parsed_options[:verbose]
+        )
+      end
+    end
+  end
+end

app/controllers/password_attack.rb

@@ -0,0 +1,114 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Controller
+    # Password Attack Controller
+    class PasswordAttack < CMSScanner::Controller::Base
+      def cli_options
+        [
+          OptFilePath.new(
+            ['--passwords FILE-PATH', '-P',
+             'List of passwords to use during the password attack.',
+             'If no --username/s option supplied, user enumeration will be run.'],
+            exists: true
+          ),
+          OptSmartList.new(['--usernames LIST', '-U', 'List of usernames to use during the password attack.']),
+          OptInteger.new(['--multicall-max-passwords MAX_PWD',
+                          'Maximum number of passwords to send by request with XMLRPC multicall'],
+                         default: 500),
+          OptChoice.new(['--password-attack ATTACK',
+                         'Force the supplied attack to be used rather than automatically determining one.'],
+                        choices: %w[wp-login xmlrpc xmlrpc-multicall],
+                        normalize: %i[downcase underscore to_sym])
+        ]
+      end
+
+      def run
+        return unless parsed_options[:passwords]
+
+        if user_interaction?
+          output('@info',
+                 msg: "Performing password attack on #{attacker.titleize} against #{users.size} user/s")
+        end
+
+        attack_opts = {
+          show_progression: user_interaction?,
+          multicall_max_passwords: parsed_options[:multicall_max_passwords]
+        }
+
+        begin
+          found = []
+
+          attacker.attack(users, passwords(parsed_options[:passwords]), attack_opts) do |user|
+            found << user
+
+            attacker.progress_bar.log("[SUCCESS] - #{user.username} / #{user.password}")
+          end
+        ensure
+          output('users', users: found)
+        end
+      end
+
+      # @return [ CMSScanner::Finders::Finder ] The finder used to perform the attack
+      def attacker
+        @attacker ||= attacker_from_cli_options || attacker_from_automatic_detection
+      end
+
+      # @return [ Model::XMLRPC ]
+      def xmlrpc
+        @xmlrpc ||= target.xmlrpc
+      end
+
+      # @return [ CMSScanner::Finders::Finder ]
+      def attacker_from_cli_options
+        return unless parsed_options[:password_attack]
+
+        case parsed_options[:password_attack]
+        when :wp_login
+          WPScan::Finders::Passwords::WpLogin.new(target)
+        when :xmlrpc
+          raise Error::XMLRPCNotDetected unless xmlrpc
+
+          WPScan::Finders::Passwords::XMLRPC.new(xmlrpc)
+        when :xmlrpc_multicall
+          raise Error::XMLRPCNotDetected unless xmlrpc
+
+          WPScan::Finders::Passwords::XMLRPCMulticall.new(xmlrpc)
+        end
+      end
+
+      # @return [ CMSScanner::Finders::Finder ]
+      def attacker_from_automatic_detection
+        if xmlrpc&.enabled? && xmlrpc.available_methods.include?('wp.getUsersBlogs')
+          wp_version = target.wp_version
+
+          if wp_version && wp_version < '4.4'
+            WPScan::Finders::Passwords::XMLRPCMulticall.new(xmlrpc)
+          else
+            WPScan::Finders::Passwords::XMLRPC.new(xmlrpc)
+          end
+        else
+          WPScan::Finders::Passwords::WpLogin.new(target)
+        end
+      end
+
+      # @return [ Array<Users> ] The users to brute force
+      def users
+        return target.users unless parsed_options[:usernames]
+
+        parsed_options[:usernames].reduce([]) do |acc, elem|
+          acc << Model::User.new(elem.chomp)
+        end
+      end
+
+      # @param [ String ] wordlist_path
+      #
+      # @return [ Array<String> ]
+      def passwords(wordlist_path)
+        @passwords ||= File.open(wordlist_path).reduce([]) do |acc, elem|
+          acc << elem.chomp
+        end
+      end
+    end
+  end
+end

app/controllers/wp_version.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Controller
+    # Wp Version Controller
+    class WpVersion < CMSScanner::Controller::Base
+      def cli_options
+        [
+          OptBoolean.new(['--wp-version-all', 'Check all the version locations'], advanced: true),
+          OptChoice.new(
+            ['--wp-version-detection MODE',
+             'Use the supplied mode for the WordPress version detection, ' \
+             'instead of the global (--detection-mode) mode.'],
+            choices: %w[mixed passive aggressive], normalize: :to_sym, advanced: true
+          )
+        ]
+      end
+
+      def before_scan
+        WPScan::DB::DynamicFinders::Wordpress.create_versions_finders
+      end
+
+      def run
+        output(
+          'version',
+          version: target.wp_version(
+            mode: parsed_options[:wp_version_detection] || parsed_options[:detection_mode],
+            confidence_threshold: parsed_options[:wp_version_all] ? 0 : 100,
+            show_progression: user_interaction?
+          )
+        )
+      end
+    end
+  end
+end

app/finders.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+require_relative 'finders/interesting_findings'
+require_relative 'finders/wp_items'
+require_relative 'finders/wp_version'
+require_relative 'finders/main_theme'
+require_relative 'finders/timthumb_version'
+require_relative 'finders/timthumbs'
+require_relative 'finders/config_backups'
+require_relative 'finders/db_exports'
+require_relative 'finders/medias'
+require_relative 'finders/users'
+require_relative 'finders/plugins'
+require_relative 'finders/plugin_version'
+require_relative 'finders/theme_version'
+require_relative 'finders/themes'
+require_relative 'finders/passwords'

app/finders/config_backups.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require_relative 'config_backups/known_filenames'
+
+module WPScan
+  module Finders
+    module ConfigBackups
+      # Config Backup Finder
+      class Base
+        include CMSScanner::Finders::SameTypeFinder
+
+        # @param [ WPScan::Target ] target
+        def initialize(target)
+          finders << ConfigBackups::KnownFilenames.new(target)
+        end
+      end
+    end
+  end
+end

app/finders/config_backups/known_filenames.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module ConfigBackups
+      # Config Backup finder
+      class KnownFilenames < CMSScanner::Finders::Finder
+        include CMSScanner::Finders::Finder::Enumerator
+
+        # @param [ Hash ] opts
+        # @option opts [ String ] :list
+        # @option opts [ Boolean ] :show_progression
+        #
+        # @return [ Array<ConfigBackup> ]
+        def aggressive(opts = {})
+          found = []
+
+          enumerate(potential_urls(opts), opts.merge(check_full_response: 200)) do |res|
+            next unless res.body =~ /define/i && res.body !~ /<\s?html/i
+
+            found << Model::ConfigBackup.new(res.request.url, found_by: DIRECT_ACCESS, confidence: 100)
+          end
+
+          found
+        end
+
+        # @param [ Hash ] opts
+        # @option opts [ String ] :list Mandatory
+        #
+        # @return [ Hash ]
+        def potential_urls(opts = {})
+          urls = {}
+
+          File.open(opts[:list]).each_with_index do |file, index|
+            urls[target.url(file.chomp)] = index
+          end
+
+          urls
+        end
+
+        def create_progress_bar(opts = {})
+          super(opts.merge(title: ' Checking Config Backups -'))
+        end
+      end
+    end
+  end
+end

app/finders/db_exports.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require_relative 'db_exports/known_locations'
+
+module WPScan
+  module Finders
+    module DbExports
+      # DB Exports Finder
+      class Base
+        include CMSScanner::Finders::SameTypeFinder
+
+        # @param [ WPScan::Target ] target
+        def initialize(target)
+          finders << DbExports::KnownLocations.new(target)
+        end
+      end
+    end
+  end
+end

app/finders/db_exports/known_locations.rb

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module DbExports
+      # DB Exports finder
+      # See https://github.com/wpscanteam/wpscan-v3/issues/62
+      class KnownLocations < CMSScanner::Finders::Finder
+        include CMSScanner::Finders::Finder::Enumerator
+
+        SQL_PATTERN = /(?:DROP|(?:UN)?LOCK|CREATE) TABLE|INSERT INTO/.freeze
+
+        # @param [ Hash ] opts
+        # @option opts [ String ] :list
+        # @option opts [ Boolean ] :show_progression
+        #
+        # @return [ Array<DBExport> ]
+        def aggressive(opts = {})
+          found = []
+
+          enumerate(potential_urls(opts), opts.merge(check_full_response: 200)) do |res|
+            if res.effective_url.end_with?('.zip')
+              next unless res.headers['Content-Type'] =~ %r{\Aapplication/zip}i
+            else
+              next unless res.body =~ SQL_PATTERN
+            end
+
+            found << Model::DbExport.new(res.request.url, found_by: DIRECT_ACCESS, confidence: 100)
+          end
+
+          found
+        end
+
+        def full_request_params
+          @full_request_params ||= { headers: { 'Range' => 'bytes=0-3000' } }
+        end
+
+        # @param [ Hash ] opts
+        # @option opts [ String ] :list Mandatory
+        #
+        # @return [ Hash ]
+        def potential_urls(opts = {})
+          urls        = {}
+          domain_name = target.uri.host[/(^[\w|-]+)/, 1]
+
+          File.open(opts[:list]).each_with_index do |path, index|
+            path.gsub!('{domain_name}', domain_name)
+
+            urls[target.url(path.chomp)] = index
+          end
+
+          urls
+        end
+
+        def create_progress_bar(opts = {})
+          super(opts.merge(title: ' Checking DB Exports -'))
+        end
+      end
+    end
+  end
+end

app/finders/interesting_findings.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+require_relative 'interesting_findings/readme'
+require_relative 'interesting_findings/wp_cron'
+require_relative 'interesting_findings/multisite'
+require_relative 'interesting_findings/debug_log'
+require_relative 'interesting_findings/backup_db'
+require_relative 'interesting_findings/mu_plugins'
+require_relative 'interesting_findings/registration'
+require_relative 'interesting_findings/tmm_db_migrate'
+require_relative 'interesting_findings/upload_sql_dump'
+require_relative 'interesting_findings/full_path_disclosure'
+require_relative 'interesting_findings/duplicator_installer_log'
+require_relative 'interesting_findings/upload_directory_listing'
+require_relative 'interesting_findings/emergency_pwd_reset_script'
+
+module WPScan
+  module Finders
+    module InterestingFindings
+      # Interesting Files Finder
+      class Base < CMSScanner::Finders::InterestingFindings::Base
+        # @param [ WPScan::Target ] target
+        def initialize(target)
+          super(target)
+
+          %w[
+            Readme DebugLog FullPathDisclosure BackupDB DuplicatorInstallerLog
+            Multisite MuPlugins Registration UploadDirectoryListing TmmDbMigrate
+            UploadSQLDump EmergencyPwdResetScript WPCron
+          ].each do |f|
+            finders << InterestingFindings.const_get(f).new(target)
+          end
+        end
+      end
+    end
+  end
+end

app/finders/interesting_findings/backup_db.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module InterestingFindings
+      # BackupDB finder
+      class BackupDB < CMSScanner::Finders::Finder
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          path = 'wp-content/backup-db/'
+          res  = target.head_and_get(path, [200, 403])
+
+          return unless [200, 403].include?(res.code) && !target.homepage_or_404?(res)
+
+          Model::BackupDB.new(
+            target.url(path),
+            confidence: 70,
+            found_by: DIRECT_ACCESS,
+            interesting_entries: target.directory_listing_entries(path),
+            references: { url: 'https://github.com/wpscanteam/wpscan/issues/422' }
+          )
+        end
+      end
+    end
+  end
+end

app/finders/interesting_findings/debug_log.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module InterestingFindings
+      # debug.log finder
+      class DebugLog < CMSScanner::Finders::Finder
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          path = 'wp-content/debug.log'
+
+          return unless target.debug_log?(path)
+
+          Model::DebugLog.new(
+            target.url(path),
+            confidence: 100, found_by: DIRECT_ACCESS,
+            references: { url: 'https://codex.wordpress.org/Debugging_in_WordPress' }
+          )
+        end
+      end
+    end
+  end
+end

app/finders/interesting_findings/duplicator_installer_log.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module InterestingFindings
+      # DuplicatorInstallerLog finder
+      class DuplicatorInstallerLog < CMSScanner::Finders::Finder
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          path = 'installer-log.txt'
+
+          return unless target.head_and_get(path).body =~ /DUPLICATOR INSTALL-LOG/
+
+          Model::DuplicatorInstallerLog.new(
+            target.url(path),
+            confidence: 100,
+            found_by: DIRECT_ACCESS,
+            references: { url: 'https://www.exploit-db.com/ghdb/3981/' }
+          )
+        end
+      end
+    end
+  end
+end

app/finders/interesting_findings/emergency_pwd_reset_script.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module InterestingFindings
+      # Emergency Password Reset Script finder
+      class EmergencyPwdResetScript < CMSScanner::Finders::Finder
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          path = 'emergency.php'
+          res  = target.head_and_get(path)
+
+          return unless res.code == 200 && !target.homepage_or_404?(res)
+
+          Model::EmergencyPwdResetScript.new(
+            target.url(path),
+            confidence: res.body =~ /password/i ? 100 : 40,
+            found_by: DIRECT_ACCESS,
+            references: {
+              url: 'https://codex.wordpress.org/Resetting_Your_Password#Using_the_Emergency_Password_Reset_Script'
+            }
+          )
+        end
+      end
+    end
+  end
+end

app/finders/interesting_findings/full_path_disclosure.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module InterestingFindings
+      # Full Path Disclosure finder
+      class FullPathDisclosure < CMSScanner::Finders::Finder
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          path        = 'wp-includes/rss-functions.php'
+          fpd_entries = target.full_path_disclosure_entries(path)
+
+          return if fpd_entries.empty?
+
+          Model::FullPathDisclosure.new(
+            target.url(path),
+            confidence: 100,
+            found_by: DIRECT_ACCESS,
+            interesting_entries: fpd_entries,
+            references: { url: 'https://www.owasp.org/index.php/Full_Path_Disclosure' }
+          )
+        end
+      end
+    end
+  end
+end

app/finders/interesting_findings/mu_plugins.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module InterestingFindings
+      # Must Use Plugins Directory checker
+      class MuPlugins < CMSScanner::Finders::Finder
+        # @return [ InterestingFinding ]
+        def passive(_opts = {})
+          pattern = %r{#{target.content_dir}/mu\-plugins/}i
+
+          target.in_scope_urls(target.homepage_res) do |url|
+            next unless Addressable::URI.parse(url).path =~ pattern
+
+            url = target.url('wp-content/mu-plugins/')
+
+            return Model::MuPlugins.new(
+              url,
+              confidence: 70,
+              found_by: 'URLs In Homepage (Passive Detection)',
+              to_s: "This site has 'Must Use Plugins': #{url}",
+              references: { url: 'http://codex.wordpress.org/Must_Use_Plugins' }
+            )
+          end
+          nil
+        end
+
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          url = target.url('wp-content/mu-plugins/')
+          res = Browser.get_and_follow_location(url)
+
+          return unless [200, 401, 403].include?(res.code)
+          return if target.homepage_or_404?(res)
+
+          # TODO: add the check for --exclude-content once implemented ?
+
+          target.mu_plugins = true
+
+          Model::MuPlugins.new(
+            url,
+            confidence: 80,
+            found_by: DIRECT_ACCESS,
+            to_s: "This site has 'Must Use Plugins': #{url}",
+            references: { url: 'http://codex.wordpress.org/Must_Use_Plugins' }
+          )
+        end
+      end
+    end
+  end
+end

app/finders/interesting_findings/multisite.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module InterestingFindings
+      # Multisite checker
+      class Multisite < CMSScanner::Finders::Finder
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          url      = target.url('wp-signup.php')
+          res      = Browser.get(url)
+          location = res.headers_hash['location']
+
+          return unless [200, 302].include?(res.code)
+          return if res.code == 302 && location =~ /wp-login\.php\?action=register/
+          return unless res.code == 200 || res.code == 302 && location =~ /wp-signup\.php/
+
+          target.multisite = true
+
+          Model::Multisite.new(
+            url,
+            confidence: 100,
+            found_by: DIRECT_ACCESS,
+            to_s: 'This site seems to be a multisite',
+            references: { url: 'http://codex.wordpress.org/Glossary#Multisite' }
+          )
+        end
+      end
+    end
+  end
+end

app/finders/interesting_findings/readme.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module InterestingFindings
+      # Readme.html finder
+      class Readme < CMSScanner::Finders::Finder
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          potential_files.each do |path|
+            res = target.head_and_get(path)
+
+            next unless res.code == 200 && res.body =~ /wordpress/i
+
+            return Model::Readme.new(target.url(path), confidence: 100, found_by: DIRECT_ACCESS)
+          end
+
+          nil
+        end
+
+        # @retun [ Array<String> ] The list of potential readme files
+        def potential_files
+          %w[readme.html olvasdel.html lisenssi.html liesmich.html]
+        end
+      end
+    end
+  end
+end

app/finders/interesting_findings/registration.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module InterestingFindings
+      # Registration Enabled checker
+      class Registration < CMSScanner::Finders::Finder
+        # @return [ InterestingFinding ]
+        def passive(_opts = {})
+          # Maybe check in the homepage if there is the registration url ?
+        end
+
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          res = Browser.get_and_follow_location(target.registration_url)
+
+          return unless res.code == 200
+          return if res.html.css('form#setupform').empty? &&
+                    res.html.css('form#registerform').empty?
+
+          target.registration_enabled = true
+
+          Model::Registration.new(
+            res.effective_url,
+            confidence: 100,
+            found_by: DIRECT_ACCESS,
+            to_s: "Registration is enabled: #{res.effective_url}"
+          )
+        end
+      end
+    end
+  end
+end

app/finders/interesting_findings/tmm_db_migrate.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module InterestingFindings
+      # Tmm DB Migrate finder
+      class TmmDbMigrate < CMSScanner::Finders::Finder
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          path = 'wp-content/uploads/tmm_db_migrate/tmm_db_migrate.zip'
+          url  = target.url(path)
+          res  = browser.forge_request(url, target.head_or_get_request_params).run
+
+          return unless res.code == 200 && res.headers['Content-Type'] =~ %r{\Aapplication/zip}i
+
+          Model::TmmDbMigrate.new(
+            url,
+            confidence: 100,
+            found_by: DIRECT_ACCESS,
+            references: { packetstorm: 131_957 }
+          )
+        end
+      end
+    end
+  end
+end

app/finders/interesting_findings/upload_directory_listing.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module InterestingFindings
+      # UploadDirectoryListing finder
+      class UploadDirectoryListing < CMSScanner::Finders::Finder
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          path = 'wp-content/uploads/'
+
+          return unless target.directory_listing?(path)
+
+          url = target.url(path)
+
+          Model::UploadDirectoryListing.new(
+            url,
+            confidence: 100,
+            found_by: DIRECT_ACCESS,
+            to_s: "Upload directory has listing enabled: #{url}"
+          )
+        end
+      end
+    end
+  end
+end

app/finders/interesting_findings/upload_sql_dump.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module InterestingFindings
+      # UploadSQLDump finder
+      class UploadSQLDump < CMSScanner::Finders::Finder
+        SQL_PATTERN = /(?:DROP|CREATE|(?:UN)?LOCK) TABLE|INSERT INTO/.freeze
+
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          path = 'wp-content/uploads/dump.sql'
+          res  = target.head_and_get(path, [200], get: { headers: { 'Range' => 'bytes=0-3000' } })
+
+          return unless res.body =~ SQL_PATTERN
+
+          Model::UploadSQLDump.new(
+            target.url(path),
+            confidence: 100,
+            found_by: DIRECT_ACCESS
+          )
+        end
+      end
+    end
+  end
+end

app/finders/interesting_findings/wp_cron.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module InterestingFindings
+      # wp-cron.php finder
+      class WPCron < CMSScanner::Finders::Finder
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          res = Browser.get(wp_cron_url)
+
+          return unless res.code == 200
+
+          Model::WPCron.new(
+            wp_cron_url,
+            confidence: 60,
+            found_by: DIRECT_ACCESS,
+            references: {
+              url: [
+                'https://www.iplocation.net/defend-wordpress-from-ddos',
+                'https://github.com/wpscanteam/wpscan/issues/1299'
+              ]
+            }
+          )
+        end
+
+        def wp_cron_url
+          @wp_cron_url ||= target.url('wp-cron.php')
+        end
+      end
+    end
+  end
+end

app/finders/main_theme.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require_relative 'main_theme/css_style'
+require_relative 'main_theme/woo_framework_meta_generator'
+require_relative 'main_theme/urls_in_homepage'
+
+module WPScan
+  module Finders
+    module MainTheme
+      # Main Theme Finder
+      class Base
+        include CMSScanner::Finders::UniqueFinder
+
+        # @param [ WPScan::Target ] target
+        def initialize(target)
+          finders <<
+            MainTheme::CssStyle.new(target) <<
+            MainTheme::WooFrameworkMetaGenerator.new(target) <<
+            MainTheme::UrlsInHomepage.new(target)
+        end
+      end
+    end
+  end
+end

app/finders/main_theme/css_style.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module MainTheme
+      # From the css style
+      class CssStyle < CMSScanner::Finders::Finder
+        include Finders::WpItems::URLsInHomepage
+
+        def create_theme(slug, style_url, opts)
+          Model::Theme.new(
+            slug,
+            target,
+            opts.merge(found_by: found_by, confidence: 70, style_url: style_url)
+          )
+        end
+
+        def passive(opts = {})
+          passive_from_css_href(target.homepage_res, opts) || passive_from_style_code(target.homepage_res, opts)
+        end
+
+        def passive_from_css_href(res, opts)
+          target.in_scope_urls(res, '//style/@src|//link/@href') do |url|
+            next unless Addressable::URI.parse(url).path =~ %r{/themes/([^\/]+)/style.css\z}i
+
+            return create_theme(Regexp.last_match[1], url, opts)
+          end
+          nil
+        end
+
+        def passive_from_style_code(res, opts)
+          res.html.css('style').each do |tag|
+            code = tag.text.to_s
+            next if code.empty?
+
+            next unless code =~ %r{#{item_code_pattern('themes')}\\?/style\.css[^"'\( ]*}i
+
+            return create_theme(Regexp.last_match[1], Regexp.last_match[0].strip, opts)
+          end
+          nil
+        end
+      end
+    end
+  end
+end

app/finders/main_theme/urls_in_homepage.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module MainTheme
+      # URLs In Homepage Finder
+      class UrlsInHomepage < CMSScanner::Finders::Finder
+        include WpItems::URLsInHomepage
+
+        # @param [ Hash ] opts
+        #
+        # @return [ Array<Theme> ]
+        def passive(opts = {})
+          found = []
+
+          slugs = items_from_links('themes', false) + items_from_codes('themes', false)
+
+          slugs.each_with_object(Hash.new(0)) { |slug, counts| counts[slug] += 1 }.each do |slug, occurences|
+            found << Model::Theme.new(slug, target, opts.merge(found_by: found_by, confidence: 2 * occurences))
+          end
+
+          found
+        end
+      end
+    end
+  end
+end

app/finders/main_theme/woo_framework_meta_generator.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module MainTheme
+      # From the WooFramework meta generators
+      class WooFrameworkMetaGenerator < CMSScanner::Finders::Finder
+        THEME_PATTERN     = %r{<meta name="generator" content="([^\s"]+)\s?([^"]+)?"\s+/?>}.freeze
+        FRAMEWORK_PATTERN = %r{<meta name="generator" content="WooFramework\s?([^"]+)?"\s+/?>}.freeze
+        PATTERN           = /#{THEME_PATTERN}\s+#{FRAMEWORK_PATTERN}/i.freeze
+
+        def passive(opts = {})
+          return unless target.homepage_res.body =~ PATTERN
+
+          Model::Theme.new(
+            Regexp.last_match[1],
+            target,
+            opts.merge(found_by: found_by, confidence: 80)
+          )
+        end
+      end
+    end
+  end
+end

app/finders/medias.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require_relative 'medias/attachment_brute_forcing'
+
+module WPScan
+  module Finders
+    module Medias
+      # Medias Finder
+      class Base
+        include CMSScanner::Finders::SameTypeFinder
+
+        # @param [ WPScan::Target ] target
+        def initialize(target)
+          finders << Medias::AttachmentBruteForcing.new(target)
+        end
+      end
+    end
+  end
+end

app/finders/medias/attachment_brute_forcing.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module Medias
+      # Medias Finder, see https://github.com/wpscanteam/wpscan/issues/172
+      class AttachmentBruteForcing < CMSScanner::Finders::Finder
+        include CMSScanner::Finders::Finder::Enumerator
+
+        # @param [ Hash ] opts
+        # @option opts [ Range ] :range Mandatory
+        #
+        # @return [ Array<Media> ]
+        def aggressive(opts = {})
+          found = []
+
+          enumerate(target_urls(opts), opts) do |res|
+            next unless res.code == 200
+
+            found << Model::Media.new(res.effective_url, opts.merge(found_by: found_by, confidence: 100))
+          end
+
+          found
+        end
+
+        # @param [ Hash ] opts
+        # @option opts [ Range ] :range Mandatory
+        #
+        # @return [ Hash ]
+        def target_urls(opts = {})
+          urls = {}
+
+          opts[:range].each do |id|
+            urls[target.uri.join("?attachment_id=#{id}").to_s] = id
+          end
+
+          urls
+        end
+
+        def create_progress_bar(opts = {})
+          super(opts.merge(title: ' Brute Forcing Attachment IDs -'))
+        end
+      end
+    end
+  end
+end

app/finders/passwords.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+require_relative 'passwords/wp_login'
+require_relative 'passwords/xml_rpc'
+require_relative 'passwords/xml_rpc_multicall'

app/finders/passwords/wp_login.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module Passwords
+      # Password attack against the wp-login.php
+      class WpLogin < CMSScanner::Finders::Finder
+        include CMSScanner::Finders::Finder::BreadthFirstDictionaryAttack
+
+        def login_request(username, password)
+          target.login_request(username, password)
+        end
+
+        def valid_credentials?(response)
+          response.code == 302 &&
+            response.headers['Set-Cookie']&.any? { |cookie| cookie =~ /wordpress_logged_in_/i }
+        end
+
+        def errored_response?(response)
+          response.code != 200 && response.body !~ /login_error/i
+        end
+      end
+    end
+  end
+end

app/finders/passwords/xml_rpc.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module Passwords
+      # Password attack against the XMLRPC interface
+      class XMLRPC < CMSScanner::Finders::Finder
+        include CMSScanner::Finders::Finder::BreadthFirstDictionaryAttack
+
+        def login_request(username, password)
+          target.method_call('wp.getUsersBlogs', [username, password])
+        end
+
+        def valid_credentials?(response)
+          response.code == 200 && response.body =~ /blogName/
+        end
+
+        def errored_response?(response)
+          response.code != 200 && response.body !~ /login_error/i
+        end
+      end
+    end
+  end
+end

app/finders/passwords/xml_rpc_multicall.rb

@@ -0,0 +1,104 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module Passwords
+      # Password attack against the XMLRPC interface with the multicall method
+      # WP < 4.4 is vulnerable to such attack
+      class XMLRPCMulticall < CMSScanner::Finders::Finder
+        # @param [ Array<User> ] users
+        # @param [ Array<String> ] passwords
+        #
+        # @return [ Typhoeus::Response ]
+        def do_multi_call(users, passwords)
+          methods = []
+
+          users.each do |user|
+            passwords.each do |password|
+              methods << ['wp.getUsersBlogs', user.username, password]
+            end
+          end
+
+          target.multi_call(methods).run
+        end
+
+        # @param [ Array<Model::User> ] users
+        # @param [ Array<String> ] passwords
+        # @param [ Hash ] opts
+        # @option opts [ Boolean ] :show_progression
+        # @option opts [ Integer ] :multicall_max_passwords
+        #
+        # @yield [ Model::User ] When a valid combination is found
+        #
+        # TODO: Make rubocop happy about metrics etc
+        #
+        # rubocop:disable all
+        def attack(users, passwords, opts = {})
+          wordlist_index         = 0
+          max_passwords          = opts[:multicall_max_passwords]
+          current_passwords_size = passwords_size(max_passwords, users.size)
+
+          create_progress_bar(total: (passwords.size / current_passwords_size.round(1)).ceil,
+                              show_progression: opts[:show_progression])
+
+          loop do
+            current_users     = users.select { |user| user.password.nil? }
+            current_passwords = passwords[wordlist_index, current_passwords_size]
+            wordlist_index   += current_passwords_size
+
+            break if current_users.empty? || current_passwords.nil? || current_passwords.empty?
+
+            res = do_multi_call(current_users, current_passwords)
+
+            progress_bar.increment
+
+            check_and_output_errors(res)
+
+            # Avoid to parse the response and iterate over all the structs in the document
+            # if there isn't any tag matching a valid combination
+            next unless res.body =~ /isAdmin/ # maybe a better one ?
+
+            Nokogiri::XML(res.body).xpath('//struct').each_with_index do |struct, index|
+              next if struct.text =~ /faultCode/
+
+              user = current_users[index / current_passwords.size]
+              user.password = current_passwords[index % current_passwords.size]
+
+              yield user
+
+              # Updates the current_passwords_size and progress_bar#total
+              # given that less requests will be done due to a valid combination found.
+              current_passwords_size = passwords_size(max_passwords, current_users.size - 1)
+
+              if current_passwords_size == 0
+                progress_bar.log('All Found') # remove ?
+                progress_bar.stop
+                break
+              end
+
+              progress_bar.total = progress_bar.progress + ((passwords.size - wordlist_index) / current_passwords_size.round(1)).ceil
+            end
+          end
+          # Maybe a progress_bar.stop ?
+        end
+        # rubocop:disable all
+
+        def passwords_size(max_passwords, users_size)
+          return 1 if max_passwords < users_size
+          return 0 if users_size == 0
+
+          max_passwords / users_size
+        end
+
+        # @param [ Typhoeus::Response ] res
+        def check_and_output_errors(res)
+          progress_bar.log("Incorrect response: #{res.code} / #{res.return_message}") unless res.code == 200
+
+          progress_bar.log('Parsing error, might be caused by a too high --max-passwords value (such as >= 2k)') if res.body =~ /parse error. not well formed/i
+
+          progress_bar.log('The requested method is not supported') if res.body =~ /requested method [^ ]+ does not exist/i
+        end
+      end
+    end
+  end
+end

app/finders/plugin_version.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+require_relative 'plugin_version/readme'
+
+module WPScan
+  module Finders
+    module PluginVersion
+      # Plugin Version Finder
+      class Base
+        include CMSScanner::Finders::UniqueFinder
+
+        # @param [ Model::Plugin ] plugin
+        def initialize(plugin)
+          finders << PluginVersion::Readme.new(plugin)
+
+          load_specific_finders(plugin)
+        end
+
+        # Load the finders associated with the plugin
+        #
+        # @param [ Model::Plugin ] plugin
+        def load_specific_finders(plugin)
+          module_name = plugin.classify
+
+          return unless Finders::PluginVersion.constants.include?(module_name)
+
+          mod = Finders::PluginVersion.const_get(module_name)
+
+          mod.constants.each do |constant|
+            c = mod.const_get(constant)
+
+            next unless c.is_a?(Class)
+
+            finders << c.new(plugin)
+          end
+        end
+      end
+    end
+  end
+end

app/finders/plugin_version/readme.rb

@@ -0,0 +1,83 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module PluginVersion
+      # Plugin Version Finder from the readme.txt file
+      class Readme < CMSScanner::Finders::Finder
+        # @return [ Version ]
+        def aggressive(_opts = {})
+          found_by_msg = 'Readme - %s (Aggressive Detection)'
+
+          # The target(plugin)#readme_url can't be used directly here
+          # as if the --detection-mode is passive, it will always return nil
+          Model::WpItem::READMES.each do |file|
+            res = target.head_and_get(file)
+
+            next unless res.code == 200 && !(numbers = version_numbers(res.body)).empty?
+
+            return numbers.reduce([]) do |a, e|
+              a << Model::Version.new(
+                e[0],
+                found_by: format(found_by_msg, e[1]),
+                confidence: e[2],
+                interesting_entries: [res.effective_url]
+              )
+            end
+          end
+
+          nil
+        end
+
+        # @return [ Array<String, String, Integer> ] number, found_by, confidence
+        def version_numbers(body)
+          numbers = []
+
+          if (number = from_stable_tag(body))
+            numbers << [number, 'Stable Tag', 80]
+          end
+
+          if (number = from_changelog_section(body))
+            numbers << [number, 'ChangeLog Section', 50]
+          end
+
+          numbers
+        end
+
+        # @param [ String ] body
+        #
+        # @return [ String, nil ] The version number detected from the stable tag
+        def from_stable_tag(body)
+          return unless body =~ /\b(?:stable tag|version):\s*(?!trunk)([0-9a-z\.-]+)/i
+
+          number = Regexp.last_match[1]
+
+          number if number =~ /[0-9]+/
+        end
+
+        # @param [ String ] body
+        #
+        # @return [ String, nil ] The best version number detected from the changelog section
+        def from_changelog_section(body)
+          extracted_versions = body.scan(%r{[=]+\s+(?:v(?:ersion)?\s*)?([0-9\.-]+)[ \ta-z0-9\(\)\.\-\/]*[=]+}i)
+
+          return if extracted_versions.nil? || extracted_versions.empty?
+
+          extracted_versions.flatten!
+          # must contain at least one number
+          extracted_versions = extracted_versions.select { |x| x =~ /[0-9]+/ }
+
+          sorted = extracted_versions.sort do |x, y|
+            begin
+              Gem::Version.new(x) <=> Gem::Version.new(y)
+            rescue StandardError
+              0
+            end
+          end
+
+          sorted.last
+        end
+      end
+    end
+  end
+end

app/finders/plugins.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require_relative 'plugins/urls_in_homepage'
+require_relative 'plugins/known_locations'
+# From the DynamicFinders
+require_relative 'plugins/comment'
+require_relative 'plugins/xpath'
+require_relative 'plugins/header_pattern'
+require_relative 'plugins/body_pattern'
+require_relative 'plugins/javascript_var'
+require_relative 'plugins/query_parameter'
+require_relative 'plugins/config_parser' # Not loaded below as not implemented
+
+module WPScan
+  module Finders
+    module Plugins
+      # Plugins Finder
+      class Base
+        include CMSScanner::Finders::SameTypeFinder
+
+        # @param [ WPScan::Target ] target
+        def initialize(target)
+          finders <<
+            Plugins::UrlsInHomepage.new(target) <<
+            Plugins::HeaderPattern.new(target) <<
+            Plugins::Comment.new(target) <<
+            Plugins::Xpath.new(target) <<
+            Plugins::BodyPattern.new(target) <<
+            Plugins::JavascriptVar.new(target) <<
+            Plugins::KnownLocations.new(target)
+        end
+      end
+    end
+  end
+end

app/finders/plugins/body_pattern.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module Plugins
+      # Plugins finder from Dynamic Finder 'BodyPattern'
+      class BodyPattern < WPScan::Finders::DynamicFinder::WpItems::Finder
+        DEFAULT_CONFIDENCE = 30
+
+        # @param [ Hash ] opts The options from the #passive, #aggressive methods
+        # @param [ Typhoeus::Response ] response
+        # @param [ String ] slug
+        # @param [ String ] klass
+        # @param [ Hash ] config The related dynamic finder config hash
+        #
+        # @return [ Plugin ] The detected plugin in the response, related to the config
+        def process_response(opts, response, slug, klass, config)
+          return unless response.body =~ config['pattern']
+
+          Model::Plugin.new(
+            slug,
+            target,
+            opts.merge(found_by: found_by(klass), confidence: config['confidence'] || DEFAULT_CONFIDENCE)
+          )
+        end
+      end
+    end
+  end
+end

app/finders/plugins/comment.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module Plugins
+      # Plugins finder from the Dynamic Finder 'Comment'
+      class Comment < WPScan::Finders::DynamicFinder::WpItems::Finder
+        DEFAULT_CONFIDENCE = 30
+
+        # @param [ Hash ] opts The options from the #passive, #aggressive methods
+        # @param [ Typhoeus::Response ] response
+        # @param [ String ] slug
+        # @param [ String ] klass
+        # @param [ Hash ] config The related dynamic finder config hash
+        #
+        # @return [ Plugin ] The detected plugin in the response, related to the config
+        def process_response(opts, response, slug, klass, config)
+          response.html.xpath(config['xpath'] || '//comment()').each do |node|
+            comment = node.text.to_s.strip
+
+            next unless comment =~ config['pattern']
+
+            return Model::Plugin.new(
+              slug,
+              target,
+              opts.merge(found_by: found_by(klass), confidence: config['confidence'] || DEFAULT_CONFIDENCE)
+            )
+          end
+        end
+      end
+    end
+  end
+end

app/finders/plugins/config_parser.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module Plugins
+      # Plugins finder from Dynamic Finder 'ConfigParser'
+      class ConfigParser < WPScan::Finders::DynamicFinder::WpItems::Finder
+        DEFAULT_CONFIDENCE = 40
+
+        # @param [ Hash ] opts The options from the #passive, #aggressive methods
+        # @param [ Typhoeus::Response ] response
+        # @param [ String ] slug
+        # @param [ String ] klass
+        # @param [ Hash ] config The related dynamic finder config hash
+        #
+        # @return [ Plugin ] The detected plugin in the response, related to the config
+        def _process_response(_opts, _response, slug, klass, config)
+          #
+          # TODO. Currently not implemented, and not even loaded by the Finders, as this
+          # finder only has an aggressive method, which has been disabled (globally)
+          # when checking for plugins
+          #
+
+          Model::Plugin.new(
+            slug,
+            target,
+            opts.merge(found_by: found_by(klass), confidence: config['confidence'] || DEFAULT_CONFIDENCE)
+          )
+        end
+      end
+    end
+  end
+end

app/finders/plugins/header_pattern.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module Plugins
+      # Plugins finder from Dynamic Finder 'HeaderPattern'
+      class HeaderPattern < WPScan::Finders::DynamicFinder::WpItems::Finder
+        DEFAULT_CONFIDENCE = 30
+
+        # @param [ Hash ] opts
+        #
+        # @return [ Array<Plugin> ]
+        def passive(opts = {})
+          found = []
+          headers = target.homepage_res.headers
+
+          return found if headers.empty?
+
+          DB::DynamicFinders::Plugin.passive_header_pattern_finder_configs.each do |slug, configs|
+            configs.each do |klass, config|
+              next unless headers[config['header']] && headers[config['header']].to_s =~ config['pattern']
+
+              found << Model::Plugin.new(
+                slug,
+                target,
+                opts.merge(found_by: found_by(klass), confidence: config['confidence'] || DEFAULT_CONFIDENCE)
+              )
+            end
+          end
+
+          found
+        end
+
+        # @param [ Hash ] opts
+        #
+        # @return [ nil ]
+        def aggressive(_opts = {})
+          # None
+        end
+      end
+    end
+  end
+end

app/finders/plugins/javascript_var.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module Plugins
+      # Plugins finder from the Dynamic Finder 'JavascriptVar'
+      class JavascriptVar < WPScan::Finders::DynamicFinder::WpItems::Finder
+        DEFAULT_CONFIDENCE = 60
+
+        # @param [ Hash ] opts The options from the #passive, #aggressive methods
+        # @param [ Typhoeus::Response ] response
+        # @param [ String ] slug
+        # @param [ String ] klass
+        # @param [ Hash ] config The related dynamic finder config hash
+        #
+        # @return [ Plugin ] The detected plugin in the response, related to the config
+        def process_response(opts, response, slug, klass, config)
+          response.html.xpath(config['xpath'] || '//script[not(@src)]').each do |node|
+            next if config['pattern'] && !node.text.match(config['pattern'])
+
+            return Model::Plugin.new(
+              slug,
+              target,
+              opts.merge(found_by: found_by(klass), confidence: config['confidence'] || DEFAULT_CONFIDENCE)
+            )
+          end
+        end
+      end
+    end
+  end
+end

app/finders/plugins/known_locations.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module Plugins
+      # Known Locations Plugins Finder
+      class KnownLocations < CMSScanner::Finders::Finder
+        include CMSScanner::Finders::Finder::Enumerator
+
+        # @return [ Array<Integer> ]
+        def valid_response_codes
+          @valid_response_codes ||= [200, 401, 403, 301, 500].freeze
+        end
+
+        # @param [ Hash ] opts
+        # @option opts [ String ] :list
+        #
+        # @return [ Array<Plugin> ]
+        def aggressive(opts = {})
+          found = []
+
+          enumerate(target_urls(opts), opts.merge(check_full_response: [200, 401, 403, 500])) do |_res, slug|
+            found << Model::Plugin.new(slug, target, opts.merge(found_by: found_by, confidence: 80))
+          end
+
+          found
+        end
+
+        # @param [ Hash ] opts
+        # @option opts [ String ] :list
+        #
+        # @return [ Hash ]
+        def target_urls(opts = {})
+          slugs       = opts[:list] || DB::Plugins.vulnerable_slugs
+          urls        = {}
+
+          slugs.each do |slug|
+            urls[target.plugin_url(slug)] = slug
+          end
+
+          urls
+        end
+
+        def create_progress_bar(opts = {})
+          super(opts.merge(title: ' Checking Known Locations -'))
+        end
+      end
+    end
+  end
+end

app/finders/plugins/query_parameter.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module Plugins
+      # Plugins finder from Dynamic Finder 'QueryParameter'
+      class QueryParameter < WPScan::Finders::DynamicFinder::WpItems::Finder
+        DEFAULT_CONFIDENCE = 10
+
+        def passive(_opts = {})
+          # Handled by UrlsInHomePage, so no need to check this twice
+        end
+
+        # @param [ Hash ] opts The options from the #passive, #aggressive methods
+        # @param [ Typhoeus::Response ] response
+        # @param [ String ] slug
+        # @param [ String ] klass
+        # @param [ Hash ] config The related dynamic finder config hash
+        #
+        # @return [ Plugin ] The detected plugin in the response, related to the config
+        def process_response(opts, response, slug, klass, config)
+          # TODO: when a real case will be found
+        end
+      end
+    end
+  end
+end

app/finders/plugins/urls_in_homepage.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module Plugins
+      # URLs In Homepage Finder
+      # Typically, the items detected from URLs like
+      # /wp-content/plugins/<slug>/
+      class UrlsInHomepage < CMSScanner::Finders::Finder
+        include WpItems::URLsInHomepage
+
+        # @param [ Hash ] opts
+        #
+        # @return [ Array<Plugin> ]
+        def passive(opts = {})
+          found = []
+
+          (items_from_links('plugins') + items_from_codes('plugins')).uniq.sort.each do |slug|
+            found << Model::Plugin.new(slug, target, opts.merge(found_by: found_by, confidence: 80))
+          end
+
+          found
+        end
+      end
+    end
+  end
+end

app/finders/plugins/xpath.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module Plugins
+      # Plugins finder from the Dynamic Finder 'Xpath'
+      class Xpath < WPScan::Finders::DynamicFinder::WpItems::Finder
+        DEFAULT_CONFIDENCE = 40
+
+        # @param [ Hash ] opts The options from the #passive, #aggressive methods
+        # @param [ Typhoeus::Response ] response
+        # @param [ String ] slug
+        # @param [ String ] klass
+        # @param [ Hash ] config The related dynamic finder config hash
+        #
+        # @return [ Plugin ] The detected plugin in the response, related to the config
+        def process_response(opts, response, slug, klass, config)
+          response.html.xpath(config['xpath']).each do |node|
+            next if config['pattern'] && !node.text.match(config['pattern'])
+
+            return Model::Plugin.new(
+              slug,
+              target,
+              opts.merge(found_by: found_by(klass), confidence: config['confidence'] || DEFAULT_CONFIDENCE)
+            )
+          end
+        end
+      end
+    end
+  end
+end

app/finders/theme_version.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+require_relative 'theme_version/style'
+require_relative 'theme_version/woo_framework_meta_generator'
+
+module WPScan
+  module Finders
+    module ThemeVersion
+      # Theme Version Finder
+      class Base
+        include CMSScanner::Finders::UniqueFinder
+
+        # @param [ Model::Theme ] theme
+        def initialize(theme)
+          finders <<
+            ThemeVersion::Style.new(theme) <<
+            ThemeVersion::WooFrameworkMetaGenerator.new(theme)
+
+          load_specific_finders(theme)
+        end
+
+        # Load the finders associated with the theme
+        #
+        # @param [ Model::Theme ] theme
+        def load_specific_finders(theme)
+          module_name = theme.classify
+
+          return unless Finders::ThemeVersion.constants.include?(module_name)
+
+          mod = Finders::ThemeVersion.const_get(module_name)
+
+          mod.constants.each do |constant|
+            c = mod.const_get(constant)
+
+            next unless c.is_a?(Class)
+
+            finders << c.new(theme)
+          end
+        end
+      end
+    end
+  end
+end

app/finders/theme_version/style.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module ThemeVersion
+      # Theme Version Finder from the style.css file
+      class Style < CMSScanner::Finders::Finder
+        # @param [ Hash ] opts
+        #
+        # @return [ Version ]
+        def passive(_opts = {})
+          return unless cached_style?
+
+          style_version
+        end
+
+        # @param [ Hash ] opts
+        #
+        # @return [ Version ]
+        def aggressive(_opts = {})
+          return if cached_style?
+
+          style_version
+        end
+
+        # @return [ Boolean ]
+        def cached_style?
+          Typhoeus::Config.cache.get(browser.forge_request(target.style_url)) ? true : false
+        end
+
+        # @return [ Version ]
+        def style_version
+          return unless Browser.get(target.style_url).body =~ /Version:[\t ]*(?!trunk)([0-9a-z\.-]+)/i
+
+          Model::Version.new(
+            Regexp.last_match[1],
+            found_by: found_by,
+            confidence: 80,
+            interesting_entries: ["#{target.style_url}, Match: '#{Regexp.last_match}'"]
+          )
+        end
+      end
+    end
+  end
+end

app/finders/theme_version/woo_framework_meta_generator.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module ThemeVersion
+      # Theme Version Finder from the WooFramework generators
+      class WooFrameworkMetaGenerator < CMSScanner::Finders::Finder
+        # @param [ Hash ] opts
+        #
+        # @return [ Version ]
+        def passive(_opts = {})
+          return unless target.blog.homepage_res.body =~ Finders::MainTheme::WooFrameworkMetaGenerator::PATTERN
+
+          return unless Regexp.last_match[1] == target.slug
+
+          Model::Version.new(Regexp.last_match[2], found_by: found_by, confidence: 80)
+        end
+      end
+    end
+  end
+end

app/finders/themes.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+require_relative 'themes/urls_in_homepage'
+require_relative 'themes/known_locations'
+
+module WPScan
+  module Finders
+    module Themes
+      # themes Finder
+      class Base
+        include CMSScanner::Finders::SameTypeFinder
+
+        # @param [ WPScan::Target ] target
+        def initialize(target)
+          finders <<
+            Themes::UrlsInHomepage.new(target) <<
+            Themes::KnownLocations.new(target)
+        end
+      end
+    end
+  end
+end

app/finders/themes/known_locations.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module Themes
+      # Known Locations Themes Finder
+      class KnownLocations < CMSScanner::Finders::Finder
+        include CMSScanner::Finders::Finder::Enumerator
+
+        # @return [ Array<Integer> ]
+        def valid_response_codes
+          @valid_response_codes ||= [200, 401, 403, 301, 500].freeze
+        end
+
+        # @param [ Hash ] opts
+        # @option opts [ String ] :list
+        #
+        # @return [ Array<Theme> ]
+        def aggressive(opts = {})
+          found = []
+
+          enumerate(target_urls(opts), opts.merge(check_full_response: [200, 401, 403, 500])) do |_res, slug|
+            found << Model::Theme.new(slug, target, opts.merge(found_by: found_by, confidence: 80))
+          end
+
+          found
+        end
+
+        # @param [ Hash ] opts
+        # @option opts [ String ] :list
+        #
+        # @return [ Hash ]
+        def target_urls(opts = {})
+          slugs = opts[:list] || DB::Themes.vulnerable_slugs
+          urls  = {}
+
+          slugs.each do |slug|
+            urls[target.theme_url(slug)] = slug
+          end
+
+          urls
+        end
+
+        def create_progress_bar(opts = {})
+          super(opts.merge(title: ' Checking Known Locations -'))
+        end
+      end
+    end
+  end
+end

app/finders/themes/urls_in_homepage.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module Themes
+      # URLs In Homepage Finder
+      class UrlsInHomepage < CMSScanner::Finders::Finder
+        include WpItems::URLsInHomepage
+
+        # @param [ Hash ] opts
+        #
+        # @return [ Array<Theme> ]
+        def passive(opts = {})
+          found = []
+
+          (items_from_links('themes') + items_from_codes('themes')).uniq.sort.each do |slug|
+            found << Model::Theme.new(slug, target, opts.merge(found_by: found_by, confidence: 80))
+          end
+
+          found
+        end
+      end
+    end
+  end
+end

app/finders/timthumb_version.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require_relative 'timthumb_version/bad_request'
+
+module WPScan
+  module Finders
+    module TimthumbVersion
+      # Timthumb Version Finder
+      class Base
+        include CMSScanner::Finders::UniqueFinder
+
+        # @param [ Model::Timthumb ] target
+        def initialize(target)
+          finders << TimthumbVersion::BadRequest.new(target)
+        end
+      end
+    end
+  end
+end

app/finders/timthumb_version/bad_request.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module TimthumbVersion
+      # Timthumb Version Finder from the body of a bad request
+      # See https://code.google.com/p/timthumb/source/browse/trunk/timthumb.php#435
+      class BadRequest < CMSScanner::Finders::Finder
+        # @return [ Version ]
+        def aggressive(_opts = {})
+          return unless Browser.get(target.url).body =~ /(TimThumb version\s*: ([^<]+))/
+
+          Model::Version.new(
+            Regexp.last_match[2],
+            found_by: 'Bad Request (Aggressive Detection)',
+            confidence: 90,
+            interesting_entries: ["#{target.url}, Match: '#{Regexp.last_match[1]}'"]
+          )
+        end
+      end
+    end
+  end
+end

app/finders/timthumbs.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require_relative 'timthumbs/known_locations'
+
+module WPScan
+  module Finders
+    module Timthumbs
+      # Timthumbs Finder
+      class Base
+        include CMSScanner::Finders::SameTypeFinder
+
+        # @param [ WPScan::Target ] target
+        def initialize(target)
+          finders << Timthumbs::KnownLocations.new(target)
+        end
+      end
+    end
+  end
+end

app/finders/timthumbs/known_locations.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module Timthumbs
+      # Known Locations Timthumbs Finder
+      # Note: A vulnerable version, 2.8.13 can be found here:
+      # https://github.com/GabrielGil/TimThumb/blob/980c3d6a823477761570475e8b83d3e9fcd2d7ae/timthumb.php
+      class KnownLocations < CMSScanner::Finders::Finder
+        include CMSScanner::Finders::Finder::Enumerator
+
+        # @return [ Array<Integer> ]
+        def valid_response_codes
+          @valid_response_codes ||= [400]
+        end
+
+        # @param [ Hash ] opts
+        # @option opts [ String ] :list Mandatory
+        #
+        # @return [ Array<Timthumb> ]
+        def aggressive(opts = {})
+          found = []
+
+          enumerate(target_urls(opts), opts.merge(check_full_response: 400)) do |res|
+            next unless res.body =~ /no image specified/i
+
+            found << Model::Timthumb.new(res.request.url, opts.merge(found_by: found_by, confidence: 100))
+          end
+
+          found
+        end
+
+        # @param [ Hash ] opts
+        # @option opts [ String ] :list Mandatory
+        #
+        # @return [ Hash ]
+        def target_urls(opts = {})
+          urls = {}
+
+          File.open(opts[:list]).each_with_index do |path, index|
+            urls[target.url(path.chomp)] = index
+          end
+
+          # Add potential timthumbs located in the main theme
+          if target.main_theme
+            main_theme_timthumbs_paths.each do |path|
+              urls[target.main_theme.url(path)] = 1 # index not important there
+            end
+          end
+
+          urls
+        end
+
+        def main_theme_timthumbs_paths
+          %w[timthumb.php lib/timthumb.php inc/timthumb.php includes/timthumb.php
+             scripts/timthumb.php tools/timthumb.php functions/timthumb.php]
+        end
+
+        def create_progress_bar(opts = {})
+          super(opts.merge(title: ' Checking Known Locations -'))
+        end
+      end
+    end
+  end
+end

app/finders/users.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+require_relative 'users/author_posts'
+require_relative 'users/wp_json_api'
+require_relative 'users/oembed_api'
+require_relative 'users/rss_generator'
+require_relative 'users/author_id_brute_forcing'
+require_relative 'users/login_error_messages'
+require_relative 'users/yoast_seo_author_sitemap.rb'
+
+module WPScan
+  module Finders
+    module Users
+      # Users Finder
+      class Base
+        include CMSScanner::Finders::SameTypeFinder
+
+        # @param [ WPScan::Target ] target
+        def initialize(target)
+          finders <<
+            Users::AuthorPosts.new(target) <<
+            Users::WpJsonApi.new(target) <<
+            Users::OembedApi.new(target) <<
+            Users::RSSGenerator.new(target) <<
+            Users::YoastSeoAuthorSitemap.new(target) <<
+            Users::AuthorIdBruteForcing.new(target) <<
+            Users::LoginErrorMessages.new(target)
+        end
+      end
+    end
+  end
+end

app/finders/users/author_id_brute_forcing.rb

@@ -0,0 +1,113 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module Users
+      # Author Id Brute Forcing
+      class AuthorIdBruteForcing < CMSScanner::Finders::Finder
+        include CMSScanner::Finders::Finder::Enumerator
+
+        # @param [ Hash ] opts
+        # @option opts [ Range ] :range Mandatory
+        #
+        # @return [ Array<User> ]
+        def aggressive(opts = {})
+          found = []
+          found_by_msg = 'Author Id Brute Forcing - %s (Aggressive Detection)'
+
+          enumerate(target_urls(opts), opts) do |res, id|
+            username, found_by, confidence = potential_username(res)
+
+            next unless username
+
+            found << Model::User.new(
+              username,
+              id: id,
+              found_by: format(found_by_msg, found_by),
+              confidence: confidence
+            )
+          end
+
+          found
+        end
+
+        # @param [ Hash ] opts
+        # @option opts [ Range ] :range
+        #
+        # @return [ Hash ]
+        def target_urls(opts = {})
+          urls = {}
+
+          opts[:range].each do |id|
+            urls[target.uri.join("?author=#{id}").to_s] = id
+          end
+
+          urls
+        end
+
+        def create_progress_bar(opts = {})
+          super(opts.merge(title: ' Brute Forcing Author IDs -'))
+        end
+
+        def request_params
+          { followlocation: true }
+        end
+
+        # @param [ Typhoeus::Response ] res
+        #
+        # @return [ Array<String, String, Integer>, nil ] username, found_by, confidence
+        def potential_username(res)
+          username = username_from_author_url(res.effective_url) || username_from_response(res)
+
+          return username, 'Author Pattern', 100 if username
+
+          username = display_name_from_body(res.body)
+
+          return username, 'Display Name', 50 if username
+        end
+
+        # @param [ String ] url
+        #
+        # @return [ String, nil ]
+        def username_from_author_url(url)
+          url[%r{/author/([^/\b]+)/?}i, 1]
+        end
+
+        # @param [ Typhoeus::Response ] res
+        #
+        # @return [ String, nil ] The username found
+        def username_from_response(res)
+          # Permalink enabled
+          target.in_scope_urls(res, '//link/@href|//a/@href') do |url|
+            username = username_from_author_url(url)
+            return username if username
+          end
+
+          # No permalink
+          res.body[/<body class="archive author author-([^\s]+)[ "]/i, 1]
+        end
+
+        # @param [ String ] body
+        #
+        # @return [ String, nil ]
+        def display_name_from_body(body)
+          page = Nokogiri::HTML.parse(body)
+          # WP >= 3.0
+          page.css('h1.page-title span').each do |node|
+            return node.text.to_s
+          end
+
+          # WP < 3.0
+          page.xpath('//link[@rel="alternate" and @type="application/rss+xml"]').each do |node|
+            title = node['title']
+
+            next unless title =~ /Posts by (.*) Feed\z/i
+
+            return Regexp.last_match[1] unless Regexp.last_match[1].empty?
+          end
+          nil
+        end
+      end
+    end
+  end
+end

app/finders/users/author_posts.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module Users
+      # Author Posts
+      class AuthorPosts < CMSScanner::Finders::Finder
+        # @param [ Hash ] opts
+        #
+        # @return [ Array<User> ]
+        def passive(opts = {})
+          found_by_msg = 'Author Posts - %s (Passive Detection)'
+
+          usernames(opts).reduce([]) do |a, e|
+            a << Model::User.new(
+              e[0],
+              found_by: format(found_by_msg, e[1]),
+              confidence: e[2]
+            )
+          end
+        end
+
+        # @param [ Hash ] opts
+        #
+        # @return [ Array<Array>> ]
+        def usernames(_opts = {})
+          found = potential_usernames(target.homepage_res)
+
+          return found unless found.empty?
+
+          target.homepage_res.html.css('header.entry-header a').each do |post_url_node|
+            url = post_url_node['href']
+
+            next if url.nil? || url.empty?
+
+            found += potential_usernames(Browser.get(url))
+          end
+
+          found.compact.uniq
+        end
+
+        # @param [ Typhoeus::Response ] res
+        #
+        # @return [ Array<Array> ]
+        def potential_usernames(res)
+          usernames = []
+
+          target.in_scope_urls(res, '//a/@href') do |url, node|
+            uri = Addressable::URI.parse(url)
+
+            if uri.path =~ %r{/author/([^/\b]+)/?\z}i
+              usernames << [Regexp.last_match[1], 'Author Pattern', 100]
+            elsif uri.query =~ /author=[0-9]+/
+              usernames << [node.text.to_s.strip, 'Display Name', 30]
+            end
+          end
+
+          usernames.uniq
+        end
+      end
+    end
+  end
+end

app/finders/users/login_error_messages.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module Users
+      # Login Error Messages
+      #
+      # Existing username:
+      #   WP < 3.1 - Incorrect password.
+      #   WP >= 3.1 - The password you entered for the username admin is incorrect.
+      # Non existent username: Invalid username.
+      #
+      class LoginErrorMessages < CMSScanner::Finders::Finder
+        # @param [ Hash ] opts
+        # @option opts [ String ] :list
+        #
+        # @return [ Array<User> ]
+        def aggressive(opts = {})
+          found = []
+
+          usernames(opts).each do |username|
+            res   = target.do_login(username, SecureRandom.hex[0, 8])
+            error = res.html.css('div#login_error').text.strip
+
+            return found if error.empty? # Protection plugin / error disabled
+
+            next unless error =~ /The password you entered for the username|Incorrect Password/i
+
+            found << Model::User.new(username, found_by: found_by, confidence: 100)
+          end
+
+          found
+        end
+
+        # @return [ Array<String> ] List of usernames to check
+        def usernames(opts = {})
+          # usernames from the potential Users found
+          unames = opts[:found].map(&:username)
+
+          [*opts[:list]].each { |uname| unames << uname.chomp }
+
+          unames.uniq
+        end
+      end
+    end
+  end
+end

app/finders/users/oembed_api.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module Users
+      # Since WP 4.4, the oembed API can disclose a user
+      # https://github.com/wpscanteam/wpscan/issues/1049
+      class OembedApi < CMSScanner::Finders::Finder
+        # @param [ Hash ] opts
+        #
+        # @return [ Array<User> ]
+        def passive(_opts = {})
+          # TODO: get the api_url from the Homepage and query it if present,
+          # then discard the aggressive check if same/similar URL
+        end
+
+        # @param [ Hash ] opts
+        #
+        # @return [ Array<User> ]
+        def aggressive(_opts = {})
+          oembed_data = JSON.parse(Browser.get(api_url).body)
+          details     = user_details_from_oembed_data(oembed_data)
+
+          return [] unless details
+
+          [Model::User.new(details[0],
+                           found_by: format(found_by_msg, details[1]),
+                           confidence: details[2],
+                           interesting_entries: [api_url])]
+        rescue JSON::ParserError
+          []
+        end
+
+        def user_details_from_oembed_data(oembed_data)
+          return unless oembed_data
+
+          if oembed_data['author_url'] =~ %r{/author/([^/]+)/?\z}
+            details = [Regexp.last_match[1], 'Author URL', 90]
+          elsif oembed_data['author_name'] && !oembed_data['author_name'].empty?
+            details = [oembed_data['author_name'], 'Author Name', 70]
+          end
+
+          details
+        end
+
+        def found_by_msg
+          'Oembed API - %s (Aggressive Detection)'
+        end
+
+        # @return [ String ] The URL of the API listing the Users
+        def api_url
+          @api_url ||= target.url("wp-json/oembed/1.0/embed?url=#{target.url}&format=json")
+        end
+      end
+    end
+  end
+end

app/finders/users/rss_generator.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module Users
+      # Users disclosed from the dc:creator field in the RSS
+      # The names disclosed are display names, however depending on the configuration of the blog,
+      # they can be the same than usernames
+      class RSSGenerator < WPScan::Finders::WpVersion::RSSGenerator
+        def process_urls(urls, _opts = {})
+          found = []
+
+          urls.each do |url|
+            res = Browser.get_and_follow_location(url)
+
+            next unless res.code == 200 && res.body =~ /<dc\:creator>/i
+
+            potential_usernames = []
+
+            begin
+              res.xml.xpath('//item/dc:creator').each do |node|
+                username = node.text.to_s
+
+                # Ignoring potential username longer than 60 characters and containing accents
+                # as they are considered invalid. See https://github.com/wpscanteam/wpscan/issues/1215
+                next if username.strip.empty? || username.length > 60 || username =~ /[^\x00-\x7F]/
+
+                potential_usernames << username
+              end
+            rescue Nokogiri::XML::XPath::SyntaxError
+              next
+            end
+
+            potential_usernames.uniq.each do |username|
+              found << Model::User.new(username, found_by: found_by, confidence: 50)
+            end
+
+            break
+          end
+
+          found
+        end
+      end
+    end
+  end
+end

app/finders/users/wp_json_api.rb

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module Users
+      # WP JSON API
+      #
+      # Since 4.7 - Need more investigation as it seems WP 4.7.1 reduces the exposure, see https://github.com/wpscanteam/wpscan/issues/1038)
+      # For the pagination, see https://github.com/wpscanteam/wpscan/issues/1285
+      #
+      class WpJsonApi < CMSScanner::Finders::Finder
+        MAX_PER_PAGE = 100 # See https://developer.wordpress.org/rest-api/using-the-rest-api/pagination/
+
+        # @param [ Hash ] opts
+        #
+        # @return [ Array<User> ]
+        def aggressive(_opts = {})
+          found        = []
+          current_page = 0
+
+          loop do
+            current_page += 1
+
+            res = Typhoeus.get(api_url, params: { per_page: MAX_PER_PAGE, page: current_page })
+
+            total_pages ||= res.headers['X-WP-TotalPages'].to_i
+
+            users_in_page = users_from_response(res)
+            found        += users_in_page
+
+            break if current_page >= total_pages || users_in_page.empty?
+          end
+
+          found
+        rescue JSON::ParserError, TypeError
+          found
+        end
+
+        # @param [ Typhoeus::Response ] response
+        #
+        # @return [ Array<User> ] The users from the response
+        def users_from_response(response)
+          found = []
+
+          JSON.parse(response.body)&.each do |user|
+            found << Model::User.new(user['slug'],
+                                     id: user['id'],
+                                     found_by: found_by,
+                                     confidence: 100,
+                                     interesting_entries: [response.effective_url])
+          end
+
+          found
+        end
+
+        # @return [ String ] The URL of the API listing the Users
+        def api_url
+          return @api_url if @api_url
+
+          target.in_scope_urls(target.homepage_res, "//link[@rel='https://api.w.org/']/@href").each do |url, _tag|
+            uri = Addressable::URI.parse(url.strip)
+
+            return @api_url = uri.join('wp/v2/users/').to_s if uri.path.include?('wp-json')
+          end
+
+          @api_url = target.url('wp-json/wp/v2/users/')
+        end
+      end
+    end
+  end
+end

app/finders/users/yoast_seo_author_sitemap.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module Users
+      # The YOAST SEO plugin has an author-sitemap.xml which can leak usernames
+      # See https://github.com/wpscanteam/wpscan/issues/1228
+      class YoastSeoAuthorSitemap < CMSScanner::Finders::Finder
+        # @param [ Hash ] opts
+        #
+        # @return [ Array<User> ]
+        def aggressive(_opts = {})
+          found = []
+
+          Browser.get(sitemap_url).html.xpath('//url/loc').each do |user_tag|
+            username = user_tag.text.to_s[%r{/author/([^\/]+)/}, 1]
+
+            next unless username && !username.strip.empty?
+
+            found << Model::User.new(username,
+                                     found_by: found_by,
+                                     confidence: 100,
+                                     interesting_entries: [sitemap_url])
+          end
+
+          found
+        end
+
+        # @return [ String ] The URL of the author-sitemap
+        def sitemap_url
+          @sitemap_url ||= target.url('author-sitemap.xml')
+        end
+      end
+    end
+  end
+end

app/finders/wp_items.rb

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+require_relative 'wp_items/urls_in_homepage'

app/finders/wp_items/urls_in_homepage.rb

@@ -0,0 +1,70 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module WpItems
+      # URLs In Homepage Module to use in plugins & themes finders
+      module URLsInHomepage
+        # @param [ String ] type plugins / themes
+        # @param [ Boolean ] uniq Wether or not to apply the #uniq on the results
+        #
+        # @return [Array<String> ] The plugins/themes detected in the href, src attributes of the homepage
+        def items_from_links(type, uniq = true)
+          found = []
+
+          target.in_scope_urls(target.homepage_res) do |url|
+            next unless url =~ item_attribute_pattern(type)
+
+            found << Regexp.last_match[1]
+          end
+
+          uniq ? found.uniq.sort : found.sort
+        end
+
+        # @param [ String ] type plugins / themes
+        # @param [ Boolean ] uniq Wether or not to apply the #uniq on the results
+        #
+        # @return [Array<String> ] The plugins/themes detected in the javascript/style of the homepage
+        def items_from_codes(type, uniq = true)
+          found = []
+
+          target.homepage_res.html.css('script,style').each do |tag|
+            code = tag.text.to_s
+            next if code.empty?
+
+            code.scan(item_code_pattern(type)).flatten.uniq.each { |slug| found << slug }
+          end
+
+          uniq ? found.uniq.sort : found.sort
+        end
+
+        # @param [ String ] type
+        #
+        # @return [ Regexp ]
+        def item_attribute_pattern(type)
+          @item_attribute_pattern ||= %r{\A#{item_url_pattern(type)}([^/]+)/}i
+        end
+
+        # @param [ String ] type
+        #
+        # @return [ Regexp ]
+        def item_code_pattern(type)
+          @item_code_pattern ||= %r{["'\( ]#{item_url_pattern(type)}([^\\\/\)"']+)}i
+        end
+
+        # @param [ String ] type
+        #
+        # @return [ Regexp ]
+        def item_url_pattern(type)
+          item_dir = type == 'plugins' ? target.plugins_dir : target.content_dir
+          item_url = type == 'plugins' ? target.plugins_url : target.content_url
+
+          url = /#{item_url.gsub(/\A(?:http|https)/i, 'https?').gsub('/', '\\\\\?\/')}/i
+          item_dir = %r{(?:#{url}|\\?\/#{item_dir.gsub('/', '\\\\\?\/')}\\?/)}i
+
+          type == 'plugins' ? item_dir : %r{#{item_dir}#{type}\\?\/}i
+        end
+      end
+    end
+  end
+end

app/finders/wp_version.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+require_relative 'wp_version/rss_generator'
+require_relative 'wp_version/atom_generator'
+require_relative 'wp_version/rdf_generator'
+require_relative 'wp_version/readme'
+require_relative 'wp_version/unique_fingerprinting'
+
+module WPScan
+  module Finders
+    # Specific Finders container to filter the version detected
+    # and remove the one with low confidence to avoid false
+    # positive when there is not enought information to accurately
+    # determine it.
+    class WpVersionFinders < UniqueFinders
+      def filter_findings
+        best_finding = super
+
+        best_finding && best_finding.confidence >= 40 ? best_finding : false
+      end
+    end
+
+    module WpVersion
+      # Wp Version Finder
+      class Base
+        include CMSScanner::Finders::UniqueFinder
+
+        # @param [ WPScan::Target ] target
+        def initialize(target)
+          (%w[RSSGenerator AtomGenerator RDFGenerator] +
+           WPScan::DB::DynamicFinders::Wordpress.versions_finders_configs.keys +
+           %w[Readme UniqueFingerprinting]
+          ).each do |finder_name|
+            finders << WpVersion.const_get(finder_name.to_sym).new(target)
+          end
+        end
+
+        def finders
+          @finders ||= Finders::WpVersionFinders.new
+        end
+      end
+    end
+  end
+end

app/finders/wp_version/atom_generator.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module WpVersion
+      # Atom Generator Version Finder
+      class AtomGenerator < CMSScanner::Finders::Finder
+        include Finder::WpVersion::SmartURLChecker
+
+        def process_urls(urls, _opts = {})
+          found = Findings.new
+
+          urls.each do |url|
+            res = Browser.get_and_follow_location(url)
+
+            res.html.css('generator').each do |node|
+              next unless node.text.to_s.strip.casecmp('wordpress').zero?
+
+              found << create_version(
+                node['version'],
+                found_by: found_by,
+                entries: ["#{res.effective_url}, #{node.to_s.strip}"]
+              )
+            end
+          end
+
+          found
+        end
+
+        def passive_urls_xpath
+          '//link[@rel="alternate" and @type="application/atom+xml"]/@href'
+        end
+
+        def aggressive_urls(_opts = {})
+          %w[feed/atom/ ?feed=atom].reduce([]) do |a, uri|
+            a << target.url(uri)
+          end
+        end
+      end
+    end
+  end
+end

app/finders/wp_version/rdf_generator.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module WpVersion
+      # RDF Generator Version Finder
+      class RDFGenerator < CMSScanner::Finders::Finder
+        include Finder::WpVersion::SmartURLChecker
+
+        def process_urls(urls, _opts = {})
+          found = Findings.new
+
+          urls.each do |url|
+            res = Browser.get_and_follow_location(url)
+
+            res.html.xpath('//generatoragent').each do |node|
+              next unless node['rdf:resource'] =~ %r{\Ahttps?://wordpress\.(?:[a-z.]+)/\?v=(.*)\z}i
+
+              found << create_version(
+                Regexp.last_match[1],
+                found_by: found_by,
+                entries: ["#{res.effective_url}, #{node.to_s.strip}"]
+              )
+            end
+          end
+
+          found
+        end
+
+        def passive_urls_xpath
+          '//a[contains(@href, "rdf")]/@href'
+        end
+
+        def aggressive_urls(_opts = {})
+          [target.url('feed/rdf/')]
+        end
+      end
+    end
+  end
+end

app/finders/wp_version/readme.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module WpVersion
+      # Readme Version Finder
+      class Readme < CMSScanner::Finders::Finder
+        # @return [ WpVersion ]
+        def aggressive(_opts = {})
+          readme_url = target.url('readme.html') # Maybe move this into the Target ?
+
+          node = Browser.get(readme_url).html.css('h1#logo').last
+
+          return unless node&.text.to_s.strip =~ /\AVersion (.*)\z/i
+
+          number = Regexp.last_match(1)
+
+          return unless Model::WpVersion.valid?(number)
+
+          Model::WpVersion.new(
+            number,
+            found_by: 'Readme (Aggressive Detection)',
+            # Since WP 4.7, the Readme only contains the major version (ie 4.7, 4.8 etc)
+            confidence: number >= '4.7' ? 10 : 90,
+            interesting_entries: ["#{readme_url}, Match: '#{node.text.to_s.strip}'"]
+          )
+        end
+      end
+    end
+  end
+end

app/finders/wp_version/rss_generator.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module WpVersion
+      # RSS Generator Version Finder
+      class RSSGenerator < CMSScanner::Finders::Finder
+        include Finder::WpVersion::SmartURLChecker
+
+        def process_urls(urls, _opts = {})
+          found = Findings.new
+
+          urls.each do |url|
+            res = Browser.get_and_follow_location(url)
+
+            res.html.xpath('//comment()[contains(., "wordpress")] | //generator').each do |node|
+              node_text = node.text.to_s.strip
+
+              next unless node_text =~ %r{\Ahttps?://wordpress\.(?:[a-z]+)/\?v=(.*)\z}i ||
+                          node_text =~ %r{\Agenerator="wordpress/([^"]+)"\z}i
+
+              found << create_version(
+                Regexp.last_match[1],
+                found_by: found_by,
+                entries: ["#{res.effective_url}, #{node.to_s.strip}"]
+              )
+            end
+          end
+
+          found
+        end
+
+        def passive_urls_xpath
+          '//link[@rel="alternate" and @type="application/rss+xml"]/@href'
+        end
+
+        def aggressive_urls(_opts = {})
+          %w[feed/ comments/feed/ feed/rss/ feed/rss2/].reduce([]) do |a, uri|
+            a << target.url(uri)
+          end
+        end
+      end
+    end
+  end
+end

app/finders/wp_version/unique_fingerprinting.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module WpVersion
+      # Unique Fingerprinting Version Finder
+      class UniqueFingerprinting < CMSScanner::Finders::Finder
+        include CMSScanner::Finders::Finder::Fingerprinter
+
+        # @return [ WpVersion ]
+        def aggressive(opts = {})
+          fingerprint(DB::Fingerprints.wp_unique_fingerprints, opts) do |version_number, url, md5sum|
+            hydra.abort
+            progress_bar.finish
+
+            return Model::WpVersion.new(
+              version_number,
+              found_by: 'Unique Fingerprinting (Aggressive Detection)',
+              confidence: 100,
+              interesting_entries: ["#{url} md5sum is #{md5sum}"]
+            )
+          end
+          nil
+        end
+
+        def create_progress_bar(opts = {})
+          super(opts.merge(title: 'Fingerprinting the version -'))
+        end
+      end
+    end
+  end
+end

app/models.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Model
+    include CMSScanner::Model
+  end
+end
+
+require_relative 'models/interesting_finding'
+require_relative 'models/wp_version'
+require_relative 'models/xml_rpc'
+require_relative 'models/wp_item'
+require_relative 'models/timthumb'
+require_relative 'models/media'
+require_relative 'models/plugin'
+require_relative 'models/theme'
+require_relative 'models/config_backup'
+require_relative 'models/db_export'

app/models/config_backup.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Model
+    # Config Backup
+    class ConfigBackup < InterestingFinding
+    end
+  end
+end

app/models/db_export.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Model
+    # DB Export
+    class DbExport < InterestingFinding
+    end
+  end
+end

app/models/interesting_finding.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Model
+    # Custom class to include the WPScan::References module
+    class InterestingFinding < CMSScanner::Model::InterestingFinding
+      include References
+    end
+
+    #
+    # Empty classes for the #type to be correctly displayed (as taken from the self.class from the parent)
+    #
+    class BackupDB < InterestingFinding
+    end
+
+    class DebugLog < InterestingFinding
+    end
+
+    class DuplicatorInstallerLog < InterestingFinding
+    end
+
+    class EmergencyPwdResetScript < InterestingFinding
+    end
+
+    class FullPathDisclosure < InterestingFinding
+    end
+
+    class MuPlugins < InterestingFinding
+    end
+
+    class Multisite < InterestingFinding
+    end
+
+    class Readme < InterestingFinding
+    end
+
+    class Registration < InterestingFinding
+    end
+
+    class TmmDbMigrate < InterestingFinding
+    end
+
+    class UploadDirectoryListing < InterestingFinding
+    end
+
+    class UploadSQLDump < InterestingFinding
+    end
+
+    class WPCron < InterestingFinding
+    end
+  end
+end