correct stats an correct data files

WP Metadata Integration

.ruby-version

@@ -1 +1 @@
-2.2.2
+2.3.1

.travis.yml

@@ -1,26 +1,22 @@
 language: ruby
+sudo: false
+cache: bundler
 rvm:
-  - 1.9.2
-  - 1.9.3
-  - 2.0.0
-  - 2.1.0
-  - 2.1.1
-  - 2.1.2
-  - 2.1.3
-  - 2.1.4
-  - 2.1.5
+  # Still not in Travis :(
+  # - 2.1.9
   - 2.2.0
   - 2.2.1
   - 2.2.2
+  - 2.2.3
+  - 2.2.4
+  - 2.3.0
+  - 2.3.1
 before_install:
   - "echo 'gem: --no-ri --no-rdoc' > ~/.gemrc"
 script: bundle exec rspec
 notifications:
   email:
-    - wpscanteam@gmail.com
-matrix:
-  allow_failures:
-    - rvm: 1.9.2
+    - team@wpscan.org
 # do not build gh-pages branch
 branches:
   except:

CHANGELOG.md

@@ -1,6 +1,60 @@
 # Changelog
 ## Master
-[Work in progress](https://github.com/wpscanteam/wpscan/compare/2.8...master)
+[Work in progress](https://github.com/wpscanteam/wpscan/compare/2.9.1...master)
+
+## Version 2.9.1
+Released: 2016-05-06
+
+* Update to Ruby 2.3.1, drop older ruby support
+* New data file location
+* Added experimental Windows support
+* Display WordPress metadata on the detected version
+* Several small fixes
+
+WPScan Database Statistics:
+* Total vulnerable versions: 156
+* Total vulnerable plugins:  1324
+* Total vulnerable themes:   376
+* Total version vulnerabilities: 1998
+* Total plugin vulnerabilities:  2057
+* Total theme vulnerabilities:   449
+
+## Version 2.9
+Released: 2015-10-15
+
+New
+* GZIP Encoding in updater
+* Adds --throttle option to throttle requests
+* Uses new API and local database file structure
+* Adds last updated and latest version to plugins and themes
+
+Removed
+* ArchAssault from README
+* APIv1 local databases
+
+General core
+* Update to Ruby 2.2.3
+* Use yajl-ruby as JSON parser
+* New dependancy for Ubuntu 14.04 (libgmp-dev)
+* Use Travis container based infra and caching
+
+Fixed issues
+* Fix #835 - Readme requests to wp root dir
+* Fix #836 - Critical icon output twice when the site is not running WP
+* Fix #839 - Terminal-table dependency is broken
+* Fix #841 - error: undefined method `cells' for #<Array:0x000000029cc2f8>
+* Fix #852 - GZIP Encoding in updater
+* Fix #853 - APIv2 integration
+* Fix #858 - Detection FP
+* Fix #873 - false positive "site has Must Use Plugins"
+
+WPScan Database Statistics:
+* Total vulnerable versions: 132
+* Total vulnerable plugins:  1170
+* Total vulnerable themes:   368
+* Total version vulnerabilities: 1476
+* Total plugin vulnerabilities:  1913
+* Total theme vulnerabilities:   450
 
 ## Version 2.8
 Released: 2015-06-22
@@ -79,7 +133,7 @@ Fixed issues
 * Fix #746 - Add a global counter for all active requests to server.
 * Fix #747 - Add 'security-protection' plugin to wp_login_protection module
 * Fix #753 - undefined method `round' for "10":String for request or connect timeouts
-* Fix #760 - typhoeus issue (infinite loop) 
+* Fix #760 - typhoeus issue (infinite loop)
 
 WPScan Database Statistics:
 * Total vulnerable versions: 89
@@ -100,7 +154,7 @@ New
 * Add Sucuri sponsor to banner
 * Add protocol to sucuri url in banner
 * Add response code to proxy error output
-* Add a statement about mendatory newlines at the end of list
+* Add a statement about mandatory newlines at the end of list
 * Give warning if default username 'admin' is still used
 * License amendment to make it more clear about value added usage
 
@@ -456,4 +510,3 @@ Fixed issues
 
 ## Version 2.1
 Released 2013-3-4
-

CREDITS

@@ -1,6 +1,6 @@
 **CREDITS**
 
-This file is used to state the individual WPScan Team members (core developers) and give credit to WPScan's other contributors. If you feel your name should be in here email wpscanteam@gmail.com.
+This file is used to state the individual WPScan Team members (core developers) and give credit to WPScan's other contributors. If you feel your name should be in here email team@wpscan.org.
 
 *WPScan Team*
 

Gemfile

@@ -1,15 +1,18 @@
 source 'https://rubygems.org'
 
-gem 'typhoeus', '~>0.7.0'
-gem 'nokogiri'
+gem 'typhoeus', '>=0.8.0'
+gem 'nokogiri', '>=1.6.7.1'
 gem 'addressable'
-gem 'json'
-gem 'terminal-table'
+gem 'yajl-ruby' # Better JSON parser regarding memory usage
+# TODO: update the below when terminal-table 1.5.3+ is released.
+# See issue #841 for details
+# (and delete the Terminal module in lib/common/hacks.rb)
+gem 'terminal-table', '~>1.4.5'
 gem 'ruby-progressbar', '>=1.6.0'
 
 group :test do
   gem 'webmock', '>=1.17.2'
   gem 'simplecov'
-  gem 'rspec', '>= 3.3.0'
+  gem 'rspec', '>=3.3.0'
   gem 'rspec-its'
 end

LICENSE

@@ -1,6 +1,6 @@
 WPScan Public Source License
 
-The WPScan software (henceforth referred to simply as "WPScan") is dual-licensed - Copyright 2011-2015 WPScan Team.
+The WPScan software (henceforth referred to simply as "WPScan") is dual-licensed - Copyright 2011-2016 WPScan Team.
 
 Cases that include commercialization of WPScan require a commercial, non-free license. Otherwise, WPScan can be used without charge under the terms set out below.
 
@@ -27,7 +27,7 @@ Example cases which do not require a commercial license, and thus fall under the
  - Using WPScan to test your own systems.
  - Any non-commercial use of WPScan.
 
-If you need to purchase a commercial license or are unsure whether you need to purchase a commercial license contact us - wpscanteam@gmail.com. 
+If you need to purchase a commercial license or are unsure whether you need to purchase a commercial license contact us - team@wpscan.org.
 
 We may grant commercial licenses at no monetary cost at our own discretion if the commercial usage is deemed by the WPScan Team to significantly benefit WPScan.
 

README.md

@@ -9,7 +9,7 @@
 
 #### WPScan Public Source License
 
-The WPScan software (henceforth referred to simply as "WPScan") is dual-licensed - Copyright 2011-2015 WPScan Team.
+The WPScan software (henceforth referred to simply as "WPScan") is dual-licensed - Copyright 2011-2016 WPScan Team.
 
 Cases that include commercialization of WPScan require a commercial, non-free license. Otherwise, WPScan can be used without charge under the terms set out below.
 
@@ -38,7 +38,7 @@ Example cases which do not require a commercial license, and thus fall under the
  - Using WPScan to test your own systems.
  - Any non-commercial use of WPScan.
 
-If you need to purchase a commercial license or are unsure whether you need to purchase a commercial license contact us - wpscanteam@gmail.com.
+If you need to purchase a commercial license or are unsure whether you need to purchase a commercial license contact us - team@wpscan.org.
 
 We may grant commercial licenses at no monetary cost at our own discretion if the commercial usage is deemed by the WPScan Team to significantly benefit WPScan.
 
@@ -88,12 +88,11 @@ WPScan comes pre-installed on the following Linux distributions:
 - [Kali Linux](http://www.kali.org/)
 - [Pentoo](http://www.pentoo.ch/)
 - [SamuraiWTF](http://samurai.inguardians.com/)
-- [ArchAssault](https://archassault.org/)
 - [BlackArch](http://blackarch.org/)
 
 Prerequisites:
 
-- Ruby >= 1.9.2 - Recommended: 2.2.2
+- Ruby >= 2.1.9 - Recommended: 2.3.1
 - Curl >= 7.21  - Recommended: latest - FYI the 7.29 has a segfault
 - RubyGems      - Recommended: latest
 - Git
@@ -112,14 +111,14 @@ Before Ubuntu 14.04:
 
 From Ubuntu 14.04:
 
-    sudo apt-get install libcurl4-openssl-dev libxml2 libxml2-dev libxslt1-dev ruby-dev build-essential
+    sudo apt-get install libcurl4-openssl-dev libxml2 libxml2-dev libxslt1-dev ruby-dev build-essential libgmp-dev
     git clone https://github.com/wpscanteam/wpscan.git
     cd wpscan
     sudo gem install bundler && bundle install --without test
 
 ####Installing on Debian:
 
-    sudo apt-get install git ruby ruby-dev libcurl4-openssl-dev make
+    sudo apt-get install git ruby ruby-dev libcurl4-openssl-dev make zlib1g-dev
     git clone https://github.com/wpscanteam/wpscan.git
     cd wpscan
     sudo gem install bundler
@@ -127,7 +126,7 @@ From Ubuntu 14.04:
 
 ####Installing on Fedora:
 
-    sudo yum install gcc ruby-devel libxml2 libxml2-devel libxslt libxslt-devel libcurl-devel patch
+    sudo dnf install gcc ruby-devel libxml2 libxml2-devel libxslt libxslt-devel libcurl-devel patch rpm-build
     git clone https://github.com/wpscanteam/wpscan.git
     cd wpscan
     sudo gem install bundler && bundle install --without test
@@ -150,14 +149,15 @@ Apple Xcode, Command Line Tools and the libffi are needed (to be able to install
     cd wpscan
     sudo gem install bundler && sudo bundle install --without test
 
-####Installing with RVM:
+####Installing with RVM (recommended):
 
+    # Install all prerequisites for your OS (look above)
     cd ~
     curl -sSL https://get.rvm.io | bash -s stable
     source ~/.rvm/scripts/rvm
     echo "source ~/.rvm/scripts/rvm" >> ~/.bashrc
-    rvm install 2.2.2
-    rvm use 2.2.2 --default
+    rvm install 2.3.1
+    rvm use 2.3.1 --default
     echo "gem: --no-ri --no-rdoc" > ~/.gemrc
     gem install bundler
     git clone https://github.com/wpscanteam/wpscan.git
@@ -192,7 +192,7 @@ Apple Xcode, Command Line Tools and the libffi are needed (to be able to install
 
       Then, open the directory of the readline gem (you have to locate it)
 
-        cd ~/.rvm/src/ruby-1.9.2-p180/ext/readline
+        cd ~/.rvm/src/ruby-XXXX/ext/readline
         ruby extconf.rb
         make
         make install
@@ -210,13 +210,10 @@ Apple Xcode, Command Line Tools and the libffi are needed (to be able to install
 
 #### WPSCAN ARGUMENTS
 
-    --update   Update the databases.
-
-    --url   | -u <target url>  The WordPress URL/domain to scan.
-
-    --force | -f Forces WPScan to not check if the remote site is running WordPress.
-
-    --enumerate | -e [option(s)]  Enumeration.
+    --update                            Update the database to the latest version.
+    --url       | -u <target url>       The WordPress URL/domain to scan.
+    --force     | -f                    Forces WPScan to not check if the remote site is running WordPress.
+    --enumerate | -e [option(s)]        Enumeration.
       option :
         u        usernames from id 1 to 10
         u[10-20] usernames from id 10 to 20 (you must write [] chars)
@@ -230,53 +227,36 @@ Apple Xcode, Command Line Tools and the libffi are needed (to be able to install
       Multiple values are allowed : "-e tt,p" will enumerate timthumbs and plugins
       If no option is supplied, the default is "vt,tt,u,vp"
 
-    --exclude-content-based "<regexp or string>" Used with the enumeration option, will exclude all occurrences based on the regexp or string supplied
-                                                 You do not need to provide the regexp delimiters, but you must write the quotes (simple or double)
-
-    --config-file | -c <config file> Use the specified config file, see the example.conf.json
-
-    --user-agent | -a <User-Agent> Use the specified User-Agent
-
-    --random-agent | -r Use a random User-Agent
-
-    --follow-redirection  If the target url has a redirection, it will be followed without asking if you wanted to do so or not
-
-    --wp-content-dir <wp content dir>  WPScan try to find the content directory (ie wp-content) by scanning the index page, however you can specified it. Subdirectories are allowed
-
-    --wp-plugins-dir <wp plugins dir>  Same thing than --wp-content-dir but for the plugins directory. If not supplied, WPScan will use wp-content-dir/plugins. Subdirectories are allowed
-
-    --proxy <[protocol://]host:port> Supply a proxy (will override the one from conf/browser.conf.json).
-                                     HTTP, SOCKS4 SOCKS4A and SOCKS5 are supported. If no protocol is given (format host:port), HTTP will be used
-
-    --proxy-auth <username:password>  Supply the proxy login credentials.
-
-    --basic-auth <username:password>  Set the HTTP Basic authentication.
-
-    --wordlist | -w <wordlist>  Supply a wordlist for the password brute forcer.
-
-    --threads  | -t <number of threads>  The number of threads to use when multi-threading requests.
-
-    --username | -U <username>  Only brute force the supplied username.
-
-    --usernames  <path-to-file>  Only brute force the usernames from the file.
-
-    --cache-ttl <cache-ttl>  Typhoeus cache TTL.
-
-    --request-timeout <request-timeout>  Request Timeout.
-
-    --connect-timeout <connect-timeout>  Connect Timeout.
-
-    --max-threads <max-threads>  Maximum Threads.
-
-    --help     | -h This help screen.
-
-    --verbose  | -v Verbose output.
-
-    --batch Never ask for user input, use the default behavior.
-
-    --no-color Do not use colors in the output.
-
-    --log Save STDOUT to log.txt
+    --exclude-content-based "<regexp or string>"
+                                        Used with the enumeration option, will exclude all occurrences based on the regexp or string supplied.
+                                        You do not need to provide the regexp delimiters, but you must write the quotes (simple or double).
+    --config-file  | -c <config file>   Use the specified config file, see the example.conf.json.
+    --user-agent   | -a <User-Agent>    Use the specified User-Agent.
+    --cookie <String>                   String to read cookies from.
+    --random-agent | -r                 Use a random User-Agent.
+    --follow-redirection                If the target url has a redirection, it will be followed without asking if you wanted to do so or not
+    --batch                             Never ask for user input, use the default behaviour.
+    --no-color                          Do not use colors in the output.
+    --wp-content-dir <wp content dir>   WPScan try to find the content directory (ie wp-content) by scanning the index page, however you can specified it.
+                                        Subdirectories are allowed.
+    --wp-plugins-dir <wp plugins dir>   Same thing than --wp-content-dir but for the plugins directory.
+                                        If not supplied, WPScan will use wp-content-dir/plugins. Subdirectories are allowed
+    --proxy <[protocol://]host:port>    Supply a proxy. HTTP, SOCKS4 SOCKS4A and SOCKS5 are supported.
+                                        If no protocol is given (format host:port), HTTP will be used.
+    --proxy-auth <username:password>    Supply the proxy login credentials.
+    --basic-auth <username:password>    Set the HTTP Basic authentication.
+    --wordlist | -w <wordlist>          Supply a wordlist for the password brute forcer.
+    --username | -U <username>          Only brute force the supplied username.
+    --usernames     <path-to-file>      Only brute force the usernames from the file.
+    --threads  | -t <number of threads> The number of threads to use when multi-threading requests.
+    --cache-ttl       <cache-ttl>       Typhoeus cache TTL.
+    --request-timeout <request-timeout> Request Timeout.
+    --connect-timeout <connect-timeout> Connect Timeout.
+    --max-threads     <max-threads>     Maximum Threads.
+    --throttle        <milliseconds>    Milliseconds to wait before doing another web request. If used, the --threads should be set to 1.
+    --help     | -h                     This help screen.
+    --verbose  | -v                     Verbose output.
+    --version                           Output the current version and exit.
 
 #### WPSCAN EXAMPLES
 

dev/stats.rb

@@ -0,0 +1,19 @@
+#!/usr/bin/env ruby
+# encoding: UTF-8
+
+require File.dirname(__FILE__) + '/../lib/wpscan/wpscan_helper'
+
+wordpress_json = json(WORDPRESSES_FILE)
+plugins_json = json(PLUGINS_FILE)
+themes_json = json(THEMES_FILE)
+
+puts 'WPScan Database Statistics:'
+puts "* Total tracked wordpresses: #{wordpress_json.count}"
+puts "* Total tracked plugins: #{plugins_json.count}"
+puts "* Total tracked themes: #{themes_json.count}"
+puts "* Total vulnerable wordpresses: #{wordpress_json.select { |item| !wordpress_json[item]['vulnerabilities'].empty? }.count}"
+puts "* Total vulnerable plugins: #{plugins_json.select { |item| !plugins_json[item]['vulnerabilities'].empty? }.count}"
+puts "* Total vulnerable themes: #{themes_json.select { |item| !themes_json[item]['vulnerabilities'].empty? }.count}"
+puts "* Total wordpress vulnerabilities: #{}"
+puts "* Total plugin vulnerabilities: #{}"
+puts "* Total theme vulnerabilities: #{}"

lib/common/browser.rb

@@ -17,14 +17,15 @@ class Browser
     :proxy_auth,
     :request_timeout,
     :connect_timeout,
-    :cookie
+    :cookie,
+    :throttle
   ]
 
   @@instance = nil
 
   attr_reader :hydra, :cache_dir
 
-  attr_accessor :referer, :cookie
+  attr_accessor :referer, :cookie, :vhost
 
   # @param [ Hash ] options
   #
@@ -70,12 +71,14 @@ class Browser
   # sets browser default values
   #
   def browser_defaults
-    @max_threads = 20
-    # 10 minutes, at this time the cache is cleaned before each scan. If this value is set to 0, the cache will be disabled
-    @cache_ttl = 600
+    @max_threads     = 20
+    # 10 minutes, at this time the cache is cleaned before each scan.
+    # If this value is set to 0, the cache will be disabled
+    @cache_ttl       = 600
     @request_timeout = 60 # 60s
     @connect_timeout = 10 # 10s
-    @user_agent = "WPScan v#{WPSCAN_VERSION} (http://wpscan.org)"
+    @user_agent      = "WPScan v#{WPSCAN_VERSION} (http://wpscan.org)"
+    @throttle        = 0
   end
 
   #
@@ -86,7 +89,6 @@ class Browser
   #
   # @return [ void ]
   def load_config(config_file = nil)
-
     if File.symlink?(config_file)
       raise '[ERROR] Config file is a symlink.'
     else
@@ -99,7 +101,6 @@ class Browser
         self.send(:"#{option_name}=", data[option_name])
       end
     end
-
   end
 
   # @param [ String ] url
@@ -121,11 +122,8 @@ class Browser
     )
 
     if @proxy
-      params = params.merge(proxy: @proxy)
-
-      if @proxy_auth
-        params = params.merge(proxyauth: @proxy_auth)
-      end
+      params.merge!(proxy: @proxy)
+      params.merge!(proxyauth: @proxy_auth) if @proxy_auth
     end
 
     if @basic_auth
@@ -136,19 +134,27 @@ class Browser
       )
     end
 
+    if vhost
+      params = Browser.append_params_header_field(
+        params,
+        'Host',
+        vhost
+      )
+    end
+
     params.merge!(referer: referer)
-    params.merge!(timeout: @request_timeout) if @request_timeout
-    params.merge!(connecttimeout: @connect_timeout) if @connect_timeout
+    params.merge!(timeout: @request_timeout) if @request_timeout && !params.key?(:timeout)
+    params.merge!(connecttimeout: @connect_timeout) if @connect_timeout && !params.key?(:connecttimeout)
 
     # Used to enable the cache system if :cache_ttl > 0
-    params.merge!(cache_ttl: @cache_ttl) unless params.has_key?(:cache_ttl)
+    params.merge!(cache_ttl: @cache_ttl) unless params.key?(:cache_ttl)
 
     # Prevent infinite self redirection
-    params.merge!(maxredirs: 3) unless params.has_key?(:maxredirs)
+    params.merge!(maxredirs: 3) unless params.key?(:maxredirs)
 
     # Disable SSL-Certificate checks
-    params.merge!(ssl_verifypeer: false)
-    params.merge!(ssl_verifyhost: 0)
+    params.merge!(ssl_verifypeer: false) unless params.key?(:ssl_verifypeer)
+    params.merge!(ssl_verifyhost: 0) unless params.key?(:ssl_verifyhost)
 
     params.merge!(cookiejar: @cache_dir + '/cookie-jar')
     params.merge!(cookiefile: @cache_dir + '/cookie-jar')
@@ -172,5 +178,4 @@ class Browser
     end
     params
   end
-
 end

lib/common/browser/options.rb

@@ -3,8 +3,8 @@
 class Browser
   module Options
 
-    attr_accessor :cache_ttl, :request_timeout, :connect_timeout
-    attr_reader   :basic_auth, :proxy, :proxy_auth
+    attr_accessor :request_timeout, :connect_timeout
+    attr_reader   :basic_auth, :cache_ttl, :proxy, :proxy_auth, :throttle
     attr_writer   :user_agent
 
     # Sets the Basic Authentification credentials
@@ -25,6 +25,10 @@ class Browser
      end
     end
 
+    def cache_ttl=(ttl)
+      @cache_ttl = ttl.to_i
+    end
+
     # @return [ Integer ]
     def max_threads
       @max_threads || 1
@@ -93,6 +97,11 @@ class Browser
       @connect_timeout = timeout.to_i
     end
 
+    # @param [ String, Integer ] throttle
+    def throttle=(throttle)
+      @throttle = throttle.to_i.abs / 1000.0
+    end
+
     protected
 
     def invalid_proxy_auth_format
@@ -110,6 +119,5 @@ class Browser
         end
       end
     end
-
   end
 end

lib/common/cache_file_store.rb

@@ -23,9 +23,7 @@ class CacheFileStore
     @storage_path = File.expand_path(File.join(storage_path, storage_dir))
     @serializer   = serializer
 
-    # File.directory? for ruby <= 1.9 otherwise,
-    # it makes more sense to do Dir.exist? :/
-    unless File.directory?(@storage_path)
+    unless Dir.exist?(@storage_path)
       FileUtils.mkdir_p(@storage_path)
     end
   end
@@ -51,7 +49,7 @@ class CacheFileStore
   end
 
   def write_entry(key, data_to_store, cache_ttl)
-    if cache_ttl > 0
+    if cache_ttl && cache_ttl > 0
       File.open(get_entry_file_path(key), 'w') do |f|
         begin
           f.write(@serializer.dump(data_to_store))

lib/common/collections/wp_items.rb

@@ -67,6 +67,7 @@ class WpItems < Array
   end
 
   protected
+
   # @return [ Class ]
   def item_class
     Object.const_get(self.class.to_s.gsub(/.$/, ''))

lib/common/collections/wp_items/detectable.rb

@@ -32,11 +32,7 @@ class WpItems < Array
           progress_bar.progress += 1 if options[:show_progression]
 
           if target_item.exists?(exist_options, response)
-            unless results.include?(target_item)
-              if !options[:only_vulnerable] || options[:only_vulnerable] && target_item.vulnerable?
-                results << target_item
-              end
-            end
+            results << target_item unless results.include?(target_item)
           end
         end
 
@@ -53,7 +49,7 @@ class WpItems < Array
       # run the remaining requests
       hydra.run
 
-      results.select!(&:vulnerable?) if options[:only_vulnerable]
+      results.select!(&:vulnerable?) if options[:type] == :vulnerable
       results.sort!
 
       results  # can't just return results.sort as it would return an array, and we want a WpItems
@@ -155,15 +151,7 @@ class WpItems < Array
       item_class = self.item_class
       vulns_file = self.vulns_file
 
-      targets = vulnerable_targets_items(wp_target, item_class, vulns_file)
-
-      unless options[:only_vulnerable]
-        unless options[:file]
-          raise 'A file must be supplied'
-        end
-
-        targets += targets_items_from_file(options[:file], wp_target, item_class, vulns_file)
-      end
+      targets = target_items_from_type(wp_target, item_class, vulns_file, options[:type])
 
       targets.uniq! { |t| t.name }
       targets.sort_by { rand }
@@ -174,14 +162,25 @@ class WpItems < Array
     # @param [ String ] vulns_file
     #
     # @return [ Array<WpItem> ]
-    def vulnerable_targets_items(wp_target, item_class, vulns_file)
+    def target_items_from_type(wp_target, item_class, vulns_file, type)
       targets = []
       json    = json(vulns_file)
 
-      [*json].each do |item|
+      case type
+      when :vulnerable
+        items = json.select { |item| !json[item]['vulnerabilities'].empty? }.keys
+      when :popular
+        items = json.select { |item| json[item]['popular'] == true }.keys
+      when :all
+        items = json.keys
+      else
+        raise "Unknown type #{type}"
+      end
+
+      items.each do |item|
         targets << create_item(
           item_class,
-          item.keys.inject,
+          item,
           wp_target,
           vulns_file
         )
@@ -233,6 +232,5 @@ class WpItems < Array
     def item_class
       Object.const_get(self.to_s.gsub(/.$/, ''))
     end
-
   end
 end

lib/common/collections/wp_plugins.rb

@@ -1,8 +1,8 @@
-# encoding: UTF-8
-
-require 'common/collections/wp_plugins/detectable'
-
-class WpPlugins < WpItems
-  extend WpPlugins::Detectable
-
-end
+# encoding: UTF-8
+
+require 'common/collections/wp_plugins/detectable'
+
+class WpPlugins < WpItems
+  extend WpPlugins::Detectable
+
+end

lib/common/collections/wp_plugins/detectable.rb

@@ -2,17 +2,11 @@
 
 class WpPlugins < WpItems
   module Detectable
-
     # @return [ String ]
     def vulns_file
-      PLUGINS_VULNS_FILE
+      PLUGINS_FILE
     end
 
-    # @return [ String ]
-    # def item_xpath
-    #   '//plugin'
-    # end
-
     # @param [ WpTarget ] wp_target
     # @param [ Hash ] options
     #

lib/common/collections/wp_themes.rb

@@ -1,8 +1,8 @@
-# encoding: UTF-8
-
-require 'common/collections/wp_themes/detectable'
-
-class WpThemes < WpItems
-  extend WpThemes::Detectable
-
-end
+# encoding: UTF-8
+
+require 'common/collections/wp_themes/detectable'
+
+class WpThemes < WpItems
+  extend WpThemes::Detectable
+
+end

lib/common/collections/wp_themes/detectable.rb

@@ -5,13 +5,7 @@ class WpThemes < WpItems
 
     # @return [ String ]
     def vulns_file
-      THEMES_VULNS_FILE
+      THEMES_FILE
     end
-
-    # @return [ String ]
-    # def item_xpath
-    #   '//theme'
-    # end
-
   end
 end

lib/common/collections/wp_timthumbs.rb

@@ -1,8 +1,8 @@
-# encoding: UTF-8
-
-require 'common/collections/wp_timthumbs/detectable'
-
-class WpTimthumbs < WpItems
-  extend WpTimthumbs::Detectable
-
-end
+# encoding: UTF-8
+
+require 'common/collections/wp_timthumbs/detectable'
+
+class WpTimthumbs < WpItems
+  extend WpTimthumbs::Detectable
+
+end

lib/common/collections/wp_users.rb

@@ -1,11 +1,11 @@
-# encoding: UTF-8
-
-require 'common/collections/wp_users/detectable'
-require 'common/collections/wp_users/output'
-require 'common/collections/wp_users/brute_forcable'
-
-class WpUsers < WpItems
-  extend WpUsers::Detectable
-  include WpUsers::Output
-  include WpUsers::BruteForcable
-end
+# encoding: UTF-8
+
+require 'common/collections/wp_users/detectable'
+require 'common/collections/wp_users/output'
+require 'common/collections/wp_users/brute_forcable'
+
+class WpUsers < WpItems
+  extend WpUsers::Detectable
+  include WpUsers::Output
+  include WpUsers::BruteForcable
+end

lib/common/collections/wp_users/detectable.rb

@@ -1,34 +1,34 @@
-# encoding: UTF-8
-
-class WpUsers < WpItems
-  module Detectable
-
-    # @return [ Hash ]
-    def request_params; {} end
-
-    # No passive detection
-    #
-    # @return [ WpUsers ]
-    def passive_detection(wp_target, options = {})
-      new
-    end
-
-    protected
-
-    # @param [ WpTarget ] wp_target
-    # @param [ Hash ] options
-    # @option options [ Range ] :range ((1..10))
-    #
-    # @return [ Array<WpUser> ]
-    def targets_items(wp_target, options = {})
-      range   = options[:range] || (1..10)
-      targets = []
-
-      range.each do |user_id|
-        targets << WpUser.new(wp_target.uri, id: user_id)
-      end
-      targets
-    end
-
-  end
-end
+# encoding: UTF-8
+
+class WpUsers < WpItems
+  module Detectable
+
+    # @return [ Hash ]
+    def request_params; {} end
+
+    # No passive detection
+    #
+    # @return [ WpUsers ]
+    def passive_detection(wp_target, options = {})
+      new
+    end
+
+    protected
+
+    # @param [ WpTarget ] wp_target
+    # @param [ Hash ] options
+    # @option options [ Range ] :range ((1..10))
+    #
+    # @return [ Array<WpUser> ]
+    def targets_items(wp_target, options = {})
+      range   = options[:range] || (1..10)
+      targets = []
+
+      range.each do |user_id|
+        targets << WpUser.new(wp_target.uri, id: user_id)
+      end
+      targets
+    end
+
+  end
+end

lib/common/common_helper.rb

@@ -18,22 +18,19 @@ COMMON_PLUGINS_DIR   = File.join(COMMON_LIB_DIR, 'plugins')
 WPSCAN_PLUGINS_DIR   = File.join(WPSCAN_LIB_DIR, 'plugins') # Not used ATM
 
 # Data files
-PLUGINS_FILE        = File.join(DATA_DIR, 'plugins.txt')
-PLUGINS_FULL_FILE   = File.join(DATA_DIR, 'plugins_full.txt')
-PLUGINS_VULNS_FILE  = File.join(DATA_DIR, 'plugin_vulns.json')
-THEMES_FILE         = File.join(DATA_DIR, 'themes.txt')
-THEMES_FULL_FILE    = File.join(DATA_DIR, 'themes_full.txt')
-THEMES_VULNS_FILE   = File.join(DATA_DIR, 'theme_vulns.json')
-WP_VULNS_FILE       = File.join(DATA_DIR, 'wp_vulns.json')
-WP_VERSIONS_FILE    = File.join(DATA_DIR, 'wp_versions.xml')
-LOCAL_FILES_FILE    = File.join(DATA_DIR, 'local_vulnerable_files.xml')
-# VULNS_XSD           = File.join(DATA_DIR, 'vuln.xsd')
-WP_VERSIONS_XSD     = File.join(DATA_DIR, 'wp_versions.xsd')
-LOCAL_FILES_XSD     = File.join(DATA_DIR, 'local_vulnerable_files.xsd')
-USER_AGENTS_FILE    = File.join(DATA_DIR, 'user-agents.txt')
-LAST_UPDATE_FILE    = File.join(DATA_DIR, '.last_update')
+WORDPRESSES_FILE  = File.join(DATA_DIR, 'wordpresses.json')
+PLUGINS_FILE      = File.join(DATA_DIR, 'plugins.json')
+THEMES_FILE       = File.join(DATA_DIR, 'themes.json')
+WP_VERSIONS_FILE  = File.join(DATA_DIR, 'wp_versions.xml')
+LOCAL_FILES_FILE  = File.join(DATA_DIR, 'local_vulnerable_files.xml')
+WP_VERSIONS_XSD   = File.join(DATA_DIR, 'wp_versions.xsd')
+LOCAL_FILES_XSD   = File.join(DATA_DIR, 'local_vulnerable_files.xsd')
+USER_AGENTS_FILE  = File.join(DATA_DIR, 'user-agents.txt')
+LAST_UPDATE_FILE  = File.join(DATA_DIR, '.last_update')
 
-WPSCAN_VERSION       = '2.8'
+MIN_RUBY_VERSION = '2.1.9'
+
+WPSCAN_VERSION = '2.9.1'
 
 $LOAD_PATH.unshift(LIB_DIR)
 $LOAD_PATH.unshift(WPSCAN_LIB_DIR)
@@ -47,16 +44,25 @@ def kali_linux?
   end
 end
 
+# Determins if installed on Windows OS
+def windows?
+  Gem.win_platform?
+end
+
 require 'environment'
 
+def escape_glob(s)
+  s.gsub(/[\\\{\}\[\]\*\?]/) { |x| '\\' + x }
+end
+
 # TODO : add an exclude pattern ?
 def require_files_from_directory(absolute_dir_path, files_pattern = '*.rb')
-  files = Dir[File.join(absolute_dir_path, files_pattern)]
+  files = Dir[File.join(escape_glob(absolute_dir_path), files_pattern)]
 
   # Files in the root dir are loaded first, then those in the subdirectories
   files.sort_by { |file| [file.count('/'), file] }.each do |f|
     f = File.expand_path(f)
-    #puts "require #{f}" # Used for debug
+    # puts "require #{f}" # Used for debug
     require f
   end
 end
@@ -224,7 +230,11 @@ end
 #
 # @return [ Integer ] The number of lines in the given file
 def count_file_lines(file)
-  `wc -l #{file.shellescape}`.split[0].to_i
+  if windows?
+    `findstr /R /N "^" #{file.shellescape} | find /C ":"`.split[0].to_i
+  else
+    `wc -l #{file.shellescape}`.split[0].to_i
+  end
 end
 
 # Truncates a string to a specific length and adds ... at the end
@@ -258,3 +268,7 @@ end
 def directory_listing_enabled?(url)
   Browser.get(url.to_s).body[%r{<title>Index of}] ? true : false
 end
+
+def url_encode(str)
+  CGI.escape(str).gsub("+", "%20")
+end

lib/common/db_updater.rb

@@ -4,9 +4,8 @@
 class DbUpdater
   FILES = %w(
     local_vulnerable_files.xml local_vulnerable_files.xsd
-    plugins_full.txt plugins.txt themes_full.txt themes.txt
     timthumbs.txt user-agents.txt wp_versions.xml wp_versions.xsd
-    plugin_vulns.json theme_vulns.json wp_vulns.json LICENSE
+    wordpresses.json plugins.json themes.json LICENSE
   )
 
   attr_reader :repo_directory
@@ -22,13 +21,16 @@ class DbUpdater
   def request_params
     {
       ssl_verifyhost: 2,
-      ssl_verifypeer: true
+      ssl_verifypeer: true,
+      accept_encoding: 'gzip, deflate',
+      timeout: 300,
+      connecttimeout: 20
     }
   end
 
   # @return [ String ] The raw file URL associated with the given filename
   def remote_file_url(filename)
-    "https://wpvulndb.com/data/#{filename}"
+    "https://data.wpscan.org/#{filename}"
   end
 
   # @return [ String ] The checksum of the associated remote filename
@@ -99,7 +101,7 @@ class DbUpdater
         puts "  [i] Database File Checksum  : #{db_checksum}" if verbose
 
         unless dl_checksum == db_checksum
-          fail "#{filename}: checksums do not match"
+          fail "#{filename}: checksums do not match (local: #{dl_checksum} remote: #{db_checksum})"
         end
       rescue => e
         puts '  [i] Restoring Backup due to error' if verbose

lib/common/hacks.rb

@@ -1,35 +1,5 @@
 # encoding: UTF-8
 
-# Since ruby 1.9.2, URI::escape is obsolete
-# See http://rosettacode.org/wiki/URL_encoding#Ruby and http://www.ruby-forum.com/topic/207489
-if RUBY_VERSION >= '1.9.2'
-  module URI
-    extend self
-
-    def escape(str)
-      URI::Parser.new.escape(str)
-    end
-    alias :encode :escape
-
-  end
-end
-
-if RUBY_VERSION < '1.9'
-  class Array
-    # Fix for grep with symbols in ruby <= 1.8.7
-    def _grep_(regexp)
-      matches = []
-      self.each do |value|
-        value = value.to_s
-        matches << value if value.match(regexp)
-      end
-      matches
-    end
-
-    alias_method :grep, :_grep_
-  end
-end
-
 # This is used in WpItem::Existable
 module Typhoeus
   class Response
@@ -101,8 +71,8 @@ end
 class Numeric
   def bytes_to_human
     units = %w{B KB MB GB TB}
-    e = (Math.log(self)/Math.log(1024)).floor
-    s = '%.3f' % (to_f / 1024**e)
+    e = (Math.log(abs)/Math.log(1024)).floor
+    s = '%.3f' % (abs.to_f / 1024**e)
     s.sub(/\.?0*$/, ' ' + units[e])
   end
 end

lib/common/models/vulnerability.rb

@@ -1,61 +1,62 @@
-# encoding: UTF-8
-
-require 'vulnerability/output'
-require 'vulnerability/urls'
-
-class Vulnerability
-  include Vulnerability::Output
-  include Vulnerability::Urls
-
-  attr_accessor :title, :references, :type, :fixed_in
-
-  #
-  # @param [ String ] title The title of the vulnerability
-  # @param [ String ] type  The type of the vulnerability
-  # @param [ Hash ] references References
-  # @param [ String ] fixed_in  Vuln fixed in Version X
-  #
-  # @return [ Vulnerability ]
-  def initialize(title, type, references = {}, fixed_in = '')
-    @title              = title
-    @type               = type
-    @references         = references
-    @fixed_in           = fixed_in
-  end
-
-  # @param [ Vulnerability ] other
-  #
-  # @return [ Boolean ]
-  # :nocov:
-  def ==(other)
-    title == other.title &&
-        type == other.type &&
-        references == other.references &&
-        fixed_in == other.fixed_in
-  end
-  # :nocov:
-
-  # Create the Vulnerability from the json_item
-  #
-  # @param [ Hash ] json_item
-  #
-  # @return [ Vulnerability ]
-  def self.load_from_json_item(json_item)
-    references = {}
-
-    %w(id url cve secunia osvdb metasploit exploitdb).each do |key|
-      if json_item[key]
-        json_item[key]  = [json_item[key]] if json_item[key].class != Array
-        references[key] = json_item[key]
-      end
-    end
-
-    new(
-      json_item['title'],
-      json_item['type'],
-      references,
-      json_item['fixed_in'],
-    )
-  end
-
-end
+# encoding: UTF-8
+
+require 'vulnerability/output'
+require 'vulnerability/urls'
+
+class Vulnerability
+  include Vulnerability::Output
+  include Vulnerability::Urls
+
+  attr_accessor :title, :references, :type, :fixed_in
+
+  #
+  # @param [ String ] title The title of the vulnerability
+  # @param [ String ] type  The type of the vulnerability
+  # @param [ Hash ] references References
+  # @param [ String ] fixed_in  Vuln fixed in Version X
+  #
+  # @return [ Vulnerability ]
+  def initialize(title, type, references = {}, fixed_in = '')
+    @title              = title
+    @type               = type
+    @references         = references
+    @fixed_in           = fixed_in
+  end
+
+  # @param [ Vulnerability ] other
+  #
+  # @return [ Boolean ]
+  # :nocov:
+  def ==(other)
+    title == other.title &&
+        type == other.type &&
+        references == other.references &&
+        fixed_in == other.fixed_in
+  end
+  # :nocov:
+
+  # Create the Vulnerability from the json_item
+  #
+  # @param [ Hash ] json_item
+  #
+  # @return [ Vulnerability ]
+  def self.load_from_json_item(json_item)
+    references = {}
+    references['id'] = [json_item['id']]
+
+    %w(url cve secunia osvdb metasploit exploitdb).each do |key|
+      if json_item['references'][key]
+        json_item['references'][key] = [json_item['references'][key]] if json_item['references'][key].class != Array
+        references[key] = json_item['references'][key]
+      end
+    end
+
+    new(
+      json_item['title'],
+      json_item['type'],
+      references,
+      json_item['fixed_in']
+    )
+  end
+
+end

lib/common/models/vulnerability/output.rb

@@ -2,22 +2,22 @@
 
 class Vulnerability
   module Output
-
     # output the vulnerability
     def output(verbose = false)
       puts
       puts critical("Title: #{title}")
+
       references.each do |key, urls|
         methodname = "url_#{key}"
+
         urls.each do |u|
           next unless respond_to?(methodname)
           url = send(methodname, u)
           puts "    Reference: #{url}" if url
         end
       end
-      unless fixed_in.nil?
-        puts notice("Fixed in: #{fixed_in}")
-      end
+      
+      puts notice("Fixed in: #{fixed_in}") if fixed_in
     end
   end
 end

lib/common/models/wp_item.rb

@@ -1,103 +1,121 @@
-# encoding: UTF-8
-
-require 'wp_item/findable'
-require 'wp_item/versionable'
-require 'wp_item/vulnerable'
-require 'wp_item/existable'
-require 'wp_item/infos'
-require 'wp_item/output'
-
-class WpItem
-
-  extend  WpItem::Findable
-  include WpItem::Versionable
-  include WpItem::Vulnerable
-  include WpItem::Existable
-  include WpItem::Infos
-  include WpItem::Output
-
-  attr_reader   :path
-  attr_accessor :name, :wp_content_dir, :wp_plugins_dir
-
-  # @return [ Array ]
-  # Make it private ?
-  def allowed_options
-    [:name, :wp_content_dir, :wp_plugins_dir, :path, :version, :vulns_file]
-  end
-
-  # @param [ URI ] target_base_uri
-  # @param [ Hash ] options See allowed_option
-  #
-  # @return [ WpItem ]
-  def initialize(target_base_uri, options = {})
-
-    options[:wp_content_dir] ||= 'wp-content'
-    options[:wp_plugins_dir] ||= options[:wp_content_dir] + '/plugins'
-
-    set_options(options)
-    forge_uri(target_base_uri)
-  end
-
-  # @param [ Hash ] options
-  #
-  # @return [ void ]
-  def set_options(options)
-    allowed_options.each do |allowed_option|
-      if options.has_key?(allowed_option)
-        method = :"#{allowed_option}="
-
-        if self.respond_to?(method)
-          self.send(method, options[allowed_option])
-        else
-          raise "#{self.class} does not respond to #{method}"
-        end
-      end
-    end
-  end
-  private :set_options
-
-  # @param [ URI ] target_base_uri
-  #
-  # @return [ void ]
-  def forge_uri(target_base_uri)
-    @uri = target_base_uri
-  end
-
-  # @return [ URI ] The uri to the WpItem, with the path if present
-  def uri
-    path ? @uri.merge(path) : @uri
-  end
-
-  # @return [ String ] The url to the WpItem
-  def url; uri.to_s end
-
-  # Sets the path
-  #
-  # Variable, such as $wp-plugins$ and $wp-content$ can be used
-  # and will be replace by their value
-  #
-  # @param [ String ] path
-  #
-  # @return [ void ]
-  def path=(path)
-    @path = URI.encode(
-      path.gsub(/\$wp-plugins\$/i, wp_plugins_dir).gsub(/\$wp-content\$/i, wp_content_dir)
-    )
-  end
-
-  # @param [ WpItem ] other
-  def <=>(other)
-    name <=> other.name
-  end
-
-  # @param [ WpItem ] other
-  def ==(other)
-    name === other.name
-  end
-
-  # @param [ WpItem ] other
-  def ===(other)
-    self == other && version === other.version
-  end
-
-end
+# encoding: UTF-8
+
+require 'wp_item/findable'
+require 'wp_item/versionable'
+require 'wp_item/vulnerable'
+require 'wp_item/existable'
+require 'wp_item/infos'
+require 'wp_item/output'
+
+class WpItem
+
+  extend  WpItem::Findable
+  include WpItem::Versionable
+  include WpItem::Vulnerable
+  include WpItem::Existable
+  include WpItem::Infos
+  include WpItem::Output
+
+  attr_reader   :path
+  attr_accessor :name, :wp_content_dir, :wp_plugins_dir
+
+  # @return [ Array ]
+  # Make it private ?
+  def allowed_options
+    [:name, :wp_content_dir, :wp_plugins_dir, :path, :version, :db_file]
+  end
+
+  # @param [ URI ] target_base_uri
+  # @param [ Hash ] options See allowed_option
+  #
+  # @return [ WpItem ]
+  def initialize(target_base_uri, options = {})
+    options[:wp_content_dir] ||= 'wp-content'
+    options[:wp_plugins_dir] ||= options[:wp_content_dir] + '/plugins'
+
+    set_options(options)
+    forge_uri(target_base_uri)
+  end
+
+  def identifier
+    @identifier ||= name
+  end
+
+  # @return [ Hash ]
+  def db_data
+    @db_data ||= json(db_file)[identifier] || {}
+  end
+
+  def latest_version
+    db_data['latest_version']
+  end
+
+  def last_updated
+    db_data['last_ipdated']
+  end
+
+  def popular?
+    db_data['popular']
+  end
+
+  # @param [ Hash ] options
+  #
+  # @return [ void ]
+  def set_options(options)
+    allowed_options.each do |allowed_option|
+      if options.has_key?(allowed_option)
+        method = :"#{allowed_option}="
+
+        if self.respond_to?(method)
+          self.send(method, options[allowed_option])
+        else
+          raise "#{self.class} does not respond to #{method}"
+        end
+      end
+    end
+  end
+  private :set_options
+
+  # @param [ URI ] target_base_uri
+  #
+  # @return [ void ]
+  def forge_uri(target_base_uri)
+    @uri = target_base_uri
+  end
+
+  # @return [ URI ] The uri to the WpItem, with the path if present
+  def uri
+    path ? @uri.merge(path) : @uri
+  end
+
+  # @return [ String ] The url to the WpItem
+  def url; uri.to_s end
+
+  # Sets the path
+  #
+  # Variable, such as $wp-plugins$ and $wp-content$ can be used
+  # and will be replace by their value
+  #
+  # @param [ String ] path
+  #
+  # @return [ void ]
+  def path=(path)
+    @path = path.gsub(/\$wp-plugins\$/i, wp_plugins_dir).gsub(/\$wp-content\$/i, wp_content_dir)
+  end
+
+  # @param [ WpItem ] other
+  def <=>(other)
+    name <=> other.name
+  end
+
+  # @param [ WpItem ] other
+  def ==(other)
+    name === other.name
+  end
+
+  # @param [ WpItem ] other
+  def ===(other)
+    self == other && version === other.version
+  end
+
+end

lib/common/models/wp_item/existable.rb

@@ -1,50 +1,50 @@
-# encoding: UTF-8
-
-class WpItem
-  module Existable
-
-    # Check the existence of the WpItem
-    # If the response is supplied, it's used for the verification
-    # Otherwise a new request is done
-    #
-    # @param [ Hash ] options See exists_from_response?
-    # @param [ Typhoeus::Response ] response
-    #
-    # @return [ Boolean ]
-    def exists?(options = {}, response = nil)
-      unless response
-        response = Browser.get(url)
-      end
-      exists_from_response?(response, options)
-    end
-
-    protected
-
-    # @param [ Typhoeus::Response ] response
-    # @param [ options ] options
-    #
-    # @option options [ Hash ] :error_404_hash  The hash of the error 404 page
-    # @option options [ Hash ] :homepage_hash   The hash of the homepage
-    # @option options [ Hash ] :exclude_content A regexp with the pattern to exclude from the body of the response
-    #
-    # @return [ Boolean ]
-    def exists_from_response?(response, options = {})
-      # 301 included as some items do a self-redirect
-      # Redirects to the 404 and homepage should be ignored (unless dynamic content is used)
-      # by the page hashes (error_404_hash & homepage_hash)
-      if [200, 401, 403, 301].include?(response.code)
-        if response.has_valid_hash?(options[:error_404_hash], options[:homepage_hash])
-          if options[:exclude_content]
-            unless response.body.match(options[:exclude_content])
-              return true
-            end
-          else
-            return true
-          end
-        end
-      end
-      false
-    end
-
-  end
-end
+# encoding: UTF-8
+
+class WpItem
+  module Existable
+
+    # Check the existence of the WpItem
+    # If the response is supplied, it's used for the verification
+    # Otherwise a new request is done
+    #
+    # @param [ Hash ] options See exists_from_response?
+    # @param [ Typhoeus::Response ] response
+    #
+    # @return [ Boolean ]
+    def exists?(options = {}, response = nil)
+      unless response
+        response = Browser.get(url)
+      end
+      exists_from_response?(response, options)
+    end
+
+    protected
+
+    # @param [ Typhoeus::Response ] response
+    # @param [ options ] options
+    #
+    # @option options [ Hash ] :error_404_hash  The hash of the error 404 page
+    # @option options [ Hash ] :homepage_hash   The hash of the homepage
+    # @option options [ Hash ] :exclude_content A regexp with the pattern to exclude from the body of the response
+    #
+    # @return [ Boolean ]
+    def exists_from_response?(response, options = {})
+      # 301 included as some items do a self-redirect
+      # Redirects to the 404 and homepage should be ignored (unless dynamic content is used)
+      # by the page hashes (error_404_hash & homepage_hash)
+      if [200, 401, 403, 301].include?(response.code)
+        if response.has_valid_hash?(options[:error_404_hash], options[:homepage_hash])
+          if options[:exclude_content]
+            unless response.body.match(options[:exclude_content])
+              return true
+            end
+          else
+            return true
+          end
+        end
+      end
+      false
+    end
+
+  end
+end

lib/common/models/wp_item/findable.rb

@@ -1,19 +1,19 @@
-# encoding: UTF-8
-
-class WpItem
-  attr_reader :found_from
-
-  # Sets the found_from attribute
-  #
-  # @param [ String ] method The method which found the WpItem
-  #
-  # @return [ void ]
-  def found_from=(method)
-    found       = method[%r{find_from_(.*)}, 1]
-    @found_from = found.gsub('_', ' ') if found
-  end
-
-  module Findable
-
-  end
-end
+# encoding: UTF-8
+
+class WpItem
+  attr_reader :found_from
+
+  # Sets the found_from attribute
+  #
+  # @param [ String ] method The method which found the WpItem
+  #
+  # @return [ void ]
+  def found_from=(method)
+    found       = method[%r{find_from_(.*)}, 1]
+    @found_from = found.gsub('_', ' ') if found
+  end
+
+  module Findable
+
+  end
+end

lib/common/models/wp_item/output.rb

@@ -5,12 +5,17 @@ class WpItem
 
     # @return [ Void ]
     def output(verbose = false)
+      outdated = VersionCompare.lesser?(version, latest_version) if latest_version
+
       puts
       puts info("Name: #{self}") #this will also output the version number if detected
+      puts " |  Latest version: #{latest_version} #{'(up to date)' if version}" if latest_version && !outdated
+      puts " |  Last updated: #{last_updated}" if last_updated
       puts " |  Location: #{url}"
-      #puts " | WordPress: #{wordpress_url}" if wordpress_org_item?
       puts " |  Readme: #{readme_url}" if has_readme?
       puts " |  Changelog: #{changelog_url}" if has_changelog?
+      puts warning("The version is out of date, the latest version is #{latest_version}") if latest_version && outdated
+
       puts warning("Directory listing is enabled: #{url}") if has_directory_listing?
       puts warning("An error_log file has been found: #{error_log_url}") if has_error_log?
 

lib/common/models/wp_item/vulnerable.rb

@@ -1,51 +1,44 @@
-# encoding: UTF-8
-
-class WpItem
-  module Vulnerable
-    attr_accessor :vulns_file, :identifier
-
-    # Get the vulnerabilities associated to the WpItem
-    # Filters out already fixed vulnerabilities
-    #
-    # @return [ Vulnerabilities ]
-    def vulnerabilities
-      json            = json(vulns_file)
-      vulnerabilities = Vulnerabilities.new
-
-      json.each do |item|
-        asset = item[identifier]
-
-        next unless asset
-
-        asset['vulnerabilities'].each do |vulnerability|
-          vulnerability = Vulnerability.load_from_json_item(vulnerability)
-          vulnerabilities << vulnerability if vulnerable_to?(vulnerability)
-        end
-
-        break # No need to iterate any further
-      end
-
-      vulnerabilities
-    end
-
-    def vulnerable?
-      vulnerabilities.empty? ? false : true
-    end
-
-    # Checks if a item is vulnerable to a specific vulnerability
-    #
-    # @param [ Vulnerability ] vuln Vulnerability to check the item against
-    #
-    # @return [ Boolean ]
-    def vulnerable_to?(vuln)
-      if version && vuln && vuln.fixed_in && !vuln.fixed_in.empty?
-        unless VersionCompare::lesser_or_equal?(vuln.fixed_in, version)
-          return true
-        end
-      else
-        return true
-      end
-      return false
-    end
-  end
-end
+# encoding: UTF-8
+
+class WpItem
+  module Vulnerable
+    attr_accessor :db_file, :identifier
+
+    # Get the vulnerabilities associated to the WpItem
+    # Filters out already fixed vulnerabilities
+    #
+    # @return [ Vulnerabilities ]
+    def vulnerabilities
+      return @vulnerabilities if @vulnerabilities
+
+      @vulnerabilities = Vulnerabilities.new
+
+      [*db_data['vulnerabilities']].each do |vulnerability|
+        vulnerability = Vulnerability.load_from_json_item(vulnerability)
+        @vulnerabilities << vulnerability if vulnerable_to?(vulnerability)
+      end
+
+      @vulnerabilities
+    end
+
+    def vulnerable?
+      vulnerabilities.empty? ? false : true
+    end
+
+    # Checks if a item is vulnerable to a specific vulnerability
+    #
+    # @param [ Vulnerability ] vuln Vulnerability to check the item against
+    #
+    # @return [ Boolean ]
+    def vulnerable_to?(vuln)
+      if version && vuln && vuln.fixed_in && !vuln.fixed_in.empty?
+        unless VersionCompare::lesser_or_equal?(vuln.fixed_in, version)
+          return true
+        end
+      else
+        return true
+      end
+      return false
+    end
+  end
+end

lib/common/models/wp_plugin.rb

@@ -1,17 +1,16 @@
-# encoding: UTF-8
-
-require 'wp_plugin/vulnerable'
-
-class WpPlugin < WpItem
-  include WpPlugin::Vulnerable
-
-  # Sets the @uri
-  #
-  # @param [ URI ] target_base_uri The URI of the wordpress blog
-  #
-  # @return [ void ]
-  def forge_uri(target_base_uri)
-    @uri = target_base_uri.merge(URI.encode(wp_plugins_dir + '/' + name + '/'))
-  end
-
-end
+# encoding: UTF-8
+
+class WpPlugin < WpItem
+  # Sets the @uri
+  #
+  # @param [ URI ] target_base_uri The URI of the wordpress blog
+  #
+  # @return [ void ]
+  def forge_uri(target_base_uri)
+    @uri = target_base_uri.merge("#{wp_plugins_dir}/#{url_encode(name)}/")
+  end
+
+  def db_file
+    @db_file ||= PLUGINS_FILE
+  end
+end

lib/common/models/wp_plugin/vulnerable.rb

@@ -1,20 +0,0 @@
-# encoding: UTF-8
-
-class WpPlugin < WpItem
-  module Vulnerable
-
-    # @return [ String ] The path to the file containing vulnerabilities
-    def vulns_file
-      unless @vulns_file
-        @vulns_file = PLUGINS_VULNS_FILE
-      end
-      @vulns_file
-    end
-
-    # @return [ String ]
-    def identifier
-      @name
-    end
-
-  end
-end

lib/common/models/wp_theme.rb

@@ -1,36 +1,37 @@
-# encoding: UTF-8
-
-require 'wp_theme/findable'
-require 'wp_theme/versionable'
-require 'wp_theme/vulnerable'
-require 'wp_theme/info'
-require 'wp_theme/output'
-require 'wp_theme/childtheme'
-
-class WpTheme < WpItem
-  extend WpTheme::Findable
-  include WpTheme::Versionable
-  include WpTheme::Vulnerable
-  include WpTheme::Info
-  include WpTheme::Output
-  include WpTheme::Childtheme
-
-  attr_accessor :referenced_url
-
-  def allowed_options; super << :referenced_url end
-
-  # Sets the @uri
-  #
-  # @param [ URI ] target_base_uri The URI of the wordpress blog
-  #
-  # @return [ void ]
-  def forge_uri(target_base_uri)
-    @uri = target_base_uri.merge(URI.encode(wp_content_dir + '/themes/' + name + '/'))
-  end
-
-  # @return [ String ] The url to the theme stylesheet
-  def style_url
-    @uri.merge('style.css').to_s
-  end
-
-end
+# encoding: UTF-8
+
+require 'wp_theme/findable'
+require 'wp_theme/versionable'
+require 'wp_theme/info'
+require 'wp_theme/output'
+require 'wp_theme/childtheme'
+
+class WpTheme < WpItem
+  extend WpTheme::Findable
+  include WpTheme::Versionable
+  include WpTheme::Info
+  include WpTheme::Output
+  include WpTheme::Childtheme
+
+  attr_accessor :referenced_url
+
+  def allowed_options; super << :referenced_url end
+
+  # Sets the @uri
+  #
+  # @param [ URI ] target_base_uri The URI of the wordpress blog
+  #
+  # @return [ void ]
+  def forge_uri(target_base_uri)
+    @uri = target_base_uri.merge("#{wp_content_dir}/themes/#{url_encode(name)}/")
+  end
+
+  # @return [ String ] The url to the theme stylesheet
+  def style_url
+    @uri.merge('style.css').to_s
+  end
+
+  def db_file
+    @db_file ||= THEMES_FILE
+  end
+end

lib/common/models/wp_theme/findable.rb

@@ -1,64 +1,64 @@
-# encoding: UTF-8
-
-class WpTheme < WpItem
-  module Findable
-
-    # Find the main theme of the blog
-    #
-    # @param [ URI ] target_uri
-    #
-    # @return [ WpTheme ]
-    def find(target_uri)
-      methods.grep(/^find_from_/).each do |method|
-        if wp_theme = self.send(method, target_uri)
-          wp_theme.found_from = method
-
-          return wp_theme
-        end
-      end
-      nil
-    end
-
-    protected
-
-    # Discover the wordpress theme by parsing the css link rel
-    #
-    # @param [ URI ] target_uri
-    #
-    # @return [ WpTheme ]
-    def find_from_css_link(target_uri)
-      response = Browser.get_and_follow_location(target_uri.to_s)
-
-      # https + domain is optional because of relative links
-      return unless response.body =~ %r{(?:https?://[^"']+/)?([^/\s]+)/themes/([^"'/]+)[^"']*/style.css}i
-
-      new(
-        target_uri,
-        name:           Regexp.last_match[2],
-        referenced_url: Regexp.last_match[0],
-        wp_content_dir: Regexp.last_match[1]
-      )
-    end
-
-    # @param [ URI ] target_uri
-    #
-    # @return [ WpTheme ]
-    def find_from_wooframework(target_uri)
-      body = Browser.get(target_uri.to_s).body
-      regexp = %r{<meta name="generator" content="([^\s"]+)\s?([^"]+)?" />\s+<meta name="generator" content="WooFramework\s?([^"]+)?" />}
-
-      if matches = regexp.match(body)
-        woo_theme_name = matches[1]
-        woo_theme_version = matches[2]
-        #woo_framework_version = matches[3] # Not used at this time
-
-        return new(
-          target_uri,
-          name:    woo_theme_name,
-          version: woo_theme_version
-        )
-      end
-    end
-
-  end
-end
+# encoding: UTF-8
+
+class WpTheme < WpItem
+  module Findable
+
+    # Find the main theme of the blog
+    #
+    # @param [ URI ] target_uri
+    #
+    # @return [ WpTheme ]
+    def find(target_uri)
+      methods.grep(/^find_from_/).each do |method|
+        if wp_theme = self.send(method, target_uri)
+          wp_theme.found_from = method
+
+          return wp_theme
+        end
+      end
+      nil
+    end
+
+    protected
+
+    # Discover the wordpress theme by parsing the css link rel
+    #
+    # @param [ URI ] target_uri
+    #
+    # @return [ WpTheme ]
+    def find_from_css_link(target_uri)
+      response = Browser.get_and_follow_location(target_uri.to_s)
+
+      # https + domain is optional because of relative links
+      return unless response.body =~ %r{(?:https?://[^"']+/)?([^/\s]+)/themes/([^"'/]+)[^"']*/style.css}i
+
+      new(
+        target_uri,
+        name:           Regexp.last_match[2],
+        referenced_url: Regexp.last_match[0],
+        wp_content_dir: Regexp.last_match[1]
+      )
+    end
+
+    # @param [ URI ] target_uri
+    #
+    # @return [ WpTheme ]
+    def find_from_wooframework(target_uri)
+      body = Browser.get(target_uri.to_s).body
+      regexp = %r{<meta name="generator" content="([^\s"]+)\s?([^"]+)?" />\s+<meta name="generator" content="WooFramework\s?([^"]+)?" />}
+
+      if matches = regexp.match(body)
+        woo_theme_name = matches[1]
+        woo_theme_version = matches[2]
+        #woo_framework_version = matches[3] # Not used at this time
+
+        return new(
+          target_uri,
+          name:    woo_theme_name,
+          version: woo_theme_version
+        )
+      end
+    end
+
+  end
+end

lib/common/models/wp_theme/output.rb

@@ -6,13 +6,13 @@ class WpTheme
     # @return [ Void ]
     def additional_output(verbose = false)
       parse_style
-      
+
       theme_desc = verbose ? @theme_description : truncate(@theme_description, 100)
       puts " |  Style URL: #{style_url}"
       puts " |  Referenced style.css: #{referenced_url}" if referenced_url && referenced_url != style_url
       puts " |  Theme Name: #{@theme_name}" if @theme_name
       puts " |  Theme URI: #{@theme_uri}" if @theme_uri
-      puts " |  Description: #{theme_desc}"
+      puts " |  Description: #{theme_desc}" if theme_desc
       puts " |  Author: #{@theme_author}" if @theme_author
       puts " |  Author URI: #{@theme_author_uri}" if @theme_author_uri
       puts " |  Template: #{@theme_template}" if @theme_template and verbose

lib/common/models/wp_theme/versionable.rb

@@ -1,9 +1,9 @@
-# encoding: UTF-8
-
-class WpTheme < WpItem
-  module Versionable
-    def version
-      @version ||= Browser.get(style_url).body[%r{Version:\s*(?!trunk)([0-9a-z\.-]+)}i, 1]
-    end
-  end
-end
+# encoding: UTF-8
+
+class WpTheme < WpItem
+  module Versionable
+    def version
+      @version ||= Browser.get(style_url).body[%r{Version:\s*(?!trunk)([0-9a-z\.-]+)}i, 1]
+    end
+  end
+end

lib/common/models/wp_theme/vulnerable.rb

@@ -1,19 +0,0 @@
-# encoding: UTF-8
-
-class WpTheme < WpItem
-  module Vulnerable
-
-    # @return [ String ] The path to the file containing vulnerabilities
-    def vulns_file
-      unless @vulns_file
-        @vulns_file = THEMES_VULNS_FILE
-      end
-      @vulns_file
-    end
-
-    # @return [ String ]
-    def identifier
-      @name
-    end
-  end
-end

lib/common/models/wp_timthumb.rb

@@ -1,20 +1,20 @@
-# encoding: UTF-8
-
-require 'wp_timthumb/versionable'
-require 'wp_timthumb/existable'
-require 'wp_timthumb/output'
-require 'wp_timthumb/vulnerable'
-
-class WpTimthumb < WpItem
-  include WpTimthumb::Versionable
-  include WpTimthumb::Existable
-  include WpTimthumb::Output
-  include WpTimthumb::Vulnerable
-
-  # @param [ WpTimthumb ] other
-  #
-  # @return [ Boolean ]
-  def ==(other)
-    url == other.url
-  end
-end
+# encoding: UTF-8
+
+require 'wp_timthumb/versionable'
+require 'wp_timthumb/existable'
+require 'wp_timthumb/output'
+require 'wp_timthumb/vulnerable'
+
+class WpTimthumb < WpItem
+  include WpTimthumb::Versionable
+  include WpTimthumb::Existable
+  include WpTimthumb::Output
+  include WpTimthumb::Vulnerable
+
+  # @param [ WpTimthumb ] other
+  #
+  # @return [ Boolean ]
+  def ==(other)
+    url == other.url
+  end
+end

lib/common/models/wp_timthumb/versionable.rb

@@ -1,24 +1,24 @@
-# encoding: UTF-8
-
-class WpTimthumb < WpItem
-  module Versionable
-
-    # Get the version from the body of an invalid request
-    # See https://code.google.com/p/timthumb/source/browse/trunk/timthumb.php#426
-    #
-    # @return [ String ] The version
-    def version
-      unless @version
-        response = Browser.get(url)
-        @version = response.body[%r{TimThumb version\s*: ([^<]+)} , 1]
-      end
-      @version
-    end
-
-    # @return [ String ]
-    def to_s
-      "#{url}#{ ' v' + version if version}"
-    end
-
-  end
-end
+# encoding: UTF-8
+
+class WpTimthumb < WpItem
+  module Versionable
+
+    # Get the version from the body of an invalid request
+    # See https://code.google.com/p/timthumb/source/browse/trunk/timthumb.php#426
+    #
+    # @return [ String ] The version
+    def version
+      unless @version
+        response = Browser.get(url)
+        @version = response.body[%r{TimThumb version\s*: ([^<]+)} , 1]
+      end
+      @version
+    end
+
+    # @return [ String ]
+    def to_s
+      "#{url}#{ ' v' + version if version}"
+    end
+
+  end
+end

lib/common/models/wp_user/brute_forcable.rb

@@ -3,6 +3,8 @@
 class WpUser < WpItem
   module BruteForcable
 
+    attr_reader :progress_bar
+
     # Brute force the user with the wordlist supplied
     #
     # It can take a long time to queue 2 million requests,
@@ -25,7 +27,8 @@ class WpUser < WpItem
       hydra        = browser.hydra
       queue_count  = 0
       found        = false
-      progress_bar = self.progress_bar(count_file_lines(wordlist)+1, options)
+
+      create_progress_bar(count_file_lines(wordlist)+1, options)
 
       File.open(wordlist).each do |password|
         password.chomp!
@@ -42,7 +45,7 @@ class WpUser < WpItem
         request.on_complete do |response|
           progress_bar.progress += 1 if options[:show_progression] && !found
 
-          puts "\n  Trying Username : #{login} Password : #{password}" if options[:verbose]
+          progress_bar.log("  Trying Username: #{login} Password: #{password}") if options[:verbose]
 
           if valid_password?(response, password, redirect_url, options)
             found         = true
@@ -57,7 +60,7 @@ class WpUser < WpItem
         if queue_count >= browser.max_threads
           hydra.run
           queue_count = 0
-          puts "Sent #{browser.max_threads} requests ..." if options[:verbose]
+          progress_bar.log("  Sent #{browser.max_threads} request/s ...") if options[:verbose]
         end
       end
 
@@ -71,9 +74,9 @@ class WpUser < WpItem
     #
     # @return [ ProgressBar ]
     # :nocov:
-    def progress_bar(passwords_size, options)
+    def create_progress_bar(passwords_size, options)
       if options[:show_progression]
-        ProgressBar.create(
+        @progress_bar = ProgressBar.create(
           format: '%t %a <%B> (%c / %C) %P%% %e',
           title: "  Brute Forcing '#{login}'",
           total: passwords_size
@@ -107,20 +110,20 @@ class WpUser < WpItem
         progression = "#{info('[SUCCESS]')} Login : #{login} Password : #{password}\n\n"
         valid       = true
       elsif response.body =~ /login_error/i
-        verbose = "\n  Incorrect login and/or password."
+        verbose = "Incorrect login and/or password."
       elsif response.timed_out?
         progression = critical('ERROR: Request timed out.')
       elsif response.code == 0
         progression = critical("ERROR: No response from remote server. WAF/IPS? (#{response.return_message})")
       elsif response.code.to_s =~ /^50/
-        progression = critical('ERROR: Server error, try reducing the number of threads.')
+        progression = critical('ERROR: Server error, try reducing the number of threads or use the --throttle option.')
       else
         progression = critical("ERROR: We received an unknown response for #{password}...")
-        verbose     = critical("    Code: #{response.code}\n    Body: #{response.body}\n")
+        verbose     = critical("  Code: #{response.code}\n    Body: #{response.body}\n")
       end
 
-      puts "\n  " + progression if progression && options[:show_progression]
-      puts verbose if verbose && options[:verbose]
+      progress_bar.log("  #{progression}") if progression && options[:show_progression]
+      progress_bar.log("  #{verbose}") if verbose && options[:verbose]
 
       valid || false
     end

lib/common/models/wp_user/existable.rb

@@ -1,86 +1,86 @@
-# encoding: UTF-8
-
-class WpUser < WpItem
-  module Existable
-
-    # @param [ Typhoeus::Response ] response
-    # @param [ Hash ] options
-    #
-    # @return [ Boolean ]
-    def exists_from_response?(response, options = {})
-      load_from_response(response)
-
-      @login ? true : false
-    end
-
-    # Load the login and display_name from the response
-    #
-    # @param [ Typhoeus::Response ] response
-    #
-    # @return [ void ]
-    def load_from_response(response)
-      if response.code == 301 # login in location?
-        location = response.headers_hash['Location']
-
-        return if location.nil? || location.empty?
-
-        @login        = Existable.login_from_author_pattern(location)
-        @display_name = Existable.display_name_from_body(
-          Browser.get(location).body
-        )
-      elsif response.code == 200 # login in body?
-        @login        = Existable.login_from_body(response.body)
-        @display_name = Existable.display_name_from_body(response.body)
-      end
-    end
-    private :load_from_response
-
-    # @param [ String ] text
-    #
-    # @return [ String ] The login
-    def self.login_from_author_pattern(text)
-      return unless text =~ %r{/author/([^/\b]+)/?}i
-
-      Regexp.last_match[1].force_encoding('UTF-8')
-    end
-
-    # @param [ String ] body
-    #
-    # @return [ String ] The login
-    def self.login_from_body(body)
-      # Feed URL with Permalinks
-      login = WpUser::Existable.login_from_author_pattern(body)
-
-      unless login
-        # No Permalinks
-        login = body[%r{<body class="archive author author-([^\s]+)[ "]}i, 1]
-        login ? login.force_encoding('UTF-8') : nil
-      end
-
-      login
-    end
-
-    # @note Some bodies are encoded in ASCII-8BIT, and Nokogiri doesn't support it
-    #   So it's forced to UTF-8 when this encoding is detected
-    #
-    # @param [ String ] body
-    #
-    # @return [ String ] The display_name
-    def self.display_name_from_body(body)
-      if title_tag = body[%r{<title>([^<]+)</title>}i, 1]
-        title_tag.force_encoding('UTF-8') if title_tag.encoding == Encoding::ASCII_8BIT
-        title_tag = Nokogiri::HTML::DocumentFragment.parse(title_tag).to_s
-        # &amp; are not decoded with Nokogiri
-        title_tag.gsub!('&amp;', '&')
-
-        # replace UTF chars like  &#187; with dummy character
-        title_tag.gsub!(/&#(\d+);/, '|')
-
-        name = title_tag[%r{([^|«»]+) }, 1]
-
-        return name.strip if name
-      end
-    end
-
-  end
-end
+# encoding: UTF-8
+
+class WpUser < WpItem
+  module Existable
+
+    # @param [ Typhoeus::Response ] response
+    # @param [ Hash ] options
+    #
+    # @return [ Boolean ]
+    def exists_from_response?(response, options = {})
+      load_from_response(response)
+
+      @login ? true : false
+    end
+
+    # Load the login and display_name from the response
+    #
+    # @param [ Typhoeus::Response ] response
+    #
+    # @return [ void ]
+    def load_from_response(response)
+      if response.code == 301 # login in location?
+        location = response.headers_hash['Location']
+
+        return if location.nil? || location.empty?
+
+        @login        = Existable.login_from_author_pattern(location)
+        @display_name = Existable.display_name_from_body(
+          Browser.get(location).body
+        )
+      elsif response.code == 200 # login in body?
+        @login        = Existable.login_from_body(response.body)
+        @display_name = Existable.display_name_from_body(response.body)
+      end
+    end
+    private :load_from_response
+
+    # @param [ String ] text
+    #
+    # @return [ String ] The login
+    def self.login_from_author_pattern(text)
+      return unless text =~ %r{/author/([^/\b"']+)/?}i
+
+      Regexp.last_match[1].force_encoding('UTF-8')
+    end
+
+    # @param [ String ] body
+    #
+    # @return [ String ] The login
+    def self.login_from_body(body)
+      # Feed URL with Permalinks
+      login = WpUser::Existable.login_from_author_pattern(body)
+
+      unless login
+        # No Permalinks
+        login = body[%r{<body class="archive author author-([^\s]+)[ "]}i, 1]
+        login ? login.force_encoding('UTF-8') : nil
+      end
+
+      login
+    end
+
+    # @note Some bodies are encoded in ASCII-8BIT, and Nokogiri doesn't support it
+    #   So it's forced to UTF-8 when this encoding is detected
+    #
+    # @param [ String ] body
+    #
+    # @return [ String ] The display_name
+    def self.display_name_from_body(body)
+      if title_tag = body[%r{<title>([^<]+)</title>}i, 1]
+        title_tag.force_encoding('UTF-8') if title_tag.encoding == Encoding::ASCII_8BIT
+        title_tag = Nokogiri::HTML::DocumentFragment.parse(title_tag).to_s
+        # &amp; are not decoded with Nokogiri
+        title_tag.gsub!('&amp;', '&')
+
+        # replace UTF chars like  &#187; with dummy character
+        title_tag.gsub!(/&#(\d+);/, '|')
+
+        name = title_tag[%r{([^|«»]+) }, 1]
+
+        return name.strip if name
+      end
+    end
+
+  end
+end

lib/common/models/wp_version.rb

@@ -1,33 +1,48 @@
-# encoding: UTF-8
-
-require 'wp_version/findable'
-require 'wp_version/vulnerable'
-require 'wp_version/output'
-
-class WpVersion < WpItem
-
-  extend  WpVersion::Findable
-  include WpVersion::Vulnerable
-  include WpVersion::Output
-
-  # The version number
-  attr_accessor :number
-
-  # @return [ Array ]
-  def allowed_options; super << :number << :found_from end
-
-  # @param [ WpVersion ] other
-  #
-  # @return [ Boolean ]
-  def ==(other)
-    number == other.number
-  end
-
-  # @return [ Array<String> ] All the stable versions from version_file
-  def self.all(versions_file = WP_VERSIONS_FILE)
-    Nokogiri.XML(File.open(versions_file)).css('version').reduce([]) do |a, node|
-      a << node.text.to_s
-    end
-  end
-
-end
+# encoding: UTF-8
+
+require 'wp_version/findable'
+require 'wp_version/output'
+
+class WpVersion < WpItem
+  extend  WpVersion::Findable
+  include WpVersion::Output
+
+  # The version number
+  attr_accessor :number, :metadata
+  alias_method :version, :number # Needed to have the right behaviour in Vulnerable#vulnerable_to?
+
+  # @return [ Array ]
+  def allowed_options; super << :number << :found_from end
+
+  def identifier
+    @identifier ||= number
+  end
+
+  def db_file
+    @db_file ||= WORDPRESSES_FILE
+  end
+
+  # @param [ WpVersion ] other
+  #
+  # @return [ Boolean ]
+  def ==(other)
+    number == other.number
+  end
+
+  # @return [ Array<String> ] All the stable versions from version_file
+  def self.all(versions_file = WP_VERSIONS_FILE)
+    Nokogiri.XML(File.open(versions_file)).css('version').reduce([]) do |a, node|
+      a << node.text.to_s
+    end
+  end
+
+  # @return [ Hash ] Metadata for specific WP version from WORDPRESSES_FILE
+  def metadata(version)
+    json = json(db_file)
+
+    metadata = {}
+    metadata[:release_date]  = json[version]['release_date']
+    metadata[:changelog_url] = json[version]['changelog_url']
+    metadata
+  end
+end

lib/common/models/wp_version/findable.rb

@@ -1,222 +1,219 @@
-# encoding: UTF-8
-
-class WpVersion < WpItem
-
-  module Findable
-
-    # Find the version of the blog designated from target_uri
-    #
-    # @param [ URI ] target_uri
-    # @param [ String ] wp_content_dir
-    # @param [ String ] wp_plugins_dir
-    #
-    # @return [ WpVersion ]
-    def find(target_uri, wp_content_dir, wp_plugins_dir, versions_xml)
-      methods.grep(/^find_from_/).each do |method|
-
-        if method === :find_from_advanced_fingerprinting
-          version = send(method, target_uri, wp_content_dir, wp_plugins_dir, versions_xml)
-        else
-          version = send(method, target_uri)
-        end
-
-        if version
-          return new(target_uri, number: version, found_from: method)
-        end
-      end
-      nil
-    end
-
-    # Used to check if the version is correct: must contain at least one dot.
-    #
-    # @return [ String ]
-    def version_pattern
-      '([^\r\n"\']+\.[^\r\n"\']+)'
-    end
-
-    protected
-
-    # Returns the first match of <pattern> in the body of the url
-    #
-    # @param [ URI ] target_uri
-    # @param [ Regex ] pattern
-    # @param [ String ] path
-    #
-    # @return [ String ]
-    def scan_url(target_uri, pattern, path = nil)
-      url = path ? target_uri.merge(path).to_s : target_uri.to_s
-      response = Browser.get_and_follow_location(url)
-
-      response.body[pattern, 1]
-    end
-
-    #
-    # DO NOT Change the order of the following methods
-    # unless you know what you are doing
-    # See WpVersion.find
-    #
-
-    # Attempts to find the wordpress version from,
-    # the generator meta tag in the html source.
-    #
-    # The meta tag can be removed however it seems,
-    # that it is reinstated on upgrade.
-    #
-    # @param [ URI ] target_uri
-    #
-    # @return [ String ] The version number
-    def find_from_meta_generator(target_uri)
-      scan_url(
-        target_uri,
-        %r{name="generator" content="wordpress #{version_pattern}"}i
-      )
-    end
-
-    # Attempts to find the WordPress version from,
-    # the generator tag in the RSS feed source.
-    #
-    # @param [ URI ] target_uri
-    #
-    # @return [ String ] The version number
-    def find_from_rss_generator(target_uri)
-      scan_url(
-        target_uri,
-        %r{<generator>http://wordpress.org/\?v=#{version_pattern}</generator>}i,
-        'feed/'
-      )
-    end
-
-    # Attempts to find WordPress version from,
-    # the generator tag in the RDF feed source.
-    #
-    # @param [ URI ] target_uri
-    #
-    # @return [ String ] The version number
-    def find_from_rdf_generator(target_uri)
-      scan_url(
-        target_uri,
-        %r{<admin:generatorAgent rdf:resource="http://wordpress.org/\?v=#{version_pattern}" />}i,
-        'feed/rdf/'
-      )
-    end
-
-    # Attempts to find the WordPress version from,
-    # the generator tag in the Atom source.
-    #
-    # @param [ URI ] target_uri
-    #
-    # @return [ String ] The version number
-    def find_from_atom_generator(target_uri)
-      scan_url(
-        target_uri,
-        %r{<generator uri="http://wordpress.org/" version="#{version_pattern}">WordPress</generator>}i,
-        'feed/atom/'
-      )
-    end
-
-    def find_from_stylesheets_numbers(target_uri)
-      wp_versions = WpVersion.all
-      found       = {}
-      pattern     = /\bver=([0-9\.]+)/i
-
-      Nokogiri::HTML(Browser.get(target_uri.to_s).body).css('link,script').each do |tag|
-        %w(href src).each do |attribute|
-          attr_value = tag.attribute(attribute).to_s
-
-          next if attr_value.nil? || attr_value.empty?
-
-          uri = Addressable::URI.parse(attr_value)
-          next unless uri.query && uri.query.match(pattern)
-
-          version = Regexp.last_match[1].to_s
-
-          found[version] ||= 0
-          found[version] += 1
-        end
-      end
-
-      found.delete_if { |v, _| !wp_versions.include?(v) }
-
-      best_guess = found.sort_by(&:last).last
-      # best_guess[0]: version number, [1] numbers of occurences
-      best_guess && best_guess[1] > 1 ? best_guess[0] : nil
-    end
-
-    # Uses data/wp_versions.xml to try to identify a
-    # wordpress version.
-    #
-    # It does this by using client side file hashing
-    #
-    # /!\ Warning : this method might return false positive if the file used for fingerprinting is part of a theme (they can be updated)
-    #
-    # @param [ URI ] target_uri
-    # @param [ String ] wp_content_dir
-    # @param [ String ] wp_plugins_dir
-    # @param [ String ] versions_xml The path to the xml containing all versions
-    #
-    # @return [ String ] The version number
-    def find_from_advanced_fingerprinting(target_uri, wp_content_dir, wp_plugins_dir, versions_xml)
-      xml     = xml(versions_xml)
-
-      # This wp_item will take care of encoding the path
-      # and replace variables like $wp-content$ & $wp-plugins$
-      wp_item = WpItem.new(target_uri,
-                           wp_content_dir: wp_content_dir,
-                           wp_plugins_dir: wp_plugins_dir)
-
-      xml.xpath('//file').each do |node|
-        wp_item.path = node.attribute('src').text
-
-        response = Browser.get(wp_item.url)
-        md5sum = Digest::MD5.hexdigest(response.body)
-
-        node.search('hash').each do |hash|
-          if hash.attribute('md5').text == md5sum
-            return hash.search('version').text
-          end
-        end
-      end
-      nil
-    end
-
-    # Attempts to find the WordPress version from the readme.html file.
-    #
-    # @param [ URI ] target_uri
-    #
-    # @return [ String ] The version number
-    def find_from_readme(target_uri)
-      scan_url(
-        target_uri,
-        %r{<br />\sversion #{version_pattern}}i,
-        'readme.html'
-      )
-    end
-
-    # Attempts to find the WordPress version from the sitemap.xml file.
-    #
-    # @param [ URI ] target_uri
-    #
-    # @return [ String ] The version number
-    def find_from_sitemap_generator(target_uri)
-      scan_url(
-        target_uri,
-        %r{generator="wordpress/#{version_pattern}"}i,
-        'sitemap.xml'
-      )
-    end
-
-    # Attempts to find the WordPress version from the p-links-opml.php file.
-    #
-    # @param [ URI ] target_uri
-    #
-    # @return [ String ] The version number
-    def find_from_links_opml(target_uri)
-      scan_url(
-        target_uri,
-        %r{generator="wordpress/#{version_pattern}"}i,
-        'wp-links-opml.php'
-      )
-    end
-
-  end
-end
+# encoding: UTF-8
+
+class WpVersion < WpItem
+
+  module Findable
+
+    # Find the version of the blog designated from target_uri
+    #
+    # @param [ URI ] target_uri
+    # @param [ String ] wp_content_dir
+    # @param [ String ] wp_plugins_dir
+    #
+    # @return [ WpVersion ]
+    def find(target_uri, wp_content_dir, wp_plugins_dir, versions_xml)
+      methods.grep(/^find_from_/).each do |method|
+
+        if method === :find_from_advanced_fingerprinting
+          version = send(method, target_uri, wp_content_dir, wp_plugins_dir, versions_xml)
+        else
+          version = send(method, target_uri)
+        end
+
+        if version
+          return new(target_uri, number: version, found_from: method)
+        end
+      end
+      nil
+    end
+
+    # Used to check if the version is correct: must contain at least one dot.
+    #
+    # @return [ String ]
+    def version_pattern
+      '([^\r\n"\',]+\.[^\r\n"\',]+)'
+    end
+
+    protected
+
+    # Returns the first match of <pattern> in the body of the url
+    #
+    # @param [ URI ] target_uri
+    # @param [ Regex ] pattern
+    # @param [ String ] path
+    #
+    # @return [ String ]
+    def scan_url(target_uri, pattern, path = nil)
+      url = path ? target_uri.merge(path).to_s : target_uri.to_s
+      response = Browser.get_and_follow_location(url)
+
+      response.body[pattern, 1]
+    end
+
+    #
+    # DO NOT Change the order of the following methods
+    # unless you know what you are doing
+    # See WpVersion.find
+    #
+
+    # Attempts to find the wordpress version from,
+    # the generator meta tag in the html source.
+    #
+    # The meta tag can be removed however it seems,
+    # that it is reinstated on upgrade.
+    #
+    # @param [ URI ] target_uri
+    #
+    # @return [ String ] The version number
+    def find_from_meta_generator(target_uri)
+      scan_url(
+        target_uri,
+        %r{name="generator" content="wordpress #{version_pattern}.*"}i
+      )
+    end
+
+    # Attempts to find the WordPress version from,
+    # the generator tag in the RSS feed source.
+    #
+    # @param [ URI ] target_uri
+    #
+    # @return [ String ] The version number
+    def find_from_rss_generator(target_uri)
+      scan_url(
+        target_uri,
+        %r{<generator>http://wordpress.org/\?v=#{version_pattern}</generator>}i,
+        'feed/'
+      )
+    end
+
+    # Attempts to find WordPress version from,
+    # the generator tag in the RDF feed source.
+    #
+    # @param [ URI ] target_uri
+    #
+    # @return [ String ] The version number
+    def find_from_rdf_generator(target_uri)
+      scan_url(
+        target_uri,
+        %r{<admin:generatorAgent rdf:resource="http://wordpress.org/\?v=#{version_pattern}" />}i,
+        'feed/rdf/'
+      )
+    end
+
+    # Attempts to find the WordPress version from,
+    # the generator tag in the Atom source.
+    #
+    # @param [ URI ] target_uri
+    #
+    # @return [ String ] The version number
+    def find_from_atom_generator(target_uri)
+      scan_url(
+        target_uri,
+        %r{<generator uri="http://wordpress.org/" version="#{version_pattern}">WordPress</generator>}i,
+        'feed/atom/'
+      )
+    end
+
+    # Uses data/wp_versions.xml to try to identify a
+    # wordpress version.
+    #
+    # It does this by using client side file hashing
+    #
+    # /!\ Warning : this method might return false positive if the file used for fingerprinting is part of a theme (they can be updated)
+    #
+    # @param [ URI ] target_uri
+    # @param [ String ] wp_content_dir
+    # @param [ String ] wp_plugins_dir
+    # @param [ String ] versions_xml The path to the xml containing all versions
+    #
+    # @return [ String ] The version number
+    def find_from_advanced_fingerprinting(target_uri, wp_content_dir, wp_plugins_dir, versions_xml)
+      xml     = xml(versions_xml)
+
+      wp_item = WpItem.new(target_uri,
+                           wp_content_dir: wp_content_dir,
+                           wp_plugins_dir: wp_plugins_dir)
+
+      xml.xpath('//file').each do |node|
+        wp_item.path = node.attribute('src').text
+
+        response = Browser.get(wp_item.url)
+        md5sum = Digest::MD5.hexdigest(response.body)
+
+        node.search('hash').each do |hash|
+          if hash.attribute('md5').text == md5sum
+            return hash.search('version').text
+          end
+        end
+      end
+      nil
+    end
+
+    # Attempts to find the WordPress version from the readme.html file.
+    #
+    # @param [ URI ] target_uri
+    #
+    # @return [ String ] The version number
+    def find_from_readme(target_uri)
+      scan_url(
+        target_uri,
+        %r{<br />\sversion #{version_pattern}}i,
+        'readme.html'
+      )
+    end
+
+    # Attempts to find the WordPress version from the sitemap.xml file.
+    #
+    # @param [ URI ] target_uri
+    #
+    # @return [ String ] The version number
+    def find_from_sitemap_generator(target_uri)
+      scan_url(
+        target_uri,
+        %r{generator="wordpress/#{version_pattern}"}i,
+        'sitemap.xml'
+      )
+    end
+
+    # Attempts to find the WordPress version from the p-links-opml.php file.
+    #
+    # @param [ URI ] target_uri
+    #
+    # @return [ String ] The version number
+    def find_from_links_opml(target_uri)
+      scan_url(
+        target_uri,
+        %r{generator="wordpress/#{version_pattern}"}i,
+        'wp-links-opml.php'
+      )
+    end
+
+    def find_from_stylesheets_numbers(target_uri)
+      wp_versions = WpVersion.all
+      found       = {}
+      pattern     = /\bver=([0-9\.]+)/i
+
+      Nokogiri::HTML(Browser.get(target_uri.to_s).body).css('link,script').each do |tag|
+        %w(href src).each do |attribute|
+          attr_value = tag.attribute(attribute).to_s
+
+          next if attr_value.nil? || attr_value.empty?
+
+          uri = Addressable::URI.parse(attr_value)
+          next unless uri.query && uri.query.match(pattern)
+
+          version = Regexp.last_match[1].to_s
+
+          found[version] ||= 0
+          found[version] += 1
+        end
+      end
+
+      found.delete_if { |v, _| !wp_versions.include?(v) }
+
+      best_guess = found.sort_by(&:last).last
+      # best_guess[0]: version number, [1] numbers of occurences
+      best_guess && best_guess[1] > 1 ? best_guess[0] : nil
+    end
+  end
+end

lib/common/models/wp_version/output.rb

@@ -4,8 +4,16 @@ class WpVersion < WpItem
   module Output
 
     def output(verbose = false)
+      metadata = self.metadata(self.number)
+
       puts
-      puts info("WordPress version #{self.number} identified from #{self.found_from}")
+      if verbose
+        puts info("WordPress version #{self.number} identified from #{self.found_from}")
+        puts " | Released: #{metadata[:release_date]}"
+        puts " | Changelog: #{metadata[:changelog_url]}"
+      else
+        puts info("WordPress version #{self.number} identified from #{self.found_from} #{"(Released on #{metadata[:release_date]})" if metadata[:release_date]}")
+      end
 
       vulnerabilities = self.vulnerabilities
 

lib/common/models/wp_version/vulnerable.rb

@@ -1,25 +0,0 @@
-# encoding: UTF-8
-
-class WpVersion < WpItem
-  module Vulnerable
-
-    # @return [ String ] The path to the file containing vulnerabilities
-    def vulns_file
-      unless @vulns_file
-        @vulns_file = WP_VULNS_FILE
-      end
-      @vulns_file
-    end
-
-    # @return [ String ]
-    def identifier
-      @number
-    end  
-
-    # @return [ String ]
-    # def vulns_xpath
-    #   "//wordpress[@version='#{@number}']/vulnerability"
-    # end
-
-  end
-end

lib/common/version_compare.rb

@@ -11,8 +11,8 @@ class VersionCompare
   # @return [ Boolean ]
   def self.lesser_or_equal?(version1, version2)
     # Prepend a '0' if the version starts with a '.'
-    version1 = "0#{version1}" if version1 && version1[0,1] == '.'
-    version2 = "0#{version2}" if version2 && version2[0,1] == '.'
+    version1 = prepend_zero(version1)
+    version2 = prepend_zero(version2)
 
     return true if (version1 == version2)
     # Both versions must be set
@@ -27,4 +27,36 @@ class VersionCompare
     end
     return false
   end
+
+  # Compares two version strings. Returns true if version1 < version2
+  # and false otherwise
+  #
+  # @param [ String ] version1
+  # @param [ String ] version2
+  #
+  # @return [ Boolean ]
+  def self.lesser?(version1, version2)
+    # Prepend a '0' if the version starts with a '.'
+    version1 = prepend_zero(version1)
+    version2 = prepend_zero(version2)
+
+    return false if (version1 == version2)
+    # Both versions must be set
+    return false unless (version1 and version2)
+    return false if (version1.empty? or version2.empty?)
+    begin
+      return true if (Gem::Version.new(version1) < Gem::Version.new(version2))
+    rescue ArgumentError => e
+      # Example: ArgumentError: Malformed version number string a
+      return false if e.message =~ /Malformed version number string/
+      raise
+    end
+    return false
+  end
+
+  # @return [ String ]
+  def self.prepend_zero(version)
+    return nil if version.nil?
+    version[0,1] == '.' ? "0#{version}" : version
+  end
 end

lib/environment.rb

@@ -3,8 +3,9 @@
 require 'rubygems'
 
 version = RUBY_VERSION.dup
-if Gem::Version.create(version) < Gem::Version.create(1.9)
-  puts "Ruby >= 1.9 required to run wpscan (You have #{version})"
+
+if Gem::Version.create(version) < Gem::Version.create(MIN_RUBY_VERSION)
+  puts "Ruby >= #{MIN_RUBY_VERSION} required to run wpscan (You have #{version})"
   exit(1)
 end
 
@@ -29,9 +30,10 @@ begin
   require 'shellwords'
   require 'fileutils'
   require 'pathname'
+  require 'cgi'
   # Third party libs
   require 'typhoeus'
-  require 'json'
+  require 'yajl/json_gem'
   require 'nokogiri'
   require 'terminal-table'
   require 'ruby-progressbar'

lib/wpscan/web_site/robots_txt.rb

@@ -28,6 +28,7 @@ class WebSite
       if entries
         entries.flatten!
         entries.compact.sort!
+        entries.uniq!
         wordpress_path = @uri.path
         RobotsTxt.known_dirs.each do |d|
           entries.delete(d)

lib/wpscan/wp_target.rb

@@ -28,8 +28,13 @@ class WpTarget < WebSite
     @wp_content_dir = options[:wp_content_dir]
     @wp_plugins_dir = options[:wp_plugins_dir]
     @multisite      = nil
+    @vhost = options[:vhost]
 
     Browser.instance.referer = url
+    if @vhost
+      Browser.instance.vhost = @vhost
+    end
+
   end
 
   # check if the target website is
@@ -44,11 +49,7 @@ class WpTarget < WebSite
     fail "The target is responding with a 403, this might be due to a WAF or a plugin.\n" \
           'You should try to supply a valid user-agent via the --user-agent option or use the --random-agent option' if response.code == 403
 
-    if wp_content_dir
-      dir = wp_content_dir
-    else
-      dir = 'wp-content'
-    end
+    dir = wp_content_dir ? wp_content_dir : 'wp-content'
 
     if response.body =~ /["'][^"']*\/#{Regexp.escape(dir)}\/[^"']*["']/i
       wordpress = true
@@ -134,6 +135,11 @@ class WpTarget < WebSite
     @uri.merge("#{wp_content_dir}/uploads/").to_s
   end
 
+  # @return [ String ]
+  def includes_dir_url
+    @uri.merge("wp-includes/").to_s
+  end
+
   # Script for replacing strings in wordpress databases
   # reveals database credentials after hitting submit
   # http://interconnectit.com/124/search-and-replace-for-wordpress-databases/
@@ -152,4 +158,8 @@ class WpTarget < WebSite
   def upload_directory_listing_enabled?
     directory_listing_enabled?(upload_dir_url)
   end
+
+  def include_directory_listing_enabled?
+    directory_listing_enabled?(includes_dir_url)
+  end
 end

lib/wpscan/wp_target/wp_config_backup.rb

@@ -14,7 +14,7 @@ class WpTarget < WebSite
       queue_count = 0
 
       backups.each do |file|
-        file_url = @uri.merge(URI.escape(file)).to_s
+        file_url = @uri.merge(url_encode(file)).to_s
         request = browser.forge_request(file_url)
 
         request.on_complete do |response|
@@ -40,7 +40,7 @@ class WpTarget < WebSite
     # @return [ Array ]
     def self.config_backup_files
       %w{
-        wp-config.php~ #wp-config.php# wp-config.php.save .wp-config.php.swp wp-config.php.swp wp-config.php.swo 
+        wp-config.php~ #wp-config.php# wp-config.php.save .wp-config.php.swp wp-config.php.swp wp-config.php.swo
         wp-config.php_bak wp-config.bak wp-config.php.bak wp-config.save wp-config.old wp-config.php.old
         wp-config.php.orig wp-config.orig wp-config.php.original wp-config.original wp-config.txt
       } # thanks to Feross.org for these

lib/wpscan/wp_target/wp_full_path_disclosure.rb

@@ -2,24 +2,21 @@
 
 class WpTarget < WebSite
   module WpFullPathDisclosure
-
     # Check for Full Path Disclosure (FPD)
     #
     # @return [ Boolean ]
     def has_full_path_disclosure?
-      response = Browser.get(full_path_disclosure_url)
-      response.body[%r{Fatal error}i] ? true : false
+      Browser.get(full_path_disclosure_url).body[%r/Fatal error/i] ? true : false
     end
 
     def full_path_disclosure_data
       return nil unless has_full_path_disclosure?
-      Browser.get(full_path_disclosure_url).body[%r{<b>([^<]+\.php)</b>}, 1]
+      Browser.get(full_path_disclosure_url).body[/Fatal error:.+? in (.+?) on/i, 1]
     end
 
     # @return [ String ]
     def full_path_disclosure_url
       @uri.merge('wp-includes/rss-functions.php').to_s
     end
-
   end
 end

lib/wpscan/wp_target/wp_must_use_plugins.rb

@@ -2,14 +2,13 @@
 
 class WpTarget < WebSite
   module WpMustUsePlugins
-
     # Checks to see if the must use plugin folder exists
     #
     # @return [ Boolean ]
     def has_must_use_plugins?
       response = Browser.get(must_use_url)
 
-      if response && WpTarget.valid_response_codes.include?(response.code)
+      if response && [200, 401, 403].include?(response.code)
         hash = WebSite.page_hash(response)
         return true if hash != error_404_hash && hash != homepage_hash
       end
@@ -21,6 +20,5 @@ class WpTarget < WebSite
     def must_use_url
       @uri.merge("#{wp_content_dir}/mu-plugins/").to_s
     end
-
   end
 end

lib/wpscan/wpscan_helper.rb

@@ -62,7 +62,7 @@ def help
   puts
   puts 'Some values are settable in a config file, see the example.conf.json'
   puts
-  puts '--update                            Update to the database to the latest version.'
+  puts '--update                            Update the database to the latest version.'
   puts '--url       | -u <target url>       The WordPress URL/domain to scan.'
   puts '--force     | -f                    Forces WPScan to not check if the remote site is running WordPress.'
   puts '--enumerate | -e [option(s)]        Enumeration.'
@@ -105,6 +105,7 @@ def help
   puts '--request-timeout <request-timeout> Request Timeout.'
   puts '--connect-timeout <connect-timeout> Connect Timeout.'
   puts '--max-threads     <max-threads>     Maximum Threads.'
+  puts '--throttle        <milliseconds>    Milliseconds to wait before doing another web request. If used, the --threads should be set to 1.'
   puts '--help     | -h                     This help screen.'
   puts '--verbose  | -v                     Verbose output.'
   puts '--version                           Output the current version and exit.'
@@ -118,8 +119,14 @@ down                 = 0
 @total_requests_done = 0
 
 Typhoeus.on_complete do |response|
+  next if response.cached?
+
   down += 1 if response.code == 0
   @total_requests_done += 1
 
   fail 'The target seems to be down' if down >= 30
+
+  next unless Browser.instance.throttle > 0
+
+  sleep(Browser.instance.throttle)
 end

lib/wpscan/wpscan_options.rb

@@ -1,7 +1,6 @@
 # encoding: UTF-8
 
 class WpscanOptions
-
   ACCESSOR_OPTIONS = [
     :batch,
     :enumerate_plugins,
@@ -19,6 +18,7 @@ class WpscanOptions
     :proxy_auth,
     :threads,
     :url,
+    :vhost,
     :wordlist,
     :force,
     :update,
@@ -42,7 +42,8 @@ class WpscanOptions
     :request_timeout,
     :connect_timeout,
     :max_threads,
-    :no_banner
+    :no_banner,
+    :throttle
   ]
 
   attr_accessor *ACCESSOR_OPTIONS
@@ -61,6 +62,10 @@ class WpscanOptions
     @url = URI.parse(add_http_protocol(url)).to_s
   end
 
+  def vhost=(vhost)
+    @vhost = vhost
+  end
+
   def threads=(threads)
     @threads = threads.is_a?(Integer) ? threads : threads.to_i
   end
@@ -246,6 +251,7 @@ class WpscanOptions
   def self.get_opt_long
     GetoptLong.new(
       ['--url', '-u', GetoptLong::REQUIRED_ARGUMENT],
+      ['--vhost',GetoptLong::OPTIONAL_ARGUMENT],
       ['--enumerate', '-e', GetoptLong::OPTIONAL_ARGUMENT],
       ['--username', '-U', GetoptLong::REQUIRED_ARGUMENT],
       ['--usernames', GetoptLong::REQUIRED_ARGUMENT],
@@ -275,7 +281,8 @@ class WpscanOptions
       ['--no-color', GetoptLong::NO_ARGUMENT],
       ['--cookie', GetoptLong::REQUIRED_ARGUMENT],
       ['--log', GetoptLong::NO_ARGUMENT],
-      ['--no-banner', GetoptLong::NO_ARGUMENT]
+      ['--no-banner', GetoptLong::NO_ARGUMENT],
+      ['--throttle', GetoptLong::REQUIRED_ARGUMENT]
     )
   end
 

spec/lib/common/collections/wp_plugins_spec.rb

@@ -11,7 +11,7 @@ describe WpPlugins do
     let(:expected) do
       {
         request_params:                   { cache_ttl: 0, followlocation: true },
-        vulns_file:                       PLUGINS_VULNS_FILE,
+        vulns_file:                       PLUGINS_FILE,
         targets_items_from_file:          [ WpPlugin.new(uri, name: 'plugin1'),
                                             WpPlugin.new(uri, name:'plugin-2'),
                                             WpPlugin.new(uri, name: 'mr-smith')],

spec/lib/common/collections/wp_themes_spec.rb

@@ -13,7 +13,7 @@ describe WpThemes do
     let(:expected) do
       {
         request_params:                  { cache_ttl: 0, followlocation: true },
-        vulns_file:                      THEMES_VULNS_FILE,
+        vulns_file:                      THEMES_FILE,
         targets_items_from_file:         [ WpTheme.new(uri, name: '3colours'),
                                            WpTheme.new(uri, name:'42k'),
                                            WpTheme.new(uri, name: 'a-ri')],

spec/lib/common/collections/wp_timthumbs/detectable_spec.rb

@@ -26,10 +26,10 @@ describe 'WpTimthumbs::Detectable' do
 
   def expected_targets_from_theme(theme_name)
     expected = []
-    %w{
+    %w(
       timthumb.php lib/timthumb.php inc/timthumb.php includes/timthumb.php
       scripts/timthumb.php tools/timthumb.php functions/timthumb.php
-    }.each do |file|
+    ).each do |file|
       path = "$wp-content$/themes/#{theme_name}/#{file}"
       expected << WpTimthumb.new(uri, path: path)
     end
@@ -46,7 +46,7 @@ describe 'WpTimthumbs::Detectable' do
     after do
       targets = subject.send(:targets_items_from_file, file, wp_target)
 
-      expect(targets.map { |t| t.url }).to eq @expected.map { |t| t.url }
+      expect(targets.map(&:url)).to eq @expected.map(&:url)
     end
 
     context 'when an empty file' do
@@ -71,7 +71,7 @@ describe 'WpTimthumbs::Detectable' do
       theme   = 'hello-world'
       targets = subject.send(:theme_timthumbs, theme, wp_target)
 
-      expect(targets.map { |t| t.url }).to eq expected_targets_from_theme(theme).map { |t| t.url }
+      expect(targets.map(&:url)).to eq expected_targets_from_theme(theme).map(&:url)
     end
   end
 
@@ -81,7 +81,7 @@ describe 'WpTimthumbs::Detectable' do
     after do
       targets = subject.send(:targets_items, wp_target, options)
 
-      expect(targets.map { |t| t.url }).to eq @expected.sort.map { |t| t.url }
+      expect(targets.map(&:url)).to match_array(@expected.map(&:url))
     end
 
     context 'when no :theme_name' do
@@ -101,7 +101,7 @@ describe 'WpTimthumbs::Detectable' do
     end
 
     context 'when :theme_name' do
-      let(:theme)   { 'theme-name'}
+      let(:theme) { 'theme-name' }
 
       context 'when no :file' do
         let(:options) { { theme_name: theme } }

spec/lib/common/models/wp_item_spec.rb

@@ -11,11 +11,11 @@ describe WpItem do
   end
   it_behaves_like 'WpItem::Versionable'
   it_behaves_like 'WpItem::Vulnerable' do
-    let(:vulns_file)     { MODELS_FIXTURES + '/wp_item/vulnerable/items_vulns.json' }
+    let(:db_file)       { MODELS_FIXTURES + '/wp_item/vulnerable/items_vulns.json' }
     let(:identifier)    { 'neo' }
     let(:expected_refs)  { {
         'id'  => [2993],
-        'url' => ['Ref 1,Ref 2'],
+        'url' => ['Ref 1', 'Ref 2'],
         'cve' => ['2011-001'],
         'secunia' => ['secunia'],
         'osvdb' => ['osvdb'],
@@ -105,11 +105,6 @@ describe WpItem do
         @expected = 'plugins/readme.txt'
       end
     end
-
-    it 'also encodes chars' do
-      @path     = 'some dir with spaces'
-      @expected = 'some%20dir%20with%20spaces'
-    end
   end
 
   describe '#uri' do

spec/lib/common/models/wp_plugin_spec.rb

@@ -5,11 +5,11 @@ require 'spec_helper'
 describe WpPlugin do
   it_behaves_like 'WpPlugin::Vulnerable'
   it_behaves_like 'WpItem::Vulnerable' do
-    let(:options)        { { name: 'white-rabbit' } }
-    let(:vulns_file)     { MODELS_FIXTURES + '/wp_plugin/vulnerable/plugins_vulns.json' }
+    let(:options) { { name: 'white-rabbit' } }
+    let(:db_file) { MODELS_FIXTURES + '/wp_plugin/vulnerable/plugins.json' }
     let(:expected_refs)  { {
         'id'  => [2993],
-        'url' => ['Ref 1,Ref 2'],
+        'url' => ['Ref 1', 'Ref 2'],
         'cve' => ['2011-001'],
         'secunia' => ['secunia'],
         'osvdb' => ['osvdb'],

spec/lib/common/models/wp_theme_spec.rb

@@ -7,10 +7,10 @@ describe WpTheme do
   it_behaves_like 'WpTheme::Vulnerable'
   it_behaves_like 'WpItem::Vulnerable' do
     let(:options)        { { name: 'the-oracle' } }
-    let(:vulns_file)     { MODELS_FIXTURES + '/wp_theme/vulnerable/themes_vulns.json' }
+    let(:db_file)     { MODELS_FIXTURES + '/wp_theme/vulnerable/themes_vulns.json' }
     let(:expected_refs)  { {
         'id' => [2993],
-        'url' => ['Ref 1,Ref 2'],
+        'url' => ['Ref 1', 'Ref 2'],
         'cve' => ['2011-001'],
         'secunia' => ['secunia'],
         'osvdb' => ['osvdb'],

spec/lib/common/models/wp_version/findable_spec.rb

@@ -65,6 +65,11 @@ describe 'WpVersion::Findable' do
           @fixture  = '/3.5_minified.html'
           @expected = '3.5'
         end
+
+        it 'returns 3.5.1' do
+          @fixture  = '/3.5.1_mobile.html'
+          @expected = '3.5.1'
+        end
       end
 
     end

spec/lib/common/models/wp_version_spec.rb

@@ -4,20 +4,6 @@ require 'spec_helper'
 
 describe WpVersion do
   it_behaves_like 'WpVersion::Vulnerable'
-  it_behaves_like 'WpItem::Vulnerable' do
-    let(:options)        { { number: '3.2' } }
-    let(:vulns_file)     { MODELS_FIXTURES + '/wp_version/vulnerable/versions_vulns.json' }
-    let(:expected_refs)  { {
-        'id' => [2993],
-        'url' => ['Ref 1,Ref 2'],
-        'cve' => ['2011-001'],
-        'secunia' => ['secunia'],
-        'osvdb' => ['osvdb'],
-        'metasploit' => ['exploit/ex1'],
-        'exploitdb' => ['exploitdb']
-    } }
-    let(:expected_vulns) { Vulnerabilities.new << Vulnerability.new('Here I Am', 'SQLI', expected_refs) }
-  end
 
   subject(:wp_version) { WpVersion.new(uri, options) }
   let(:uri)            { URI.parse('http://example.com/') }

spec/lib/common/version_compare_spec.rb

@@ -121,4 +121,122 @@ describe 'VersionCompare' do
     end
 
   end
+
+  describe '::lesser?' do
+    context 'version checked is newer' do
+      after { expect(VersionCompare::lesser?(@version1, @version2)).to be_truthy }
+
+      it 'returns true' do
+        @version1 = '1.0'
+        @version2 = '2.0'
+      end
+
+      it 'returns true' do
+        @version1 = '1.0'
+        @version2 = '1.1'
+      end
+
+      it 'returns true' do
+        @version1 = '1.0a'
+        @version2 = '1.0b'
+      end
+
+      it 'returns true' do
+        @version1 = '1.0'
+        @version2 = '5000000'
+      end
+
+      it 'returns true' do
+        @version1 = '0'
+        @version2 = '1'
+      end
+
+      it 'returns true' do
+        @version1 = '0.4.2b'
+        @version2 = '2.3.3'
+      end
+
+      it 'returns true' do
+        @version1 = '.47'
+        @version2 = '.50.3'
+      end
+    end
+
+    context 'version checked is older' do
+      after { expect(VersionCompare::lesser?(@version1, @version2)).to be_falsey }
+
+      it 'returns false' do
+        @version1 = '1'
+        @version2 = '0'
+      end
+
+      it 'returns false' do
+        @version1 = '1.0'
+        @version2 = '0.5'
+      end
+
+      it 'returns false' do
+        @version1 = '500000'
+        @version2 = '1'
+      end
+
+      it 'returns false' do
+        @version1 = '1.6.3.7.3.4'
+        @version2 = '1.2.4.567.679.8.e'
+      end
+
+      it 'returns false' do
+        @version1 = '.47'
+        @version2 = '.46.3'
+      end
+    end
+
+    context 'version checked is the same' do
+      after { expect(VersionCompare::lesser?(@version1, @version2)).to be_falsey }
+
+      it 'returns true' do
+        @version1 = '1'
+        @version2 = '1'
+      end
+
+      it 'returns true' do
+        @version1 = 'a'
+        @version2 = 'a'
+      end
+
+    end
+
+    context 'version number causes Gem::Version new Exception' do
+      after { expect(VersionCompare::lesser?(@version1, @version2)).to be_falsey }
+
+      it 'returns false' do
+        @version1 = 'a'
+        @version2 = 'b'
+      end
+    end
+
+    context 'one version number is not set' do
+      after { expect(VersionCompare::lesser?(@version1, @version2)).to be_falsey }
+
+      it 'returns false (version2 nil)' do
+        @version1 = '1'
+        @version2 = nil
+      end
+
+      it 'returns false (version1 nil)' do
+        @version1 = nil
+        @version2 = '1'
+      end
+
+      it 'returns false (version2 empty)' do
+        @version1 = '1'
+        @version2 = ''
+      end
+
+      it 'returns false (version1 empty)' do
+        @version1 = ''
+        @version2 = '1'
+      end
+    end
+  end
 end

spec/samples/common/collections/wp_items/detectable/vulns.json

@@ -1,58 +1,64 @@
-[
-   {
-      "mr-smith":{
-         "vulnerabilities":[
-            {
-               "id":2989,
-               "title":"Administrator-exploitable blind SQLi in WordPress 1.0 - 3.8.1",
-               "references":"https://security.dxw.com/advisories/sqli-in-wordpress-3-6-1/,http://www.example.com",
-               "created_at":"2014-07-28T12:10:07.000Z",
-               "updated_at":"2014-07-28T12:43:41.000Z"
+{
+   "mr-smith": {
+      "vulnerabilities":[
+         {
+            "id":2989,
+            "title":"Administrator-exploitable blind SQLi in WordPress 1.0 - 3.8.1",
+            "references": {
+               "url": "https://security.dxw.com/advisories/sqli-in-wordpress-3-6-1/,http://www.example.com"
             },
-            {
-               "id":2990,
-               "title":"Potential Authentication Cookie Forgery",
-               "references":"https://labs.mwrinfosecurity.com/blog/2014/04/11/wordpress-auth-cookie-forgery/,https://github.com/WordPress/WordPress/commit/78a915e0e5927cf413aa6c2cef2fca3dc587f8be",
+            "created_at":"2014-07-28T12:10:07.000Z",
+            "updated_at":"2014-07-28T12:43:41.000Z"
+         },
+         {
+            "id":2990,
+            "title":"Potential Authentication Cookie Forgery",
+            "references": {
+               "url": "https://labs.mwrinfosecurity.com/blog/2014/04/11/wordpress-auth-cookie-forgery/,https://github.com/WordPress/WordPress/commit/78a915e0e5927cf413aa6c2cef2fca3dc587f8be",
                "osvdb":"105620",
-               "cve":"2014-0166",
-               "created_at":"2014-07-28T12:10:07.000Z",
-               "updated_at":"2014-07-28T12:10:07.000Z",
-               "fixed_in":"3.8.2"
+               "cve":"2014-0166"
             },
-            {
-               "id":2991,
-               "title":"Privilege escalation: contributors publishing posts",
-               "references":"https://github.com/wpscanteam/wpscan/wiki/CVE-2014-0165",
+            "created_at":"2014-07-28T12:10:07.000Z",
+            "updated_at":"2014-07-28T12:10:07.000Z",
+            "fixed_in":"3.8.2"
+         },
+         {
+            "id":2991,
+            "title":"Privilege escalation: contributors publishing posts",
+            "references": {
+               "url": "https://github.com/wpscanteam/wpscan/wiki/CVE-2014-0165",
                "osvdb":"105630",
-               "cve":"2014-0165",
-               "created_at":"2014-07-28T12:10:07.000Z",
-               "updated_at":"2014-07-28T12:10:07.000Z",
-               "fixed_in":"3.8.2"
+               "cve":"2014-0165"
             },
-            {
-               "id":2992,
-               "title":"Plupload Unspecified XSS",
+            "created_at":"2014-07-28T12:10:07.000Z",
+            "updated_at":"2014-07-28T12:10:07.000Z",
+            "fixed_in":"3.8.2"
+         },
+         {
+            "id":2992,
+            "title":"Plupload Unspecified XSS",
+            "references": {
                "osvdb":"105622",
-               "secunia":"57769",
-               "created_at":"2014-07-28T12:10:07.000Z",
-               "updated_at":"2014-07-28T12:10:07.000Z",
-               "fixed_in":"3.8.2"
-            }
-         ]
-      }
+               "secunia":"57769"
+            },
+            "created_at":"2014-07-28T12:10:07.000Z",
+            "updated_at":"2014-07-28T12:10:07.000Z",
+            "fixed_in":"3.8.2"
+         }
+      ]
    },
-   {
-      "neo":{
-         "vulnerabilities":[
-            {
-               "id":2993,
-               "title":"wp-admin/options-writing.php Cleartext Admin Credentials Disclosure",
-               "references":"http://seclists.org/fulldisclosure/2013/Dec/135",
-               "osvdb":"101101",
-               "created_at":"2014-07-28T12:10:07.000Z",
-               "updated_at":"2014-07-28T12:10:07.000Z"
-            }
-         ]
-      }
+   "neo": {
+      "vulnerabilities":[
+         {
+            "id":2993,
+            "title":"wp-admin/options-writing.php Cleartext Admin Credentials Disclosure",
+            "references": {
+               "url": "http://seclists.org/fulldisclosure/2013/Dec/135",
+               "osvdb":"101101"
+             },
+            "created_at":"2014-07-28T12:10:07.000Z",
+            "updated_at":"2014-07-28T12:10:07.000Z"
+         }
+      ]
    }
-]
+}

spec/samples/common/collections/wp_plugins/detectable/vulns.json

@@ -1,58 +1,64 @@
-[
-   {
-      "mr-smith":{
-         "vulnerabilities":[
-            {
-               "id":2989,
-               "title":"Administrator-exploitable blind SQLi in WordPress 1.0 - 3.8.1",
-               "references":"https://security.dxw.com/advisories/sqli-in-wordpress-3-6-1/,http://www.example.com",
-               "created_at":"2014-07-28T12:10:07.000Z",
-               "updated_at":"2014-07-28T12:43:41.000Z"
+{
+   "mr-smith": {
+      "vulnerabilities":[
+         {
+            "id":2989,
+            "title":"Administrator-exploitable blind SQLi in WordPress 1.0 - 3.8.1",
+            "references": {
+              "url": "https://security.dxw.com/advisories/sqli-in-wordpress-3-6-1/,http://www.example.com"
             },
-            {
-               "id":2990,
-               "title":"Potential Authentication Cookie Forgery",
-               "references":"https://labs.mwrinfosecurity.com/blog/2014/04/11/wordpress-auth-cookie-forgery/,https://github.com/WordPress/WordPress/commit/78a915e0e5927cf413aa6c2cef2fca3dc587f8be",
-               "osvdb":"105620",
-               "cve":"2014-0166",
-               "created_at":"2014-07-28T12:10:07.000Z",
-               "updated_at":"2014-07-28T12:10:07.000Z",
-               "fixed_in":"3.8.2"
+            "created_at":"2014-07-28T12:10:07.000Z",
+            "updated_at":"2014-07-28T12:43:41.000Z"
+         },
+         {
+            "id":2990,
+            "title":"Potential Authentication Cookie Forgery",
+            "references": {
+              "url": "https://labs.mwrinfosecurity.com/blog/2014/04/11/wordpress-auth-cookie-forgery/,https://github.com/WordPress/WordPress/commit/78a915e0e5927cf413aa6c2cef2fca3dc587f8be"
             },
-            {
-               "id":2991,
-               "title":"Privilege escalation: contributors publishing posts",
-               "references":"https://github.com/wpscanteam/wpscan/wiki/CVE-2014-0165",
+            "osvdb":"105620",
+            "cve":"2014-0166",
+            "created_at":"2014-07-28T12:10:07.000Z",
+            "updated_at":"2014-07-28T12:10:07.000Z",
+            "fixed_in":"3.8.2"
+         },
+         {
+            "id":2991,
+            "title":"Privilege escalation: contributors publishing posts",
+            "references": {
+               "url": "https://github.com/wpscanteam/wpscan/wiki/CVE-2014-0165",
                "osvdb":"105630",
-               "cve":"2014-0165",
-               "created_at":"2014-07-28T12:10:07.000Z",
-               "updated_at":"2014-07-28T12:10:07.000Z",
-               "fixed_in":"3.8.2"
+               "cve":"2014-0165"
             },
-            {
-               "id":2992,
-               "title":"Plupload Unspecified XSS",
+            "created_at":"2014-07-28T12:10:07.000Z",
+            "updated_at":"2014-07-28T12:10:07.000Z",
+            "fixed_in":"3.8.2"
+         },
+         {
+            "id":2992,
+            "title":"Plupload Unspecified XSS",
+            "references": {
                "osvdb":"105622",
-               "secunia":"57769",
-               "created_at":"2014-07-28T12:10:07.000Z",
-               "updated_at":"2014-07-28T12:10:07.000Z",
-               "fixed_in":"3.8.2"
-            }
-         ]
-      }
+               "secunia":"57769"
+             },
+            "created_at":"2014-07-28T12:10:07.000Z",
+            "updated_at":"2014-07-28T12:10:07.000Z",
+            "fixed_in":"3.8.2"
+         }
+      ]
    },
-   {
-      "neo":{
-         "vulnerabilities":[
-            {
-               "id":2993,
-               "title":"wp-admin/options-writing.php Cleartext Admin Credentials Disclosure",
-               "references":"http://seclists.org/fulldisclosure/2013/Dec/135",
-               "osvdb":"101101",
-               "created_at":"2014-07-28T12:10:07.000Z",
-               "updated_at":"2014-07-28T12:10:07.000Z"
-            }
-         ]
-      }
+   "neo": {
+      "vulnerabilities":[
+         {
+            "id":2993,
+            "title":"wp-admin/options-writing.php Cleartext Admin Credentials Disclosure",
+            "references": {
+               "url": "http://seclists.org/fulldisclosure/2013/Dec/135",
+                "osvdb":"101101"
+            },
+            "created_at":"2014-07-28T12:10:07.000Z",
+            "updated_at":"2014-07-28T12:10:07.000Z"
+         }
+      ]
    }
-]
+}

spec/samples/common/collections/wp_themes/detectable/vulns.json

@@ -1,58 +1,65 @@
-[
-   {
-      "shopperpress":{
-         "vulnerabilities":[
-            {
-               "id":2989,
-               "title":"Administrator-exploitable blind SQLi in WordPress 1.0 - 3.8.1",
-               "references":"https://security.dxw.com/advisories/sqli-in-wordpress-3-6-1/,http://www.example.com",
-               "created_at":"2014-07-28T12:10:07.000Z",
-               "updated_at":"2014-07-28T12:43:41.000Z"
+{
+   "shopperpress": {
+      "vulnerabilities":[
+         {
+            "id":2989,
+            "title":"Administrator-exploitable blind SQLi in WordPress 1.0 - 3.8.1",
+            "references": {
+              "url": "https://security.dxw.com/advisories/sqli-in-wordpress-3-6-1/,http://www.example.com"
             },
-            {
-               "id":2990,
-               "title":"Potential Authentication Cookie Forgery",
-               "references":"https://labs.mwrinfosecurity.com/blog/2014/04/11/wordpress-auth-cookie-forgery/,https://github.com/WordPress/WordPress/commit/78a915e0e5927cf413aa6c2cef2fca3dc587f8be",
-               "osvdb":"105620",
-               "cve":"2014-0166",
-               "created_at":"2014-07-28T12:10:07.000Z",
-               "updated_at":"2014-07-28T12:10:07.000Z",
-               "fixed_in":"3.8.2"
+            "created_at":"2014-07-28T12:10:07.000Z",
+            "updated_at":"2014-07-28T12:43:41.000Z"
+         },
+         {
+            "id":2990,
+            "title":"Potential Authentication Cookie Forgery",
+            "references": {
+               "url": "https://labs.mwrinfosecurity.com/blog/2014/04/11/wordpress-auth-cookie-forgery/,https://github.com/WordPress/WordPress/commit/78a915e0e5927cf413aa6c2cef2fca3dc587f8be",
+                "osvdb":"105620",
+                "cve":"2014-0166"
             },
-            {
-               "id":2991,
-               "title":"Privilege escalation: contributors publishing posts",
-               "references":"https://github.com/wpscanteam/wpscan/wiki/CVE-2014-0165",
-               "osvdb":"105630",
-               "cve":"2014-0165",
-               "created_at":"2014-07-28T12:10:07.000Z",
-               "updated_at":"2014-07-28T12:10:07.000Z",
-               "fixed_in":"3.8.2"
+            "created_at":"2014-07-28T12:10:07.000Z",
+            "updated_at":"2014-07-28T12:10:07.000Z",
+            "fixed_in":"3.8.2"
+         },
+         {
+            "id":2991,
+            "title":"Privilege escalation: contributors publishing posts",
+            "references": {
+               "url": "https://github.com/wpscanteam/wpscan/wiki/CVE-2014-0165",
+                "osvdb":"105630",
+                "cve":"2014-0165"
             },
-            {
-               "id":2992,
-               "title":"Plupload Unspecified XSS",
+            "created_at":"2014-07-28T12:10:07.000Z",
+            "updated_at":"2014-07-28T12:10:07.000Z",
+            "fixed_in":"3.8.2"
+         },
+         {
+            "id":2992,
+            "title":"Plupload Unspecified XSS",
+            "references": {
                "osvdb":"105622",
-               "secunia":"57769",
-               "created_at":"2014-07-28T12:10:07.000Z",
-               "updated_at":"2014-07-28T12:10:07.000Z",
-               "fixed_in":"3.8.2"
-            }
-         ]
-      }
+               "secunia":"57769"
+             },
+            "created_at":"2014-07-28T12:10:07.000Z",
+            "updated_at":"2014-07-28T12:10:07.000Z",
+            "fixed_in":"3.8.2"
+         }
+      ]
    },
-   {
-      "webfolio":{
-         "vulnerabilities":[
-            {
-               "id":2993,
-               "title":"wp-admin/options-writing.php Cleartext Admin Credentials Disclosure",
-               "references":"http://seclists.org/fulldisclosure/2013/Dec/135",
-               "osvdb":"101101",
-               "created_at":"2014-07-28T12:10:07.000Z",
-               "updated_at":"2014-07-28T12:10:07.000Z"
-            }
-         ]
-      }
+   "webfolio": {
+      "vulnerabilities":[
+         {
+            "id":2993,
+            "title":"wp-admin/options-writing.php Cleartext Admin Credentials Disclosure",
+            "references": {
+               "url": "http://seclists.org/fulldisclosure/2013/Dec/135",
+               "osvdb":"101101"
+            },
+            "created_at":"2014-07-28T12:10:07.000Z",
+            "updated_at":"2014-07-28T12:10:07.000Z"
+         }
+      ]
    }
-]
+}
+

spec/samples/common/models/vulnerability/json_item.json

@@ -1,12 +1,14 @@
 {
    "id": "3911",
    "title": "Vuln Title",
-   "url": "Ref 1,Ref 2",
-   "secunia": "secunia",
-   "osvdb": "osvdb",
-   "cve": "2011-001",
-   "metasploit": "exploit/ex1",
-   "exploitdb": "exploitdb",
+   "references":{
+      "url": "Ref 1,Ref 2",
+      "secunia": "secunia",
+      "osvdb": "osvdb",
+      "cve": "2011-001",
+      "metasploit": "exploit/ex1",
+      "exploitdb": "exploitdb"
+   },
    "created_at": "2014-07-28T12:10:45.000Z",
    "updated_at": "2014-07-28T12:10:45.000Z",
    "type": "CSRF",

spec/samples/common/models/wp_item/vulnerable/items_vulns.json

@@ -1,35 +1,35 @@
-[
-   {
-      "not-this-one":{
-         "vulnerabilities":[
-            {
-               "id":2989,
-               "title":"Administrator-exploitable blind SQLi in WordPress 1.0 - 3.8.1",
-               "url":"https://security.dxw.com/advisories/sqli-in-wordpress-3-6-1/,http://www.example.com",
-               "created_at":"2014-07-28T12:10:07.000Z",
-               "updated_at":"2014-07-28T12:43:41.000Z"
-            }
-         ]
-      }
+{
+   "not-this-one": {
+      "vulnerabilities":[
+         {
+            "id":2989,
+            "title":"Administrator-exploitable blind SQLi in WordPress 1.0 - 3.8.1",
+            "references": {
+              "url": ["https://security.dxw.com/advisories/sqli-in-wordpress-3-6-1/" ,"http://www.example.com"]
+            },
+            "created_at":"2014-07-28T12:10:07.000Z",
+            "updated_at":"2014-07-28T12:43:41.000Z"
+         }
+      ]
    },
-   {
-      "neo":{
-         "vulnerabilities":[
-            {
-               "id":2993,
-               "title":"I'm the one",
-               "url":"Ref 1,Ref 2",
-               "osvdb":"osvdb",
-               "cve":"2011-001",
-               "secunia":"secunia",
-               "metasploit":"exploit/ex1",
-               "exploitdb":"exploitdb",
-               "type":"XSS",
-               "fixed_in":"",
-               "created_at":"2014-07-28T12:10:07.000Z",
-               "updated_at":"2014-07-28T12:10:07.000Z"
-            }
-         ]
-      }
+   "neo": {
+      "vulnerabilities":[
+         {
+            "id":2993,
+            "title":"I'm the one",
+            "references": {
+               "url": ["Ref 1", "Ref 2"],
+               "osvdb": ["osvdb"],
+               "cve": ["2011-001"],
+               "secunia": ["secunia"],
+               "metasploit": ["exploit/ex1"],
+               "exploitdb": ["exploitdb"]
+            },
+            "type":"XSS",
+            "fixed_in":"",
+            "created_at":"2014-07-28T12:10:07.000Z",
+            "updated_at":"2014-07-28T12:10:07.000Z"
+         }
+      ]
    }
-]
+}

spec/samples/common/models/wp_plugin/vulnerable/plugins.json

@@ -0,0 +1,58 @@
+{
+    "mr-smith": {
+      "vulnerabilities":[
+         {
+            "id":2993,
+            "title":"I should not appear in the results",
+            "references": {
+               "url": ["Ref 1","Ref 2"],
+               "osvdb": ["osvdb"],
+               "cve": ["2011-001"],
+               "secunia": ["secunia"],
+               "metasploit": ["exploit/ex1"],
+               "exploitdb": ["exploitdb"]
+            },
+            "type":"XSS",
+            "fixed_in":"",
+            "created_at":"2014-07-28T12:10:07.000Z",
+            "updated_at":"2014-07-28T12:10:07.000Z"
+         },
+         {
+            "id":2989,
+            "title":"Neither do I",
+            "references": {
+               "url": ["Ref 1" ,"Ref 2"],
+               "osvdb": ["osvdb"],
+               "cve": ["2011-001"],
+               "secunia": ["secunia"],
+               "metasploit": ["exploit/ex1"],
+               "exploitdb": ["exploitdb"]
+            },
+            "type":"XSS",
+            "fixed_in":"",
+            "created_at":"2014-07-28T12:10:07.000Z",
+            "updated_at":"2014-07-28T12:10:07.000Z"
+         }
+         ]
+      },
+        "white-rabbit": {
+           "vulnerabilities": [
+        {
+           "id":2993,
+           "title":"Follow me!",
+           "references": {
+             "url": ["Ref 1", "Ref 2"],
+             "osvdb": ["osvdb"],
+             "cve": ["2011-001"],
+             "secunia": ["secunia"],
+             "metasploit": ["exploit/ex1"],
+             "exploitdb": ["exploitdb"]
+           },
+           "type":"REDIRECT",
+           "fixed_in":"",
+           "created_at":"2014-07-28T12:10:07.000Z",
+           "updated_at":"2014-07-28T12:10:07.000Z"
+        }
+     ]
+  }
+}

spec/samples/common/models/wp_plugin/vulnerable/plugins_vulns.json

@@ -1,56 +0,0 @@
-[
-   {
-      "mr-smith":{
-         "vulnerabilities":[
-            {
-               "id":2989,
-               "title":"I should not appear in the results",
-               "url":"Ref 1,Ref 2",
-               "osvdb":"osvdb",
-               "cve":"2011-001",
-               "secunia":"secunia",
-               "metasploit":"exploit/ex1",
-               "exploitdb":"exploitdb",
-               "type":"XSS",
-               "fixed_in":"",
-               "created_at":"2014-07-28T12:10:07.000Z",
-               "updated_at":"2014-07-28T12:10:07.000Z"
-            },
-            {
-               "id":2989,
-               "title":"Neither do I",
-               "url":"Ref 1,Ref 2",
-               "osvdb":"osvdb",
-               "cve":"2011-001",
-               "secunia":"secunia",
-               "metasploit":"exploit/ex1",
-               "exploitdb":"exploitdb",
-               "type":"XSS",
-               "fixed_in":"",
-               "created_at":"2014-07-28T12:10:07.000Z",
-               "updated_at":"2014-07-28T12:10:07.000Z"
-            }
-         ]
-      }
-   },
-   {
-      "white-rabbit":{
-         "vulnerabilities":[
-            {
-               "id":2993,
-               "title":"Follow me!",
-               "url":"Ref 1,Ref 2",
-               "osvdb":"osvdb",
-               "cve":"2011-001",
-               "secunia":"secunia",
-               "metasploit":"exploit/ex1",
-               "exploitdb":"exploitdb",
-               "type":"REDIRECT",
-               "fixed_in":"",
-               "created_at":"2014-07-28T12:10:07.000Z",
-               "updated_at":"2014-07-28T12:10:07.000Z"
-            }
-         ]
-      }
-   }
-]

spec/samples/common/models/wp_theme/vulnerable/themes_vulns.json

@@ -1,56 +1,59 @@
-[
-   {
-      "mr-smith":{
-         "vulnerabilities":[
-            {
-               "id":2989,
-               "title":"I should not appear in the results",
-               "url":"Ref 1,Ref 2",
-               "osvdb":"osvdb",
-               "cve":"2011-001",
-               "secunia":"secunia",
-               "metasploit":"exploit/ex1",
-               "exploitdb":"exploitdb",
-               "type":"XSS",
-               "fixed_in":"",
-               "created_at":"2014-07-28T12:10:07.000Z",
-               "updated_at":"2014-07-28T12:10:07.000Z"
+{
+   "mr-smith": {
+      "vulnerabilities":[
+         {
+            "id":2989,
+            "title":"I should not appear in the results",
+            "references": {
+               "url": ["Ref 1", "Ref 2"],
+               "osvdb": ["osvdb"],
+               "cve": ["2011-001"],
+               "secunia": ["secunia"],
+               "metasploit": ["exploit/ex1"],
+               "exploitdb": ["exploitdb"]
             },
-            {
-               "id":2989,
-               "title":"Neither do I",
-               "url":"Ref 1,Ref 2",
-               "osvdb":"osvdb",
-               "cve":"2011-001",
-               "secunia":"secunia",
-               "metasploit":"exploit/ex1",
-               "exploitdb":"exploitdb",
-               "type":"XSS",
-               "fixed_in":"",
-               "created_at":"2014-07-28T12:10:07.000Z",
-               "updated_at":"2014-07-28T12:10:07.000Z"
-            }
+            "type":"XSS",
+            "fixed_in":"",
+            "created_at":"2014-07-28T12:10:07.000Z",
+            "updated_at":"2014-07-28T12:10:07.000Z"
+         },
+         {
+            "id":2989,
+            "title":"Neither do I",
+            "references": {
+               "url": ["Ref 1", "Ref 2"],
+               "osvdb": ["osvdb"],
+               "cve": ["2011-001"],
+               "secunia": ["secunia"],
+               "metasploit": ["exploit/ex1"],
+               "exploitdb": ["exploitdb"]
+            },
+            "type":"XSS",
+            "fixed_in":"",
+            "created_at":"2014-07-28T12:10:07.000Z",
+            "updated_at":"2014-07-28T12:10:07.000Z"
+         }
          ]
-      }
-   },
-   {
-      "the-oracle":{
+      },
+      "the-oracle": {
          "vulnerabilities":[
             {
                "id":2993,
                "title":"I see you",
-               "url":"Ref 1,Ref 2",
-               "osvdb":"osvdb",
-               "cve":"2011-001",
-               "secunia":"secunia",
-               "metasploit":"exploit/ex1",
-               "exploitdb":"exploitdb",
+               "references": {
+                  "url": ["Ref 1", "Ref 2"],
+                  "osvdb": ["osvdb"],
+                  "cve": ["2011-001"],
+                  "secunia": ["secunia"],
+                  "metasploit": ["exploit/ex1"],
+                  "exploitdb": ["exploitdb"]
+               },
                "type":"FPD",
                "fixed_in":"",
                "created_at":"2014-07-28T12:10:07.000Z",
                "updated_at":"2014-07-28T12:10:07.000Z"
             }
          ]
-      }
    }
-]
+}
+

spec/samples/common/models/wp_version/findable/meta_generator/3.5.1_mobile.html

@@ -0,0 +1,67 @@
+<!DOCTYPE html>
+<html lang="en-US" prefix="og: http://ogp.me/ns#">
+<head>
+
+<meta charset="UTF-8" />
+
+<title>Test</title>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+<link rel="stylesheet" type="text/css" href="http://example.com/wp-content/themes/scrollider child/style.css" media="screen" />
+<link rel="stylesheet" type="text/css" media="print"
+href="http://example.com/wp-content/themes/scrollider child/print.css" />
+<link rel="pingback" href="http://example.com/xmlrpc.php" />
+
+<!-- This site is optimized with the Yoast WordPress SEO plugin v1.6.1 - https://yoast.com/wordpress/plugins/seo/ -->
+<link rel="canonical" href="http://example.com" />
+<link rel="next" href="http://example.com/page/2/" />
+<meta property="og:locale" content="en_US" />
+<meta property="og:type" content="website" />
+<meta property="og:title" content="Test" />
+<meta property="og:url" content="http://example.com" />
+<meta property="og:site_name" content="Test" />
+<script type="application/ld+json">{ "@context": "http://schema.org", "@type": "WebSite", "url": "http://example.com/", "potentialAction": { "@type": "SearchAction", "target": "http://example.com/?s={search_term}", "query-input": "required name=search_term" } }</script>
+<!-- / Yoast WordPress SEO plugin. -->
+
+<link rel="alternate" type="application/rss+xml" title="Test" href="http://www.example.com/feed" />
+<link rel="alternate" type="application/rss+xml" title="Test" href="http://example.com/comments/feed/" />
+<link rel='stylesheet' id='colorbox-theme3-css'  href='http://example.com/wp-content/plugins/ewsel-lightbox-for-galleries/colorbox/theme3/colorbox.css?ver=1.3.14' type='text/css' media='screen' />
+<link rel='stylesheet' id='woo-layout-css'  href='http://example.com/wp-content/themes/scrollider/css/layout.css?ver=3.5.1' type='text/css' media='all' />
+<link rel='stylesheet' id='woocommerce-css'  href='http://example.com/wp-content/themes/scrollider/css/woocommerce.css?ver=3.5.1' type='text/css' media='all' />
+<link rel='stylesheet' id='contact-form-7-css'  href='http://example.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=3.4.2' type='text/css' media='all' />
+<link rel='stylesheet' id='videogallery_css-css'  href='http://example.com/wp-content/plugins/contus-video-gallery/css/style.min.css?ver=3.5.1' type='text/css' media='all' />
+<link rel='stylesheet' id='SFSImainCss-css'  href='http://example.com/wp-content/plugins/ultimate-social-media-icons/css/sfsi-style.css?ver=3.5.1' type='text/css' media='all' />
+<link rel='stylesheet' id='SFSIJqueryCSS-css'  href='http://example.com/wp-content/plugins/ultimate-social-media-icons/css/jquery-ui-1.10.4/jquery-ui-min.css?ver=3.5.1' type='text/css' media='all' />
+<link rel='stylesheet' id='prettyPhoto-css'  href='http://example.com/wp-content/themes/scrollider/includes/css/prettyPhoto.css?ver=3.5.1' type='text/css' media='all' />
+<script type='text/javascript' src='http://example.com/wp-includes/js/jquery/jquery.js?ver=1.8.3'></script>
+<script type='text/javascript' src='http://example.com/wp-content/plugins/ewsel-lightbox-for-galleries/colorbox/jquery.colorbox-min.js?ver=1.3.14'></script>
+<script type='text/javascript' src='http://example.com/wp-content/plugins/contus-video-gallery/js/script.min.js?ver=3.5.1'></script>
+<script type='text/javascript'>
+/* <![CDATA[ */
+var ajax_object = {"ajax_url":"http:\/\/example.com\/wp-admin\/admin-ajax.php"};
+/* ]]> */
+</script>
+<script type='text/javascript' src='http://example.com/wp-content/plugins/ultimate-social-media-icons/js/custom.js?ver=3.5.1'></script>
+<script type='text/javascript' src='http://example.com/wp-content/themes/scrollider/includes/js/third-party.js?ver=3.5.1'></script>
+<script type='text/javascript' src='http://example.com/wp-content/themes/scrollider/includes/js/general.js?ver=3.5.1'></script>
+<script type='text/javascript'>
+/* <![CDATA[ */
+var woo_masonry_data = {"numberOfColumns":"3"};
+/* ]]> */
+</script>
+<script type='text/javascript' src='http://example.com/wp-content/themes/scrollider/includes/js/jquery.masonry.min.js?ver=3.5.1'></script>
+<script type='text/javascript' src='http://example.com/wp-content/themes/scrollider/includes/js/jquery.flexslider-min.js?ver=3.5.1'></script>
+<script type='text/javascript'>
+/* <![CDATA[ */
+var woo_localized_data = {"animation":"fade","controlsContainer":".controls-container","smoothHeight":"true","useCSS":"true","directionNav":"true","controlNav":"true","manualControls":".manual ol li","slideshow":"true","pauseOnHover":"false","slideshowSpeed":"3000","animationDuration":"0","touch":"false"};
+/* ]]> */
+</script>
+<script type='text/javascript' src='http://example.com/wp-content/themes/scrollider/includes/js/featured-slider.js?ver=1.2.5'></script>
+<script type='text/javascript' src='http://example.com/wp-content/plugins/vslider/js/vslider.js?ver=3.5.1'></script>
+<link rel="EditURI" type="application/rsd+xml" title="RSD" href="http://example.com/xmlrpc.php?rsd" />
+<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="http://example.com/wp-includes/wlwmanifest.xml" />
+<meta name="generator" content="WordPress 3.5.1, fitted with the WordPress Mobile Pack 1.2.5" />
+ <meta name="viewport" content="width=device-width, initial-scale=1"><meta property="og:image" content="http://example.com/wp-content/uploads/2015/07/test.jpg"><meta property="og:image:type" content=""><meta property="og:image:width" content="1000"><meta property="og:image:height" content="752">
+<!-- Theme version -->
+<meta name="generator" content="Scrollider Child 1.0.0" />
+<meta name="generator" content="Scrollider 1.2.13" />
+<meta name="generator" content="WooFramework 5.5.5" />

spec/samples/common/models/wp_version/vulnerable/versions_vulns.json

@@ -1,42 +1,42 @@
-[
-   {
-      "3.5":{
-         "vulnerabilities":[
-            {
-               "id":2989,
-               "title":"I should not appear in the results",
-               "url":"Ref 1,Ref 2",
-               "osvdb":"osvdb",
-               "cve":"2011-001",
-               "secunia":"secunia",
-               "metasploit":"exploit/ex1",
-               "exploitdb":"exploitdb",
-               "type":"XSS",
-               "fixed_in":"",
-               "created_at":"2014-07-28T12:10:07.000Z",
-               "updated_at":"2014-07-28T12:10:07.000Z"
-            }
-         ]
-      }
-   },
-   {
-      "3.2":{
-         "vulnerabilities":[
-            {
-               "id":2993,
-               "title":"Here I Am",
-               "url":"Ref 1,Ref 2",
-               "osvdb":"osvdb",
-               "cve":"2011-001",
-               "secunia":"secunia",
-               "metasploit":"exploit/ex1",
-               "exploitdb":"exploitdb",
-               "type":"SQLI",
-               "fixed_in":"",
-               "created_at":"2014-07-28T12:10:07.000Z",
-               "updated_at":"2014-07-28T12:10:07.000Z"
-            }
-         ]
-      }
+{
+   "3.5": {
+      "vulnerabilities":[
+         {
+            "id":2989,
+            "title":"I should not appear in the results",
+            "references": {
+               "url": ["Ref 1", "Ref 2"],
+               "osvdb": ["osvdb"],
+               "cve": ["2011-001"],
+               "secunia": ["secunia"],
+               "metasploit": ["exploit/ex1"],
+               "exploitdb": ["exploitdb"]
+               },
+            "type":"XSS",
+            "fixed_in":"",
+            "created_at":"2014-07-28T12:10:07.000Z",
+            "updated_at":"2014-07-28T12:10:07.000Z"
+         }
+      ]
+     },
+     "3.2": {
+      "vulnerabilities":[
+         {
+            "id":2993,
+            "title":"Here I Am",
+            "references": {
+               "url": ["Ref 1", "Ref 2"],
+               "osvdb": ["osvdb"],
+               "cve": ["2011-001"],
+               "secunia": ["secunia"],
+               "metasploit": ["exploit/ex1"],
+               "exploitdb": ["exploitdb"]
+            },
+            "type":"SQLI",
+            "fixed_in":"",
+            "created_at":"2014-07-28T12:10:07.000Z",
+            "updated_at":"2014-07-28T12:10:07.000Z"
+         }
+      ]
    }
-]
+}

spec/samples/wpscan/web_site/robots_txt/robots_duplicate_1.txt

@@ -0,0 +1,17 @@
+User-agent: *
+Disallow: /wp-admin/
+Disallow: /wp-admin/
+Disallow: /wp-admin/
+Disallow: /wp-admin/
+Disallow: /wp-includes/
+Disallow: /wordpress/admin/
+Disallow: /wordpress/wp-admin/
+Disallow: /wordpress/secret/
+Disallow: /wordpress/secret/
+Disallow: /wordpress/
+Disallow: /wordpress/secret/
+Disallow: /Wordpress/wp-admin/
+Disallow: /wp-admin/tralling-space/
+Allow: /asdf/
+
+Sitemap: http://10.0.0.0/sitemap.xml.gz

spec/samples/wpscan/web_site/robots_txt/robots_duplicate_2.txt

@@ -0,0 +1,9 @@
+User-agent: *
+Disallow: /wp-admin/
+Disallow: /wp-admin/
+Disallow: /wp-admin/
+Disallow: /wp-admin/
+Disallow: /wp-admin/
+Disallow: /wp-admin/
+
+Sitemap: http://10.0.0.0/sitemap.xml.gz

spec/shared_examples/web_site/robots_txt.rb

@@ -61,6 +61,24 @@ shared_examples 'WebSite::RobotsTxt' do
           http://example.localhost/asdf/
         )
       end
+
+      it 'removes duplicate entries from robots.txt test 1' do
+        @fixture = fixtures_dir + '/robots_txt/robots_duplicate_1.txt'
+        @expected = %w(
+          http://example.localhost/wordpress/
+          http://example.localhost/wordpress/admin/
+          http://example.localhost/wordpress/wp-admin/
+          http://example.localhost/wordpress/secret/
+          http://example.localhost/Wordpress/wp-admin/
+          http://example.localhost/wp-admin/tralling-space/
+          http://example.localhost/asdf/
+        )
+      end
+
+      it 'removes duplicate entries from robots.txt test 2' do
+        @fixture = fixtures_dir + '/robots_txt/robots_duplicate_2.txt'
+        @expected = nil
+      end
     end
 
     context 'installed in sub directory' do

spec/shared_examples/wp_item_vulnerable.rb

@@ -3,8 +3,8 @@
 shared_examples 'WpItem::Vulnerable' do
 
   # 2 variables have to be set in the described class or subject:
-  #   let(:vulns_file)     { }
-  #   let(:expected_vulns) { } The expected Vulnerabilities when using vulns_file and vulns_xpath
+  #   let(:db_file)     { }
+  #   let(:expected_vulns) { } The expected Vulnerabilities when using db_file and vulns_xpath
   #
   # 1 variable is optional, used if supplied, otherwise subject.vulns_xpath is used
   #   let(:vulns_xpath)    { }
@@ -18,7 +18,7 @@ shared_examples 'WpItem::Vulnerable' do
     end
 
     after do
-      subject.vulns_file  = @vulns_file
+      subject.db_file    = @db_file
       subject.identifier = identifier if defined?(identifier)
 
       result = subject.vulnerabilities
@@ -26,16 +26,16 @@ shared_examples 'WpItem::Vulnerable' do
       expect(result).to eq @expected
     end
 
-    context 'when the vulns_file is empty' do
+    context 'when the db_file is empty' do
       it 'returns an empty Vulnerabilities' do
-        @vulns_file = empty_file
-        @expected   = Vulnerabilities.new
+        @db_file  = empty_file
+        @expected = Vulnerabilities.new
       end
     end
 
     it 'returns the expected vulnerabilities' do
-      @vulns_file = vulns_file
-      @expected   = expected_vulns
+      @db_file   = db_file
+      @expected  = expected_vulns
     end
   end
 

spec/shared_examples/wp_items_detectable.rb

@@ -39,68 +39,8 @@ shared_examples 'WpItems::Detectable' do
     end
   end
 
-  describe '::targets_items_from_file' do
-    after do
-      results = subject.send(:targets_items_from_file, file, wp_target, item_class, vulns_file)
-
-      expect(results.map { |i| i.name }).to eq @expected.map { |i| i.name }
-
-      unless results.empty?
-        results.each do |item|
-          expect(item).to be_a item_class
-        end
-      end
-    end
-
-    # should raise error.
-    # context 'when an empty file' do
-    #   let(:file) { empty_file }
-
-    #   it 'returns an empty Array' do
-    #     @expected = []
-    #   end
-    # end
-
-    context 'when a file' do
-      let(:file) { targets_items_file }
-
-      it 'returns the expected Array of WpItem' do
-        @expected = expected[:targets_items_from_file]
-      end
-    end
-  end
-
-  describe '::vulnerable_targets_items' do
-    after do
-      results = subject.send(:vulnerable_targets_items, wp_target, item_class, vulns_file)
-
-      expect(results.map { |i| i.name }).to eq @expected.map { |i| i.name }
-
-      unless results.empty?
-        results.each do |item|
-          expect(item).to be_a item_class
-        end
-      end
-    end
-
-    # should raise error.
-    # context 'when an empty file' do
-    #   let(:file) { empty_file }
-
-    #   it 'returns an empty Array' do
-    #     @expected = []
-    #   end
-    # end
-
-    context 'when a file' do
-      it 'returns the expected Array of WpItem' do
-        @expected = expected[:vulnerable_targets_items]
-      end
-    end
-  end
-
   describe '::targets_items' do
-    let(:options) { {} }
+    let(:options) { { type: :all } }
 
     after do
       if @expected
@@ -110,29 +50,13 @@ shared_examples 'WpItems::Detectable' do
       end
     end
 
-    context 'when :only_vulnerable' do
-      let(:options) { { only_vulnerable: true } }
+    context 'when :type = :vulnerable' do
+      let(:options) { { type: :vulnerable } }
 
       it 'returns the expected Array of WpItem' do
         @expected = expected[:vulnerable_targets_items]
       end
     end
-
-    context 'when not :only_vulnerable' do
-      context 'when no :file' do
-        it 'raises an error' do
-          expect { subject.send(:targets_items, wp_target, options) }.to raise_error('A file must be supplied')
-        end
-      end
-
-      context 'when :file' do
-        let(:options) { { file: targets_items_file } }
-
-        it 'returns the expected Array of WpItem' do
-          @expected = (expected[:targets_items_from_file] + expected[:vulnerable_targets_items]).uniq {|t| t.name }
-        end
-      end
-    end
   end
 
   describe '::passive_detection' do
@@ -176,8 +100,8 @@ shared_examples 'WpItems::Detectable' do
       expect(result.sort.map { |i| i.name }).to eq @expected.sort.map { |i| i.name }
     end
 
-    context 'when :only_vulnerable' do
-      let(:options) { { only_vulnerable: true } }
+    context 'when :type = :vulnerable' do
+      let(:options) { { type: :vulnerable } }
       let(:targets) { expected[:vulnerable_targets_items] }
 
       it 'only checks and return vulnerable targets' do
@@ -207,7 +131,7 @@ shared_examples 'WpItems::Detectable' do
       end
     end
 
-    context 'when no :only_vulnerable' do
+    context 'when no :type = :vulnerable' do
       let(:targets) { (expected[:vulnerable_targets_items] + expected[:targets_items_from_file]).uniq { |t| t.name } }
 
       it 'checks all targets, and merge the results with passive_detection' do

spec/shared_examples/wp_plugin_vulnerable.rb

@@ -2,25 +2,25 @@
 
 shared_examples 'WpPlugin::Vulnerable' do
 
-  describe '#vulns_file' do
-    after { expect(subject.vulns_file).to eq @expected }
+  describe '#db_file' do
+    after { expect(subject.db_file).to eq @expected }
 
-    context 'when :vulns_file is no set' do
+    context 'when :db_file is no set' do
       it 'returns the default one' do
-        @expected = PLUGINS_VULNS_FILE
+        @expected = PLUGINS_FILE
       end
     end
 
-    context 'when the :vulns_file is already set' do
+    context 'when the :db_file is already set' do
       it 'returns it' do
-        @expected          = 'test.json'
-        subject.vulns_file = @expected
+        @expected       = 'test.json'
+        subject.db_file = @expected
       end
     end
   end
 
   describe '#identifier' do
-    its(:identifier) { is_expected.to eq 'plugin-name' }
+    its(:identifier) { should eq 'plugin-name' }
   end
 
 end

spec/shared_examples/wp_target/wp_config_backup.rb

@@ -10,7 +10,7 @@ shared_examples 'WpTarget::WpConfigBackup' do
     # set all @config_backup_files to point to a 404
     before :each do
       config_backup_files.each do |backup_file|
-        file_url = wp_target.uri.merge(URI.escape(backup_file)).to_s
+        file_url = wp_target.uri.merge(url_encode(backup_file)).to_s
 
         stub_request(:get, file_url).to_return(status: 404)
       end
@@ -24,7 +24,7 @@ shared_examples 'WpTarget::WpConfigBackup' do
       expected = []
 
       config_backup_files.sample(1).each do |backup_file|
-        file_url = wp_target.uri.merge(URI.escape(backup_file)).to_s
+        file_url = wp_target.uri.merge(url_encode(backup_file)).to_s
         expected << file_url
 
         stub_request_to_fixture(url: file_url, fixture: fixtures_dir + '/wp-config.php')
@@ -40,7 +40,7 @@ shared_examples 'WpTarget::WpConfigBackup' do
       expected = []
 
       config_backup_files.sample(2).each do |backup_file|
-        file_url = wp_target.uri.merge(URI.escape(backup_file)).to_s
+        file_url = wp_target.uri.merge(url_encode(backup_file)).to_s
         expected << file_url
 
         stub_request_to_fixture(url: file_url, fixture: fixtures_dir + '/wp-config.php')

spec/shared_examples/wp_theme_vulnerable.rb

@@ -2,25 +2,25 @@
 
 shared_examples 'WpTheme::Vulnerable' do
 
-  describe '#vulns_file' do
-    after { expect(subject.vulns_file).to eq @expected }
+  describe '#db_file' do
+    after { expect(subject.db_file).to eq @expected }
 
-    context 'when :vulns_file is not set' do
+    context 'when :db_file is not set' do
       it 'returns the default one' do
-        @expected = THEMES_VULNS_FILE
+        @expected = THEMES_FILE
       end
     end
 
-    context 'when the :vulns_file is already set' do
+    context 'when the :db_file is already set' do
       it 'returns it' do
-        @expected          = 'test.json'
-        subject.vulns_file = @expected
+        @expected       = 'test.json'
+        subject.db_file = @expected
       end
     end
   end
 
   describe '#identifier' do
-    its(:identifier) { is_expected.to eq 'theme-name' }
+    its(:identifier) { should eq 'theme-name' }
   end
 
 end

spec/shared_examples/wp_user/existable.rb

@@ -29,6 +29,13 @@ shared_examples 'WpUser::Existable' do
         @expected = nil
       end
     end
+
+    context 'when no author given' do
+      it 'returns nil' do
+        @text     = '<a href="http://wp.lab/author/" class="btn btn-default">See Posts</a>'
+        @expected = nil
+      end
+    end
   end
 
   describe '::login_from_body' do

spec/shared_examples/wp_version_vulnerable.rb

@@ -2,25 +2,25 @@
 
 shared_examples 'WpVersion::Vulnerable' do
 
-  describe '#vulns_file' do
-    after { expect(subject.vulns_file).to eq @expected }
+  describe '#db_file' do
+    after { expect(subject.db_file).to eq @expected }
 
-    context 'when :vulns_file is no set' do
+    context 'when :db_file is no set' do
       it 'returns the default one' do
-        @expected = WP_VULNS_FILE
+        @expected = WORDPRESSES_FILE
       end
     end
 
-    context 'when the :vulns_file is already set' do
+    context 'when the :db_file is already set' do
       it 'returns it' do
-        @expected          = 'test.json'
-        subject.vulns_file = @expected
+        @expected       = 'test.json'
+        subject.db_file = @expected
       end
     end
   end
 
   describe '#identifier' do
-    its(:identifier) { is_expected.to eq '1.2' }
+    its(:identifier) { should eq '1.2' }
   end
 
 end

wpscan.rb

@@ -62,7 +62,7 @@ def main
         exit(1)
       else
         if missing_db_file?
-          puts critical('You can not run a scan without any databases.') 
+          puts critical('You can not run a scan without any databases.')
           exit(1)
         end
       end
@@ -82,6 +82,10 @@ def main
 
     wp_target = WpTarget.new(wpscan_options.url, wpscan_options.to_h)
 
+    if wp_target.wordpress_hosted?
+      raise 'We do not support scanning *.wordpress.com hosted blogs'
+    end
+
     # Remote website up?
     unless wp_target.online?
       raise "The WordPress URL supplied '#{wp_target.uri}' seems to be down."
@@ -133,7 +137,7 @@ def main
     # Remote website is wordpress?
     unless wpscan_options.force
       unless wp_target.wordpress?
-        raise critical('The remote website is up, but does not seem to be running WordPress.')
+        raise 'The remote website is up, but does not seem to be running WordPress.'
       end
     end
 
@@ -152,15 +156,11 @@ def main
 
     # Output runtime data
     start_time   = Time.now
-    start_memory = get_memory_usage
+    start_memory = get_memory_usage unless windows?
     puts info("URL: #{wp_target.url}")
     puts info("Started: #{start_time.asctime}")
     puts
 
-    if wp_target.wordpress_hosted?
-      puts critical('We do not support scanning *.wordpress.com hosted blogs')
-    end
-
     if wp_target.has_robots?
       puts info("robots.txt available under: '#{wp_target.robots_url}'")
 
@@ -221,6 +221,10 @@ def main
       puts warning("Upload directory has directory listing enabled: #{wp_target.upload_dir_url}")
     end
 
+    if wp_target.include_directory_listing_enabled?
+      puts warning("Includes directory has directory listing enabled: #{wp_target.includes_dir_url}")
+    end
+
     enum_options = {
       show_progression: true,
       exclude_content: wpscan_options.exclude_content_based
@@ -273,15 +277,29 @@ def main
     # Enumerate the installed plugins
     if wpscan_options.enumerate_plugins or wpscan_options.enumerate_only_vulnerable_plugins or wpscan_options.enumerate_all_plugins
       puts
-      puts info("Enumerating installed plugins #{'(only vulnerable ones)' if wpscan_options.enumerate_only_vulnerable_plugins} ...")
+      if wpscan_options.enumerate_only_vulnerable_plugins
+        puts info('Enumerating installed plugins (only ones with known vulnerabilities) ...')
+        plugin_enumeration_type = :vulnerable
+      end
+
+      if wpscan_options.enumerate_plugins
+        puts info('Enumerating installed plugins (only ones marked as popular) ...')
+        plugin_enumeration_type = :popular
+      end
+
+      if wpscan_options.enumerate_all_plugins
+        puts info('Enumerating all plugins (may take a while and use a lot of system resources) ...')
+        plugin_enumeration_type = :all
+      end
       puts
 
       wp_plugins = WpPlugins.aggressive_detection(wp_target,
         enum_options.merge(
-          file: wpscan_options.enumerate_all_plugins ? PLUGINS_FULL_FILE : PLUGINS_FILE,
-          only_vulnerable: wpscan_options.enumerate_only_vulnerable_plugins || false
+          file: PLUGINS_FILE,
+          type: plugin_enumeration_type
         )
       )
+
       puts
       if !wp_plugins.empty?
         puts info("We found #{wp_plugins.size} plugins:")
@@ -295,13 +313,26 @@ def main
     # Enumerate installed themes
     if wpscan_options.enumerate_themes or wpscan_options.enumerate_only_vulnerable_themes or wpscan_options.enumerate_all_themes
       puts
-      puts info("Enumerating installed themes #{'(only vulnerable ones)' if wpscan_options.enumerate_only_vulnerable_themes} ...")
+      if wpscan_options.enumerate_only_vulnerable_themes
+        puts info('Enumerating installed themes (only ones with known vulnerabilities) ...')
+        theme_enumeration_type = :vulnerable
+      end
+
+      if wpscan_options.enumerate_themes
+        puts info('Enumerating installed themes (only ones marked as popular) ...')
+        theme_enumeration_type = :popular
+      end
+
+      if wpscan_options.enumerate_all_themes
+        puts info('Enumerating all themes (may take a while and use a lot of system resources) ...')
+        theme_enumeration_type = :all
+      end
       puts
 
       wp_themes = WpThemes.aggressive_detection(wp_target,
         enum_options.merge(
-          file: wpscan_options.enumerate_all_themes ? THEMES_FULL_FILE : THEMES_FILE,
-          only_vulnerable: wpscan_options.enumerate_only_vulnerable_themes || false
+          file: THEMES_FILE,
+          type: theme_enumeration_type
         )
       )
       puts
@@ -413,12 +444,12 @@ def main
 
     stop_time   = Time.now
     elapsed     = stop_time - start_time
-    used_memory = get_memory_usage - start_memory
+    used_memory = get_memory_usage - start_memory unless windows?
 
     puts
     puts info("Finished: #{stop_time.asctime}")
     puts info("Requests Done: #{@total_requests_done}")
-    puts info("Memory used: #{used_memory.bytes_to_human}")
+    puts info("Memory used: #{used_memory.bytes_to_human}") unless windows?
     puts info("Elapsed time: #{Time.at(elapsed).utc.strftime('%H:%M:%S')}")
 
   rescue Interrupt