Bumps the version

Remove obsolete code

.gitignore

@@ -12,3 +12,4 @@ log.txt
 debug.log
 wordlist.txt
 rspec_results.html
+data/

.ruby-gemset

@@ -0,0 +1 @@
+wpscan

.ruby-version

@@ -0,0 +1 @@
+2.1.5

.travis.yml

@@ -5,7 +5,14 @@ rvm:
   - 2.0.0
   - 2.1.0
   - 2.1.1
+  - 2.1.2
+  - 2.1.3
+  - 2.1.4
+  - 2.1.5
 script: bundle exec rspec
 notifications:
   email:
     - wpscanteam@gmail.com
+matrix:
+  allow_failures:
+    - rvm: 1.9.2

CHANGELOG.md

@@ -1,6 +1,135 @@
 # Changelog
 ## Master
-[Work in progress](https://github.com/wpscanteam/wpscan/compare/2.4...master)
+[Work in progress](https://github.com/wpscanteam/wpscan/compare/2.6...master)
+
+## Version 2.6
+Released: 2014-12-19
+
+New
+* Updates the readmes to reflect the new --usernames option
+* Improves plugin/theme version detection by looking at the "Version:"
+* Solution to avoid mandatory blank newline at the end of the wordlist
+* Add check for valid credentials
+* Add Sucuri sponsor to banner
+* Add protocol to sucuri url in banner
+* Add response code to proxy error output
+* Add a statement about mendatory newlines at the end of list
+* Give warning if default username 'admin' is still used
+* License amendment to make it more clear about value added usage
+
+Removed
+* remove malwares
+* remove malware folder
+* Removes the theme version check from the readme, unrealistic scenario
+
+General core
+* Update to Ruby 2.1.5 and travis
+* Prevent parent theme infinite loop
+* Fixes the progressbar being overriden by next brute forcing attempts
+
+Fixed issues
+* Fix UTF-8 encode on security db file download
+* Fix #703 - Disable logging by default. Implement log option.
+* Fix #705 - Installation instructions for Ubuntu < 14.04 apparently incomplete
+* Fix #717 - Expand on readme.html finding output
+* Fix #716 - Adds the --version in the help
+* Fix #715 - Add new updating info to docs
+* Fix #727 - WpItems detection: Perform the passive check and filter only vulnerable results at the end if required
+* Fix #737 - Adds some readme files to check for plugin versions
+* Fix #739 - Adds the --usernames option
+
+WPScan Database Statistics:
+* Total vulnerable versions: 88
+* Total vulnerable plugins: 901
+* Total vulnerable themes: 313
+* Total version vulnerabilities: 1050
+* Total plugin vulnerabilities: 1355
+* Total theme vulnerabilities: 349
+
+## Version 2.5.1
+Released: 2014-09-29
+
+Fixes reference URL to WPVDB
+
+## Version 2.5
+Released: 2014-09-26 (@ BruCON 2014)
+
+New
+* Exit program after --update
+* Detect directory listing in upload folder
+* Be more verbose when no version can be detected
+* Added detection for Yoast Wordpress SEO plugin
+* Also ensure to not process empty Location headers
+* Ensures a nil location is not processed when enumerating usernames
+* Fix #626 - Detect 'Must_Use_Plugins'
+* better username extraction
+* Add a --cookie option. Ref #485
+* Add a --no-color option
+* Output: Give 'Fixed in' an informational tag
+* Added ArchAssault distro - WPScan comes pre-installed with this distro
+* Layout changes with new colors
+
+Removed
+* Removes the source code updaters
+* Removes the ListGenerator plugin from WPStools
+* Removes all files from data/
+
+General core
+* Update docs to reflect new updating logic
+* Little output change and coloring
+* Adds a missing verbose output
+* Re-build redirection url if begin with slash '/'
+* Fixes the remove_conditional_comments function
+* Ensures to give a string to Typhoeus
+* Fix wpstools check-vuln-ref-urls
+* Fix rspecs for new json
+* Only output if different from style_url
+* Add exception so 'ruby wpscan.rb http://domain.com' is detected
+* Added make to Debian installation, which is needed in minimal installation.
+* Add build-essentials requirement to Ubuntu > 14.04
+* Updated installation instr. for GNU/Linux Debian.
+* Changes VersionCompare#is_newer_or_same? by lesser_or_equal?
+* Fixes the location of the robots.txt check
+* Updates the recommended ruby version
+* Rspec 3.0 support
+* Adds ruby 2.1.2 to Travis
+* Updated ruby-progressbar to 1.5.0
+
+WordPress Fingerprints
+* Adds WP 4.0 fingerprints
+* Adds WP 3.9.2, 3.8.4 & 3.7.4 fingerprints - Ref #652
+* Adds 3.9.1 fingerprints
+
+Fixed issues
+* Fix #689 - Adds config file to check
+* Fix #694 - Output Arrays
+* Fix #693 - Adds pathname require statement
+* Fix #657 - generate method
+* Fix #685 - Potenial fix for 'marshal data too short' error
+* Fix #686 - Adds specs for relative URI in Location headers
+* Fix #435 - Update license
+* Fix #674 - Improves the Plugins & Themes passive detection
+* Fix #673 - Problem with the output
+* Fix #661 - Don't hash directories named like a file
+* Fix #653 - Fix for infinite loop in wpstools
+* Fix #625 - Only parse styles when needed
+* Fix #481 - Fix for Jetpack plugin false positive
+* Fix #480 - Properly removes the colour sequence from log
+* Fix #472 - WPScan stops after redirection if not WordPress website
+* Fix #464 - Readmes updated to reflect recent changes about the config file & batch mode
+
+Vulnerabilities
+* geoplaces4 also uses name GeoPlaces4beta
+* Added metasploit module's
+* Added some timthumb detections
+
+WPScan Database Statistics:
+* Total vulnerable versions: 87
+* Total vulnerable plugins: 854
+* Total vulnerable themes: 303
+* Total version vulnerabilities: 752
+* Total plugin vulnerabilities: 1351
+* Total theme vulnerabilities: 345
 
 ## Version 2.4
 Released: 2014-04-17
@@ -12,7 +141,6 @@ New
 * Switch over to nist - Fix #301
 * New choice added when a redirection is detected - Fix #438
 
-
 Removed
 * Removed 'Total WordPress Sites in the World' counter from stats
 * Old wpscan repo links removed - Fix #440

CREDITS

@@ -11,10 +11,11 @@ Ryan Dewhurst - @ethicalhack3r (Project Lead)
 
 *Other Contributors*
 
+Henri Salo AKA fgeek - Reported lots of vulnerabilities
 Alip AKA Undead - alip.aswalid at gmail.com
-michee08 - Reported and gave potential solutions to bugs.
+michee08 - Reported and gave potential solutions to bugs
 Callum Pember - Implemented proxy support - callumpember at gmail.com
-g0tmi1k - Additional timthumb checks + bug reports.
+g0tmi1k - Additional timthumb checks + bug reports
 Melvin Lammerts - Reported a couple of fake vulnerabilities - melvin at 12k.nl
 Paolo Perego - @thesp0nge - Basic authentication
 Gianluca Brindisi - @gbrindisi - Project Developer

DISCLAIMER.txt

@@ -0,0 +1,2 @@
+WPScan is not responsible for misuse or for any damage that you may cause!
+You agree that you use this software at your own risk.

Gemfile

@@ -1,13 +1,14 @@
-source "https://rubygems.org"
+source 'https://rubygems.org'
 
-gem "typhoeus", "~>0.6.8"
-gem "nokogiri"
-gem "json"
-gem "terminal-table"
-gem "ruby-progressbar", "~>1.4.2"
+gem 'typhoeus', '~>0.6.8'
+gem 'nokogiri'
+gem 'json'
+gem 'terminal-table'
+gem 'ruby-progressbar', '>=1.6.0'
 
 group :test do
-  gem "webmock", ">=1.17.2"
-  gem "simplecov"
-  gem "rspec", :require => "spec"
+  gem 'webmock', '>=1.17.2'
+  gem 'simplecov'
+  gem 'rspec', '>=3.0'
+  gem 'rspec-its'
 end

LICENSE

@@ -1,15 +1,21 @@
-WPScan - WordPress Security Scanner
-Copyright (C) 2012-2013
+The WPScan software and its data (henceforth both referred to simply as "WPScan") is dual-licensed - copyright 2011-2014 The WPScan Team.
 
-This program is free software: you can redistribute it and/or modify
-it under the terms of the GNU General Public License as published by
-the Free Software Foundation, either version 3 of the License, or
-(at your option) any later version.
+Cases that include commercialization of WPScan require a commercial, non-free license. Otherwise, the system can be used under the terms of the GNU General Public License.
 
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU General Public License for more details.
+Cases of commercialization are:
 
-You should have received a copy of the GNU General Public License
-along with this program.  If not, see <http://www.gnu.org/licenses/>.
+- Using WPScan to provide commercial managed/Software-as-a-Service services.
+- Distributing WPScan as a commercial product or as part of one.
+- Using WPScan as a value added service/product.
+
+Cases which do not require a commercial license, and thus fall under the terms of GNU General Public License, include (but are not limited to):
+
+- Penetration testers (or penetration testing organizations) using WPScan as part of their assessment toolkit. So long as that does not conflict with the commercialization clause.
+- Using WPScan to test your own systems.
+- Any non-commercial use of WPScan.
+
+If you need to acquire a commercial license or are unsure about whether you need to acquire a commercial license, please get in touch, we will be happy to clarify things for you and work with you to accommodate your requirements.
+
+wpscanteam at gmail.com
+
+You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>.

README

@@ -9,23 +9,27 @@ __________________________________________________
 
 ==LICENSE==
 
-WPScan - WordPress Security Scanner
-Copyright (C) 2011-2013 The WPScan Team
+The WPScan software and its data (henceforth both referred to simply as "WPScan") is dual-licensed - copyright 2011-2014 The WPScan Team.
 
-This program is free software: you can redistribute it and/or modify
-it under the terms of the GNU General Public License as published by
-the Free Software Foundation, either version 3 of the License, or
-(at your option) any later version.
+Cases that include commercialization of WPScan require a commercial, non-free license. Otherwise, the system can be used under the terms of the GNU General Public License.
 
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU General Public License for more details.
+Cases of commercialization are:
 
-You should have received a copy of the GNU General Public License
-along with this program.  If not, see <http://www.gnu.org/licenses/>.
+- Using WPScan to provide commercial managed/Software-as-a-Service services.
+- Distributing WPScan as a commercial product or as part of one.
+- Using WPScan as a value added service/product.
 
-ryandewhurst at gmail
+Cases which do not require a commercial license, and thus fall under the terms of GNU General Public License, include (but are not limited to):
+
+- Penetration testers (or penetration testing organizations) using WPScan as part of their assessment toolkit. So long as that does not conflict with the commercialization clause.
+- Using WPScan to test your own systems.
+- Any non-commercial use of WPScan.
+
+If you need to acquire a commercial license or are unsure about whether you need to acquire a commercial license, please get in touch, we will be happy to clarify things for you and work with you to accommodate your requirements.
+
+wpscanteam at gmail.com
+
+You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>.
 
 ==INSTALL==
 
@@ -40,18 +44,39 @@ ryandewhurst at gmail
   Prerequisites:
 
    * Windows not supported
-   * Ruby >= 1.9.2 - Recommended: 1.9.3
+   * Ruby >= 1.9.2 - Recommended: 2.1.4
    * Curl >= 7.21  - Recommended: latest - FYI the 7.29 has a segfault
    * RubyGems      - Recommended: latest
    * Git
 
-  -> Installing on Debian/Ubuntu:
+   Windows is not supported.
+
+   If installed from Github update the code base with git pull. The databases are updated with wpscan.rb --update.
+
+  -> Installing on Ubuntu:
+
+    Before Ubuntu 14.04:
 
         sudo apt-get install libcurl4-gnutls-dev libopenssl-ruby libxml2 libxml2-dev libxslt1-dev ruby-dev
         git clone https://github.com/wpscanteam/wpscan.git
         cd wpscan
         sudo gem install bundler && bundle install --without test
 
+    From Ubuntu 14.04:
+
+        sudo apt-get install libcurl4-gnutls-dev libxml2 libxml2-dev libxslt1-dev ruby-dev build-essential
+        git clone https://github.com/wpscanteam/wpscan.git
+        cd wpscan
+        sudo gem install bundler && bundle install --without test
+
+  -> Installing on Debian:
+
+    sudo apt-get install git ruby ruby-dev libcurl4-gnutls-dev make
+    git clone https://github.com/wpscanteam/wpscan.git
+    cd wpscan
+    sudo gem install bundler
+    bundle install --without test --path vendor/bundle
+
   -> Installing on Fedora:
 
     sudo yum install gcc ruby-devel libxml2 libxml2-devel libxslt libxslt-devel libcurl-devel
@@ -79,6 +104,20 @@ ryandewhurst at gmail
     cd wpscan
     sudo gem install bundler && sudo bundle install --without test
 
+  -> Installing with RVM:
+
+    cd ~
+    curl -sSL https://get.rvm.io | bash -s stable
+    source ~/.rvm/scripts/rvm
+    echo "source ~/.rvm/scripts/rvm" >> ~/.bashrc
+    rvm install 2.1.4
+    rvm use 2.1.4 --default
+    echo "gem: --no-ri --no-rdoc" > ~/.gemrc
+    gem install bundler
+    git clone https://github.com/wpscanteam/wpscan.git
+    cd wpscan
+    bundle install --without test
+
 ==KNOWN ISSUES==
 
   - Typhoeus segmentation fault:
@@ -117,7 +156,7 @@ ryandewhurst at gmail
 
 ==WPSCAN ARGUMENTS==
 
---update   Update to the latest revision
+--update   Update the databases.
 
 --url   | -u <target url>  The WordPress URL/domain to scan.
 
@@ -159,12 +198,14 @@ ryandewhurst at gmail
 
 --basic-auth <username:password>  Set the HTTP Basic authentication.
 
---wordlist | -w <wordlist>  Supply a wordlist for the password bruter and do the brute.
+--wordlist | -w <wordlist>  Supply a wordlist for the password brute forcer.
 
 --threads  | -t <number of threads>  The number of threads to use when multi-threading requests.
 
 --username | -U <username>  Only brute force the supplied username.
 
+--usernames  <path-to-file>  Only brute force the usernames from the file.
+
 --cache-ttl <cache-ttl>  Typhoeus cache TTL.
 
 --request-timeout <request-timeout>  Request Timeout.
@@ -181,6 +222,8 @@ ryandewhurst at gmail
 
 --no-color Do not use colors in the output.
 
+--log Save STDOUT to log.txt
+
 ==WPSCAN EXAMPLES==
 
 Do 'non-intrusive' checks...
@@ -207,7 +250,7 @@ Use custom content directory...
 
   ruby wpscan.rb -u www.example.com --wp-content-dir custom-content
 
-Update WPScan...
+Update WPScan's databases...
 
   ruby wpscan.rb --update
 
@@ -220,20 +263,12 @@ Debug output...
 -v, --verbose                                                Verbose output
 --check-vuln-ref-urls, --cvru                            Check all the vulnerabilities reference urls for 404
 --check-local-vulnerable-files, --clvf LOCAL_DIRECTORY   Perform a recursive scan in the LOCAL_DIRECTORY to find vulnerable files or shells
-    --generate-plugin-list, --gpl [NUMBER_OF_PAGES]          Generate a new data/plugins.txt file. (supply number of *pages* to parse, default : 150)
-    --generate-full-plugin-list, --gfpl                      Generate a new full data/plugins.txt file
-    --generate-theme-list, --gtl [NUMBER_OF_PAGES]           Generate a new data/themes.txt file. (supply number of *pages* to parse, default : 20)
-    --generate-full-theme-list, --gftl                       Generate a new full data/themes.txt file
-    --generate-all, --ga                                     Generate a new full plugins, full themes, popular plugins and popular themes list
--s, --stats                                                  Show WpScan Database statistics
+s, --stats                                                  Show WpScan Database statistics.
 --spellcheck, --sc                                       Check all files for common spelling mistakes.
 
 ==WPSTOOLS EXAMPLES==
 
-- Generate a new 'most popular' plugin list, up to 150 pages ...
-ruby wpstools.rb --generate-plugin-list 150
-
-- Locally scan a wordpress installation for vulnerable files or shells :
+Locally scan a wordpress installation for vulnerable files or shells:
 ruby wpstools.rb --check-local-vulnerable-files /var/www/wordpress/
 
 ===PROJECT HOME===
@@ -252,8 +287,6 @@ https://github.com/wpscanteam/wpscan/issues
 
 http://rdoc.info/github/wpscanteam/wpscan/frames
 
-===SPONSOR===
+===SPECIAL THANKS===
 
-WPScan is sponsored by the RandomStorm Open Source Initiative.
-
-Visit RandomStorm at http://www.randomstorm.com
+RandomStorm - https://www.randomstorm.com

README.md

@@ -1,26 +1,33 @@
-![alt text](http://dvwa.co.uk/images/wpscan_logo_407x80.png "WPScan - WordPress Security Scanner")
+![alt text](https://raw.githubusercontent.com/wpscanteam/wpscan/gh-pages/wpscan_logo_407x80.png "WPScan - WordPress Security Scanner")
 
-[![Build Status](https://travis-ci.org/wpscanteam/wpscan.png?branch=master)](https://travis-ci.org/wpscanteam/wpscan)
+
+[![Build Status](https://travis-ci.org/wpscanteam/CMSScanner.svg?branch=master)](https://travis-ci.org/wpscanteam/CMSScanner)
+[![Code Climate](https://img.shields.io/codeclimate/github/wpscanteam/wpscan.svg)](https://codeclimate.com/github/wpscanteam/wpscan)
+[![Dependency Status](https://img.shields.io/gemnasium/wpscanteam/wpscan.svg)](https://gemnasium.com/wpscanteam/wpscan)
 
 #### LICENSE
 
-WPScan - WordPress Security Scanner
-Copyright (C), 2011-2013 The WPScan Team
+The WPScan software and its data (henceforth both referred to simply as "WPScan") is dual-licensed - copyright 2011-2014 The WPScan Team.
 
-This program is free software: you can redistribute it and/or modify
-it under the terms of the GNU General Public License as published by
-the Free Software Foundation, either version 3 of the License, or
-(at your option) any later version.
+Cases that include commercialization of WPScan require a commercial, non-free license. Otherwise, the system can be used under the terms of the GNU General Public License.
 
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU General Public License for more details.
+Cases of commercialization are:
 
-You should have received a copy of the GNU General Public License
-along with this program.  If not, see <http://www.gnu.org/licenses/>.
+- Using WPScan to provide commercial managed/Software-as-a-Service services.
+- Distributing WPScan as a commercial product or as part of one.
+- Using WPScan as a value added service/product.
 
-ryandewhurst at gmail
+Cases which do not require a commercial license, and thus fall under the terms of GNU General Public License, include (but are not limited to):
+
+- Penetration testers (or penetration testing organizations) using WPScan as part of their assessment toolkit. So long as that does not conflict with the commercialization clause.
+- Using WPScan to test your own systems.
+- Any non-commercial use of WPScan.
+
+If you need to acquire a commercial license or are unsure about whether you need to acquire a commercial license, please get in touch, we will be happy to clarify things for you and work with you to accommodate your requirements.
+
+wpscanteam at gmail.com
+
+You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>.
 
 #### INSTALL
 
@@ -34,57 +41,76 @@ WPScan comes pre-installed on the following Linux distributions:
 
 Prerequisites:
 
-- Windows not supported
-- Ruby >= 1.9.2 - Recommended: 1.9.3
+- Ruby >= 1.9.2 - Recommended: 2.1.4
 - Curl >= 7.21  - Recommended: latest - FYI the 7.29 has a segfault
 - RubyGems      - Recommended: latest
 - Git
 
-*Installing on Debian/Ubuntu:*
+Windows is not supported.
+If installed from Github update the code base with ```git pull```. The databases are updated with ```wpscan.rb --update```.
 
-```sudo apt-get install libcurl4-gnutls-dev libopenssl-ruby libxml2 libxml2-dev libxslt1-dev ruby-dev```
+####Installing on Ubuntu:
 
-```git clone https://github.com/wpscanteam/wpscan.git```
+Before Ubuntu 14.04:
 
-```cd wpscan```
+    sudo apt-get install libcurl4-gnutls-dev libopenssl-ruby libxml2 libxml2-dev libxslt1-dev ruby-dev
+    git clone https://github.com/wpscanteam/wpscan.git
+    cd wpscan
+    sudo gem install bundler && bundle install --without test
 
-```sudo gem install bundler && bundle install --without test```
+From Ubuntu 14.04:
 
-*Installing on Fedora:*
+    sudo apt-get install libcurl4-gnutls-dev libxml2 libxml2-dev libxslt1-dev ruby-dev build-essential
+    git clone https://github.com/wpscanteam/wpscan.git
+    cd wpscan
+    sudo gem install bundler && bundle install --without test
 
-```sudo yum install gcc ruby-devel libxml2 libxml2-devel libxslt libxslt-devel libcurl-devel```
+####Installing on Debian:
 
-```git clone https://github.com/wpscanteam/wpscan.git```
+    sudo apt-get install git ruby ruby-dev libcurl4-gnutls-dev make
+    git clone https://github.com/wpscanteam/wpscan.git
+    cd wpscan
+    sudo gem install bundler
+    bundle install --without test --path vendor/bundle
 
-```cd wpscan```
+####Installing on Fedora:
 
-```sudo gem install bundler && bundle install --without test```
+    sudo yum install gcc ruby-devel libxml2 libxml2-devel libxslt libxslt-devel libcurl-devel
+    git clone https://github.com/wpscanteam/wpscan.git
+    cd wpscan
+    sudo gem install bundler && bundle install --without test
 
-*Installing on Archlinux:*
+####Installing on Archlinux:
 
-```pacman -Syu ruby```
+    pacman -Syu ruby
+    pacman -Syu libyaml
+    git clone https://github.com/wpscanteam/wpscan.git
+    cd wpscan
+    sudo gem install bundler && bundle install --without test
+    gem install typhoeus
+    gem install nokogiri
 
-```pacman -Syu libyaml```
+####Installing on Mac OSX:
 
-```git clone https://github.com/wpscanteam/wpscan.git```
+Apple Xcode, Command Line Tools and the libffi are needed (to be able to install the FFI gem), See [http://stackoverflow.com/questions/17775115/cant-setup-ruby-environment-installing-fii-gem-error](http://stackoverflow.com/questions/17775115/cant-setup-ruby-environment-installing-fii-gem-error)
 
-```cd wpscan```
+    git clone https://github.com/wpscanteam/wpscan.git
+    cd wpscan
+    sudo gem install bundler && sudo bundle install --without test
 
-```sudo gem install bundler && bundle install --without test```
+####Installing with RVM:
 
-```gem install typhoeus```
-
-```gem install nokogiri```
-
-*Installing on Mac OSX:*
-
-Apple Xcode, Command Line Tools and the libffi are needed (to be able to install the FFI gem), See http://stackoverflow.com/questions/17775115/cant-setup-ruby-environment-installing-fii-gem-error
-
-```git clone https://github.com/wpscanteam/wpscan.git```
-
-```cd wpscan```
-
-```sudo gem install bundler && sudo bundle install --without test```
+    cd ~
+    curl -sSL https://get.rvm.io | bash -s stable
+    source ~/.rvm/scripts/rvm
+    echo "source ~/.rvm/scripts/rvm" >> ~/.bashrc
+    rvm install 2.1.4
+    rvm use 2.1.4 --default
+    echo "gem: --no-ri --no-rdoc" > ~/.gemrc
+    gem install bundler
+    git clone https://github.com/wpscanteam/wpscan.git
+    cd wpscan
+    bundle install --without test
 
 #### KNOWN ISSUES
 
@@ -97,7 +123,7 @@ Apple Xcode, Command Line Tools and the libffi are needed (to be able to install
       Update cURL to version => 7.21.7 (may have to install from source).
 
       Installation from sources :
-      ```
+
         Grab the sources from http://curl.haxx.se/download.html
         Decompress the archive
         Open the folder with the extracted files
@@ -105,21 +131,21 @@ Apple Xcode, Command Line Tools and the libffi are needed (to be able to install
         Run make
         Run sudo make install
         Run sudo ldconfig
-      ```
+
 
   - cannot load such file -- readline:
 
-      ```sudo aptitude install libreadline5-dev libncurses5-dev```
+        sudo aptitude install libreadline5-dev libncurses5-dev
 
       Then, open the directory of the readline gem (you have to locate it)
-      ```
+
         cd ~/.rvm/src/ruby-1.9.2-p180/ext/readline
         ruby extconf.rb
         make
         make install
-      ```
 
-      See http://vvv.tobiassjosten.net/ruby-on-rails/fixing-readline-for-the-ruby-on-rails-console/ for more details
+
+      See [http://vvv.tobiassjosten.net/ruby-on-rails/fixing-readline-for-the-ruby-on-rails-console/](http://vvv.tobiassjosten.net/ruby-on-rails/fixing-readline-for-the-ruby-on-rails-console/) for more details
 
   - no such file to load -- rubygems
 
@@ -127,11 +153,11 @@ Apple Xcode, Command Line Tools and the libffi are needed (to be able to install
 
       And select your ruby version
 
-      See https://github.com/wpscanteam/wpscan/issues/148
+      See [https://github.com/wpscanteam/wpscan/issues/148](https://github.com/wpscanteam/wpscan/issues/148)
 
 #### WPSCAN ARGUMENTS
 
-    --update   Update to the latest revision
+    --update   Update the databases.
 
     --url   | -u <target url>  The WordPress URL/domain to scan.
 
@@ -173,12 +199,14 @@ Apple Xcode, Command Line Tools and the libffi are needed (to be able to install
 
     --basic-auth <username:password>  Set the HTTP Basic authentication.
 
-    --wordlist | -w <wordlist>  Supply a wordlist for the password bruter and do the brute.
+    --wordlist | -w <wordlist>  Supply a wordlist for the password brute forcer.
 
     --threads  | -t <number of threads>  The number of threads to use when multi-threading requests.
 
     --username | -U <username>  Only brute force the supplied username.
 
+    --usernames  <path-to-file>  Only brute force the usernames from the file.
+
     --cache-ttl <cache-ttl>  Typhoeus cache TTL.
 
     --request-timeout <request-timeout>  Request Timeout.
@@ -195,6 +223,8 @@ Apple Xcode, Command Line Tools and the libffi are needed (to be able to install
 
     --no-color Do not use colors in the output.
 
+    --log Save STDOUT to log.txt
+
 #### WPSCAN EXAMPLES
 
 Do 'non-intrusive' checks...
@@ -221,7 +251,7 @@ Use custom content directory...
 
 ```ruby wpscan.rb -u www.example.com --wp-content-dir custom-content```
 
-Update WPScan...
+Update WPScan's databases...
 
 ```ruby wpscan.rb --update```
 
@@ -234,41 +264,36 @@ Debug output...
     -v, --verbose                                                Verbose output
         --check-vuln-ref-urls, --cvru                            Check all the vulnerabilities reference urls for 404
         --check-local-vulnerable-files, --clvf LOCAL_DIRECTORY   Perform a recursive scan in the LOCAL_DIRECTORY to find vulnerable files or shells
-        --generate-plugin-list, --gpl [NUMBER_OF_PAGES]          Generate a new data/plugins.txt file. (supply number of *pages* to parse, default : 150)
-        --generate-full-plugin-list, --gfpl                      Generate a new full data/plugins.txt file
-        --generate-theme-list, --gtl [NUMBER_OF_PAGES]           Generate a new data/themes.txt file. (supply number of *pages* to parse, default : 20)
-        --generate-full-theme-list, --gftl                       Generate a new full data/themes.txt file
-        --generate-all, --ga                                     Generate a new full plugins, full themes, popular plugins and popular themes list
     -s, --stats                                                  Show WpScan Database statistics.
         --spellcheck, --sc                                       Check all files for common spelling mistakes.
 
 
 #### WPSTOOLS EXAMPLES
 
-Generate a new 'most popular' plugin list, up to 150 pages...
-
-```ruby wpstools.rb --generate-plugin-list 150```
-
 Locally scan a wordpress installation for vulnerable files or shells:
-```ruby wpstools.rb --check-local-vulnerable-files /var/www/wordpress/```
 
+```ruby wpstools.rb --check-local-vulnerable-files /var/www/wordpress/```
 
 #### PROJECT HOME
 
-www.wpscan.org
+[http://www.wpscan.org](http://www.wpscan.org)
+
+#### VULNERABILITY DATABASE
+
+[https://www.wpvulndb.com](https://www.wpvulndb.com)
 
 #### GIT REPOSITORY
 
-https://github.com/wpscanteam/wpscan
+[https://github.com/wpscanteam/wpscan](https://github.com/wpscanteam/wpscan)
 
 #### ISSUES
 
-https://github.com/wpscanteam/wpscan/issues
+[https://github.com/wpscanteam/wpscan/issues](https://github.com/wpscanteam/wpscan/issues)
 
 #### DEVELOPER DOCUMENTATION
 
-http://rdoc.info/github/wpscanteam/wpscan/frames
+[http://rdoc.info/github/wpscanteam/wpscan/frames](http://rdoc.info/github/wpscanteam/wpscan/frames)
 
-#### SPONSOR
+#### SPECIAL THANKS
 
-WPScan is sponsored by the [RandomStorm](http://www.randomstorm.com) Open Source Initiative.
+[RandomStorm](https://www.randomstorm.com)

data/.gitignore

@@ -0,0 +1,2 @@
+*
+!.gitignore

data/local_vulnerable_files.xml

@@ -1,48 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-
-<!--
-  Only he following extensions are scanned : js, php, swf, html, htm
-  If you want to add one, modify the variable file_extension_to_scan, line 191 in wpstools.rb
--->
-
-<hashes xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-        xsi:noNamespaceSchemaLocation="local_vulnerable_files.xsd">
-
-  <hash sha1="17c372678aafb3bc1a7b37320b5cc1d8af433527">
-    <title>XSS in swfupload.swf</title>
-    <file>swfupload.swf</file>
-    <reference>http://brindi.si/g/blog/vulnerable-swf-bundled-in-wordpress-plugins.html</reference>
-  </hash>
-
-  <hash sha1="775dc1089829ef07838406def28a4d8bfef69d66">
-    <title>Arbitrary File Upload Vulnerability</title>
-    <file>php.php</file>
-    <reference>http://packetstormsecurity.com/files/119241/wpvalums-shell.txt</reference>
-  </hash>
-
-  <!-- This one a is the same as above, but the postSize verification has been removed -->
-  <hash sha1="5e8f0d5a917d2937318a9bafd0529135bd473e70">
-    <title>Arbitrary File Upload Vulnerability</title>
-    <file>php.php</file>
-    <reference>http://packetstormsecurity.com/files/119218/wpreflexgallery-shell.txt</reference>
-  </hash>
-
-  <hash sha1="3f9ad05b05b65ee2b6efa1373f708293dd2005c7">
-    <title>Arbitrary File Upload Vulnerability</title>
-    <file>uploadify.php</file>
-    <reference>http://packetstormsecurity.com/files/119219/wpuploader104-shell.txt</reference>
-  </hash>
-
-  <hash sha1="ac638cc38f011b74a8d9a4e7d3d60358e472166c">
-    <title>Inline phpinfo()</title>
-    <file>phpinfo.php</file>
-    <reference>http://php.net/manual/en/function.phpinfo.php</reference>
-  </hash>
-
-  <hash sha1="012ee25cceff745e681fbb3697a06f3712f55554">
-    <title>phpinfo()</title>
-    <file>phpinfo.php</file>
-    <reference>http://php.net/manual/en/function.phpinfo.php</reference>
-  </hash>
-
-</hashes>

data/local_vulnerable_files.xsd

@@ -1,42 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-
-<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
-
-  <xs:simpleType name="stringtype">
-    <xs:restriction base="xs:string">
-      <xs:whiteSpace value="preserve" />
-      <xs:minLength value="1" />
-      <xs:pattern value="[^\s].+[^\s]|[^\s]"/>
-    </xs:restriction>
-  </xs:simpleType>
-
-  <xs:simpleType name="uritype">
-    <xs:restriction base="xs:anyURI">
-      <xs:minLength value="1" />
-    </xs:restriction>
-  </xs:simpleType>
-
-  <xs:simpleType name="sha1type">
-    <xs:restriction base="stringtype">
-      <xs:pattern value="[0-9a-f]{40}"/>
-    </xs:restriction>
-  </xs:simpleType>
-
-  <xs:complexType name="hashtype">
-    <xs:sequence minOccurs="1" maxOccurs="1">
-      <xs:element name="title" type="stringtype"/>
-      <xs:element name="file" type="stringtype"/>
-      <xs:element name="reference" type="uritype"/>
-    </xs:sequence>
-    <xs:attribute type="sha1type" name="sha1" use="required"/>
-  </xs:complexType>
-
-  <xs:element name="hashes">
-    <xs:complexType>
-      <xs:sequence>
-        <xs:element name="hash" type="hashtype" maxOccurs="unbounded" minOccurs="1"/>
-      </xs:sequence>
-    </xs:complexType>
-  </xs:element>
-
-</xs:schema>

data/malwares.txt

@@ -1,3 +0,0 @@
-http://.*\.rr\.nu
-http://www\.thesea\.org/media\.php
-

data/themes.txt

@@ -1,299 +0,0 @@
-aadya
-abaris
-academica
-adamos
-adelle
-adventure
-advertica-lite
-aldehyde
-alexandria
-analytical-lite
-apprise
-arcade-basic
-asteria-lite
-atahualpa
-attitude
-base-wp
-beach
-bearded
-bizark
-bizflare
-bizkit
-biznez-lite
-bizstudio-lite
-blackbird
-blankslate
-blox
-boldr-lite
-boot-store
-bootstrap-ultimate
-bouquet
-bresponzive
-brightnews
-briks
-business-lite
-business-pro
-busiprof
-butterbelly
-buzz
-capture
-careta
-catch-box
-catch-everest
-catch-evolution
-catch-kathmandu
-celestial-lite
-chaostheory
-church
-circumference-lite
-cirrus
-clean-retina
-coller
-colorway
-contango
-coraline
-corpo
-count-down
-crangasi
-custom-community
-customizr
-cyberchimps
-dark-tt
-dazzling
-decode
-designfolio
-desk-mess-mirrored
-destro
-discover
-dms
-duena
-dusk-to-dawn
-duster
-dw-minion
-dw-timeline
-dw-wallpress
-eclipse
-engrave-lite
-enough
-esell
-esplanade
-esquire
-evolve
-expert
-expound
-family
-faq
-fashionistas
-fifteen
-fine
-firmasite
-flat
-flounder
-focus
-forever
-formation
-fresh-lite
-frisco-for-buddypress
-frontier
-fruitful
-gamepress
-govpress
-graphene
-graphy
-gridster-lite
-hatch
-hazen
-health-center-lite
-hemingway
-hiero
-highwind
-hueman
-i-transform
-iconic-one
-ifeature
-ignite
-imprint
-independent-publisher
-infinite
-infoway
-inkness
-inkzine
-interface
-intuition
-invert-lite
-iribbon
-isis
-italian-restaurant
-itek
-jbst
-jbst-masonary
-journal-lite
-justwrite
-kavya
-klasik
-landscape
-leatherdiary
-lingonberry
-looki-lite
-lupercalia
-madeini
-magazine-basic
-magazine-style
-magazino
-mantra
-market
-marketer
-match
-matheson
-max-magazine
-meadowhill
-mesocolumn
-mh-magazine-lite
-midnightcity
-minima-lite
-minimatica
-minimize
-mn-flow
-modern-business
-monaco
-montezuma
-naturefox
-neighborly
-neuro
-newgamer
-news-flash
-newspress-lite
-next-saturday
-nictitate
-omega
-one-page
-onetone
-openstrap
-opulus-sombre
-origami
-origin
-oxygen
-p2
-padhang
-pagelines
-papercuts
-parabola
-parallax
-parament
-phonix
-pilcrow
-pilot-fish
-pinbin
-pinboard
-pink-touch-2
-pisces
-platform
-point
-portfolio-press
-pr-news
-preference-lite
-presentation-lite
-preus
-primo-lite
-promax
-quark
-radiant
-radiate
-raindrops
-rambo
-raptor
-raven
-ready-review
-resolution
-responsive
-restaurante
-restaurateur
-restimpo
-reviewgine-affiliate
-rewind
-ridizain
-road-fighter
-sampression-lite
-seismic-manhattan
-sensitive
-sequel
-shamatha
-shopping
-siempel
-silver-quantum
-simple-catch
-simply-vision
-singl
-sixteen
-skt-full-width
-sliding-door
-smpl-skeleton
-snaps
-snapshot
-sneak-lite
-sorbet
-spacious
-sparkling
-spartan
-spasalon
-sporty
-spun
-squirrel
-stairway
-stargazer
-start-point
-steira
-storefront-paper
-story
-suevafree
-suffusion
-sugar-and-spice
-sundance
-sunrain
-sunspot
-superhero
-supernova
-surfarama
-swift-basic
-taraza
-tatva-lite
-teal
-tempera
-temptation
-terrifico
-the-newswire
-thematic
-theron-lite
-tiny-forge
-tonal
-tonic
-travelify
-twentyeleven
-twentyfourteen
-twentyten
-twentythirteen
-twentytwelve
-typal-makewp005
-unite
-untitled
-vantage
-venom
-viper
-virtue
-vision
-visual
-vryn-restaurant
-ward
-weaver-ii
-wilson
-wp-creativix
-wp-opulus
-wp-simple
-wpchimp-countdown
-wpstart
-writr
-x2
-xin-magazine
-yoko
-zeedynamic
-zeeflow

data/user-agents.txt

@@ -1,36 +0,0 @@
-# Windows
-Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.0 Safari/532.5
-Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.601.0 Safari/534.14
-Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.27 (KHTML, like Gecko) Chrome/12.0.712.0 Safari/534.27
-Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.24 Safari/535.1
-Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 ( .NET CLR 3.5.30729; .NET4.0E)
-Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
-Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
-Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
-Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6
-Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.1) Gecko/20100101 Firefox/10.0.1
-Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20120403211507 Firefox/12.0
-Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20120427 Firefox/15.0a1
-Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
-Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
-Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0)
-Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00
-Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.19.4 (KHTML, like Gecko) Version/5.0.2 Safari/533.18.5
-
-# MAC
-Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.15 Safari/534.13
-Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.5; en-US; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
-Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
-Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/418.8 (KHTML, like Gecko) Safari/419.3
-Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_0) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1063.0 Safari/536.3
-Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2; rv:10.0.1) Gecko/20100101 Firefox/10.0.1
-Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10
-
-# Linux
-Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.20 Safari/535.1
-Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.24 (KHTML, like Gecko) Ubuntu/10.10 Chromium/12.0.703.0 Chrome/12.0.703.0 Safari/534.24
-Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.9) Gecko/20100915 Gentoo Firefox/3.6.9
-Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko/20120421 Gecko Firefox/11.0
-Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0
-Opera/9.80 (X11; Linux x86_64; U; pl) Presto/2.7.62 Version/11.00
-Mozilla/5.0 (X11; U; Linux x86_64; us; rv:1.9.1.19) Gecko/20110430 shadowfox/7.0 (like Firefox/7.0

data/vuln.xsd

@@ -1,109 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-
-<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
-
-  <xs:simpleType name="stringtype">
-    <xs:restriction base="xs:string">
-      <xs:whiteSpace value="preserve" />
-      <xs:minLength value="1" />
-      <xs:pattern value="[^\s].+[^\s]|[^\s]"/>
-    </xs:restriction>
-  </xs:simpleType>
-
-  <xs:simpleType name="inttype">
-    <xs:restriction base="xs:positiveInteger" />
-  </xs:simpleType>
-
-  <xs:simpleType name="uritype">
-    <xs:restriction base="xs:anyURI">
-      <xs:minLength value="1" />
-    </xs:restriction>
-  </xs:simpleType>
-
-  <xs:simpleType name="cvetype">
-    <xs:restriction base="xs:token">
-      <xs:pattern value="[0-9]{4}-[0-9]{4,}"/>
-    </xs:restriction>
-  </xs:simpleType>
-
-  <xs:simpleType name="typetype">
-    <xs:restriction base="stringtype">
-      <xs:enumeration value="SQLI"/>
-      <xs:enumeration value="MULTI"/>
-      <xs:enumeration value="REDIRECT"/>
-      <xs:enumeration value="RCE"/>
-      <xs:enumeration value="RFI"/>
-      <xs:enumeration value="LFI"/>
-      <xs:enumeration value="UPLOAD"/>
-      <xs:enumeration value="UNKNOWN"/>
-      <xs:enumeration value="XSS"/>
-      <xs:enumeration value="CSRF"/>
-      <xs:enumeration value="SSRF"/>
-      <xs:enumeration value="AUTHBYPASS"/>
-      <xs:enumeration value="BYPASS"/>
-      <xs:enumeration value="FPD"/>
-      <xs:enumeration value="XXE"/>
-    </xs:restriction>
-  </xs:simpleType>
-
-  <xs:complexType name="itemtype">
-    <xs:sequence minOccurs="1" maxOccurs="unbounded">
-      <xs:element name="vulnerability" type="vulntype" />
-    </xs:sequence>
-    <xs:attribute type="stringtype" name="name" use="required"/>
-  </xs:complexType>
-
-  <xs:complexType name="wordpresstype">
-    <xs:sequence minOccurs="1" maxOccurs="unbounded">
-      <xs:element name="vulnerability" type="vulntype"/>
-    </xs:sequence>
-    <xs:attribute type="stringtype" name="version" use="required"/>
-  </xs:complexType>
-
-  <xs:complexType name="vulntype">
-    <xs:sequence minOccurs="1" maxOccurs="unbounded">
-      <xs:choice>
-        <xs:element name="title" type="stringtype"/>
-        <xs:element name="type" type="typetype"/>
-        <xs:element name="fixed_in" type="stringtype"/>
-        <xs:element name="references" type="referencetype"/>
-      </xs:choice>
-    </xs:sequence>
-  </xs:complexType>
-
-  <xs:complexType name="referencetype">
-    <xs:sequence minOccurs="1" maxOccurs="unbounded">
-      <xs:choice>
-        <xs:element name="url" type="uritype" minOccurs="0" maxOccurs="unbounded"/>
-        <xs:element name="cve" type="cvetype" minOccurs="0" maxOccurs="unbounded"/>
-        <xs:element name="secunia" type="inttype" minOccurs="0" maxOccurs="unbounded"/>
-        <xs:element name="osvdb" type="inttype" minOccurs="0" maxOccurs="unbounded"/>
-        <xs:element name="metasploit" type="stringtype" minOccurs="0" maxOccurs="unbounded"/>
-        <xs:element name="exploitdb" type="inttype" minOccurs="0" maxOccurs="unbounded"/>
-      </xs:choice>
-    </xs:sequence>
-  </xs:complexType>
-
-  <xs:element name="vulnerabilities">
-    <xs:complexType>
-      <xs:choice>
-        <xs:element name="plugin" type="itemtype" maxOccurs="unbounded" minOccurs="0"/>
-        <xs:element name="theme" type="itemtype" maxOccurs="unbounded" minOccurs="0"/>
-        <xs:element name="wordpress" type="wordpresstype" maxOccurs="unbounded" minOccurs="0"/>
-      </xs:choice>
-    </xs:complexType>
-    <xs:unique name="uniquePlugin">
-      <xs:selector xpath="plugin"/>
-      <xs:field xpath="@name"/>
-    </xs:unique>
-    <xs:unique name="uniqueTheme">
-      <xs:selector xpath="theme"/>
-      <xs:field xpath="@name"/>
-    </xs:unique>
-    <xs:unique name="uniqueWordpress">
-      <xs:selector xpath="wordpress"/>
-      <xs:field xpath="@version"/>
-    </xs:unique>
-  </xs:element>
-
-</xs:schema>

data/wp_versions.xml

@@ -1,224 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-
-<!--
-  This file contains identification data to identify WordPress versions.
-  http://wordpress.org/download/release-archive/
-
-  Position is important, DO NOT change anything unless you know what you are doing :p
--->
-
-<wp-versions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-             xsi:noNamespaceSchemaLocation="wp_versions.xsd">
-
-  <file src="readme.html">
-    <hash md5="cdbf9b18e3729b3553437fc4e9b6baad">
-      <version>3.9.1</version>
-    </hash>
-    <hash md5="84b54c54aa48ae72e633685c17e67457">
-      <version>3.9</version>
-    </hash>
-    <hash md5="c6de8fc70a18be7e5c36198cd0f99a64">
-      <version>3.8.3</version>
-    </hash>
-    <hash md5="e01a2663475f6a7a8363a7c75a73fe23">
-      <version>3.8.2</version>
-    </hash>
-    <hash md5="0d0eb101038124a108f608d419387b92">
-      <version>3.8.1</version>
-    </hash>
-    <hash md5="38ee273095b8f25b9ffd5ce5018fc4f0">
-      <version>3.8</version>
-    </hash>
-    <hash md5="813e06052daa0692036e60d76d7141d3">
-      <version>3.7.3</version>
-    </hash>
-    <hash md5="b3a05c7a344c2f53cb6b680fd65a91e8">
-      <version>3.7.2</version>
-    </hash>
-    <hash md5="e82f4fe7d3c1166afb4c00856b875f16">
-      <version>3.6.1</version>
-    </hash>
-    <hash md5="477f1e652f31dae76a38e3559c91deb9">
-      <version>3.6</version>
-    </hash>
-    <hash md5="caf7946275c3e885419b1d36b22cb5f3">
-      <version>3.5.2</version>
-    </hash>
-    <hash md5="05d50a04ef19bd4b0a280362469bf22f">
-      <version>3.5.1</version>
-    </hash>
-    <hash md5="066cfc0f9b29ae6d491aa342ebfb1b71">
-      <version>3.5</version>
-    </hash>
-    <hash md5="36b2b72a0f22138a921a38db890d18c1">
-      <version>3.3.3</version>
-    </hash>
-    <hash md5="628419c327ca5ed8685ae3af6f753eb8">
-      <version>3.3.2</version>
-    </hash>
-    <hash md5="c1ed266e26a829b772362d5135966bc3">
-      <version>3.3.1</version>
-    </hash>
-    <hash md5="9ea06ab0184049bf4ea2410bf51ce402">
-      <version>3.0</version>
-    </hash>
-  </file>
-
-  <file src="wp-includes/css/buttons-rtl.css">
-    <hash md5="71c13ab1693b45fb3d7712e540c4dfe0">
-      <version>3.8</version>
-    </hash>
-  </file>
-
-  <file src="wp-includes/js/tinymce/wp-tinymce.js.gz">
-    <hash md5="de42820ca28cfc889f428dbef29621c3">
-      <version>3.9.1</version>
-    </hash>
-    <hash md5="1d52314b1767c557b7232ae192c80318">
-      <version>3.9</version>
-    </hash>
-    <!-- Note: 3.7.1 has no unique file (the hash below is the same than the 3.7.2) -->
-    <hash md5="44d281b0d84cc494e2b095a6d2202f4d">
-      <version>3.7.1</version>
-    </hash>
-    <hash md5="b0bcf8091516db358ee9c833afd73175">
-      <version>3.7</version>
-    </hash>
-    <hash md5="cf4bbd562430a9bcbe735062be851be1">
-      <version>3.6.1</version>
-    </hash>
-    <hash md5="42ce18e88f1c21d4e991fcd431bcb606">
-      <version>3.6</version>
-    </hash>
-    <hash md5="a58dd12608659503cf087e879e720354">
-      <version>3.5.2</version>
-    </hash>
-    <hash md5="55c80a4794624ce9b94aa3631ad46c0b">
-      <version>3.5.1</version>
-    </hash>
-    <hash md5="8e529a971610d7ebe7851339c5cb3d67">
-      <version>3.5</version>
-    </hash>
-    <hash md5="ff19e44be975f89b647274d85b70f821">
-      <version>3.4.2</version>
-    </hash>
-  </file>
-
-  <file src="wp-admin/js/customize-controls.js">
-    <hash md5="aa0d38bd6f590ad8c3126074145b1bf1">
-      <version>3.4.1</version>
-    </hash>
-  </file>
-
-  <file src="wp-includes/js/customize-preview.js">
-    <hash md5="da36bc2dfcb13350c799b62de68dfa4b">
-      <version>3.4</version>
-    </hash>
-  </file>
-
-  <file src="wp-includes/js/plupload/plupload.js">
-    <hash md5="85199c05db63fcb5880de4af8be7b571">
-      <version>3.3.2</version>
-    </hash>
-  </file>
-
-  <file src="wp-admin/js/common.js">
-    <hash md5="4516252d47a73630280869994d510180">
-      <version>3.3</version>
-    </hash>
-  </file>
-
-  <file src="wp-admin/js/wp-fullscreen.js">
-    <hash md5="5675f7793f171b6424bf72f9d7bf4d9a">
-      <version>3.2.1</version>
-    </hash>
-    <hash md5="7b423e0b7c9221092737ad5271d09863">
-      <version>3.2</version>
-    </hash>
-  </file>
-
-  <file src="wp-includes/css/admin-bar.css">
-    <hash md5="181250fab3a7e2549a7e7fa21c2e6079">
-      <version>3.1</version>
-    </hash>
-  </file>
-
-  <file src="$wp-content$/themes/twentyten/style.css">
-    <hash md5="6211e2ac1463bf99e98f28ab63e47c54">
-      <version>3.0</version>
-    </hash>
-  </file>
-
-  <file src="$wp-plugins$/akismet/readme.txt">
-    <hash md5="4d5e52da417aa0101054bd41e6243389">
-      <version>2.8.6</version>
-    </hash>
-    <hash md5="58e086dea9d24ed074fe84ba87386c69">
-      <version>2.8.5</version>
-    </hash>
-    <hash md5="48c52025b5f28731e9a0c864c189c2e7">
-      <version>2.8.2</version>
-    </hash>
-  </file>
-
-  <file src="wp-includes/js/wp-ajax-response.js">
-    <hash md5="0289d1c13821599764774d55516ab81a">
-      <version>2.7.1</version>
-    </hash>
-  </file>
-
-  <file src="wp-includes/js/thickbox/thickbox.css">
-    <hash md5="9c2bd2be0893adbe02a0f864526734c2">
-      <version>2.7</version>
-    </hash>
-  </file>
-
-  <file src="wp-includes/js/tinymce/plugins/wpeditimage/editor_plugin.js">
-    <hash md5="5b140ddf0f08034402ae78b31d8a1a28">
-      <version>2.6</version>
-    </hash>
-  </file>
-
-  <file src="wp-includes/js/tinymce/themes/advanced/js/image.js">
-    <hash md5="088245408531c58bb52cc092294cc384">
-      <version>2.5.1</version>
-    </hash>
-  </file>
-
-  <file src="wp-includes/js/tinymce/themes/advanced/js/link.js">
-    <hash md5="19c6f3118728c38eb7779aab4847d2d9">
-      <version>2.5</version>
-    </hash>
-  </file>
-
-  <file src="wp-includes/js/wp-ajax.js">
-    <hash md5="c5dbce0c3232c477033e0ce486c62755">
-      <version>2.2</version>
-    </hash>
-  </file>
-
-  <file src="$wp-content$/themes/default/style.css">
-    <hash md5="e44545f529a54de88209ce588676231c">
-      <version>2.0.1</version>
-    </hash>
-    <hash md5="f786f66d3a40846aa22dcdfeb44fa562">
-      <version>2.0</version>
-    </hash>
-  </file>
-
-  <file src="wp-layout.css">
-    <hash md5="7140e06c00ed03d2bb3dad7672557510">
-      <version>1.2.1</version>
-    </hash>
-    <hash md5="1bcc9253506c067eb130c9fc4f211a2f">
-      <version>1.2-delta</version>
-    </hash>
-  </file>
-
-  <file src="layout2b.css">
-    <hash md5="baec6b6ccbf71d8dced9f1bf67c751e1">
-      <version>0.71-gold</version>
-    </hash>
-  </file>
-
-</wp-versions>

data/wp_versions.xsd

@@ -1,41 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-
-<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
-
-  <xs:simpleType name="stringtype">
-    <xs:restriction base="xs:string">
-      <xs:whiteSpace value="preserve" />
-      <xs:minLength value="1" />
-      <xs:pattern value="[^\s].+[^\s]|[^\s]"/>
-    </xs:restriction>
-  </xs:simpleType>
-
-  <xs:complexType name="filetype">
-    <xs:sequence>
-      <xs:element name="hash" type="hashtype" maxOccurs="unbounded" minOccurs="1"/>
-    </xs:sequence>
-    <xs:attribute type="stringtype" name="src" use="required"/>
-  </xs:complexType>
-
-  <xs:simpleType name="md5type">
-    <xs:restriction base="stringtype">
-      <xs:pattern value="[0-9a-f]{32}"/>
-    </xs:restriction>
-  </xs:simpleType>
-
-  <xs:complexType name="hashtype">
-    <xs:sequence minOccurs="1" maxOccurs="1">
-      <xs:element name="version" type="stringtype"/>
-    </xs:sequence>
-    <xs:attribute type="md5type" name="md5" use="required"/>
-  </xs:complexType>
-
-  <xs:element name="wp-versions">
-    <xs:complexType>
-      <xs:sequence>
-        <xs:element name="file" type="filetype" maxOccurs="unbounded" minOccurs="0"/>
-      </xs:sequence>
-    </xs:complexType>
-  </xs:element>
-
-</xs:schema>

dev/pre-commit-hook.rb

@@ -1,6 +1,7 @@
 #!/usr/bin/env ruby
 
-# ln -sf /Users/xxx/wpscan/dev/pre-commit-hook.rb /Users/xxx/wpscan/.git/hooks/pre-commit
+# from the top level dir:
+# ln -sf ../../dev/pre-commit-hook.rb .git/hooks/pre-commit
 
 require 'pty'
 html_path = 'rspec_results.html'

lib/common/browser.rb

@@ -16,14 +16,15 @@ class Browser
     :proxy,
     :proxy_auth,
     :request_timeout,
-    :connect_timeout
+    :connect_timeout,
+    :cookie
   ]
 
   @@instance = nil
 
   attr_reader :hydra, :cache_dir
 
-  attr_accessor :referer
+  attr_accessor :referer, :cookie
 
   # @param [ Hash ] options
   #
@@ -153,6 +154,7 @@ class Browser
 
     params.merge!(cookiejar: @cache_dir + '/cookie-jar')
     params.merge!(cookiefile: @cache_dir + '/cookie-jar')
+    params.merge!(cookie: @cookie) if @cookie
 
     params
   end

lib/common/cache_file_store.rb

@@ -9,16 +9,18 @@
 #
 
 require 'yaml'
+require 'fileutils'
 
 class CacheFileStore
-  attr_reader :storage_path, :serializer
+  attr_reader :storage_path, :cache_dir, :serializer
 
   # The serializer must have the 2 methods .load and .dump
   #   (Marshal and YAML have them)
   # YAML is Human Readable, contrary to Marshal which store in a binary format
   # Marshal does not need any "require"
   def initialize(storage_path, serializer = Marshal)
-    @storage_path = File.expand_path(storage_path + '/' + storage_dir)
+    @cache_dir    = File.expand_path(storage_path)
+    @storage_path = File.expand_path(File.join(storage_path, storage_dir))
     @serializer   = serializer
 
     # File.directory? for ruby <= 1.9 otherwise,
@@ -29,16 +31,22 @@ class CacheFileStore
   end
 
   def clean
-    Dir[File.join(@storage_path, '*')].each do |f|
+    # clean old directories
+    Dir[File.join(@cache_dir, '*')].each do |f|
+      if File.directory?(f)
+        # delete directory if create time is older than 4 hours
+        FileUtils.rm_rf(f) if File.mtime(f) < (Time.now - (60*240))
+      else
         File.delete(f) unless File.symlink?(f)
       end
     end
+  end
 
   def read_entry(key)
-    entry_file_path = get_entry_file_path(key)
-
-    if File.exists?(entry_file_path)
-      return @serializer.load(File.read(entry_file_path))
+    begin
+      @serializer.load(File.read(get_entry_file_path(key)))
+    rescue
+      nil
     end
   end
 

lib/common/collections/wp_items.rb

@@ -14,7 +14,7 @@ class WpItems < Array
     self.wp_target = wp_target
   end
 
-  # @param [String,] argv
+  # @param [String] argv
   #
   # @return [ void ]
   def add(*args)

lib/common/collections/wp_items/detectable.rb

@@ -23,10 +23,7 @@ class WpItems < Array
         homepage_hash:   wp_target.homepage_hash,
         exclude_content: options[:exclude_content] ? %r{#{options[:exclude_content]}} : nil
       }
-
-      # If we only want the vulnerable ones, the passive detection is ignored
-      # Otherwise, a passive detection is performed, and results will be merged
-      results = options[:only_vulnerable] ? new : passive_detection(wp_target, options)
+      results          = passive_detection(wp_target, options)
 
       targets.each do |target_item|
         request = browser.forge_request(target_item.url, request_params)
@@ -55,8 +52,11 @@ class WpItems < Array
 
       # run the remaining requests
       hydra.run
+
+      results.select!(&:vulnerable?) if options[:only_vulnerable]
       results.sort!
-      results # can't just return results.sort because the #sort returns an array, and we want a WpItems
+
+      results  # can't just return results.sort as it would return an array, and we want a WpItems
     end
 
     # @param [ Integer ] targets_size
@@ -81,12 +81,30 @@ class WpItems < Array
     # @return [ WpItems ]
     def passive_detection(wp_target, options = {})
       results = new(wp_target)
-      body     = Browser.get(wp_target.url).body
       # improves speed
-      body     = remove_base64_images_from_html(body)
-      names    = body.scan(passive_detection_pattern(wp_target))
+      body    = remove_base64_images_from_html(Browser.get(wp_target.url).body)
+      page    = Nokogiri::HTML(body)
+      names   = []
 
-      names.flatten.uniq.each { |name| results.add(name) }
+      page.css('link,script,style').each do |tag|
+        %w(href src).each do |attribute|
+          attr_value = tag.attribute(attribute).to_s
+          next unless attr_value
+
+          names << Regexp.last_match[1] if attr_value.match(attribute_pattern(wp_target))
+        end
+
+        next unless tag.name == 'script' || tag.name == 'style'
+
+        code = tag.text.to_s
+        next if code.empty?
+
+        code.scan(code_pattern(wp_target)).flatten.uniq.each do |item_name|
+          names << item_name
+        end
+      end
+
+      names.uniq.each { |name| results.add(name) }
 
       results.sort!
       results
@@ -97,13 +115,29 @@ class WpItems < Array
     # @param [ WpTarget ] wp_target
     #
     # @return [ Regex ]
-    def passive_detection_pattern(wp_target)
-      type   = self.to_s.gsub(/Wp/, '').downcase
-      regex1 = %r{(?:[^=:\(]+)\s?(?:=|:|\()\s?(?:"|')[^"']+\\?/}
-      regex2 = %r{\\?/}
-      regex3 = %r{\\?/([^/\\"']+)\\?(?:/|"|')}
+    def item_pattern(wp_target)
+      type = to_s.gsub(/Wp/, '').downcase
+      wp_content_dir = wp_target.wp_content_dir
+      wp_content_url = wp_target.uri.merge(wp_content_dir).to_s
 
-      /#{regex1}#{Regexp.escape(wp_target.wp_content_dir)}#{regex2}#{Regexp.escape(type)}#{regex3}/i
+      url = /#{wp_content_url.gsub(%r{\A(?:http|https)}, 'https?').gsub('/', '\\\\\?\/')}/i
+      content_dir = %r{(?:#{url}|\\?\/\\?\/?#{wp_content_dir})}i
+
+      %r{#{content_dir}\\?/#{type}\\?/}
+    end
+
+    # @param [ WpTarget ] wp_target
+    #
+    # @return [ Regex ]
+    def attribute_pattern(wp_target)
+      /\A#{item_pattern(wp_target)}([^\/]+)/i
+    end
+
+    # @param [ WpTarget ] wp_target
+    #
+    # @return [ Regex ]
+    def code_pattern(wp_target)
+      /["'\(]#{item_pattern(wp_target)}([^\\\/\)"']+)/i
     end
 
     # The default request parameters
@@ -142,16 +176,17 @@ class WpItems < Array
     # @return [ Array<WpItem> ]
     def vulnerable_targets_items(wp_target, item_class, vulns_file)
       targets = []
-      xml     = xml(vulns_file)
+      json    = json(vulns_file)
 
-      xml.xpath(item_xpath).each do |node|
+      [*json].each do |item|
         targets << create_item(
           item_class,
-          node.attribute('name').text,
+          item.keys.inject,
           wp_target,
           vulns_file
         )
       end
+
       targets
     end
 
@@ -190,6 +225,7 @@ class WpItems < Array
           )
         end
       end
+
       targets
     end
 

lib/common/collections/wp_plugins/detectable.rb

@@ -9,9 +9,9 @@ class WpPlugins < WpItems
     end
 
     # @return [ String ]
-    def item_xpath
-      '//plugin'
-    end
+    # def item_xpath
+    #   '//plugin'
+    # end
 
     # @param [ WpTarget ] wp_target
     # @param [ Hash ] options
@@ -68,6 +68,10 @@ class WpPlugins < WpItems
         wp_plugins.add('all-in-one-seo-pack', version: $1)
       end
 
+      if body =~ /<!-- This site is optimized with the Yoast WordPress SEO plugin v([^\s]+) -/i
+        wp_plugins.add('wordpress-seo', version: $1)
+      end
+
       wp_plugins
     end
 

lib/common/collections/wp_themes/detectable.rb

@@ -9,9 +9,9 @@ class WpThemes < WpItems
     end
 
     # @return [ String ]
-    def item_xpath
-      '//theme'
-    end
+    # def item_xpath
+    #   '//theme'
+    # end
 
   end
 end

lib/common/collections/wp_users/output.rb

@@ -38,6 +38,7 @@ class WpUsers < WpItems
       junk = get_equal_string_end(display_names)
       unless junk.nil? or junk.empty?
         self.each do |u|
+          u.display_name ||= ''
           u.display_name = u.display_name.sub(/#{Regexp.escape(junk)}$/, '')
         end
       end

lib/common/common_helper.rb

@@ -1,40 +1,40 @@
 # encoding: UTF-8
 
-LIB_DIR              = File.expand_path(File.dirname(__FILE__) + '/..')
-ROOT_DIR             = File.expand_path(LIB_DIR + '/..') # expand_path is used to get "wpscan/" instead of "wpscan/lib/../"
-DATA_DIR             = ROOT_DIR + '/data'
-CONF_DIR             = ROOT_DIR + '/conf'
-CACHE_DIR            = ROOT_DIR + '/cache'
-WPSCAN_LIB_DIR       = LIB_DIR + '/wpscan'
-WPSTOOLS_LIB_DIR     = LIB_DIR + '/wpstools'
-UPDATER_LIB_DIR      = LIB_DIR + '/updater'
-COMMON_LIB_DIR       = LIB_DIR + '/common'
-MODELS_LIB_DIR       = COMMON_LIB_DIR + '/models'
-COLLECTIONS_LIB_DIR  = COMMON_LIB_DIR + '/collections'
+LIB_DIR              = File.expand_path(File.join(File.dirname(__FILE__), '..'))
+ROOT_DIR             = File.expand_path(File.join(LIB_DIR, '..')) # expand_path is used to get "wpscan/" instead of "wpscan/lib/../"
+DATA_DIR             = File.join(ROOT_DIR, 'data')
+CONF_DIR             = File.join(ROOT_DIR, 'conf')
+CACHE_DIR            = File.join(ROOT_DIR, 'cache')
+WPSCAN_LIB_DIR       = File.join(LIB_DIR, 'wpscan')
+WPSTOOLS_LIB_DIR     = File.join(LIB_DIR, 'wpstools')
+UPDATER_LIB_DIR      = File.join(LIB_DIR, 'updater')
+COMMON_LIB_DIR       = File.join(LIB_DIR, 'common')
+MODELS_LIB_DIR       = File.join(COMMON_LIB_DIR, 'models')
+COLLECTIONS_LIB_DIR  = File.join(COMMON_LIB_DIR, 'collections')
 
-LOG_FILE             = ROOT_DIR + '/log.txt'
+LOG_FILE             = File.join(ROOT_DIR, 'log.txt')
 
 # Plugins directories
-COMMON_PLUGINS_DIR   = COMMON_LIB_DIR + '/plugins'
-WPSCAN_PLUGINS_DIR   = WPSCAN_LIB_DIR + '/plugins' # Not used ATM
-WPSTOOLS_PLUGINS_DIR = WPSTOOLS_LIB_DIR + '/plugins'
+COMMON_PLUGINS_DIR   = File.join(COMMON_LIB_DIR, 'plugins')
+WPSCAN_PLUGINS_DIR   = File.join(WPSCAN_LIB_DIR, 'plugins') # Not used ATM
+WPSTOOLS_PLUGINS_DIR = File.join(WPSTOOLS_LIB_DIR, 'plugins')
 
 # Data files
-PLUGINS_FILE        = DATA_DIR + '/plugins.txt'
-PLUGINS_FULL_FILE   = DATA_DIR + '/plugins_full.txt'
-PLUGINS_VULNS_FILE  = DATA_DIR + '/plugin_vulns.xml'
-THEMES_FILE         = DATA_DIR + '/themes.txt'
-THEMES_FULL_FILE    = DATA_DIR + '/themes_full.txt'
-THEMES_VULNS_FILE   = DATA_DIR + '/theme_vulns.xml'
-WP_VULNS_FILE       = DATA_DIR + '/wp_vulns.xml'
-WP_VERSIONS_FILE    = DATA_DIR + '/wp_versions.xml'
-LOCAL_FILES_FILE    = DATA_DIR + '/local_vulnerable_files.xml'
-VULNS_XSD           = DATA_DIR + '/vuln.xsd'
-WP_VERSIONS_XSD     = DATA_DIR + '/wp_versions.xsd'
-LOCAL_FILES_XSD     = DATA_DIR + '/local_vulnerable_files.xsd'
-USER_AGENTS_FILE    = DATA_DIR + '/user-agents.txt'
+PLUGINS_FILE        = File.join(DATA_DIR, 'plugins.txt')
+PLUGINS_FULL_FILE   = File.join(DATA_DIR, 'plugins_full.txt')
+PLUGINS_VULNS_FILE  = File.join(DATA_DIR, 'plugin_vulns.json')
+THEMES_FILE         = File.join(DATA_DIR, 'themes.txt')
+THEMES_FULL_FILE    = File.join(DATA_DIR, 'themes_full.txt')
+THEMES_VULNS_FILE   = File.join(DATA_DIR, 'theme_vulns.json')
+WP_VULNS_FILE       = File.join(DATA_DIR, 'wp_vulns.json')
+WP_VERSIONS_FILE    = File.join(DATA_DIR, 'wp_versions.xml')
+LOCAL_FILES_FILE    = File.join(DATA_DIR, 'local_vulnerable_files.xml')
+# VULNS_XSD           = File.join(DATA_DIR, 'vuln.xsd')
+WP_VERSIONS_XSD     = File.join(DATA_DIR, 'wp_versions.xsd')
+LOCAL_FILES_XSD     = File.join(DATA_DIR, 'local_vulnerable_files.xsd')
+USER_AGENTS_FILE    = File.join(DATA_DIR, 'user-agents.txt')
 
-WPSCAN_VERSION       = '2.4.1'
+WPSCAN_VERSION       = '2.6'
 
 $LOAD_PATH.unshift(LIB_DIR)
 $LOAD_PATH.unshift(WPSCAN_LIB_DIR)
@@ -54,7 +54,7 @@ require 'environment'
 def require_files_from_directory(absolute_dir_path, files_pattern = '*.rb')
   files = Dir[File.join(absolute_dir_path, files_pattern)]
 
-  # Files in the root dir are loaded first, then thoses in the subdirectories
+  # Files in the root dir are loaded first, then those in the subdirectories
   files.sort_by { |file| [file.count("/"), file] }.each do |f|
     f = File.expand_path(f)
     #puts "require #{f}" # Used for debug
@@ -64,14 +64,6 @@ end
 
 require_files_from_directory(COMMON_LIB_DIR, '**/*.rb')
 
-# Hook to check if the target if down during the scan
-# The target is considered down after 10 requests with status = 0
-down = 0
-Typhoeus.on_complete do |response|
-  down += 1 if response.code == 0
-  fail 'The target seems to be down' if down >= 10
-end
-
 # Add protocol
 def add_http_protocol(url)
   url =~ /^https?:/ ? url : "http://#{url}"
@@ -81,18 +73,11 @@ def add_trailing_slash(url)
   url =~ /\/$/ ? url : "#{url}/"
 end
 
-# loading the updater
-require_files_from_directory(UPDATER_LIB_DIR)
-@updater = UpdaterFactory.get_updater(ROOT_DIR)
-
-if @updater
-  REVISION = @updater.local_revision_number()
-else
-  REVISION = nil
+def missing_db_file?
+  DbUpdater::FILES.each do |db_file|
+    return true unless File.exist?(File.join(DATA_DIR, db_file))
   end
-
-def version
-  REVISION ? "v#{WPSCAN_VERSION}r#{REVISION}" : "v#{WPSCAN_VERSION}"
+  false
 end
 
 # Define colors
@@ -124,6 +109,22 @@ def blue(text)
   colorize(text, 34)
 end
 
+def critical(text)
+  red(text)
+end
+
+def warning(text)
+  amber(text)
+end
+
+def info(text)
+  green(text)
+end
+
+def notice(text)
+  blue(text)
+end
+
 # our 1337 banner
 def banner
   puts '_______________________________________________________________'
@@ -135,13 +136,8 @@ def banner
   puts '            \\/  \\/   |_|    |_____/ \\___|\\__,_|_| |_|'
   puts
   puts '        WordPress Security Scanner by the WPScan Team '
-  # Alignment of the version (w & w/o the Revision)
-  if REVISION
-    puts "                    Version #{version}"
-  else
-    puts "                        Version #{version}"
-  end
-  puts '     Sponsored by the RandomStorm Open Source Initiative'
+  puts "                       Version #{WPSCAN_VERSION}"
+  puts '          Sponsored by Sucuri - https://sucuri.net'
   puts '   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_'
   puts '_______________________________________________________________'
   puts
@@ -153,6 +149,17 @@ def xml(file)
   end
 end
 
+def json(file)
+  content = File.open(file).read
+
+  begin
+    JSON.parse(content)
+  rescue => e
+    puts "[ERROR] In JSON file parsing #{file} #{e}"
+    raise
+  end
+end
+
 def redefine_constant(constant, value)
   Object.send(:remove_const, constant)
   Object.const_set(constant, value)
@@ -229,3 +236,10 @@ def get_random_user_agent
   # return ransom user-agent
   user_agents.sample
 end
+
+# Directory listing enabled on url?
+#
+# @return [ Boolean ]
+def directory_listing_enabled?(url)
+  Browser.get(url.to_s).body[%r{<title>Index of}] ? true : false
+end

lib/common/db_updater.rb

@@ -0,0 +1,115 @@
+# encoding: UTF-8
+
+# DB Updater
+class DbUpdater
+  FILES = %w(
+    local_vulnerable_files.xml local_vulnerable_files.xsd
+    plugins_full.txt plugins.txt themes_full.txt themes.txt
+    timthumbs.txt user-agents.txt wp_versions.xml wp_versions.xsd
+    plugin_vulns.json theme_vulns.json wp_vulns.json
+  )
+
+  attr_reader :repo_directory
+
+  def initialize(repo_directory)
+    @repo_directory = repo_directory
+
+    fail "#{repo_directory} is not writable" unless \
+      Pathname.new(repo_directory).writable?
+  end
+
+  # @return [ Hash ] The params for Typhoeus::Request
+  def request_params
+    {
+      ssl_verifyhost: 2,
+      ssl_verifypeer: true
+    }
+  end
+
+  # @return [ String ] The raw file URL associated with the given filename
+  def remote_file_url(filename)
+    "https://raw.githubusercontent.com/wpscanteam/vulndb/master/#{filename}"
+  end
+
+  # @return [ String ] The checksum of the associated remote filename
+  def remote_file_checksum(filename)
+    url = "#{remote_file_url(filename)}.sha512"
+
+    res = Browser.get(url, request_params)
+    fail "Unable to get #{url}" unless res.code == 200
+    res.body
+  end
+
+  def local_file_path(filename)
+    File.join(repo_directory, "#{filename}")
+  end
+
+  def local_file_checksum(filename)
+    Digest::SHA512.file(local_file_path(filename)).hexdigest
+  end
+
+  def backup_file_path(filename)
+    File.join(repo_directory, "#{filename}.back")
+  end
+
+  def create_backup(filename)
+    return unless File.exist?(local_file_path(filename))
+    FileUtils.cp(local_file_path(filename), backup_file_path(filename))
+  end
+
+  def restore_backup(filename)
+    return unless File.exist?(backup_file_path(filename))
+    FileUtils.cp(backup_file_path(filename), local_file_path(filename))
+  end
+
+  def delete_backup(filename)
+    FileUtils.rm(backup_file_path(filename))
+  end
+
+  # @return [ String ] The checksum of the downloaded file
+  def download(filename)
+    file_path = local_file_path(filename)
+    file_url  = remote_file_url(filename)
+
+    res = Browser.get(file_url, request_params)
+    fail "Error while downloading #{file_url}" unless res.code == 200
+    File.open(file_path, 'wb') { |f| f.write(res.body) }
+
+    local_file_checksum(filename)
+  end
+
+  def update(verbose = false)
+    FILES.each do |filename|
+      begin
+        puts "[+] Checking #{filename}" if verbose
+        db_checksum = remote_file_checksum(filename)
+
+        # Checking if the file needs to be updated
+        if File.exist?(local_file_path(filename)) && db_checksum == local_file_checksum(filename)
+          puts '  [i] Already Up-To-Date' if verbose
+          next
+        end
+
+        puts '  [i] Needs to be updated' if verbose
+        create_backup(filename)
+        puts '  [i] Backup Created' if verbose
+        puts '  [i] Downloading new file' if verbose
+        dl_checksum = download(filename)
+        puts "  [i] Downloaded File Checksum: #{dl_checksum}" if verbose
+
+        unless dl_checksum == db_checksum
+          fail "#{filename}: checksums do not match"
+        end
+      rescue => e
+        puts '  [i] Restoring Backup due to error' if verbose
+        restore_backup(filename)
+        raise e
+      ensure
+        if File.exist?(backup_file_path(filename))
+          puts '  [i] Deleting Backup' if verbose
+          delete_backup(filename)
+        end
+      end
+    end
+  end
+end

lib/common/hacks.rb

@@ -49,11 +49,11 @@ end
 
 # Override for puts to enable logging
 def puts(o = '')
-  # remove color for logging
-  if o.respond_to?(:gsub)
-    temp = o.gsub(/\e\[\d+m(.*)?\e\[0m/, '\1')
+  if $log && o.respond_to?(:gsub)
+    temp = o.gsub(/\e\[\d+m/, '') # remove color for logging
     File.open(LOG_FILE, 'a+') { |f| f.puts(temp) }
   end
+  
   super(o)
 end
 

lib/common/models/vulnerability.rb

@@ -35,27 +35,26 @@ class Vulnerability
   end
   # :nocov:
 
-  # Create the Vulnerability from the xml_node
+  # Create the Vulnerability from the json_item
   #
-  # @param [ Nokogiri::XML::Node ] xml_node
+  # @param [ Hash ] json_item
   #
   # @return [ Vulnerability ]
-  def self.load_from_xml_node(xml_node)
+  def self.load_from_json_item(json_item)
     references = {}
-    refs = xml_node.search('references')
-    if refs
-      references[:url] = refs.search('url').map(&:text)
-      references[:cve] = refs.search('cve').map(&:text)
-      references[:secunia] = refs.search('secunia').map(&:text)
-      references[:osvdb] = refs.search('osvdb').map(&:text)
-      references[:metasploit] = refs.search('metasploit').map(&:text)
-      references[:exploitdb] = refs.search('exploitdb').map(&:text)
+
+    %w(id url cve secunia osvdb metasploit exploitdb).each do |key|
+      if json_item[key]
+        json_item[key]  = [json_item[key]] if json_item[key].class != Array
+        references[key] = json_item[key]
       end
+    end
+
     new(
-      xml_node.search('title').text,
-      xml_node.search('type').text,
+      json_item['title'],
+      json_item['type'],
       references,
-      xml_node.search('fixed_in').text,
+      json_item['fixed_in'],
     )
   end
 

lib/common/models/vulnerability/output.rb

@@ -6,7 +6,7 @@ class Vulnerability
     # output the vulnerability
     def output(verbose = false)
       puts
-      puts "#{red('[!]')} Title: #{title}"
+      puts "#{critical('[!]')} Title: #{title}"
       references.each do |key, urls|
         methodname = "url_#{key}"
         urls.each do |u|
@@ -14,8 +14,8 @@ class Vulnerability
           puts "    Reference: #{url}" if url
         end
       end
-      if !fixed_in.empty?
-         puts "#{blue('[i]')} Fixed in: #{fixed_in}"
+      if !fixed_in.nil?
+         puts "#{notice('[i]')} Fixed in: #{fixed_in}"
       end
     end
   end

lib/common/models/vulnerability/urls.rb

@@ -6,7 +6,7 @@ class Vulnerability
     def url_metasploit(module_path)
       # remove leading slash
       module_path = module_path.sub(/^\//, '')
-      "http://www.metasploit.com/modules/#{module_path}"
+      "http://www.rapid7.com/db/modules/#{module_path}"
     end
 
     def url_url(url)
@@ -22,12 +22,15 @@ class Vulnerability
     end
 
     def url_secunia(id)
-      "http://secunia.com/advisories/#{id}"
+      "https://secunia.com/advisories/#{id}"
     end
 
     def url_exploitdb(id)
       "http://www.exploit-db.com/exploits/#{id}/"
     end
 
+    def url_id(id)
+      "https://wpvulndb.com/vulnerabilities/#{id}"
+    end
   end
 end

lib/common/models/wp_item/infos.rb

@@ -12,7 +12,9 @@ class WpItem
 
     # @return [ String,nil ] The url to the readme file, nil if not found
     def readme_url
-      %w{readme.txt README.txt}.each do |readme|
+      # See https://github.com/wpscanteam/wpscan/pull/737#issuecomment-66375445
+      # for any question about the order
+      %w{readme.txt README.txt Readme.txt ReadMe.txt README.TXT readme.TXT}.each do |readme|
         url = @uri.merge(readme).to_s
         return url if url_is_200?(url)
       end
@@ -40,7 +42,7 @@ class WpItem
 
     # @return [ Boolean ]
     def has_directory_listing?
-      Browser.get(@uri.to_s).body[%r{<title>Index of}] ? true : false
+      directory_listing_enabled?(@uri)
     end
 
     # Discover any error_log files created by WordPress

lib/common/models/wp_item/output.rb

@@ -6,16 +6,21 @@ class WpItem
     # @return [ Void ]
     def output(verbose = false)
       puts
-      puts "#{green('[+]')} Name: #{self}" #this will also output the version number if detected
+      puts "#{info('[+]')} Name: #{self}" #this will also output the version number if detected
       puts " |  Location: #{url}"
       #puts " | WordPress: #{wordpress_url}" if wordpress_org_item?
       puts " |  Readme: #{readme_url}" if has_readme?
       puts " |  Changelog: #{changelog_url}" if has_changelog?
-      puts "#{red('[!]')} Directory listing is enabled: #{url}" if has_directory_listing?
-      puts "#{red('[!]')} An error_log file has been found: #{error_log_url}" if has_error_log?
+      puts "#{warning('[!]')} Directory listing is enabled: #{url}" if has_directory_listing?
+      puts "#{warning('[!]')} An error_log file has been found: #{error_log_url}" if has_error_log?
 
       additional_output(verbose) if respond_to?(:additional_output)
 
+      if version.nil? && vulnerabilities.length > 0
+        puts
+        puts "#{warning('[+]')} We could not determine a version so all vulnerabilities are printed out"
+      end
+
       vulnerabilities.output
     end
   end

lib/common/models/wp_item/versionable.rb

@@ -13,7 +13,7 @@ class WpItem
         # This check is needed because readme_url can return nil
         if has_readme?
           response = Browser.get(readme_url)
-          @version = response.body[%r{stable tag: #{WpVersion.version_pattern}}i, 1]
+          @version = response.body[%r{(?:stable tag|version): #{WpVersion.version_pattern}}i, 1]
         end
       end
       @version

lib/common/models/wp_item/vulnerable.rb

@@ -2,22 +2,27 @@
 
 class WpItem
   module Vulnerable
-    attr_accessor :vulns_file, :vulns_xpath
+    attr_accessor :vulns_file, :identifier
 
     # Get the vulnerabilities associated to the WpItem
     # Filters out already fixed vulnerabilities
     #
     # @return [ Vulnerabilities ]
     def vulnerabilities
-      xml             = xml(vulns_file)
+      json            = json(vulns_file)
       vulnerabilities = Vulnerabilities.new
 
-      xml.xpath(vulns_xpath).each do |node|
-        vuln = Vulnerability.load_from_xml_node(node)
-        if vulnerable_to?(vuln)
-          vulnerabilities << vuln
+      json.each do |item|
+        asset = item[identifier]
+
+        if asset
+          asset['vulnerabilities'].each do |vulnerability|
+            vulnerability = Vulnerability.load_from_json_item(vulnerability)
+            vulnerabilities << vulnerability if vulnerable_to?(vulnerability)
           end
         end
+      end
+
       vulnerabilities
     end
 
@@ -32,7 +37,7 @@ class WpItem
     # @return [ Boolean ]
     def vulnerable_to?(vuln)
       if version && vuln && vuln.fixed_in && !vuln.fixed_in.empty?
-        unless VersionCompare::is_newer_or_same?(vuln.fixed_in, version)
+        unless VersionCompare::lesser_or_equal?(vuln.fixed_in, version)
           return true
         end
       else
@@ -41,5 +46,4 @@ class WpItem
       return false
     end
   end
-
 end

lib/common/models/wp_plugin/vulnerable.rb

@@ -12,8 +12,8 @@ class WpPlugin < WpItem
     end
 
     # @return [ String ]
-    def vulns_xpath
-      "//plugin[@name='#{@name}']/vulnerability"
+    def identifier
+      @name
     end
 
   end

lib/common/models/wp_theme.rb

@@ -15,15 +15,9 @@ class WpTheme < WpItem
   include WpTheme::Output
   include WpTheme::Childtheme
 
-  attr_writer :style_url
+  attr_accessor :referenced_url
 
-  def allowed_options; super << :style_url end
-
-  def initialize(*args)
-    super(*args)
-
-    parse_style
-  end
+  def allowed_options; super << :referenced_url end
 
   # Sets the @uri
   #
@@ -36,10 +30,7 @@ class WpTheme < WpItem
 
   # @return [ String ] The url to the theme stylesheet
   def style_url
-    unless @style_url
-      @style_url = uri.merge('style.css').to_s
-    end
-    @style_url
+    @uri.merge('style.css').to_s
   end
 
 end

lib/common/models/wp_theme/childtheme.rb

@@ -3,6 +3,10 @@
 class WpTheme < WpItem
   module Childtheme
 
+    def parent_theme_limit
+      3
+    end
+
     def is_child_theme?
       return true unless @theme_template.nil?
       false

lib/common/models/wp_theme/findable.rb

@@ -30,13 +30,13 @@ class WpTheme < WpItem
       response = Browser.get_and_follow_location(target_uri.to_s)
 
       # https + domain is optional because of relative links
-      matches = %r{(?:https?://[^"']+)?/([^/]+)/themes/([^"']+)/style.css}i.match(response.body)
+      matches = /(?:https?:\/\/[^"']+)?\/([^\/]+)\/themes\/([^"'\/]+)[^"']*\/style.css/i.match(response.body)
       if matches
         return new(
           target_uri,
           {
             name:           matches[2],
-            style_url:      matches[0],
+            referenced_url: matches[0],
             wp_content_dir: matches[1]
           }
         )

lib/common/models/wp_theme/output.rb

@@ -5,8 +5,11 @@ class WpTheme
 
     # @return [ Void ]
     def additional_output(verbose = false)
+      parse_style
+      
       theme_desc = verbose ? @theme_description : truncate(@theme_description, 100)
       puts " |  Style URL: #{style_url}"
+      puts " |  Referenced style.css: #{referenced_url}" if referenced_url && referenced_url != style_url
       puts " |  Theme Name: #@theme_name" if @theme_name
       puts " |  Theme URI: #@theme_uri" if @theme_uri
       puts " |  Description: #{theme_desc}"

lib/common/models/wp_theme/versionable.rb

@@ -2,16 +2,8 @@
 
 class WpTheme < WpItem
   module Versionable
-
     def version
-      unless @version
-        @version = Browser.get(style_url).body[%r{Version:\s*([^\s]+)}i, 1]
-
-        # Get Version from readme.txt
-        @version ||= super
-      end
-      @version
-    end
-
+      @version ||= Browser.get(style_url).body[%r{Version:\s*([^\s]+)}i, 1]
+    end
   end
 end

lib/common/models/wp_theme/vulnerable.rb

@@ -12,9 +12,8 @@ class WpTheme < WpItem
     end
 
     # @return [ String ]
-    def vulns_xpath
-      "//theme[@name='#{@name}']/vulnerability"
-    end
-
+    def identifier
+      @name
+    end
   end
 end

lib/common/models/wp_timthumb/output.rb

@@ -4,7 +4,10 @@ class WpTimthumb < WpItem
   module Output
 
     def output(verbose = false)
-      puts " | #{vulnerable? ? red('[!] Vulnerable') : green('[i] Not Vulnerable')} #{self}"
+      puts
+      puts "#{info('[+]')} #{self}" #this will also output the version number if detected
+
+      vulnerabilities.output
     end
 
   end

lib/common/models/wp_timthumb/vulnerable.rb

@@ -2,8 +2,54 @@
 
 class WpTimthumb < WpItem
   module Vulnerable
-    def vulnerable?
-      VersionCompare.is_newer_or_same?(version, '1.34')
+    # @return [ Vulnerabilities ]
+    def vulnerabilities
+      vulns = Vulnerabilities.new
+
+      [:check_rce_132, :check_rce_webshot].each do |method|
+        vuln = self.send(method)
+
+        vulns << vuln if vuln
+      end
+      vulns
+    end
+
+    def check_rce_132
+      return rce_132_vuln unless VersionCompare.lesser_or_equal?('1.33', version)
+    end
+
+    # Vulnerable versions : > 1.35 (or >= 2.0) and < 2.8.14
+    def check_rce_webshot
+      return if VersionCompare.lesser_or_equal?('2.8.14', version) || VersionCompare.lesser_or_equal?(version, '1.35')
+
+      response = Browser.get(uri.merge('?webshot=1&src=http://' + default_allowed_domains.sample))
+
+      return rce_webshot_vuln unless response.body =~ /WEBSHOT_ENABLED == true/
+    end
+
+    # @return [ Array<String> ] The default allowed domains (between the 2.0 and 2.8.13)
+    def default_allowed_domains
+      %w(flickr.com picasa.com img.youtube.com upload.wikimedia.org)
+    end
+
+    # @return [ Vulnerability ] The RCE in the <= 1.32
+    def rce_132_vuln
+      Vulnerability.new(
+        'Timthumb <= 1.32 Remote Code Execution',
+        'RCE',
+        { exploitdb: ['17602'] },
+        '1.33'
+      )
+    end
+
+    # @return [ Vulnerability ] The RCE due to the WebShot in the <= 2.8.13
+    def rce_webshot_vuln
+      Vulnerability.new(
+        'Timthumb <= 2.8.13 WebShot Remote Code Execution',
+        'RCE',
+        { url: ['http://seclists.org/fulldisclosure/2014/Jun/117'] },
+        '2.8.14'
+      )
     end
   end
 end

lib/common/models/wp_user/brute_forcable.rb

@@ -25,10 +25,10 @@ class WpUser < WpItem
       hydra        = browser.hydra
       queue_count  = 0
       found        = false
-      progress_bar = self.progress_bar(count_file_lines(wordlist), options)
+      progress_bar = self.progress_bar(count_file_lines(wordlist)+1, options)
 
       File.open(wordlist).each do |password|
-        password.chop!
+        password.chomp!
 
         # A successfull login will redirect us to the redirect_to parameter
         # Generate a random one on each request
@@ -63,6 +63,7 @@ class WpUser < WpItem
 
       # run all of the remaining requests
       hydra.run
+      puts if options[:show_progression] # mandatory to avoid the output of the progressbar to be overriden
     end
 
     # @param [ Integer ] targets_size
@@ -103,19 +104,19 @@ class WpUser < WpItem
     # @return [ Boolean ]
     def valid_password?(response, password, redirect_url, options = {})
       if response.code == 302 && response.headers_hash && response.headers_hash['Location'] == redirect_url
-        progression = "#{green('[SUCCESS]')} Login : #{login} Password : #{password}\n\n"
+        progression = "#{info('[SUCCESS]')} Login : #{login} Password : #{password}\n\n"
         valid       = true
       elsif response.body =~ /login_error/i
         verbose = "\n  Incorrect login and/or password."
       elsif response.timed_out?
-        progression = "#{red('ERROR:')} Request timed out."
+        progression = "#{critical('ERROR:')} Request timed out."
       elsif response.code == 0
-        progression = "#{red('ERROR:')} No response from remote server. WAF/IPS?"
+        progression = "#{critical('ERROR:')} No response from remote server. WAF/IPS?"
       elsif response.code.to_s =~ /^50/
-        progression = "#{red('ERROR:')} Server error, try reducing the number of threads."
+        progression = "#{critical('ERROR:')} Server error, try reducing the number of threads."
       else
-        progression = "#{red('ERROR:')} We received an unknown response for #{password}..."
-        verbose     = red("    Code: #{response.code}\n    Body: #{response.body}\n")
+        progression = "#{critical('ERROR:')} We received an unknown response for #{password}..."
+        verbose     = critical("    Code: #{response.code}\n    Body: #{response.body}\n")
       end
 
       puts "\n  " + progression if progression && options[:show_progression]

lib/common/models/wp_user/existable.rb

@@ -22,6 +22,8 @@ class WpUser < WpItem
       if response.code == 301 # login in location?
         location = response.headers_hash['Location']
 
+        return if location.nil? || location.empty?
+
         @login        = Existable.login_from_author_pattern(location)
         @display_name = Existable.display_name_from_body(
           Browser.get(location).body
@@ -66,9 +68,12 @@ class WpUser < WpItem
         title_tag.force_encoding('UTF-8') if title_tag.encoding == Encoding::ASCII_8BIT
         title_tag = Nokogiri::HTML::DocumentFragment.parse(title_tag).to_s
         # &amp; are not decoded with Nokogiri
-        title_tag.sub!('&amp;', '&')
+        title_tag.gsub!('&amp;', '&')
 
-        name = title_tag[%r{([^|«]+) }, 1]
+        # replace UTF chars like  &#187; with dummy character
+        title_tag.gsub!(/&#(\d+);/, '|')
+
+        name = title_tag[%r{([^|«»]+) }, 1]
 
         return name.strip if name
       end

lib/common/models/wp_version/findable.rb

@@ -100,18 +100,6 @@ class WpVersion < WpItem
       )
     end
 
-    # Attempts to find the WordPress version from,
-    # the generator tag in the RSS2 feed source.
-    #
-    # Have not been able to find an example of this - Ryan
-    #def find_from_rss2_generator(target_uri)
-    #  scan_url(
-    #    target_uri,
-    #    %r{<generator>http://wordpress.org/?v=(#{WpVersion.version_pattern})</generator>}i,
-    #    'feed/rss/'
-    #  )
-    #end
-
     # Attempts to find the WordPress version from,
     # the generator tag in the Atom source.
     #
@@ -126,18 +114,6 @@ class WpVersion < WpItem
       )
     end
 
-    # Attempts to find the WordPress version from,
-    # the generator tag in the comment rss source.
-    #
-    # Have not been able to find an example of this - Ryan
-    #def find_from_comments_rss_generator(target_uri)
-    # scan_url(
-    # target_uri,
-    # %r{<!-- generator="WordPress/#{WpVersion.version_pattern}" -->}i,
-    # 'comments/feed/'
-    # )
-    #end
-
     # Uses data/wp_versions.xml to try to identify a
     # wordpress version.
     #

lib/common/models/wp_version/output.rb

@@ -5,12 +5,12 @@ class WpVersion < WpItem
 
     def output(verbose = false)
       puts
-      puts "#{green('[+]')} WordPress version #{self.number} identified from #{self.found_from}"
+      puts "#{info('[+]')} WordPress version #{self.number} identified from #{self.found_from}"
 
       vulnerabilities = self.vulnerabilities
 
       unless vulnerabilities.empty?
-        puts "#{red('[!]')} #{vulnerabilities.size} vulnerabilities identified from the version number"
+        puts "#{critical('[!]')} #{vulnerabilities.size} vulnerabilities identified from the version number"
 
         vulnerabilities.output
       end

lib/common/models/wp_version/vulnerable.rb

@@ -12,9 +12,14 @@ class WpVersion < WpItem
     end
 
     # @return [ String ]
-    def vulns_xpath
-      "//wordpress[@version='#{@number}']/vulnerability"
+    def identifier
+      @number
     end  
 
+    # @return [ String ]
+    # def vulns_xpath
+    #   "//wordpress[@version='#{@number}']/vulnerability"
+    # end
+
   end
 end

lib/common/updater/git_updater.rb

@@ -1,37 +0,0 @@
-# encoding: UTF-8
-
-require 'common/updater/updater'
-
-class GitUpdater < Updater
-
-  def is_installed?
-    %x[git #{repo_directory_arguments()} status 2>&1] =~ /On branch/ ? true : false
-  end
-
-  # Git has not a revsion number like SVN,
-  # so we will take the 7 first chars of the last commit hash
-  def local_revision_number
-    git_log = %x[git #{repo_directory_arguments()} log -1 2>&1]
-    git_log[/commit ([0-9a-z]{7})/i, 1].to_s
-  end
-
-  def update
-    %x[git #{repo_directory_arguments()} pull]
-  end
-
-  def has_local_changes?
-    %x[git #{repo_directory_arguments()} diff --exit-code 2>&1] =~ /diff/ ? true : false
-  end
-
-  def reset_head
-    %x[git #{repo_directory_arguments()} reset --hard HEAD]
-  end
-
-  protected
-  def repo_directory_arguments
-    if @repo_directory
-      return "--git-dir=\"#{@repo_directory}/.git\" --work-tree=\"#{@repo_directory}\""
-    end
-  end
-
-end

lib/common/updater/svn_updater.rb

@@ -1,23 +0,0 @@
-# encoding: UTF-8
-
-require 'common/updater/updater'
-
-class SvnUpdater < Updater
-
-  REVISION_PATTERN = /revision="(\d+)"/i
-  TRUNK_URL        = 'https://github.com/wpscanteam/wpscan'
-
-  def is_installed?
-    %x[svn info "#@repo_directory" --xml 2>&1] =~ /revision=/ ? true : false
-  end
-
-  def local_revision_number
-    local_revision = %x[svn info "#@repo_directory" --xml 2>&1]
-    local_revision[REVISION_PATTERN, 1].to_s
-  end
-
-  def update
-    %x[svn up "#@repo_directory"]
-  end
-
-end

lib/common/updater/updater.rb

@@ -1,25 +0,0 @@
-# encoding: UTF-8
-
-# This class act as an absract one
-class Updater
-
-  attr_reader :repo_directory
-
-  # TODO : add a last '/ to repo_directory if it's not present
-  def initialize(repo_directory = nil)
-    @repo_directory = repo_directory
-  end
-
-  def is_installed?
-    raise NotImplementedError
-  end
-
-  def local_revision_number
-    raise NotImplementedError
-  end
-
-  def update
-    raise NotImplementedError
-  end
-
-end

lib/common/updater/updater_factory.rb

@@ -1,23 +0,0 @@
-# encoding: UTF-8
-
-class UpdaterFactory
-
-  def self.get_updater(repo_directory)
-    self.available_updaters_classes().each do |updater_symbol|
-      updater = Object.const_get(updater_symbol).new(repo_directory)
-
-      if updater.is_installed?
-        return updater
-      end
-    end
-    nil
-  end
-
-  protected
-
-  # return array of class symbols
-  def self.available_updaters_classes
-    Object.constants.grep(/^.+Updater$/)
-  end
-
-end

lib/common/version_compare.rb

@@ -2,14 +2,18 @@
 
 class VersionCompare
 
-  # Compares two version strings. Returns true if version1 is equal to version2
-  # or when version1 is older than version2
+  # Compares two version strings. Returns true if version1 <= version2
+  # and false otherwise
   #
   # @param [ String ] version1
   # @param [ String ] version2
   #
   # @return [ Boolean ]
-  def self.is_newer_or_same?(version1, version2)
+  def self.lesser_or_equal?(version1, version2)
+    # Prepend a '0' if the version starts with a '.'
+    version1 = "0#{version1}" if version1 && version1[0,1] == '.'
+    version2 = "0#{version2}" if version2 && version2[0,1] == '.'
+
     return true if (version1 == version2)
     # Both versions must be set
     return false unless (version1 and version2)

lib/environment.rb

@@ -28,6 +28,7 @@ begin
   require 'pp'
   require 'shellwords'
   require 'fileutils'
+  require 'pathname'
   # Third party libs
   require 'typhoeus'
   require 'json'

lib/wpscan/web_site.rb

@@ -52,8 +52,12 @@ class WebSite
     url ||= @uri.to_s
     response = Browser.get(url)
 
+    redirected_uri = URI.parse(add_trailing_slash(add_http_protocol(url)))
     if response.code == 301 || response.code == 302
       redirection = response.headers_hash['location']
+      if redirection[0] == '/'
+        redirection = "#{redirected_uri.scheme}://#{redirected_uri.host}#{redirection}"
+      end
 
       # Let's check if there is a redirection in the redirection
       if other_redirection = redirection(redirection)

lib/wpscan/web_site/robots_txt.rb

@@ -12,9 +12,7 @@ class WebSite
     # Gets a robots.txt URL
     # @return [ String ]
     def robots_url
-      temp = @uri.clone
-      temp.path = '/robots.txt'
-      temp.to_s
+      @uri.clone.merge('robots.txt').to_s
     end
 
 

lib/wpscan/wp_target.rb

@@ -1,19 +1,19 @@
 # encoding: UTF-8
 
 require 'web_site'
-require 'wp_target/malwares'
 require 'wp_target/wp_readme'
 require 'wp_target/wp_registrable'
 require 'wp_target/wp_config_backup'
+require 'wp_target/wp_must_use_plugins'
 require 'wp_target/wp_login_protection'
 require 'wp_target/wp_custom_directories'
 require 'wp_target/wp_full_path_disclosure'
 
 class WpTarget < WebSite
-  include WpTarget::Malwares
   include WpTarget::WpReadme
   include WpTarget::WpRegistrable
   include WpTarget::WpConfigBackup
+  include WpTarget::WpMustUsePlugins
   include WpTarget::WpLoginProtection
   include WpTarget::WpCustomDirectories
   include WpTarget::WpFullPathDisclosure
@@ -28,7 +28,6 @@ class WpTarget < WebSite
     @wp_plugins_dir = options[:wp_plugins_dir]
     @multisite      = nil
 
-    Browser.instance(options.merge(:max_threads => options[:threads]))
     Browser.instance.referer = url
   end
 
@@ -122,7 +121,12 @@ class WpTarget < WebSite
 
   # @return [ String ]
   def debug_log_url
-    @uri.merge("#{wp_content_dir()}/debug.log").to_s
+    @uri.merge("#{wp_content_dir}/debug.log").to_s
+  end
+
+  # @return [ String ]
+  def upload_dir_url
+    @uri.merge("#{wp_content_dir}/uploads/").to_s
   end
 
   # Script for replacing strings in wordpress databases
@@ -139,4 +143,8 @@ class WpTarget < WebSite
     resp = Browser.get(search_replace_db_2_url)
     resp.code == 200 && resp.body[%r{by interconnect}i]
   end
+
+  def upload_directory_listing_enabled?
+    directory_listing_enabled?(upload_dir_url)
+  end
 end

lib/wpscan/wp_target/malwares.rb

@@ -1,50 +0,0 @@
-# encoding: UTF-8
-
-class WpTarget < WebSite
-  module Malwares
-    # Used as cache :
-    #   nil => malwares not checked,
-    #   [] => no malwares,
-    #   otherwise array of malwares url found
-    @malwares = nil
-
-    def has_malwares?(malwares_file_path = nil)
-      !malwares(malwares_file_path).empty?
-    end
-
-    # return array of string (url of malwares found)
-    def malwares(malwares_file_path = nil)
-      unless @malwares
-        malwares_found = []
-        malwares_file = Malwares.malwares_file(malwares_file_path)
-        index_page_body = Browser.get(@uri.to_s).body
-
-        File.open(malwares_file, 'r') do |file|
-          file.readlines.collect do |url|
-            chomped_url = url.chomp
-
-            if chomped_url.length > 0
-              malwares_found += index_page_body.scan(Malwares.malware_pattern(chomped_url))
-            end
-          end
-        end
-
-        malwares_found.flatten!
-        malwares_found.uniq!
-
-        @malwares = malwares_found
-      end
-      @malwares
-    end
-
-    def self.malwares_file(malwares_file_path)
-      malwares_file_path || DATA_DIR + '/malwares.txt'
-    end
-
-    def self.malware_pattern(url_regex)
-      # no need to escape regex here, because malware.txt contains regex
-      %r{<(?:script|iframe).* src=(?:"|')(#{url_regex}[^"']*)(?:"|')[^>]*>}i
-    end
-
-  end
-end

lib/wpscan/wp_target/wp_config_backup.rb

@@ -40,9 +40,9 @@ class WpTarget < WebSite
     # @return [ Array ]
     def self.config_backup_files
       %w{
-        wp-config.php~ #wp-config.php# wp-config.php.save wp-config.php.swp wp-config.php.swo wp-config.php_bak
-        wp-config.bak wp-config.php.bak wp-config.save wp-config.old wp-config.php.old wp-config.php.orig
-        wp-config.orig wp-config.php.original wp-config.original wp-config.txt
+        wp-config.php~ #wp-config.php# wp-config.php.save .wp-config.php.swp wp-config.php.swp wp-config.php.swo 
+        wp-config.php_bak wp-config.bak wp-config.php.bak wp-config.save wp-config.old wp-config.php.old
+        wp-config.php.orig wp-config.orig wp-config.php.original wp-config.original wp-config.txt
       } # thanks to Feross.org for these
     end
 

lib/wpscan/wp_target/wp_must_use_plugins.rb

@@ -0,0 +1,26 @@
+# encoding: UTF-8
+
+class WpTarget < WebSite
+  module WpMustUsePlugins
+
+    # Checks to see if the must use plugin folder exists
+    #
+    # @return [ Boolean ]
+    def has_must_use_plugins?
+      response = Browser.get(must_use_url)
+
+      if response && WpTarget.valid_response_codes.include?(response.code)
+        hash = WebSite.page_hash(response.body)
+        return true if hash != error_404_hash && hash != homepage_hash
+      end
+
+      false
+    end
+
+    # @return [ String ] The must use plugins directory URL
+    def must_use_url
+      @uri.merge("#{wp_content_dir}/mu-plugins/").to_s
+    end
+
+  end
+end

lib/wpscan/wpscan_helper.rb

@@ -46,7 +46,7 @@ def usage
   puts '-Use custom plugins directory ...'
   puts "ruby #{script_name} -u www.example.com --wp-plugins-dir wp-content/custom-plugins"
   puts
-  puts '-Update ...'
+  puts '-Update the DB ...'
   puts "ruby #{script_name} --update"
   puts
   puts '-Debug output ...'
@@ -62,7 +62,7 @@ def help
   puts
   puts 'Some values are settable in a config file, see the example.conf.json'
   puts
-  puts '--update                            Update to the latest revision.'
+  puts '--update                            Update to the database to the latest version.'
   puts '--url       | -u <target url>       The WordPress URL/domain to scan.'
   puts '--force     | -f                    Forces WPScan to not check if the remote site is running WordPress.'
   puts '--enumerate | -e [option(s)]        Enumeration.'
@@ -84,6 +84,7 @@ def help
   puts '                                    You do not need to provide the regexp delimiters, but you must write the quotes (simple or double).'
   puts '--config-file  | -c <config file>   Use the specified config file, see the example.conf.json.'
   puts '--user-agent   | -a <User-Agent>    Use the specified User-Agent.'
+  puts '--cookie <String>                   String to read cookies from.'
   puts '--random-agent | -r                 Use a random User-Agent.'
   puts '--follow-redirection                If the target url has a redirection, it will be followed without asking if you wanted to do so or not'
   puts '--batch                             Never ask for user input, use the default behaviour.'
@@ -96,8 +97,9 @@ def help
   puts '                                    If no protocol is given (format host:port), HTTP will be used.'
   puts '--proxy-auth <username:password>    Supply the proxy login credentials.'
   puts '--basic-auth <username:password>    Set the HTTP Basic authentication.'
-  puts '--wordlist | -w <wordlist>          Supply a wordlist for the password bruter and do the brute.'
+  puts '--wordlist | -w <wordlist>          Supply a wordlist for the password brute forcer.'
   puts '--username | -U <username>          Only brute force the supplied username.'
+  puts '--usernames     <path-to-file>      Only brute force the usernames from the file.'
   puts '--threads  | -t <number of threads> The number of threads to use when multi-threading requests.'
   puts '--cache-ttl       <cache-ttl>       Typhoeus cache TTL.'
   puts '--request-timeout <request-timeout> Request Timeout.'
@@ -105,5 +107,14 @@ def help
   puts '--max-threads     <max-threads>     Maximum Threads.'
   puts '--help     | -h                     This help screen.'
   puts '--verbose  | -v                     Verbose output.'
+  puts '--version                           Output the current version and exit.'
   puts
 end
+
+# Hook to check if the target if down during the scan
+# The target is considered down after 10 requests with status = 0
+down = 0
+Typhoeus.on_complete do |response|
+  down += 1 if response.code == 0
+  fail 'The target seems to be down' if down >= 10
+end

lib/wpscan/wpscan_options.rb

@@ -14,6 +14,7 @@ class WpscanOptions
     :enumerate_usernames,
     :enumerate_usernames_range,
     :no_color,
+    :log,
     :proxy,
     :proxy_auth,
     :threads,
@@ -23,12 +24,14 @@ class WpscanOptions
     :update,
     :verbose,
     :username,
+    :usernames,
     :password,
     :follow_redirection,
     :wp_content_dir,
     :wp_plugins_dir,
     :help,
     :config_file,
+    :cookie,
     :exclude_content_based,
     :basic_auth,
     :debug_output,
@@ -67,6 +70,12 @@ class WpscanOptions
     end
   end
 
+  def usernames=(file)
+    fail "The file #{file} does not exist" unless File.exists?(file)
+
+    @usernames = file
+  end
+
   def proxy=(proxy)
     if proxy.index(':') == nil
       raise 'Invalid proxy format. Should be host:port.'
@@ -236,6 +245,7 @@ class WpscanOptions
       ['--url', '-u', GetoptLong::REQUIRED_ARGUMENT],
       ['--enumerate', '-e', GetoptLong::OPTIONAL_ARGUMENT],
       ['--username', '-U', GetoptLong::REQUIRED_ARGUMENT],
+      ['--usernames', GetoptLong::REQUIRED_ARGUMENT],
       ['--wordlist', '-w', GetoptLong::REQUIRED_ARGUMENT],
       ['--threads', '-t', GetoptLong::REQUIRED_ARGUMENT],
       ['--force', '-f', GetoptLong::NO_ARGUMENT],
@@ -259,7 +269,9 @@ class WpscanOptions
       ['--connect-timeout', GetoptLong::REQUIRED_ARGUMENT],
       ['--max-threads', GetoptLong::REQUIRED_ARGUMENT],
       ['--batch', GetoptLong::NO_ARGUMENT],
-      ['--no-color', GetoptLong::NO_ARGUMENT]
+      ['--no-color', GetoptLong::NO_ARGUMENT],
+      ['--cookie', GetoptLong::REQUIRED_ARGUMENT],
+      ['--log', GetoptLong::NO_ARGUMENT]
     )
   end
 

lib/wpstools/plugins/checker/checker_plugin.rb

@@ -29,11 +29,18 @@ class CheckerPlugin < Plugin
     puts '[+] Checking vulnerabilities reference urls'
 
     vuln_ref_files.each do |vuln_ref_file|
-      xml = xml(vuln_ref_file)
+      json = json(vuln_ref_file)
 
       urls = []
-      xml.xpath('//references/url').each { |node| urls << node.text }
-
+      json.each do |asset|
+        asset[asset.keys.inject]['vulnerabilities'].each do |url|
+          unless url['url'].nil?
+            url['url'].each do |url|
+              urls << url
+            end
+          end
+        end
+      end
       urls.uniq!
 
       puts "[!] No URLs found in #{vuln_ref_file}!" if urls.empty?
@@ -75,17 +82,19 @@ class CheckerPlugin < Plugin
   end
 
   def check_local_vulnerable_files(dir_to_scan)
-    if Dir::exist?(dir_to_scan)
+    if Dir.exist?(dir_to_scan)
       xml_file               = LOCAL_FILES_FILE
       local_hashes           = {}
       file_extension_to_scan = '*.{js,php,swf,html,htm}'
 
       print '[+] Generating local hashes ... '
 
-      Dir[File::join(dir_to_scan, '**', file_extension_to_scan)].each do |filename|
+      Dir[File.join(dir_to_scan, '**', file_extension_to_scan)]
+      .select { |f| File.file?(f) }
+      .each do |filename|
         sha1sum = Digest::SHA1.file(filename).hexdigest
 
-        if local_hashes.has_key?(sha1sum)
+        if local_hashes.key?(sha1sum)
           local_hashes[sha1sum] << filename
         else
           local_hashes[sha1sum] = [filename]

lib/wpstools/plugins/list_generator/generate_list.rb

@@ -1,104 +0,0 @@
-# encoding: UTF-8
-
-# This tool generates a list to use for plugin and theme enumeration
-class GenerateList
-
-  attr_accessor :verbose
-
-  # type = themes | plugins
-  def initialize(type, verbose)
-    if type =~ /plugins/i
-      @type           = 'plugin'
-      @svn_url        = 'http://plugins.svn.wordpress.org/'
-      @popular_url    = 'http://wordpress.org/plugins/browse/popular/'
-      @popular_regex  = %r{<h3><a href="http://wordpress.org/plugins/([^/]+)/">.+</a></h3>}i
-    elsif type =~ /themes/i
-      @type           = 'theme'
-      @svn_url        = 'http://themes.svn.wordpress.org/'
-      @popular_url    = 'http://wordpress.org/themes/browse/popular/'
-      @popular_regex  = %r{<h3><a href="http://wordpress.org/themes/([^/]+)">.+</a></h3>}i
-    else
-      raise "Type #{type} not defined"
-    end
-    @verbose  = verbose
-    @browser  = Browser.instance(request_timeout: 20000, connect_timeout: 20000, max_threads: 1, cache_ttl: 0)
-  end
-
-  def set_file_name(type)
-    case @type
-    when 'plugin'
-      case type
-      when :full
-        @file_name = PLUGINS_FULL_FILE
-      when :popular
-        @file_name = PLUGINS_FILE
-      else
-        raise 'Unknown type'
-      end
-    when 'theme'
-      case type
-      when :full
-        @file_name = THEMES_FULL_FILE
-      when :popular
-        @file_name = THEMES_FILE
-      else
-        raise 'Unknown type'
-      end
-      else
-        raise "Unknown type #@type"
-    end
-  end
-
-  def generate_full_list
-    set_file_name(:full)
-    items = SvnParser.new(@svn_url).parse
-    save items
-  end
-
-  def generate_popular_list(pages)
-    set_file_name(:popular)
-    items = get_popular_items(pages)
-    save items
-  end
-
-  # Send a HTTP request to the WordPress most popular theme or plugin webpage
-  # parse the response for the names.
-  def get_popular_items(pages)
-    found_items = []
-    page_count = 1
-
-    (1...(pages.to_i + 1)).each do |page|
-      # First page has another URL
-      url = (page == 1) ? @popular_url : @popular_url + 'page/' + page.to_s + '/'
-      puts "[+] Parsing page #{page_count}" if @verbose
-      code = 0
-      while code != 200
-        puts red("[!] Retrying request for page #{page} (Code: #{code})") unless code == 0
-        request = @browser.forge_request(url)
-        response = request.run
-        code = response.code
-        sleep(5) unless code == 200
-      end
-      page_count += 1
-      found = 0
-      response.body.scan(@popular_regex).each do |item|
-        found_items << item[0]
-        found = found + 1
-      end
-      puts "[+] Found #{found} items on page #{page}" if @verbose
-    end
-
-    found_items.sort!
-    found_items.uniq
-  end
-
-  # Save the file
-  def save(items)
-    items.sort!
-    items.uniq!
-    puts "[*] We have parsed #{items.length} #{@type}s"
-    File.open(@file_name, 'w') { |f| f.puts(items) }
-    puts "New #@file_name file created"
-  end
-
-end

lib/wpstools/plugins/list_generator/list_generator_plugin.rb

@@ -1,53 +0,0 @@
-# encoding: UTF-8
-
-class ListGeneratorPlugin < Plugin
-
-  def initialize
-    super(author: 'WPScanTeam - @FireFart')
-
-    register_options(
-      ['--generate-plugin-list [NUMBER_OF_PAGES]', '--gpl', Integer, 'Generate a new data/plugins.txt file. (supply number of *pages* to parse, default : 150)'],
-      ['--generate-full-plugin-list', '--gfpl', 'Generate a new full data/plugins.txt file'],
-
-      ['--generate-theme-list [NUMBER_OF_PAGES]', '--gtl', Integer, 'Generate a new data/themes.txt file. (supply number of *pages* to parse, default : 20)'],
-      ['--generate-full-theme-list', '--gftl', 'Generate a new full data/themes.txt file'],
-
-      ['--generate-all', '--ga', 'Generate a new full plugins, full themes, popular plugins and popular themes list']
-    )
-  end
-
-  def run(options = {})
-    @verbose     = options[:verbose] || false
-    generate_all = options[:generate_all] || false
-
-    if options.has_key?(:generate_plugin_list) || generate_all
-      most_popular('plugin', options[:generate_plugin_list] || 150)
-    end
-
-    if options[:generate_full_plugin_list] || generate_all
-      full('plugin')
-    end
-
-    if options.has_key?(:generate_theme_list) || generate_all
-      most_popular('theme', options[:generate_theme_list] || 20)
-    end
-
-    if options[:generate_full_theme_list] || generate_all
-      full('theme')
-    end
-  end
-
-  private
-
-  def most_popular(type, number_of_pages)
-    puts "[+] Generating new most popular #{type} list"
-    puts
-    GenerateList.new(type + 's', @verbose).generate_popular_list(number_of_pages)
-  end
-
-  def full(type)
-    puts "[+] Generating new full #{type} list"
-    puts
-    GenerateList.new(type + 's', @verbose).generate_full_list
-  end
-end

lib/wpstools/plugins/list_generator/svn_parser.rb

@@ -1,31 +0,0 @@
-# encoding: UTF-8
-
-# This Class Parses SVN Repositories via HTTP
-class SvnParser
-
-  attr_accessor :verbose, :svn_root, :keep_empty_dirs
-
-  def initialize(svn_root)
-    @svn_root    = svn_root
-  end
-
-  def parse
-    get_root_directories
-  end
-
-  #Private methods start here
-  private
-
-  # Gets all directories in the SVN root
-  def get_root_directories
-    dirs      = []
-    rootindex = Browser.get(@svn_root).body
-
-    rootindex.scan(%r{<li><a href=".+">(.+)/</a></li>}i).each do |dir|
-      dirs << dir[0]
-    end
-
-    dirs.sort!
-    dirs.uniq
-  end
-end

lib/wpstools/plugins/stats/stats_plugin.rb

@@ -48,38 +48,39 @@ class StatsPlugin < Plugin
   end
 
   def vuln_core_count(file=WP_VULNS_FILE)
-    xml(file).xpath('count(//wordpress)').to_i
+    json(file).size
   end
 
   def vuln_plugin_count(file=PLUGINS_VULNS_FILE)
-    xml(file).xpath('count(//plugin)').to_i
+    json(file).size
   end
 
   def vuln_theme_count(file=THEMES_VULNS_FILE)
-    xml(file).xpath('count(//theme)').to_i
+    json(file).size
   end
 
   def version_vulns_count(file=WP_VULNS_FILE)
-    xml(file).xpath('count(//vulnerability)').to_i
+    asset_vulns_count(json(file))
   end
+
   def fix_version_count(file=WP_VULNS_FILE)
-    xml(file).xpath('count(//fixed_in)').to_i
+    asset_fixed_in_count(json(file))
   end
 
   def plugin_vulns_count(file=PLUGINS_VULNS_FILE)
-    xml(file).xpath('count(//vulnerability)').to_i
+    asset_vulns_count(json(file))
   end
 
   def fix_plugin_count(file=PLUGINS_VULNS_FILE)
-    xml(file).xpath('count(//fixed_in)').to_i
+    asset_fixed_in_count(json(file))
   end
 
   def theme_vulns_count(file=THEMES_VULNS_FILE)
-    xml(file).xpath('count(//vulnerability)').to_i
+    asset_vulns_count(json(file))
   end
 
   def fix_theme_count(file=THEMES_VULNS_FILE)
-    xml(file).xpath('count(//fixed_in)').to_i
+    asset_fixed_in_count(json(file))
   end
 
   def total_plugins(file=PLUGINS_FULL_FILE)
@@ -94,4 +95,12 @@ class StatsPlugin < Plugin
     IO.readlines(file).size
   end
 
+  def asset_vulns_count(json)
+    json.map { |asset| asset[asset.keys.inject]['vulnerabilities'].size }.inject(:+)
+  end
+
+  def asset_fixed_in_count(json)
+    json.map { |asset| asset[asset.keys.inject]['vulnerabilities'].map {|a| a['fixed_in'].nil? ? 0 : 1 }.inject(:+) }.inject(:+)
+  end
+
 end

lib/wpstools/wpstools_helper.rb

@@ -12,21 +12,6 @@ def usage
   puts
   puts 'Examples:'
   puts
-  puts "- Generate a new 'most popular' plugin list, up to 150 pages ..."
-  puts "ruby #{script_name} --generate-plugin-list 150"
-  puts
-  puts '- Generate a new full plugin list'
-  puts "ruby #{script_name} --generate-full-plugin-list"
-  puts
-  puts "- Generate a new 'most popular' theme list, up to 150 pages ..."
-  puts "ruby #{script_name} --generate-theme-list 150"
-  puts
-  puts '- Generate a new full theme list'
-  puts "ruby #{script_name} --generate-full-theme-list"
-  puts
-  puts '- Generate all list'
-  puts "ruby #{script_name} --generate-all"
-  puts
   puts 'Locally scan a wordpress installation for vulnerable files or shells'
   puts "ruby #{script_name} --check-local-vulnerable-files /var/www/wordpress/"
   puts

spec/lib/common/browser_spec.rb

@@ -25,7 +25,7 @@ describe Browser do
     json_expected_vars['max_threads'] ||= 20 # max_thread can not be nil
 
     instance_vars_to_check.each do |variable_name|
-      browser.send(:"#{variable_name}").should === json_expected_vars[variable_name]
+      expect(browser.send(:"#{variable_name}")).to be === json_expected_vars[variable_name]
     end
   end
 
@@ -50,7 +50,7 @@ describe Browser do
       let(:cache_dir) { CACHE_DIR + '/somewhere' }
       let(:options) { { cache_dir: cache_dir } }
 
-      after { subject.cache_dir.should == cache_dir }
+      after { expect(subject.cache_dir).to eq cache_dir }
 
       it 'sets @cache_dir' do
         @json_expected_vars = json_config_without_proxy
@@ -84,11 +84,11 @@ describe Browser do
 
   describe '::append_params_header_field' do
     after :each do
-      Browser.append_params_header_field(
+      expect(Browser.append_params_header_field(
         @params,
         @field,
         @field_value
-      ).should === @expected
+      )).to be === @expected
     end
 
     context 'when there is no headers' do
@@ -140,7 +140,7 @@ describe Browser do
       browser.user_agent = 'SomeUA'
       browser.cache_ttl = 250
 
-      browser.merge_request_params(params).should == @expected
+      expect(browser.merge_request_params(params)).to eq @expected
     end
 
     it 'sets the User-Agent header field and cache_ttl' do
@@ -190,18 +190,27 @@ describe Browser do
         @expected = default_expectation.merge(params)
       end
     end
+
+    context 'when @cookie' do
+      let(:cookie) { 'foor=bar;bar=foo' }
+      before       { browser.cookie = cookie }
+
+      it 'sets the cookie' do
+        @expected = default_expectation.merge(cookie: cookie)
+      end
+    end
   end
 
   describe '#forge_request' do
     let(:url) { 'http://example.localhost' }
 
     it 'returns the correct Typhoeus::Request' do
-      subject.stub(merge_request_params: { cache_ttl: 10 })
+      allow(subject).to receive_messages(merge_request_params: { cache_ttl: 10 })
 
       request = subject.forge_request(url)
-      request.should be_a Typhoeus::Request
-      request.url.should == url
-      request.cache_ttl.should == 10
+      expect(request).to be_a Typhoeus::Request
+      expect(request.url).to eq url
+      expect(request.cache_ttl).to eq 10
     end
 
   end
@@ -216,7 +225,7 @@ describe Browser do
       response1 = Browser.get(url)
       response2 = Browser.get(url)
 
-      response1.body.should == response2.body
+      expect(response1.body).to eq response2.body
       #WebMock.should have_requested(:get, url).times(1) # This one fail, dunno why :s (but it works without mock)
     end
   end

spec/lib/common/cache_file_store_spec.rb

@@ -17,33 +17,50 @@ describe CacheFileStore do
 
   describe '#storage_path' do
     it 'returns the storage path given in the #new' do
-      @cache.storage_path.should match(/#{cache_dir}/)
+      expect(@cache.storage_path).to match(/#{cache_dir}/)
     end
   end
 
   describe '#serializer' do
     it 'should return the default serializer : Marshal' do
-      @cache.serializer.should     == Marshal
-      @cache.serializer.should_not == YAML
+      expect(@cache.serializer).to     eq Marshal
+      expect(@cache.serializer).not_to eq YAML
     end
   end
 
   describe '#clean' do
     it "should remove all files from the cache dir (#{@cache_dir}" do
-      # let's create some files into the directory first
-      (0..5).each do |i|
-        File.new(@cache.storage_path + "/file_#{i}.txt", File::CREAT)
-      end
-
-      count_files_in_dir(@cache.storage_path, 'file_*.txt').should == 6
+      # clean is executed by other tests before
+      before = count_files_in_dir(@cache.cache_dir)
+      test_dir = File.expand_path("#{@cache.cache_dir}/test")
+      Dir.mkdir test_dir
+      #change the modification date
+      %x[ touch -t 200701310846.26 #{test_dir} ]
+      expect(count_files_in_dir(@cache.cache_dir)).to eq (before + 1)
       @cache.clean
-      count_files_in_dir(@cache.storage_path).should == 0
+      expect(count_files_in_dir(@cache.cache_dir)).to eq before
     end
   end
 
-  describe '#read_entry (nonexistent entry)' do
+  describe '#read_entry' do
+    after { expect(@cache.read_entry(key)).to eq @expected }
+
+    context 'when the entry does not exist' do
+      let(:key) { Digest::SHA1.hexdigest('hello world') }
+
       it 'should return nil' do
-      @cache.read_entry(Digest::SHA1.hexdigest('hello world')).should be_nil
+        @expected = nil
+      end
+    end
+
+    context 'when the file exist but is empty (marshal data too short error)' do
+      let(:key) { 'empty-file' }
+
+      it 'returns nil' do
+        File.new(File.join(@cache.storage_path, key), File::CREAT)
+
+        @expected = nil
+      end
     end
   end
 
@@ -51,7 +68,7 @@ describe CacheFileStore do
 
     after :each do
       @cache.write_entry(@key, @data, @timeout)
-      @cache.read_entry(@key).should === @expected
+      expect(@cache.read_entry(@key)).to be === @expected
     end
 
     it 'should get the correct entry (string)' do
@@ -79,7 +96,7 @@ describe CacheFileStore do
         storage_dirs << CacheFileStore.new(cache_dir).storage_path
       end
 
-      storage_dirs.uniq.size.should == 5
+      expect(storage_dirs.uniq.size).to eq 5
     end
   end
 end

spec/lib/common/collections/wp_items_spec.rb

@@ -18,12 +18,7 @@ describe WpItems do
         vulnerable_targets_items: [ WpItem.new(uri, name: 'mr-smith'),
                                     WpItem.new(uri, name: 'neo')],
 
-        passive_detection: WpItems.new << WpItem.new(uri, name: 'js-source') <<
-                                          WpItem.new(uri, name: 'escaped-url') <<
-                                          WpItem.new(uri, name: 'link-tag') <<
-                                          WpItem.new(uri, name: 'script-tag') <<
-                                          WpItem.new(uri, name: 'style-tag') <<
-                                          WpItem.new(uri, name: 'style-tag-import')
+        passive_detection: (1..13).reduce(WpItems.new) { |o, i| o << WpItem.new(uri, name: "detect-me-#{i}") }
       }
     end
   end

spec/lib/common/collections/wp_plugins/detectable_spec.rb

@@ -15,7 +15,7 @@ describe 'WpPlugins::Detectable' do
     context 'when no header' do
       it 'returns an empty WpPlugins' do
         stub_request(:get, url).to_return(status: 200)
-        subject.send(:from_header, wp_target).should == subject.new
+        expect(subject.send(:from_header, wp_target)).to eq subject.new
       end
     end
 
@@ -25,7 +25,7 @@ describe 'WpPlugins::Detectable' do
 
       after :each do
         stub_request(:get, url).to_return(status: 200, headers: headers, body: '')
-        subject.send(:from_header, wp_target).should == expected
+        expect(subject.send(:from_header, wp_target)).to eq expected
       end
 
       context 'when w3-total-cache detected' do
@@ -66,7 +66,7 @@ describe 'WpPlugins::Detectable' do
     context 'when no body' do
       it 'returns an empty WpPlugins' do
         stub_request(:get, url).to_return(status: 200, body: '')
-        subject.send(:from_content, wp_target).should == subject.new
+        expect(subject.send(:from_content, wp_target)).to eq subject.new
       end
     end
 
@@ -77,7 +77,7 @@ describe 'WpPlugins::Detectable' do
       after :each do
         stub_request(:get, url).to_return(status: 200, body: @body)
         stub_request(:get, /readme\.txt/i).to_return(status: 404)
-        subject.send(:from_content, wp_target).should == expected
+        expect(subject.send(:from_content, wp_target)).to eq expected
       end
 
       context 'when w3 total cache detected' do

spec/lib/common/collections/wp_plugins_spec.rb

@@ -19,8 +19,7 @@ describe WpPlugins do
         vulnerable_targets_items:         [ WpPlugin.new(uri, name: 'mr-smith'),
                                             WpPlugin.new(uri, name: 'neo')],
 
-        passive_detection: WpPlugins.new << WpPlugin.new(uri, name: 'js-source') <<
-                                            WpPlugin.new(uri, name: 'escaped-url') <<
+        passive_detection: WpPlugins.new << WpPlugin.new(uri, name: 'escaped-url') <<
                                             WpPlugin.new(uri, name: 'link-tag') <<
                                             WpPlugin.new(uri, name: 'script-tag') <<
                                             WpPlugin.new(uri, name: 'style-tag') <<

spec/lib/common/collections/wp_timthumbs/detectable_spec.rb

@@ -38,7 +38,7 @@ describe 'WpTimthumbs::Detectable' do
 
   describe '::passive_detection' do
     it 'returns an empty WpTimthumbs' do
-      subject.passive_detection(wp_target).should == subject.new
+      expect(subject.passive_detection(wp_target)).to eq subject.new
     end
   end
 
@@ -46,7 +46,7 @@ describe 'WpTimthumbs::Detectable' do
     after do
       targets = subject.send(:targets_items_from_file, file, wp_target)
 
-      targets.map { |t| t.url }.should == @expected.map { |t| t.url }
+      expect(targets.map { |t| t.url }).to eq @expected.map { |t| t.url }
     end
 
     context 'when an empty file' do
@@ -71,7 +71,7 @@ describe 'WpTimthumbs::Detectable' do
       theme   = 'hello-world'
       targets = subject.send(:theme_timthumbs, theme, wp_target)
 
-      targets.map { |t| t.url }.should == expected_targets_from_theme(theme).map { |t| t.url }
+      expect(targets.map { |t| t.url }).to eq expected_targets_from_theme(theme).map { |t| t.url }
     end
   end
 
@@ -81,7 +81,7 @@ describe 'WpTimthumbs::Detectable' do
     after do
       targets = subject.send(:targets_items, wp_target, options)
 
-      targets.map { |t| t.url }.should == @expected.sort.map { |t| t.url }
+      expect(targets.map { |t| t.url }).to eq @expected.sort.map { |t| t.url }
     end
 
     context 'when no :theme_name' do

spec/lib/common/collections/wp_users/detectable_spec.rb

@@ -22,13 +22,13 @@ describe 'WpUsers::Detectable' do
 
   describe '::request_params' do
     it 'return an empty Hash' do
-      subject.request_params.should === {}
+      expect(subject.request_params).to be === {}
     end
   end
 
   describe '::passive_detection' do
     it 'return an empty WpUsers' do
-      subject.passive_detection(wp_target).should == subject.new
+      expect(subject.passive_detection(wp_target)).to eq subject.new
     end
   end
 
@@ -36,7 +36,7 @@ describe 'WpUsers::Detectable' do
     after do
       targets = subject.send(:targets_items, wp_target, options)
 
-      targets.should == @expected
+      expect(targets).to eq @expected
     end
 
     context 'when no :range' do

spec/lib/common/collections/wp_users/output_spec.rb

@@ -25,19 +25,19 @@ describe 'WpUsers::Output' do
       subject.push(@input)
       subject.flatten!
       subject.remove_junk_from_display_names
-      subject.should === @expected
+      expect(subject).to eq @expected
     end
 
-    it 'should return an empty array' do
+    it 'returns an empty array' do
       @expected = @input
     end
 
-    it 'should return input object' do
+    it 'returns input object' do
       @input.push(WpUser.new(nil))
       @expected = @input
     end
 
-    it 'should return input object' do
+    it 'returns input object' do
       @input.push(WpUser.new(''))
       @expected = @input
     end
@@ -50,23 +50,37 @@ describe 'WpUsers::Output' do
       @expected.push(WpUser.new('', login: '', id: 2, display_name: 'ijrjd'))
     end
 
-    it 'should return unmodified input object' do
+    it 'returns unmodified input object' do
       @input.push(WpUser.new('', login: '', id: 1, display_name: 'lkjh asdfa'))
       @input.push(WpUser.new('', login: '', id: 2, display_name: 'ijrjd asdf'))
       @expected = @input
     end
 
-    it 'should return input object' do
+    it 'returns input object' do
       @input.push(WpUser.new('', login: '', id: 1, display_name: 'lkjh asdf'))
       @expected = @input
     end
 
-    it 'should return an empty display_name' do
+    it 'returns an empty display_name' do
       @input.push(WpUser.new('', login: '', id: 1, display_name: 'lkhj asdf'))
       @input.push(WpUser.new('', login: '', id: 2, display_name: 'lkhj asdf'))
       @expected = WpUsers.new(0)
       @expected.push(WpUser.new('', login: '', id: 1, display_name: ''))
       @expected.push(WpUser.new('', login: '', id: 2, display_name: ''))
     end
+
+    context 'when a user has no display_name' do
+      it 'returns an empty display_name' do
+        @input.push(WpUser.new('', login: '', id: 1, display_name: 'lkhj asdf'))
+        @input.push(WpUser.new('', login: '', id: 2, display_name: 'lkhj asdf'))
+        @input.push(WpUser.new('', login: '', id: 3))
+
+        @expected = WpUsers.new(0)
+
+        (1..3).each do |id|
+          @expected.push(WpUser.new('', login: '', id: id, display_name: ''))
+        end
+      end
+    end
   end
 end

spec/lib/common/common_helper_spec.rb

@@ -7,7 +7,7 @@ describe 'common_helper' do
     after :each do
       output = get_equal_string_end(@input)
 
-      output.should == @expected
+      expect(output).to eq @expected
     end
 
     it 'returns an empty string' do
@@ -75,7 +75,7 @@ describe 'common_helper' do
   describe '#remove_base64_images_from_html' do
     after :each do
       output = remove_base64_images_from_html(@html)
-      output.should == @expected
+      expect(output).to eq @expected
     end
 
     it 'removes the valid base64 image' do
@@ -92,7 +92,7 @@ describe 'common_helper' do
   describe '#truncate' do
     after :each do
       output = truncate(@input, @length, @trailing)
-      output.should == @expected
+      expect(output).to eq @expected
     end
 
     it 'returns nil on no input' do

spec/lib/common/custom_option_parser_spec.rb

@@ -15,7 +15,7 @@ describe CustomOptionParser do
       if @exception
         expect { CustomOptionParser::option_to_symbol(@option) }.to raise_error(@exception)
       else
-        CustomOptionParser::option_to_symbol(@option).should === @expected
+        expect(CustomOptionParser::option_to_symbol(@option)).to be === @expected
       end
     end
 
@@ -100,7 +100,7 @@ describe CustomOptionParser do
       parser.add_option(['-v', '--verbose'])
       parser.add_option(['--url TARGET_URL'])
 
-      parser.symbols_used.sort.should === [:url, :verbose]
+      expect(parser.symbols_used.sort).to be === [:url, :verbose]
     end
 
     context 'parsing' do
@@ -118,7 +118,7 @@ describe CustomOptionParser do
 
       it 'should retrieve the correct argument' do
         parser.parse!(['-u', 'iam_the_target'])
-        parser.results.should === { url: 'iam_the_target' }
+        expect(parser.results).to be === { url: 'iam_the_target' }
       end
     end
   end
@@ -134,8 +134,8 @@ describe CustomOptionParser do
 
     context 'single option' do
       it 'should add the :url option, and retrieve the correct argument' do
-        parser.symbols_used.should === [:url]
-        parser.results(['-u', 'target.com']).should === { url: 'target.com' }
+        expect(parser.symbols_used).to be === [:url]
+        expect(parser.results(['-u', 'target.com'])).to be === { url: 'target.com' }
       end
     end
 
@@ -146,8 +146,8 @@ describe CustomOptionParser do
           ['--test [TEST_NUMBER]']
         ])
 
-        parser.symbols_used.sort.should === [:test, :url, :verbose]
-        parser.results(['-u', 'wp.com', '-v', '--test']).should === { test: nil, url: 'wp.com', verbose: true }
+        expect(parser.symbols_used.sort).to be === [:test, :url, :verbose]
+        expect(parser.results(['-u', 'wp.com', '-v', '--test'])).to be === { test: nil, url: 'wp.com', verbose: true }
       end
     end
   end

spec/lib/common/models/vulnerability_spec.rb

@@ -21,6 +21,7 @@ describe Vulnerability do
 
     context 'with fixed version argument' do
       let(:fixed_version) { '1.0' }
+
       its(:title)      { should be title }
       its(:references) { should be references }
       its(:type)       { should be type }
@@ -29,19 +30,20 @@ describe Vulnerability do
 
   end
 
-  describe '::load_from_xml_node' do
-    subject(:vulnerability) { Vulnerability.load_from_xml_node(node) }
-    let(:node) {
-      xml(MODELS_FIXTURES + '/vulnerability/xml_node.xml').xpath('//vulnerability')
+  describe '::load_from_json_item' do
+    subject(:vulnerability) { Vulnerability.load_from_json_item(item) }
+    let(:item) {
+      json(MODELS_FIXTURES + '/vulnerability/json_item.json')
     }
 
     expected_refs = {
-        :url=>['Ref 1', 'Ref 2'],
-        :cve=>['2011-001'],
-        :secunia=>['secunia'],
-        :osvdb=>['osvdb'],
-        :metasploit=>['exploit/ex1'],
-        :exploitdb=>['exploitdb']
+      'id'         => ['3911'],
+      'url'        => ['Ref 1,Ref 2'],
+      'cve'        => ['2011-001'],
+      'secunia'    => ['secunia'],
+      'osvdb'      => ['osvdb'],
+      'metasploit' => ['exploit/ex1'],
+      'exploitdb'  => ['exploitdb']
     }
 
     its(:title)      { should == 'Vuln Title' }

spec/lib/common/models/wp_item_spec.rb

@@ -11,17 +11,18 @@ describe WpItem do
   end
   it_behaves_like 'WpItem::Versionable'
   it_behaves_like 'WpItem::Vulnerable' do
-    let(:vulns_file)     { MODELS_FIXTURES + '/wp_item/vulnerable/items_vulns.xml' }
-    let(:vulns_xpath)    { "//item[@name='neo']/vulnerability" }
+    let(:vulns_file)     { MODELS_FIXTURES + '/wp_item/vulnerable/items_vulns.json' }
+    let(:identifier)    { 'neo' }
     let(:expected_refs)  { {
-        :url => ['Ref 1', 'Ref 2'],
-        :cve => ['2011-001'],
-        :secunia => ['secunia'],
-        :osvdb => ['osvdb'],
-        :metasploit => ['exploit/ex1'],
-        :exploitdb => ['exploitdb']
+        'id'  => [2993],
+        'url' => ['Ref 1,Ref 2'],
+        'cve' => ['2011-001'],
+        'secunia' => ['secunia'],
+        'osvdb' => ['osvdb'],
+        'metasploit' => ['exploit/ex1'],
+        'exploitdb' => ['exploitdb']
     } }
-    let(:expected_vulns) { Vulnerabilities.new << Vulnerability.new("I'm the one", 'XSS', expected_refs) }
+    let(:expected_vulns) { Vulnerabilities.new(1, Vulnerability.new("I'm the one", 'XSS', expected_refs)) }
   end
 
   subject(:wp_item) { WpItem.new(uri, options) }
@@ -30,30 +31,30 @@ describe WpItem do
 
   describe '#new' do
     context 'with no options' do
-      its(:wp_content_dir) { should == 'wp-content' }
-      its(:wp_plugins_dir) { should == 'wp-content/plugins' }
-      its(:uri) { should be uri }
+      its(:wp_content_dir) { is_expected.to eq 'wp-content' }
+      its(:wp_plugins_dir) { is_expected.to eq 'wp-content/plugins' }
+      its(:uri) { is_expected.to be uri }
     end
 
     context 'with :wp_content_dir' do
       let(:options) { { wp_content_dir: 'custom' } }
 
-      its(:wp_content_dir) { should == 'custom' }
-      its(:wp_plugins_dir) { should == 'custom/plugins' }
+      its(:wp_content_dir) { is_expected.to eq 'custom' }
+      its(:wp_plugins_dir) { is_expected.to eq 'custom/plugins' }
     end
 
     context 'with :wp_plugins_dir' do
       let(:options) { { wp_plugins_dir: 'c-plugins' } }
 
-      its(:wp_content_dir) { should == 'wp-content' }
-      its(:wp_plugins_dir) { should == 'c-plugins' }
+      its(:wp_content_dir) { is_expected.to eq 'wp-content' }
+      its(:wp_plugins_dir) { is_expected.to eq 'c-plugins' }
     end
   end
 
   describe '#set_options' do
     context 'no an allowed option' do
       it 'ignores the option' do
-        wp_item.should_not_receive(:not_allowed=)
+        expect(wp_item).not_to receive(:not_allowed=)
 
         wp_item.send(:set_options, { not_allowed: 'owned' })
       end
@@ -61,7 +62,7 @@ describe WpItem do
 
     context 'allowed option, w/o setter method' do
       it 'raises an error' do
-        wp_item.stub(:allowed_options).and_return([:no_setter])
+        allow(wp_item).to receive(:allowed_options).and_return([:no_setter])
 
         expect {
           wp_item.send(:set_options, { no_setter: 'hello' })
@@ -73,7 +74,7 @@ describe WpItem do
   describe '#path=' do
     after do
       wp_item.path = @path
-      wp_item.path.should == @expected
+      expect(wp_item.path).to eq @expected
     end
 
     context 'with default variable value' do
@@ -90,8 +91,8 @@ describe WpItem do
 
     context 'whith custom variable values' do
       before {
-        wp_item.stub(:wp_content_dir).and_return('custom-content')
-        wp_item.stub(:wp_plugins_dir).and_return('plugins')
+        allow(wp_item).to receive(:wp_content_dir).and_return('custom-content')
+        allow(wp_item).to receive(:wp_plugins_dir).and_return('plugins')
       }
 
       it 'replaces $wp-content$ by custom-content' do
@@ -117,7 +118,7 @@ describe WpItem do
         path         = 'somedir/somefile.php'
         wp_item.path = path
 
-        wp_item.uri.should == uri.merge(path)
+        expect(wp_item.uri).to eq uri.merge(path)
       end
     end
   end
@@ -127,7 +128,7 @@ describe WpItem do
       wp_item.name = 'a-name'
       other = WpItem.new(uri, name: 'other-name')
 
-      wp_item.<=>(other).should === 'a-name'.<=>('other-name')
+      expect(wp_item.<=>(other)).to be === 'a-name'.<=>('other-name')
     end
   end
 
@@ -137,7 +138,7 @@ describe WpItem do
         wp_item.name = 'some-name'
         other = WpItem.new(uri, name: 'some-name')
 
-        wp_item.should == other
+        expect(wp_item).to eq other
       end
     end
 
@@ -146,7 +147,7 @@ describe WpItem do
         wp_item.name = 'Test'
         other = WpItem.new(uri, name: 'hello')
 
-        wp_item.should_not == other
+        expect(wp_item).not_to eq other
       end
     end
   end
@@ -156,13 +157,13 @@ describe WpItem do
 
     context 'when the :name and :version are the same' do
       it 'is ===' do
-        WpItem.new(uri, options).should === WpItem.new(uri.merge('yo'), options)
+        expect(WpItem.new(uri, options)).to be === WpItem.new(uri.merge('yo'), options)
       end
     end
 
     context 'otherwise' do
       it 'is not ===' do
-        WpItem.new(uri, options).should_not === WpItem.new(uri, options.merge(version: '1.0'))
+        expect(WpItem.new(uri, options)).not_to be === WpItem.new(uri, options.merge(version: '1.0'))
       end
     end
   end

spec/lib/common/models/wp_plugin_spec.rb

@@ -6,14 +6,15 @@ describe WpPlugin do
   it_behaves_like 'WpPlugin::Vulnerable'
   it_behaves_like 'WpItem::Vulnerable' do
     let(:options)        { { name: 'white-rabbit' } }
-    let(:vulns_file)     { MODELS_FIXTURES + '/wp_plugin/vulnerable/plugins_vulns.xml' }
+    let(:vulns_file)     { MODELS_FIXTURES + '/wp_plugin/vulnerable/plugins_vulns.json' }
     let(:expected_refs)  { {
-        :url => ['Ref 1', 'Ref 2'],
-        :cve => ['2011-001'],
-        :secunia => ['secunia'],
-        :osvdb => ['osvdb'],
-        :metasploit => ['exploit/ex1'],
-        :exploitdb => ['exploitdb']
+        'id'  => [2993],
+        'url' => ['Ref 1,Ref 2'],
+        'cve' => ['2011-001'],
+        'secunia' => ['secunia'],
+        'osvdb' => ['osvdb'],
+        'metasploit' => ['exploit/ex1'],
+        'exploitdb' => ['exploitdb']
     } }
     let(:expected_vulns) { Vulnerabilities.new << Vulnerability.new('Follow me!', 'REDIRECT', expected_refs) }
   end
@@ -23,7 +24,7 @@ describe WpPlugin do
   let(:options)       { { name: 'plugin-name' } }
 
   describe '#forge_uri' do
-    its('uri.to_s') { should == 'http://example.com/wp-content/plugins/plugin-name/' }
+    its('uri.to_s') { is_expected.to eq 'http://example.com/wp-content/plugins/plugin-name/' }
   end
 
 end

spec/lib/common/models/wp_theme/findable_spec.rb

@@ -18,9 +18,9 @@ describe 'WpTheme::Findable' do
       wp_theme = WpTheme.send(:find_from_css_link, uri)
 
       if @expected
-        wp_theme.should be_a WpTheme
+        expect(wp_theme).to be_a WpTheme
       end
-      wp_theme.should == @expected
+      expect(wp_theme).to eq @expected
     end
 
     context 'when theme is not present' do
@@ -52,6 +52,13 @@ describe 'WpTheme::Findable' do
       end
     end
 
+    context 'when other style.css is referenced' do
+      it 'returns the WpTheme' do
+        @file = 'yootheme.html'
+        @expected = WpTheme.new(uri, name: 'yoo_solar_wp', referenced_url: '/wp-content/themes/yoo_solar_wp/styles/wood/css/style.css')
+      end
+    end
+
   end
 
   describe '::find_from_wooframework' do
@@ -66,9 +73,9 @@ describe 'WpTheme::Findable' do
       wp_theme = WpTheme.send(:find_from_wooframework, uri)
 
       if @expected
-        wp_theme.should be_a WpTheme
+        expect(wp_theme).to be_a WpTheme
       end
-      wp_theme.should == @expected
+      expect(wp_theme).to eq @expected
     end
 
     context 'when theme is not present' do
@@ -96,7 +103,7 @@ describe 'WpTheme::Findable' do
     # Stub all WpTheme::find_from_* to return nil
     def stub_all_to_nil
       WpTheme.methods.grep(/^find_from_/).each do |method|
-        WpTheme.stub(method).and_return(nil)
+        allow(WpTheme).to receive(method).and_return(nil)
       end
     end
 
@@ -120,7 +127,7 @@ describe 'WpTheme::Findable' do
       it 'returns nil' do
         stub_all_to_nil()
 
-        WpTheme.find(uri).should be_nil
+        expect(WpTheme.find(uri)).to be_nil
       end
     end
 
@@ -130,12 +137,12 @@ describe 'WpTheme::Findable' do
         stub_request(:get, /.+\/the-oracle\/style.css$/).to_return(status: 200)
         expected = WpTheme.new(uri, name: 'the-oracle')
 
-        WpTheme.stub(:find_from_css_link).and_return(expected)
+        allow(WpTheme).to receive(:find_from_css_link).and_return(expected)
         wp_theme = WpTheme.find(uri)
 
-        wp_theme.should be_a WpTheme
-        wp_theme.should == expected
-        wp_theme.found_from.should === 'css link'
+        expect(wp_theme).to be_a WpTheme
+        expect(wp_theme).to eq expected
+        expect(wp_theme.found_from).to be === 'css link'
       end
     end
 

spec/lib/common/models/wp_theme_spec.rb

@@ -3,22 +3,19 @@
 require 'spec_helper'
 
 describe WpTheme do
-  before do
-    stub_request(:get, /.+\/style.css$/).to_return(status: 200)
-  end
-
   it_behaves_like 'WpTheme::Versionable'
   it_behaves_like 'WpTheme::Vulnerable'
   it_behaves_like 'WpItem::Vulnerable' do
     let(:options)        { { name: 'the-oracle' } }
-    let(:vulns_file)     { MODELS_FIXTURES + '/wp_theme/vulnerable/themes_vulns.xml' }
+    let(:vulns_file)     { MODELS_FIXTURES + '/wp_theme/vulnerable/themes_vulns.json' }
     let(:expected_refs)  { {
-        :url => ['Ref 1', 'Ref 2'],
-        :cve => ['2011-001'],
-        :secunia => ['secunia'],
-        :osvdb => ['osvdb'],
-        :metasploit => ['exploit/ex1'],
-        :exploitdb => ['exploitdb']
+        'id' => [2993],
+        'url' => ['Ref 1,Ref 2'],
+        'cve' => ['2011-001'],
+        'secunia' => ['secunia'],
+        'osvdb' => ['osvdb'],
+        'metasploit' => ['exploit/ex1'],
+        'exploitdb' => ['exploitdb']
     } }
     let(:expected_vulns) { Vulnerabilities.new << Vulnerability.new('I see you', 'FPD', expected_refs) }
   end
@@ -29,24 +26,11 @@ describe WpTheme do
   let(:theme_path)    { 'wp-content/themes/theme-name/' }
 
   describe '#allowed_options' do
-    its(:allowed_options) { should include :style_url }
+    its(:allowed_options) { is_expected.to include :referenced_url }
   end
 
   describe '#forge_uri' do
-    its(:uri) { should == uri.merge(theme_path) }
-  end
-
-  describe '#style_url' do
-    its(:style_url) { should == uri.merge(theme_path + '/style.css').to_s }
-
-    context 'when its already set' do
-      it 'returns it instead of the default one' do
-        url                = uri.merge(theme_path + '/custom.css').to_s
-        wp_theme.style_url = url
-
-        wp_theme.style_url.should == url
-      end
-    end
+    its(:uri) { is_expected.to eq uri.merge(theme_path) }
   end
 
 end

spec/lib/common/models/wp_timthumb_spec.rb

@@ -13,17 +13,19 @@ describe WpTimthumb do
   describe '#==' do
     context 'when both url are equal' do
       it 'returns true' do
-        WpTimthumb.new(uri, path: 'timtuhumb.php').
-        should ==
+        expect(WpTimthumb.new(uri, path: 'timtuhumb.php')).
+        to eq(
         WpTimthumb.new(uri, path: 'timtuhumb.php')
+        )
       end
     end
 
     context 'when urls are different' do
       it 'returns false' do
-        WpTimthumb.new(uri, path: 'hello/timtuhumb.php').
-        should_not ==
+        expect(WpTimthumb.new(uri, path: 'hello/timtuhumb.php')).
+        not_to eq(
         WpTimthumb.new(uri, path: 'some-dir/timtuhumb.php')
+        )
       end
     end
   end

spec/lib/common/models/wp_user_spec.rb

@@ -12,10 +12,10 @@ describe WpUser do
 
   describe '#allowed_options' do
     [:id, :login, :display_name, :password].each do |sym|
-      its(:allowed_options) { should include sym }
+      its(:allowed_options) { is_expected.to include sym }
     end
 
-    its(:allowed_options) { should_not include :name }
+    its(:allowed_options) { is_expected.not_to include :name }
   end
 
   describe '#uri' do
@@ -29,7 +29,7 @@ describe WpUser do
       it 'returns the uri to the auhor page' do
         wp_user.id = 2
 
-        wp_user.uri.should == uri.merge('?author=2')
+        expect(wp_user.uri).to eq uri.merge('?author=2')
       end
     end
   end
@@ -37,7 +37,7 @@ describe WpUser do
   describe '#to_s' do
     after do
       subject.id = 1
-      subject.to_s.should == @expected
+      expect(subject.to_s).to eq @expected
     end
 
     it 'returns @id' do
@@ -67,20 +67,20 @@ describe WpUser do
       wp_user.id = 1
       other      = WpUser.new(uri, id: 3)
 
-      wp_user.<=>(other).should === 1.<=>(3)
+      expect(wp_user.<=>(other)).to be === 1.<=>(3)
     end
   end
 
   describe '#===, #==' do
     context 'when the :id and :login are the same' do
       it 'is ===, and ==' do
-        WpUser.new(uri, id: 1, name: 'yo').should == WpUser.new(uri, id: 1, name: 'yo')
+        expect(WpUser.new(uri, id: 1, name: 'yo')).to eq WpUser.new(uri, id: 1, name: 'yo')
       end
     end
 
     context 'when :id and :login are different' do
       it 'is not === or ==' do
-        WpUser.new(uri, id: 1, name: 'yo').should_not == WpUser.new(uri, id: 2, name:'yo')
+        expect(WpUser.new(uri, id: 1, name: 'yo')).not_to eq WpUser.new(uri, id: 2, name:'yo')
       end
     end
   end

spec/lib/common/models/wp_version/findable_spec.rb

@@ -26,7 +26,7 @@ describe 'WpVersion::Findable' do
         fixture = fixtures_dir + dir_name + @fixture
         stub_request_to_fixture(url: url, fixture: fixture)
 
-        WpVersion.send(method, uri).should == @expected
+        expect(WpVersion.send(method, uri)).to eq @expected
       end
 
       context 'when generator not found' do
@@ -81,7 +81,7 @@ describe 'WpVersion::Findable' do
         :find_from_advanced_fingerprinting,
         uri, wp_content_dir, wp_plugins_dir, versions_xml
       )
-      version.should == @expected
+      expect(version).to eq @expected
     end
 
     context 'when' do
@@ -108,7 +108,7 @@ describe 'WpVersion::Findable' do
       fixture = fixtures_dir + 'readme' + @fixture
       stub_request_to_fixture(url: url, fixture: fixture)
 
-      WpVersion.send(:find_from_readme, uri).should == @expected
+      expect(WpVersion.send(:find_from_readme, uri)).to eq @expected
     end
 
     context 'when version not found' do
@@ -138,7 +138,7 @@ describe 'WpVersion::Findable' do
       fixture = fixtures_dir + 'links_opml' + @fixture
       stub_request_to_fixture(url: url, fixture: fixture)
 
-      WpVersion.send(:find_from_links_opml, uri).should == @expected
+      expect(WpVersion.send(:find_from_links_opml, uri)).to eq @expected
     end
 
     it 'returns 3.4.2' do
@@ -158,7 +158,7 @@ describe 'WpVersion::Findable' do
     # Stub all WpVersion::find_from_* to return nil
     def stub_all_to_nil
       WpVersion.methods.grep(/^find_from_/).each do |method|
-        WpVersion.stub(method).and_return(nil)
+        allow(WpVersion).to receive(method).and_return(nil)
       end
     end
 
@@ -170,9 +170,9 @@ describe 'WpVersion::Findable' do
       stub_request(:get, /#{uri.to_s}.*/).to_return(status: 0)
 
       version = WpVersion.find(uri, wp_content_dir, wp_plugins_dir, version_xml)
-      version.should == @expected
+      expect(version).to eq @expected
       if @expected
-        version.found_from.should == @found_from
+        expect(version.found_from).to eq @found_from
       end
     end
 
@@ -191,7 +191,7 @@ describe 'WpVersion::Findable' do
         it "returns the correct WpVersion" do
           stub_all_to_nil()
 
-          WpVersion.stub(method).and_return(number)
+          allow(WpVersion).to receive(method).and_return(number)
 
           @expected = WpVersion.new(uri, number: number)
           @found_from = found_from

spec/lib/common/models/wp_version_spec.rb

@@ -6,14 +6,15 @@ describe WpVersion do
   it_behaves_like 'WpVersion::Vulnerable'
   it_behaves_like 'WpItem::Vulnerable' do
     let(:options)        { { number: '3.2' } }
-    let(:vulns_file)     { MODELS_FIXTURES + '/wp_version/vulnerable/versions_vulns.xml' }
+    let(:vulns_file)     { MODELS_FIXTURES + '/wp_version/vulnerable/versions_vulns.json' }
     let(:expected_refs)  { {
-        :url => ['Ref 1', 'Ref 2'],
-        :cve => ['2011-001'],
-        :secunia => ['secunia'],
-        :osvdb => ['osvdb'],
-        :metasploit => ['exploit/ex1'],
-        :exploitdb => ['exploitdb']
+        'id' => [2993],
+        'url' => ['Ref 1,Ref 2'],
+        'cve' => ['2011-001'],
+        'secunia' => ['secunia'],
+        'osvdb' => ['osvdb'],
+        'metasploit' => ['exploit/ex1'],
+        'exploitdb' => ['exploitdb']
     } }
     let(:expected_vulns) { Vulnerabilities.new << Vulnerability.new('Here I Am', 'SQLI', expected_refs) }
   end
@@ -24,7 +25,7 @@ describe WpVersion do
 
   describe '#allowed_options' do
     [:number, :found_from].each do |sym|
-      its(:allowed_options) { should include sym }
+      its(:allowed_options) { is_expected.to include sym }
     end
   end
 

spec/lib/common/plugins/plugin_spec.rb

@@ -10,7 +10,7 @@ describe Plugin do
       subject(:plugin) { Plugin.new(infos) }
       let(:infos) { { author: 'John' } }
 
-      its(:author) { should === infos[:author] }
+      its(:author) { is_expected.to be === infos[:author] }
     end
   end
 
@@ -26,7 +26,7 @@ describe Plugin do
         expect { plugin.register_options(*@options) }.to raise_error(@exception)
       else
         plugin.register_options(*@options)
-        plugin.registered_options.sort.should === @expected.sort
+        expect(plugin.registered_options.sort).to be === @expected.sort
       end
     end