Bump docker/build-push-action from 4 to 5

Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 4 to 5.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v4...v5)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

.codeclimate.yml

@@ -0,0 +1,7 @@
+version: "2"
+# https://docs.codeclimate.com/docs/default-analysis-configuration#sample-codeclimateyml
+checks:
+  method-complexity:
+    enabled: true
+    config:
+      threshold: 15

.dockerignore

@@ -1,21 +1,17 @@
-.*
-bin/
-dev/
-spec/
-*.md
-Dockerfile
-
-## TEMP
+git/
+bundle/
 .idea/
 .yardoc/
-bundle/
 cache/
 coverage/
-git/
+spec/
+.*
 **/*.md
+*.md
+!README.md
+Dockerfile
 **/*.orig
 *.orig
-CREDITS
-data.zip
-DISCLAIMER.txt
-example.conf.json
+bin/wpscan-*
+.wpscan/
+.github/

.github/CONTRIBUTING.md

@@ -0,0 +1,5 @@
+# Contributing to WPScan
+
+## Licensing
+
+By submitting code contributions to the WPScan development team via Github Pull Requests, or any other method, it is understood that the contributor is offering the WPScan company (company number 	83421476900012), which is registered in France, the unlimited, non-exclusive right to reuse, modify, and relicense the code.

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,38 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+Before submitting an issue, please make sure you fully read any potential error messages output and did some research on your own.
+
+### Subject of the issue
+Describe your issue here.
+
+### Your environment
+* Version of WPScan:
+* Version of Ruby:
+* Operating System (OS):
+
+### Steps to reproduce
+Tell us how to reproduce this issue.
+
+### Expected behavior
+Tell us what should happen.
+
+### Actual behavior
+Tell us what happens instead.
+
+### What have you already tried
+Tell us what you have already tried to do to fix the issue you are having.
+
+Things you have tried (where relevant):
+
+* Update WPScan to the latest version [ ]
+* Update Ruby to the latest version [ ]
+* Ensure you can reach the target site using cURL [ ]
+* Proxied WPScan through a HTTP proxy to view the raw traffic [ ]
+* Ensure you are using a supported Operating System (Linux and macOS) [ ]

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,20 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.

.github/ISSUE_TEMPLATE/other-issue.md

@@ -0,0 +1,10 @@
+---
+name: Other Issue
+about: Create a report which is not a related to a Bug or Feature
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+Before submitting an issue, please make sure you fully read any potential error messages output and did some research on your own.

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,3 @@
+## Licensing
+
+By submitting code contributions to the WPScan development team via Github Pull Requests, or any other method, it is understood that the contributor is offering the WPScan company (company number 	83421476900012), which is registered in France, the unlimited, non-exclusive right to reuse, modify, and relicense the code.

.github/dependabot.yml

@@ -0,0 +1,17 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "bundler"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      # Check for updates to GitHub Actions every weekday
+      interval: "daily"

.github/workflows/build.yml

@@ -0,0 +1,42 @@
+name: Build
+
+on: [push, pull_request]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        ruby: [2.7, '3.0', 3.1]
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Set up Ruby ${{ matrix.ruby }}
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby }}
+
+    - name: Install GEMs
+      run: |
+        gem install bundler
+        bundle config force_ruby_platform true
+        bundle config path vendor/bundle
+        bundle install --jobs 4 --retry 3
+
+    - name: rubocop
+      run: |
+        bundle exec rubocop
+
+    - name: rspec
+      run: |
+        bundle exec rspec
+
+    - name: Coveralls
+      uses: coverallsapp/github-action@master
+      continue-on-error: true
+      with:
+        github-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/docker.yml

@@ -0,0 +1,56 @@
+name: Build Docker Images
+
+on:
+  push:
+    branches:
+      - master
+  release:
+    types: [published]
+  schedule:
+    - cron: "0 7 * * *"
+
+jobs:
+  images:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: checkout sources
+        uses: actions/checkout@v4
+
+      - name: Set tag to latest
+        if: (github.event_name == 'push' && github.ref == 'refs/heads/master') || github.event_name == 'schedule'
+        run: |
+          echo "DOCKER_TAG=latest" >> $GITHUB_ENV
+
+      - name: Set tag to release name
+        if: github.event_name == 'release' && startsWith(github.ref, 'refs/tags/')
+        run: |
+          echo "DOCKER_TAG=${{ github.event.release.tag_name }}" >> $GITHUB_ENV
+
+      - name: Check if DOCKER_TAG is set
+        if: env.DOCKER_TAG == ''
+        run: |
+          echo DOCKER_TAG is not set!
+          exit 1
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        id: buildx
+        with:
+          install: true
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v2.2.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          platforms: linux/amd64,linux/arm/v7,linux/arm64
+          push: true
+          tags: wpscanteam/wpscan:${{ env.DOCKER_TAG }}

.github/workflows/gempush.yml

@@ -0,0 +1,40 @@
+name: Ruby Gem
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  build:
+    name: Build + Publish
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+    - name: Set up Ruby 2.6
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: 2.6
+
+    #- name: Publish to GPR
+    #  run: |
+    #    mkdir -p $HOME/.gem
+    #    touch $HOME/.gem/credentials
+    #    chmod 0600 $HOME/.gem/credentials
+    #    printf -- "---\n:github: Bearer ${GEM_HOST_API_KEY}\n" > $HOME/.gem/credentials
+    #    gem build *.gemspec
+    #    gem push --KEY github --host https://rubygems.pkg.github.com/${OWNER} *.gem
+    #  env:
+    #    GEM_HOST_API_KEY: ${{secrets.GITHUB_TOKEN}}
+    #    OWNER: wpscanteam
+
+    - name: Publish to RubyGems
+      run: |
+        mkdir -p $HOME/.gem
+        touch $HOME/.gem/credentials
+        chmod 0600 $HOME/.gem/credentials
+        printf -- "---\n:rubygems_api_key: ${GEM_HOST_API_KEY}\n" > $HOME/.gem/credentials
+        gem build *.gemspec
+        gem push *.gem
+      env:
+        GEM_HOST_API_KEY: ${{secrets.RUBYGEMS_AUTH_TOKEN}}

.gitignore

@@ -1,21 +1,26 @@
-# WPScan (If not using ~/.wpscan/)
-cache/
-data/
-log.txt
-output.txt
-
-# WPScan (Deployment)
-debug.log
-rspec_results.html
-wordlist.txt
-
-# OS/IDE Rubbish
-coverage/
-.yardoc/
-.idea/
-*.sublime-*
-.*.swp
-.ash_history
+*.gem
+*.rbc
 .bundle
+.config
+coverage
+pkg
+rdoc
+Gemfile.lock
+
+# YARD artifacts
+.yardoc
+_yardoc
+doc/
+.wpscan/
+
+.ash_history
 .DS_Store
 .DS_Store?
+.idea/
+
+# Old files from v2
+cache/
+data/
+
+# Profiling reports
+bin/memprof*.report

.rspec

@@ -1,2 +1,2 @@
+--require spec_helper
 --color
---fail-fast

.rubocop.yml

@@ -0,0 +1,42 @@
+require: rubocop-performance
+AllCops:
+  NewCops: enable
+  SuggestExtensions: false
+  TargetRubyVersion: 2.7
+  Exclude:
+  - '*.gemspec'
+  - 'vendor/**/*'
+Layout/LineLength:
+  Max: 120
+Lint/ConstantDefinitionInBlock:
+  Enabled: false
+Lint/MissingSuper:
+  Enabled: false
+Lint/UriEscapeUnescape:
+  Enabled: false
+Metrics/AbcSize:
+  Max: 27
+Metrics/BlockLength:
+  Exclude:
+  - 'spec/**/*'
+Metrics/ClassLength:
+  Max: 150
+  Exclude:
+  - 'app/controllers/enumeration/cli_options.rb'
+Metrics/CyclomaticComplexity:
+  Max: 10
+Metrics/MethodLength:
+  Max: 20
+  Exclude:
+  - 'app/controllers/enumeration/cli_options.rb'
+Metrics/PerceivedComplexity:
+  Max: 11
+Style/ClassVars:
+  Enabled: false
+Style/Documentation:
+  Enabled: false
+Style/FormatStringToken:
+  Enabled: false
+Style/NumericPredicate:
+  Exclude:
+  - 'app/controllers/vuln_api.rb'

.ruby-gemset

@@ -1 +1 @@
-wpscan
+wpscanv3

.ruby-version

@@ -1 +1 @@
-2.5.1
+3.0.2

.simplecov

@@ -1,8 +1,19 @@
-SimpleCov.start do
-  add_filter "/spec/"
-  add_filter "_helper.rb"
-  add_filter "environment.rb"
-  add_filter "_plugin.rb"
-  add_filter "hacks.rb"
-  add_filter "output.rb"
+# frozen_string_literal: true
+
+if ENV['GITHUB_ACTION']
+  require 'simplecov-lcov'
+
+  SimpleCov::Formatter::LcovFormatter.config do |c|
+    c.single_report_path = 'coverage/lcov.info'
+    c.report_with_single_file = true
+  end
+
+  SimpleCov.formatter = SimpleCov::Formatter::LcovFormatter
+end
+
+SimpleCov.start do
+  enable_coverage :branch # Only supported for Ruby >= 2.5
+
+  add_filter '/spec/'
+  add_filter 'helper'
 end

.travis.yml

@@ -1,36 +0,0 @@
-language: ruby
-sudo: false
-cache: bundler
-rvm:
-  - 2.1.9
-  - 2.2.0
-  - 2.2.1
-  - 2.2.2
-  - 2.2.3
-  - 2.2.4
-  - 2.3.0
-  - 2.3.1
-  - 2.3.2
-  - 2.3.3
-  - 2.4.1
-  - 2.4.2
-  - 2.5.0
-  - 2.5.1
-  - ruby-head
-before_install:
-  - "env"
-  - "echo 'gem: --no-ri --no-rdoc' > ~/.gemrc"
-  - "gem install bundler"
-  - "gem regenerate_binstubs"
-  - "bundle --version"
-before_script:
-  - "unzip -o $TRAVIS_BUILD_DIR/data.zip -d $HOME/.wpscan/"
-script:
-  - "bundle exec rspec"
-notifications:
-  email:
-    - team@wpscan.org
-# do not build gh-pages branch
-branches:
-  except:
-    - gh-pages

CHANGELOG.md

@@ -1,587 +0,0 @@
-# Changelog
-## Master
-[Work in progress](https://github.com/wpscanteam/wpscan/compare/2.9.4...master)
-
-## Version 2.9.4
-Released: 2018-06-15
-
-* Updated dependencies and required ruby version
-* Improved CLI output
-* Only show readme.html output when wp <= 4.8 #1127
-* Cleanup README.md
-* Fix bug "undefined method 'identifier' for nil:NilClass" #1149
-* Since WP 4.7 readme.html only shows major version #1152
-* Add checks for humans.txt and security.text (Thank you @g0tmi1k!)
-* Add offline database update support (Thank you @g0tmi1k!)
-* Check for API access and /wp-json/'s users output (Thank you @g0tmi1k!)
-* Add RSS author information (Thank you @g0tmi1k!)
-* Check HTTP status of each value in /robots.txt (Thank you @g0tmi1k!)
-* Follow any redirections (e.g. http -> https) (Thank you @g0tmi1k!)
-* Lots of other enhancements by @g0tmi1k & WPScan Team
-* Database export file enumeration.
-
-WPScan Database Statistics:
-* Total tracked wordpresses: 319
-* Total tracked plugins: 74896
-* Total tracked themes: 16666
-* Total vulnerable wordpresses: 305
-* Total vulnerable plugins: 1645
-* Total vulnerable themes: 286
-* Total wordpress vulnerabilities: 8327
-* Total plugin vulnerabilities: 2603
-* Total theme vulnerabilities: 352
-
-## Version 2.9.3
-Released: 2017-07-19
-
-* Updated dependencies and required ruby version
-* Made some changes so wpscan works in ruby 2.4
-* Added a Gemfile.lock to lock all dependencies
-* You can now pass a wordlist from stdin via "--wordlist -"
-* Improved version detection regexes
-* Added an optional paramter to --log to specify a filename
-
-WPScan Database Statistics:
-* Total tracked wordpresses: 251
-* Total tracked plugins: 68818
-* Total tracked themes: 15132
-* Total vulnerable wordpresses: 243
-* Total vulnerable plugins: 1527
-* Total vulnerable themes: 280
-* Total wordpress vulnerabilities: 5263
-* Total plugin vulnerabilities: 2406
-* Total theme vulnerabilities: 349
-
-## Version 2.9.2
-Released: 2016-11-15
-
-* Fixed error when detecting plugins with UTF-8 characters
-* Use all possible finders to verify a detected version
-* Fix error when detecting a WordPress version not in our database
-* Added some additional clarification on error messages
-* Upgrade terminal-table gem
-* Add --cache-dir option
-* Add --disable-tls-checks options
-* Improve/add additional plugin passive detections
-* Remove scripts when calculating page hashes
-* Many other small bug fixes.
-
-WPScan Database Statistics:
-* Total tracked wordpresses: 194
-* Total tracked plugins: 63703
-* Total tracked themes: 13835
-* Total vulnerable wordpresses: 177
-* Total vulnerable plugins: 1382
-* Total vulnerable themes: 379
-* Total wordpress vulnerabilities: 2617
-* Total plugin vulnerabilities: 2190
-* Total theme vulnerabilities: 452
-
-## Version 2.9.1
-Released: 2016-05-06
-
-* Update to Ruby 2.3.1, drop older ruby support
-* New data file location
-* Added experimental Windows support
-* Display WordPress metadata on the detected version
-* Several small fixes
-
-WPScan Database Statistics:
-* Total vulnerable versions: 156
-* Total vulnerable plugins:  1324
-* Total vulnerable themes:   376
-* Total version vulnerabilities: 1998
-* Total plugin vulnerabilities:  2057
-* Total theme vulnerabilities:   449
-
-## Version 2.9
-Released: 2015-10-15
-
-New
-* GZIP Encoding in updater
-* Adds --throttle option to throttle requests
-* Uses new API and local database file structure
-* Adds last updated and latest version to plugins and themes
-
-Removed
-* ArchAssault from README
-* APIv1 local databases
-
-General core
-* Update to Ruby 2.2.3
-* Use yajl-ruby as JSON parser
-* New dependancy for Ubuntu 14.04 (libgmp-dev)
-* Use Travis container based infra and caching
-
-Fixed issues
-* Fix #835 - Readme requests to wp root dir
-* Fix #836 - Critical icon output twice when the site is not running WP
-* Fix #839 - Terminal-table dependency is broken
-* Fix #841 - error: undefined method `cells' for #<Array:0x000000029cc2f8>
-* Fix #852 - GZIP Encoding in updater
-* Fix #853 - APIv2 integration
-* Fix #858 - Detection FP
-* Fix #873 - false positive "site has Must Use Plugins"
-
-WPScan Database Statistics:
-* Total vulnerable versions: 132
-* Total vulnerable plugins:  1170
-* Total vulnerable themes:   368
-* Total version vulnerabilities: 1476
-* Total plugin vulnerabilities:  1913
-* Total theme vulnerabilities:   450
-
-## Version 2.8
-Released: 2015-06-22
-
-New
-* Warn the user to update his DB files
-* Added last db update to --version option (see #815)
-* Add db checksum to verbose logging during update
-* Option to hide banner
-* Continue if user chooses not to update + db exists
-* Don't update if user chooses default + no DBs exist
-* Updates request timeout values to realistic ones (and in seconds)
-
-Removed
-* Removed `Time.parse('2000-01-01')` expedient
-* Removed unnecessary 'return' and '()'
-* Removed debug output
-* Removed wpstools
-
-General core
-* Update to Ruby 2.2.2
-* Switch to mitre
-* Install bundler gem README
-* Switch from gnutls to openssl
-
-Fixed issues
-* Fix #789 - Add blackarch to readme
-* Fix #790 - Consider the target down after 30 requests timed out requests instead of 10
-* Fix #791 - Rogue character causing the scan of non-wordpress site to crash
-* Fix #792 - Adds the HttpError exception
-* Fix #795 - Remove GHOST warning
-* Fix #796 - Do not swallow exit code
-* Fix #797 - Increases the timeout values
-* Fix #801 - Forces UTF-8 encoding when enumerating usernames
-* Fix #803 - Increases default connect-timeout to 10s
-* Fix #804 - Updates the Theme detection pattern
-* Fix #816 - Ignores potential non version chars in theme version detection
-* Fix #819 - Removes potential spaces in robots.txt entries
-
-WPScan Database Statistics:
-* Total vulnerable versions: 98
-* Total vulnerable plugins:  1076
-* Total vulnerable themes:   361
-* Total version vulnerabilities: 1104
-* Total plugin vulnerabilities:  1763
-* Total theme vulnerabilities:   443
-
-## Version 2.7
-Released: 2015-03-16
-
-New
-* Detects version in release date format
-* Copyrights updated
-* WP version detection from stylesheets
-* New license
-* Global HTTP request counter
-* Add security-protection plugin detection
-* Add GHOST warning if XMLRPC enabled
-* Update databases from wpvulndb.com
-* Enumerate usernames from WP <= 3.0 (thanks berotti3)
-
-Removed
-* README.txt
-
-General core
-* Update to Ruby 2.2.1
-* Update to Ruby 2.2.0
-* Add addressable gem
-* Update Typhoeus gem to 0.7.0
-* IDN support: encode non-ascii domain names (thanks dctabuyz)
-* Improve page hash calculation (thanks dctabuyz)
-* Version detection regex improved
-
-Fixed issues
-* Fix #745 - Plugin version pattern in readme.txt file not detected
-* Fix #746 - Add a global counter for all active requests to server.
-* Fix #747 - Add 'security-protection' plugin to wp_login_protection module
-* Fix #753 - undefined method `round' for "10":String for request or connect timeouts
-* Fix #760 - typhoeus issue (infinite loop)
-
-WPScan Database Statistics:
-* Total vulnerable versions: 89
-* Total vulnerable plugins:  953
-* Total vulnerable themes:   329
-* Total version vulnerabilities: 1070
-* Total plugin vulnerabilities:  1451
-* Total theme vulnerabilities:   378
-
-## Version 2.6
-Released: 2014-12-19
-
-New
-* Updates the readmes to reflect the new --usernames option
-* Improves plugin/theme version detection by looking at the "Version:"
-* Solution to avoid mandatory blank newline at the end of the wordlist
-* Add check for valid credentials
-* Add Sucuri sponsor to banner
-* Add protocol to sucuri url in banner
-* Add response code to proxy error output
-* Add a statement about mandatory newlines at the end of list
-* Give warning if default username 'admin' is still used
-* License amendment to make it more clear about value added usage
-
-Removed
-* remove malwares
-* remove malware folder
-* Removes the theme version check from the readme, unrealistic scenario
-
-General core
-* Update to Ruby 2.1.5 and travis
-* Prevent parent theme infinite loop
-* Fixes the progressbar being overriden by next brute forcing attempts
-
-Fixed issues
-* Fix UTF-8 encode on security db file download
-* Fix #703 - Disable logging by default. Implement log option.
-* Fix #705 - Installation instructions for Ubuntu < 14.04 apparently incomplete
-* Fix #717 - Expand on readme.html finding output
-* Fix #716 - Adds the --version in the help
-* Fix #715 - Add new updating info to docs
-* Fix #727 - WpItems detection: Perform the passive check and filter only vulnerable results at the end if required
-* Fix #737 - Adds some readme files to check for plugin versions
-* Fix #739 - Adds the --usernames option
-
-WPScan Database Statistics:
-* Total vulnerable versions: 88
-* Total vulnerable plugins: 901
-* Total vulnerable themes: 313
-* Total version vulnerabilities: 1050
-* Total plugin vulnerabilities: 1355
-* Total theme vulnerabilities: 349
-
-## Version 2.5.1
-Released: 2014-09-29
-
-Fixes reference URL to WPVDB
-
-## Version 2.5
-Released: 2014-09-26 (@ BruCON 2014)
-
-New
-* Exit program after --update
-* Detect directory listing in upload folder
-* Be more verbose when no version can be detected
-* Added detection for Yoast Wordpress SEO plugin
-* Also ensure to not process empty Location headers
-* Ensures a nil location is not processed when enumerating usernames
-* Fix #626 - Detect 'Must_Use_Plugins'
-* better username extraction
-* Add a --cookie option. Ref #485
-* Add a --no-color option
-* Output: Give 'Fixed in' an informational tag
-* Added ArchAssault distro - WPScan comes pre-installed with this distro
-* Layout changes with new colors
-
-Removed
-* Removes the source code updaters
-* Removes the ListGenerator plugin from WPStools
-* Removes all files from data/
-
-General core
-* Update docs to reflect new updating logic
-* Little output change and coloring
-* Adds a missing verbose output
-* Re-build redirection url if begin with slash '/'
-* Fixes the remove_conditional_comments function
-* Ensures to give a string to Typhoeus
-* Fix wpstools check-vuln-ref-urls
-* Fix rspecs for new json
-* Only output if different from style_url
-* Add exception so 'ruby wpscan.rb http://domain.com' is detected
-* Added make to Debian installation, which is needed in minimal installation.
-* Add build-essentials requirement to Ubuntu > 14.04
-* Updated installation instr. for GNU/Linux Debian.
-* Changes VersionCompare#is_newer_or_same? by lesser_or_equal?
-* Fixes the location of the robots.txt check
-* Updates the recommended ruby version
-* Rspec 3.0 support
-* Adds ruby 2.1.2 to Travis
-* Updated ruby-progressbar to 1.5.0
-
-WordPress Fingerprints
-* Adds WP 4.0 fingerprints
-* Adds WP 3.9.2, 3.8.4 & 3.7.4 fingerprints - Ref #652
-* Adds 3.9.1 fingerprints
-
-Fixed issues
-* Fix #689 - Adds config file to check
-* Fix #694 - Output Arrays
-* Fix #693 - Adds pathname require statement
-* Fix #657 - generate method
-* Fix #685 - Potenial fix for 'marshal data too short' error
-* Fix #686 - Adds specs for relative URI in Location headers
-* Fix #435 - Update license
-* Fix #674 - Improves the Plugins & Themes passive detection
-* Fix #673 - Problem with the output
-* Fix #661 - Don't hash directories named like a file
-* Fix #653 - Fix for infinite loop in wpstools
-* Fix #625 - Only parse styles when needed
-* Fix #481 - Fix for Jetpack plugin false positive
-* Fix #480 - Properly removes the colour sequence from log
-* Fix #472 - WPScan stops after redirection if not WordPress website
-* Fix #464 - Readmes updated to reflect recent changes about the config file & batch mode
-
-Vulnerabilities
-* geoplaces4 also uses name GeoPlaces4beta
-* Added metasploit module's
-* Added some timthumb detections
-
-WPScan Database Statistics:
-* Total vulnerable versions: 87
-* Total vulnerable plugins: 854
-* Total vulnerable themes: 303
-* Total version vulnerabilities: 752
-* Total plugin vulnerabilities: 1351
-* Total theme vulnerabilities: 345
-
-## Version 2.4
-Released: 2014-04-17
-
-New
-* '--batch' switch option added - Fix #454
-* Add random-agent
-* Added more CLI options
-* Switch over to nist - Fix #301
-* New choice added when a redirection is detected - Fix #438
-
-Removed
-* Removed 'Total WordPress Sites in the World' counter from stats
-* Old wpscan repo links removed - Fix #440
-* Fingerprinting Dev script removed
-* Useless code removed
-
-General core
-* Rspecs update
-* Forcing Travis notify the team
-* Ruby 2.1.1 added to Travis
-* Equal output layout for interaction questions
-* Only output error trace if verbose if enabled
-* Memory improvements during wp-items enumerations
-* Fixed broken link checker, fixed some broken links
-* Couple more 404s fixed
-* Themes & Plugins list updated
-
-WordPress Fingerprints
-* WP 3.8.2 & 3.7.2 Fingerprints added - Fix #448
-* WP 3.8.3 & 3.7.3 fingerprints
-* WP 3.9 fingerprints
-
-Fixed issues
-* Fix #380 - Redirects in WP 3.6-3.0
-* Fix #413 - Check the version of the Timthumbs files found
-* Fix #429 - Error WpScan Cache Browser
-* Fix #431 - Version number comparison between '2.3.3' and '0.42b'
-* Fix #439 - Detect if the target goes down during the scan
-* Fix #451 - Do not rely only on files in wp-content for fingerprinting
-* Fix #453 - Documentation or inplemention of option parameters
-* Fix #455 - Fails with a message if the target returns a 403 during the wordpress check
-
-Vulnerabilities
-* Update WordPress Vulnerabilities
-* Fixed some duplicate vulnerabilities
-
-WPScan Database Statistics:
-* Total vulnerable versions: 79; 1 is new
-* Total vulnerable plugins: 748; 55 are new
-* Total vulnerable themes: 292; 41 are new
-* Total version vulnerabilities: 617; 326 are new
-* Total plugin vulnerabilities: 1162; 146 are new
-* Total theme vulnerabilities: 330; 47 are new
-
-## Version 2.3
-Released: 2014-02-11
-
-New
-* Brute forcing over https!
-* Detect and output parent theme!
-* Complete fingerprint script & hash search
-* New spell checker!
-* Added database modification dates in status report
-* Added 'Total WordPress Sites in the World' statistics
-* Added separator between Name and Version in Item
-* Added a "Work in progress" URL in the CHANGELOG
-
-Removed
-* Removed "Exiting!" sentence
-* Removed Backtrack Linux. Not maintained anymore.
-
-General core
-* Ruby 2.1.0 added to Travis
-* Updated the version of WebMock required
-* Better string concatenation in code (improves speed)
-* Some modifications in the output of an item
-* Output cosmetics
-* rspec-mocks version constraint released
-* Tabs replaced by spaces
-* Rspecs update
-* Indent code cleanup
-* Themes & Plugins lists regenerated
-
-Vulnerabilities
-* Update WordPress Vulnerabilities
-* Disabled some fake reported vulnerabilities
-* Fixed some duplicate vulnerabilities
-
-WPScan Database Statistics:
-* Total vulnerable versions: 78; 2 are new
-* Total vulnerable plugins: 693; 83 are new
-* Total vulnerable themes: 251; 55 are new
-* Total version vulnerabilities: 291 17 are new
-* Total plugin vulnerabilities: 1016; 236 are new
-* Total theme vulnerabilities: 283; 79 are new
-
-WordPress Fingerprints
-* Better fingerprints
-* WP 3.8.1 Fingerprinting
-* WP 3.8 Fingerprinting
-
-Fixed issues
-* Fix #404 - Brute forcing issue over https
-* Fix #398 - Removed a fake vuln in WP Super Cache
-* Fix #393 - sudo added to the bundle install cmd for Mac OSX
-* Fix #228, #327 - Infinite loop when self-redirect
-* Fix #201 - Incorrect Paramter Parsing when no url was supplied
-
-## Version 2.2
-Released: 2013-11-12
-
-New
-* Output the vulnerability fix if available
-* Added 'WordPress Version Vulnerability' statistics
-* Added Kali Linux on the list of pre-installed Linux distributions
-* Added hosted wordpress detection. See issue #343.
-* Add detection for all-in-one-seo-pack
-* Use less memory when brute forcing with a large wordlist
-* Memory Usage output
-* Added cve tag to xml file
-* Add documentation to readme
-* Add --version switch
-* Parse robots.txt
-* Show twitter usernames
-* Clean logfile on wpstools too
-* Added pingback header
-* Request_timeout and connect_timeout implemented
-* Output interesting http-headers
-* Kali Linux detection
-* Ensure that brute forcing results are output even if an error occurs or the user exits
-* Added debug output
-* Fixed Version compare for issue #179
-* Added ruby-progressbar version to Gemfile
-* Use the redirect_to parameter on bruteforce
-* Readded "junk removal" from usernames before output
-* Add license file
-* Output the timthumb version if found
-* New enumeration system
-* More error details for XSD checks
-* Added default wp-content dir detection, see Issue #141.
-* Added checks for well formed xml
-
-Changed
-* Trying a fix for Kali Linux
-* Make a seperator between plugin name and vulnerability name
-* It's WordPress, not Wordpress
-* Changed wordpress.com scanning error to warning. See issue #343.
-* Make output lines consistent
-* Replace packetstormsecurity.org to packetstormsecurity.com
-* Same URL syntax for all Packet Storm Security URL's
-* Packet Storm Security URL's don't need the 'friendly part' of the URL. So it can be neglected.
-* Use online documentation
-* User prompt on same line
-* Don't skip passwords that start with a hash. This is fairly common (see RockYou list for example).
-* Updated Fedora install instructions as per Issue #92
-* Slight update to security plugin warning. Issue #212.
-* Ruby-progressbar Gemfile version bump
-* Fix error with the -U option (undefined method 'merge' for #WpTarget:)
-* Banner artwork
-* Fix hacks.rb conflict
-* Handle when there are 2 headers of the same name
-* Releasing the Typhoeus version constraint
-* Amended Arch Linux install instructions. See issue #183.
-
-Updated
-* Plugins & Themes updated
-* Update README.md
-* Updated documentation
-
-Removed
-* Removed 'smileys' in output messages
-* Removed 'for WordPress' and 'plugin' in title strings.
-* Removed reference
-* Removed useless code
-* Removed duplicate vulnerabilities
-
-General core
-* Code cleaning
-* Fix typo's
-* Clean up rspecs
-* Themes & Plugins lists regenerated
-* Rspecs update
-* Code Factoring
-* Added checks for old ruby. Otherwise there will be syntax errors
-
-Vulnerabilities
-* Update WordPress Vulnerabilities
-* Update timthumb due to Secunia #54801
-* Added WP vuln: 3.4 - 3.5.1 wp-admin/users.php FPD
-
-WPScan Database Statistics:
-* Total vulnerable versions: 76; 4 are new
-* Total vulnerable plugins: 610; 201 are new
-* Total vulnerable themes: 196; 47 are new
-* Total version vulnerabilities: 274; 53 are new
-* Total plugin vulnerabilities: 780; 286 are new
-* Total theme vulnerabilities: 204; 52 are new
-
-Add WP Fingerprints
-* WP 3.7.1 Fingerprinting
-* WP 3.7 Fingerprinting
-* Ref #280 WP 3.6.1 fingerprint
-* Added WP 3.6 advanced fingerprint hash. See Issue #255.
-* Updated MD5 hash of WP 3.6 detection. See Issue #277.
-* WP 3.5.2 Fingerprint
-* Bug Fix : Wp 3.5 & 3.5.1 not detected from advanced fingerprinting.
-
-Fixed issues
-* Fix #249 - [ERROR] "\xF1" on US-ASCII
-* Fix #275 - [ERROR] "\xC3" on US-ASCII
-* Fix #271 - Further Instructions added to the Mac Install
-* Fix #266 - passive detection regex
-* Fix #265 - remove base64 images before passive detection
-* Fix #262 - [ERROR] bad component(expected absolute path component)
-* Fix #260 - Fixes Travis Fail, due to rspec-mock v2.14.3
-* Fix #208 - Fixed vulnerable plugins still appear in the results
-* Fix #245 - all theme enumeration error
-* Fix #241 - Cant convert array to string
-* Fix #232 - Crash while enumerating usernames
-* Fix #223 - New wordpress urls for most popular plugins & themes
-* Fix #177 - Passive Cache plugins detection (no spec)
-* Fix #169 - False reports
-* Fix #182 - Remove the progress-bar static length (120), and let it to automatic
-* Fix #181 - Don't exit if no usernames found during a simple enumeration (but exit if a brute force is asked)
-* Fix #200 - Log file not recording the list of username retireved
-* Fix #164 - README.txt detection
-* Fix #166 - ListGenerator using the old Browser#get method for full generation
-* Fix #153 - Disable error trace when it's from the main script
-* Fix #163 - in the proper way
-* Fix #144 - Use cookie jar to prevent infinite redirections loop
-* Fix #158 - Add the solution to 'no such file to load -- rubygems' in the README
-* Fix #152 - invalid ssl_certificate - response code 0
-* Fix #147 - can't modify frozen string
-* Fix #140 - xml_rpc_url in the body
-* Fix #153 - No error trace when 'No argument supplied'
-
-## Version 2.1
-Released 2013-3-4

DISCLAIMER.md

@@ -1,2 +0,0 @@
-WPScan is not responsible for misuse or for any damage that you may cause!
-You agree that you use this software at your own risk.

Dockerfile

@@ -1,37 +1,41 @@
-FROM ruby:2.5-alpine
-LABEL maintainer="WPScan Team <team@wpscan.org>"
+FROM ruby:3.0.2-alpine AS builder
+LABEL maintainer="WPScan Team <contact@wpscan.com>"
 
-ARG BUNDLER_ARGS="--jobs=8 --without test"
+RUN echo "install: --no-document --no-post-install-message\nupdate: --no-document --no-post-install-message" > /etc/gemrc
+
+COPY . /wpscan
+
+RUN apk add --no-cache git libcurl ruby-dev libffi-dev make gcc musl-dev zlib-dev procps sqlite-dev && \
+  bundle config force_ruby_platform true && \
+  bundle config disable_version_check 'true' && \
+  bundle config without "test development" && \
+  bundle config path.system 'true' && \
+  bundle install --gemfile=/wpscan/Gemfile --jobs=8
+
+WORKDIR /wpscan
+RUN rake install --trace
+
+# needed so non superusers can read gems
+RUN chmod -R a+r /usr/local/bundle
+
+
+FROM ruby:3.0.2-alpine
+LABEL maintainer="WPScan Team <contact@wpscan.com>"
+LABEL org.opencontainers.image.source https://github.com/wpscanteam/wpscan
 
-# Add a new user
 RUN adduser -h /wpscan -g WPScan -D wpscan
 
-# Setup gems
-RUN echo "gem: --no-ri --no-rdoc" > /etc/gemrc
+COPY --from=builder /usr/local/bundle /usr/local/bundle
 
-COPY Gemfile /wpscan
-COPY Gemfile.lock /wpscan
-
-# Runtime dependencies
-RUN apk add --no-cache libcurl procps && \
-  # build dependencies
-  apk add --no-cache --virtual build-deps alpine-sdk ruby-dev libffi-dev zlib-dev && \
-  bundle install --system --gemfile=/wpscan/Gemfile $BUNDLER_ARGS && \
-  apk del --no-cache build-deps
-
-# Copy over data & set permissions
-COPY . /wpscan
 RUN chown -R wpscan:wpscan /wpscan
 
-# Switch directory
+# runtime dependencies
+RUN apk add --no-cache libcurl procps sqlite-libs
+
 WORKDIR /wpscan
 
-# Switch users
 USER wpscan
 
-# Update WPScan
-RUN /wpscan/wpscan.rb --update --verbose --no-color
+RUN /usr/local/bundle/bin/wpscan --update --verbose
 
-# Run WPScan
-ENTRYPOINT ["/wpscan/wpscan.rb"]
-CMD ["--help"]
+ENTRYPOINT ["/usr/local/bundle/bin/wpscan"]

Gemfile

@@ -1,16 +1,6 @@
+# frozen_string_literal: true
+
 source 'https://rubygems.org'
+gemspec
 
-gem 'addressable', '>=2.5.0'
-gem 'nokogiri', '>=1.7.0.1'
-gem 'ruby-progressbar', '>=1.8.1'
-gem 'rubyzip', '>=1.2.1'
-gem 'terminal-table', '>=1.6.0'
-gem 'typhoeus', '>=1.1.2'
-gem 'yajl-ruby', '>=1.3.0' # Better JSON parser regarding memory usage
-
-group :test do
-  gem 'webmock', '>=2.3.2'
-  gem 'simplecov', '>=0.13.0'
-  gem 'rspec', '>=3.5.0'
-  gem 'rspec-its', '>=1.2.0'
-end
+# gem 'cms_scanner', branch: 'xxx', git: 'https://github.com/wpscanteam/CMSScanner.git'

Gemfile.lock

@@ -1,71 +0,0 @@
-GEM
-  remote: https://rubygems.org/
-  specs:
-    addressable (2.5.2)
-      public_suffix (>= 2.0.2, < 4.0)
-    crack (0.4.3)
-      safe_yaml (~> 1.0.0)
-    diff-lcs (1.3)
-    docile (1.3.1)
-    ethon (0.11.0)
-      ffi (>= 1.3.0)
-    ffi (1.9.25)
-    hashdiff (0.3.7)
-    json (2.1.0)
-    mini_portile2 (2.3.0)
-    nokogiri (1.8.4)
-      mini_portile2 (~> 2.3.0)
-    public_suffix (3.0.2)
-    rspec (3.7.0)
-      rspec-core (~> 3.7.0)
-      rspec-expectations (~> 3.7.0)
-      rspec-mocks (~> 3.7.0)
-    rspec-core (3.7.1)
-      rspec-support (~> 3.7.0)
-    rspec-expectations (3.7.0)
-      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.7.0)
-    rspec-its (1.2.0)
-      rspec-core (>= 3.0.0)
-      rspec-expectations (>= 3.0.0)
-    rspec-mocks (3.7.0)
-      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.7.0)
-    rspec-support (3.7.1)
-    ruby-progressbar (1.9.0)
-    rubyzip (1.2.1)
-    safe_yaml (1.0.4)
-    simplecov (0.16.1)
-      docile (~> 1.1)
-      json (>= 1.8, < 3)
-      simplecov-html (~> 0.10.0)
-    simplecov-html (0.10.2)
-    terminal-table (1.8.0)
-      unicode-display_width (~> 1.1, >= 1.1.1)
-    typhoeus (1.3.0)
-      ethon (>= 0.9.0)
-    unicode-display_width (1.4.0)
-    webmock (3.4.2)
-      addressable (>= 2.3.6)
-      crack (>= 0.3.2)
-      hashdiff
-    yajl-ruby (1.4.0)
-
-PLATFORMS
-  ruby
-
-DEPENDENCIES
-  addressable (>= 2.5.0)
-  nokogiri (>= 1.7.0.1)
-  rspec (>= 3.5.0)
-  rspec-its (>= 1.2.0)
-  ruby-progressbar (>= 1.8.1)
-  rubyzip (>= 1.2.1)
-  simplecov (>= 0.13.0)
-  terminal-table (>= 1.6.0)
-  typhoeus (>= 1.1.2)
-  webmock (>= 2.3.2)
-  yajl-ruby (>= 1.3.0)
-
-BUNDLED WITH
-   1.16.3

LICENSE

@@ -1,14 +1,14 @@
 WPScan Public Source License
 
-The WPScan software (henceforth referred to simply as "WPScan") is dual-licensed - Copyright 2011-2018 WPScan Team.
+The WPScan software (henceforth referred to simply as "WPScan") is dual-licensed - Copyright 2011-2019 WPScan Team.
 
 Cases that include commercialization of WPScan require a commercial, non-free license. Otherwise, WPScan can be used without charge under the terms set out below.
 
 1. Definitions
 
-1.1 “License” means this document.
-1.2 “Contributor” means each individual or legal entity that creates, contributes to the creation of, or owns WPScan.
-1.3 “WPScan Team” means WPScan’s core developers.
+1.1 "License" means this document.
+1.2 "Contributor" means each individual or legal entity that creates, contributes to the creation of, or owns WPScan.
+1.3 "WPScan Team" means WPScan’s core developers.
 
 2. Commercialization
 
@@ -27,9 +27,7 @@ Example cases which do not require a commercial license, and thus fall under the
  - Using WPScan to test your own systems.
  - Any non-commercial use of WPScan.
 
-If you need to purchase a commercial license or are unsure whether you need to purchase a commercial license contact us - team@wpscan.org.
-
-We may grant commercial licenses at no monetary cost at our own discretion if the commercial usage is deemed by the WPScan Team to significantly benefit WPScan.
+If you need to purchase a commercial license or are unsure whether you need to purchase a commercial license contact us - contact@wpscan.com.
 
 Free-use Terms and Conditions;
 
@@ -59,7 +57,7 @@ WPScan is provided under an AS-IS basis and without any support, updates or main
 
 8. Disclaimer of Warranty
 
-WPScan is provided under this License on an “as is” basis, without warranty of any kind, either expressed, implied, or statutory, including, without limitation, warranties that the WPScan is free of defects, merchantable, fit for a particular purpose or non-infringing.
+WPScan is provided under this License on an "as is" basis, without warranty of any kind, either expressed, implied, or statutory, including, without limitation, warranties that the WPScan is free of defects, merchantable, fit for a particular purpose or non-infringing.
 
 9. Limitation of Liability
 

README.md

@@ -1,17 +1,165 @@
-![alt text](https://raw.githubusercontent.com/wpscanteam/wpscan/gh-pages/wpscan_logo_407x80.png "WPScan - WordPress Security Scanner")
+<p align="center">
+  <a href="https://wpscan.com/">
+    <img src="https://raw.githubusercontent.com/wpscanteam/wpscan/gh-pages/images/wpscan_logo.png" alt="WPScan logo">
+  </a>
+</p>
 
-[![Build Status](https://travis-ci.org/wpscanteam/wpscan.svg?branch=master)](https://travis-ci.org/wpscanteam/wpscan)
-[![Code Climate](https://img.shields.io/codeclimate/github/wpscanteam/wpscan.svg)](https://codeclimate.com/github/wpscanteam/wpscan)
-[![Docker Pulls](https://img.shields.io/docker/pulls/wpscanteam/wpscan.svg)](https://hub.docker.com/r/wpscanteam/wpscan/)
-[![Patreon Donate](https://img.shields.io/badge/patreon-donate-green.svg)](https://www.patreon.com/wpscan)
+<h3 align="center">WPScan</h3>
 
-![alt text](https://wpscan.org/images/tty.gif "WPScan Screen Recording")
+<p align="center">
+  WordPress Security Scanner
+  <br>
+  <br>
+  <a href="https://wpscan.com/" title="homepage" target="_blank">WPScan WordPress Vulnerability Database</a> - <a href="https://wordpress.org/plugins/wpscan/" title="wordpress security plugin" target="_blank">WordPress Security Plugin</a>
+</p>
+
+<p align="center">
+  <a href="https://badge.fury.io/rb/wpscan" target="_blank"><img src="https://badge.fury.io/rb/wpscan.svg"></a>
+  <a href="https://hub.docker.com/r/wpscanteam/wpscan/" target="_blank"><img src="https://img.shields.io/docker/pulls/wpscanteam/wpscan.svg"></a>
+  <a href="https://github.com/wpscanteam/wpscan/actions?query=workflow%3ABuild" target="_blank"><img src="https://github.com/wpscanteam/wpscan/workflows/Build/badge.svg"></a>
+  <a href="https://codeclimate.com/github/wpscanteam/wpscan" target="_blank"><img src="https://codeclimate.com/github/wpscanteam/wpscan/badges/gpa.svg"></a>
+</p>
+
+# INSTALL
+
+## Prerequisites
+
+- (Optional but highly recommended: [RVM](https://rvm.io/rvm/install))
+- Ruby >= 2.7 - Recommended: latest
+- Curl >= 7.72  - Recommended: latest
+  - The 7.29 has a segfault
+  - The < 7.72 could result in `Stream error in the HTTP/2 framing layer` in some cases
+- RubyGems      - Recommended: latest
+- Nokogiri might require packages to be installed via your package manager depending on your OS, see https://nokogiri.org/tutorials/installing_nokogiri.html
+
+### In a Pentesting distribution
+
+When using a pentesting distubution (such as Kali Linux), it is recommended to install/update wpscan via the package manager if available.
+
+### In macOSX via Homebrew
+
+`brew install wpscanteam/tap/wpscan`
+
+### From RubyGems
+
+```shell
+gem install wpscan
+```
+
+On MacOSX, if a ```Gem::FilePermissionError``` is raised due to the Apple's System Integrity Protection (SIP), either install RVM and install wpscan again, or run ```sudo gem install -n /usr/local/bin wpscan``` (see [#1286](https://github.com/wpscanteam/wpscan/issues/1286))
+
+# Updating
+
+You can update the local database by using ```wpscan --update```
+
+Updating WPScan itself is either done via ```gem update wpscan``` or the packages manager (this is quite important for distributions such as in Kali Linux: ```apt-get update && apt-get upgrade```) depending on how WPScan was (pre)installed
+
+# Docker
+
+Pull the repo with ```docker pull wpscanteam/wpscan```
+
+Enumerating usernames
+
+```shell
+docker run -it --rm wpscanteam/wpscan --url https://target.tld/ --enumerate u
+```
+
+Enumerating a range of usernames
+
+```shell
+docker run -it --rm wpscanteam/wpscan --url https://target.tld/ --enumerate u1-100
+```
+
+** replace u1-100 with a range of your choice.
+
+# Usage
+
+Full user documentation can be found here; https://github.com/wpscanteam/wpscan/wiki/WPScan-User-Documentation
+
+```wpscan --url blog.tld``` This will scan the blog using default options with a good compromise between speed and accuracy. For example, the plugins will be checked passively but their version with a mixed detection mode (passively + aggressively). Potential config backup files will also be checked, along with other interesting findings.
+
+If a more stealthy approach is required, then ```wpscan --stealthy --url blog.tld``` can be used.
+As a result, when using the ```--enumerate``` option, don't forget to set the ```--plugins-detection``` accordingly, as its default is 'passive'.
+
+For more options, open a terminal and type ```wpscan --help``` (if you built wpscan from the source, you should type the command outside of the git repo)
+
+The DB is located at ~/.wpscan/db
+
+## Optional: WordPress Vulnerability Database API
+
+The WPScan CLI tool uses the [WordPress Vulnerability Database API](https://wpscan.com/api) to retrieve WordPress vulnerability data in real time. For WPScan to retrieve the vulnerability data an API token must be supplied via the `--api-token` option, or via a configuration file, as discussed below. An API token can be obtained by registering an account on [WPScan.com](https://wpscan.com/register).
+
+Up to **25** API requests per day are given free of charge, that should be suitable to scan most WordPress websites at least once per day. When the daily 25 API requests are exhausted, WPScan will continue to work as normal but without any vulnerability data.
+
+### How many API requests do you need?
+
+- Our WordPress scanner makes one API request for the WordPress version, one request per installed plugin and one request per installed theme.
+- On average, a WordPress website has 22 installed plugins.
+
+## Load CLI options from file/s
+
+WPScan can load all options (including the --url) from configuration files, the following locations are checked (order: first to last):
+
+- ~/.wpscan/scan.json
+- ~/.wpscan/scan.yml
+- pwd/.wpscan/scan.json
+- pwd/.wpscan/scan.yml
+
+If those files exist, options from the `cli_options` key will be loaded and overridden if found twice.
+
+e.g:
+
+~/.wpscan/scan.yml:
+
+```yml
+cli_options:
+  proxy: 'http://127.0.0.1:8080'
+  verbose: true
+```
+
+pwd/.wpscan/scan.yml:
+
+```yml
+cli_options:
+  proxy: 'socks5://127.0.0.1:9090'
+  url: 'http://target.tld'
+```
+
+Running ```wpscan``` in the current directory (pwd), is the same as ```wpscan -v --proxy socks5://127.0.0.1:9090 --url http://target.tld```
+
+## Save API Token in a file
+
+The feature mentioned above is useful to keep the API Token in a config file and not have to supply it via the CLI each time. To do so, create the ~/.wpscan/scan.yml file containing the below:
+
+```yml
+cli_options:
+  api_token: 'YOUR_API_TOKEN'
+```
+
+## Load API Token From ENV (since v3.7.10)
+
+The API Token will be automatically loaded from the ENV variable `WPSCAN_API_TOKEN` if present. If the `--api-token` CLI option is also provided, the value from the CLI will be used.
+
+
+## Enumerating usernames
+
+```shell
+wpscan --url https://target.tld/ --enumerate u
+```
+
+Enumerating a range of usernames
+
+```shell
+wpscan --url https://target.tld/ --enumerate u1-100
+```
+
+** replace u1-100 with a range of your choice.
 
 # LICENSE
 
 ## WPScan Public Source License
 
-The WPScan software (henceforth referred to simply as "WPScan") is dual-licensed - Copyright 2011-2018 WPScan Team.
+The WPScan software (henceforth referred to simply as "WPScan") is dual-licensed - Copyright 2011-2019 WPScan Team.
 
 Cases that include commercialization of WPScan require a commercial, non-free license. Otherwise, WPScan can be used without charge under the terms set out below.
 
@@ -21,7 +169,7 @@ Cases that include commercialization of WPScan require a commercial, non-free li
 
 1.2 "Contributor" means each individual or legal entity that creates, contributes to the creation of, or owns WPScan.
 
-1.3 "WPScan Team" means WPScan’s core developers, an updated list of whom can be found within the CREDITS file.
+1.3 "WPScan Team" means WPScan’s core developers.
 
 ### 2. Commercialization
 
@@ -29,20 +177,18 @@ A commercial use is one intended for commercial advantage or monetary compensati
 
 Example cases of commercialization are:
 
- - Using WPScan to provide commercial managed/Software-as-a-Service services.
- - Distributing WPScan as a commercial product or as part of one.
- - Using WPScan as a value added service/product.
+- Using WPScan to provide commercial managed/Software-as-a-Service services.
+- Distributing WPScan as a commercial product or as part of one.
+- Using WPScan as a value added service/product.
 
 Example cases which do not require a commercial license, and thus fall under the terms set out below, include (but are not limited to):
 
- - Penetration testers (or penetration testing organizations) using WPScan as part of their assessment toolkit.
- - Penetration Testing Linux Distributions including but not limited to Kali Linux, SamuraiWTF, BackBox Linux.
- - Using WPScan to test your own systems.
- - Any non-commercial use of WPScan.
+- Penetration testers (or penetration testing organizations) using WPScan as part of their assessment toolkit.
+- Penetration Testing Linux Distributions including but not limited to Kali Linux, SamuraiWTF, BackBox Linux.
+- Using WPScan to test your own systems.
+- Any non-commercial use of WPScan.
 
-If you need to purchase a commercial license or are unsure whether you need to purchase a commercial license contact us - team@wpscan.org.
-
-We may grant commercial licenses at no monetary cost at our own discretion if the commercial usage is deemed by the WPScan Team to significantly benefit WPScan.
+If you need to purchase a commercial license or are unsure whether you need to purchase a commercial license contact us - contact@wpscan.com.
 
 Free-use Terms and Conditions;
 
@@ -50,9 +196,9 @@ Free-use Terms and Conditions;
 
 Redistribution is permitted under the following conditions:
 
- - Unmodified License is provided with WPScan.
- - Unmodified Copyright notices are provided with WPScan.
- - Does not conflict with the commercialization clause.
+- Unmodified License is provided with WPScan.
+- Unmodified Copyright notices are provided with WPScan.
+- Does not conflict with the commercialization clause.
 
 ### 4. Copying
 
@@ -85,234 +231,3 @@ Running WPScan against websites without prior mutual consent may be illegal in y
 ### 11. Trademark
 
 The "wpscan" term is a registered trademark. This License does not grant the use of the "wpscan" trademark or the use of the WPScan logo.
-
-# INSTALL
-
-WPScan comes pre-installed on the following Linux distributions:
-
-- [BackBox Linux](http://www.backbox.org/)
-- [Kali Linux](http://www.kali.org/)
-- [Pentoo](http://www.pentoo.ch/)
-- [SamuraiWTF](http://samurai.inguardians.com/)
-- [BlackArch](http://blackarch.org/)
-
-On macOS WPScan is packaged by [Homebrew](https://brew.sh/) as [`wpscan`](http://braumeister.org/formula/wpscan).
-
-Windows is not supported
-
-We suggest you use our official Docker image from https://hub.docker.com/r/wpscanteam/wpscan/ to avoid installation problems.
-
-# DOCKER
-## Install Docker
-[https://docs.docker.com/engine/installation/](https://docs.docker.com/engine/installation/)
-
-## Get the image
-Pull the repo with `docker pull wpscanteam/wpscan`
-
-## Start WPScan
-
-```
-docker run -it --rm wpscanteam/wpscan -u https://yourblog.com [options]
-```
-
-For the available Options, please see https://github.com/wpscanteam/wpscan#wpscan-arguments
-
-If you run the git version of wpscan we included some binstubs in ./bin for easier start of wpscan.
-
-## Examples
-
-Mount a local wordlist to the docker container and start a bruteforce attack for user admin
-
-```
-docker run -it --rm -v ~/wordlists:/wordlists wpscanteam/wpscan --url https://yourblog.com --wordlist /wordlists/crackstation.txt --username admin
-```
-
-(This mounts the host directory `~/wordlists` to the container in the path `/wordlists`)
-
-Use logfile option
-```
-# the file must exist prior to starting the container, otherwise docker will create a directory with the filename
-touch ~/FILENAME
-docker run -it --rm -v ~/FILENAME:/wpscan/output.txt wpscanteam/wpscan --url https://yourblog.com --log /wpscan/output.txt
-```
-
-Published on https://hub.docker.com/r/wpscanteam/wpscan/
-
-# Manual install
-
-## Prerequisites
-
-- Ruby >= 2.1.9 - Recommended: 2.5.1
-- Curl >= 7.21  - Recommended: latest - FYI the 7.29 has a segfault
-- RubyGems      - Recommended: latest
-- Git
-
-### Installing dependencies on Ubuntu
-
-    sudo apt-get install libcurl4-openssl-dev libxml2 libxml2-dev libxslt1-dev ruby-dev build-essential libgmp-dev zlib1g-dev
-
-### Installing dependencies on Debian
-
-    sudo apt-get install gcc git ruby ruby-dev libcurl4-openssl-dev make zlib1g-dev
-
-### Installing dependencies on Fedora
-
-    sudo dnf install gcc ruby-devel libxml2 libxml2-devel libxslt libxslt-devel libcurl-devel patch rpm-build
-
-### Installing dependencies on Arch Linux
-
-    pacman -Syu ruby
-    pacman -Syu libyaml
-
-### Installing dependencies on macOS
-
-Apple Xcode, Command Line Tools and the libffi are needed (to be able to install the FFI gem), See [http://stackoverflow.com/questions/17775115/cant-setup-ruby-environment-installing-fii-gem-error](http://stackoverflow.com/questions/17775115/cant-setup-ruby-environment-installing-fii-gem-error)
-
-## Installing with RVM (recommended when doing a manual install)
-
-If you are using GNOME Terminal, there are some steps required before executing the commands. See here for more information:
-https://rvm.io/integration/gnome-terminal#integrating-rvm-with-gnome-terminal
-
-    # Install all prerequisites for your OS (look above)
-    cd ~
-    curl -sSL https://rvm.io/mpapis.asc | gpg --import -
-    curl -sSL https://get.rvm.io | bash -s stable
-    source ~/.rvm/scripts/rvm
-    echo "source ~/.rvm/scripts/rvm" >> ~/.bashrc
-    rvm install 2.5.1
-    rvm use 2.5.1 --default
-    echo "gem: --no-ri --no-rdoc" > ~/.gemrc
-    git clone https://github.com/wpscanteam/wpscan.git
-    cd wpscan
-    gem install bundler
-    bundle install --without test
-
-## Installing manually (not recommended)
-
-    git clone https://github.com/wpscanteam/wpscan.git
-    cd wpscan
-    sudo gem install bundler && bundle install --without test
-
-# KNOWN ISSUES
-
-  - no such file to load -- rubygems
-
-      ```update-alternatives --config ruby```
-
-      And select your ruby version
-
-      See [https://github.com/wpscanteam/wpscan/issues/148](https://github.com/wpscanteam/wpscan/issues/148)
-
-# WPSCAN ARGUMENTS
-
-    --update                            Update the database to the latest version.
-    --url       | -u <target url>       The WordPress URL/domain to scan.
-    --force     | -f                    Forces WPScan to not check if the remote site is running WordPress.
-    --enumerate | -e [option(s)]        Enumeration.
-      option :
-        u        usernames from id 1 to 10
-        u[10-20] usernames from id 10 to 20 (you must write [] chars)
-        p        plugins
-        vp       only vulnerable plugins
-        ap       all plugins (can take a long time)
-        tt       timthumbs
-        t        themes
-        vt       only vulnerable themes
-        at       all themes (can take a long time)
-      Multiple values are allowed : "-e tt,p" will enumerate timthumbs and plugins
-      If no option is supplied, the default is "vt,tt,u,vp"
-
-    --exclude-content-based "<regexp or string>"
-                                        Used with the enumeration option, will exclude all occurrences based on the regexp or string supplied.
-                                        You do not need to provide the regexp delimiters, but you must write the quotes (simple or double).
-    --config-file  | -c <config file>   Use the specified config file, see the example.conf.json.
-    --user-agent   | -a <User-Agent>    Use the specified User-Agent.
-    --cookie <string>                   String to read cookies from.
-    --random-agent | -r                 Use a random User-Agent.
-    --follow-redirection                If the target url has a redirection, it will be followed without asking if you wanted to do so or not
-    --batch                             Never ask for user input, use the default behaviour.
-    --no-color                          Do not use colors in the output.
-    --log [filename]                    Creates a log.txt file with WPScan's output if no filename is supplied. Otherwise the filename is used for logging.
-    --no-banner                         Prevents the WPScan banner from being displayed.
-    --disable-accept-header             Prevents WPScan sending the Accept HTTP header.
-    --disable-referer                   Prevents setting the Referer header.
-    --disable-tls-checks                Disables SSL/TLS certificate verification.
-    --wp-content-dir <wp content dir>   WPScan try to find the content directory (ie wp-content) by scanning the index page, however you can specify it.
-                                        Subdirectories are allowed.
-    --wp-plugins-dir <wp plugins dir>   Same thing than --wp-content-dir but for the plugins directory.
-                                        If not supplied, WPScan will use wp-content-dir/plugins. Subdirectories are allowed
-    --proxy <[protocol://]host:port>    Supply a proxy. HTTP, SOCKS4 SOCKS4A and SOCKS5 are supported.
-                                        If no protocol is given (format host:port), HTTP will be used.
-    --proxy-auth <username:password>    Supply the proxy login credentials.
-    --basic-auth <username:password>    Set the HTTP Basic authentication.
-    --wordlist | -w <wordlist>          Supply a wordlist for the password brute forcer.
-                                        If the "-" option is supplied, the wordlist is expected via STDIN.
-    --username | -U <username>          Only brute force the supplied username.
-    --usernames     <path-to-file>      Only brute force the usernames from the file.
-    --cache-dir       <cache-directory> Set the cache directory.
-    --cache-ttl       <cache-ttl>       Typhoeus cache TTL.
-    --request-timeout <request-timeout> Request Timeout.
-    --connect-timeout <connect-timeout> Connect Timeout.
-    --threads  | -t <number of threads> The number of threads to use when multi-threading requests.
-    --throttle        <milliseconds>    Milliseconds to wait before doing another web request. If used, the --threads should be set to 1.
-    --help     | -h                     This help screen.
-    --verbose  | -v                     Verbose output.
-    --version                           Output the current version and exit.
-
-# WPSCAN EXAMPLES
-
-Do 'non-intrusive' checks...
-
-```ruby wpscan.rb --url www.example.com```
-
-Do wordlist password brute force on enumerated users using 50 threads...
-
-```ruby wpscan.rb --url www.example.com --wordlist darkc0de.lst --threads 50```
-
-Do wordlist password brute force on enumerated users using STDIN as the wordlist...
-
-```crunch 5 13 -f charset.lst mixalpha | ruby wpscan.rb --url www.example.com --wordlist -```
-
-Do wordlist password brute force on the 'admin' username only...
-
-```ruby wpscan.rb --url www.example.com --wordlist darkc0de.lst --username admin```
-
-Enumerate installed plugins...
-
-```ruby wpscan.rb --url www.example.com --enumerate p```
-
-Run all enumeration tools...
-
-```ruby wpscan.rb --url www.example.com --enumerate```
-
-Use custom content directory...
-
-```ruby wpscan.rb -u www.example.com --wp-content-dir custom-content```
-
-Update WPScan's databases...
-
-```ruby wpscan.rb --update```
-
-Debug output...
-
-```ruby wpscan.rb --url www.example.com --debug-output 2>debug.log```
-
-# PROJECT HOME
-
-[http://www.wpscan.org](http://www.wpscan.org)
-
-# VULNERABILITY DATABASE
-
-[https://wpvulndb.com](https://wpvulndb.com)
-
-# GIT REPOSITORY
-
-[https://github.com/wpscanteam/wpscan](https://github.com/wpscanteam/wpscan)
-
-# ISSUES
-
-[https://github.com/wpscanteam/wpscan/issues](https://github.com/wpscanteam/wpscan/issues)
-
-# DEVELOPER DOCUMENTATION
-
-[http://rdoc.info/github/wpscanteam/wpscan/frames](http://rdoc.info/github/wpscanteam/wpscan/frames)

Rakefile

@@ -0,0 +1,28 @@
+# rubocop:disable all
+
+require 'bundler/gem_tasks'
+
+exec = []
+
+begin
+  require 'rubocop/rake_task'
+
+  RuboCop::RakeTask.new
+
+  exec << :rubocop
+rescue LoadError
+end
+
+begin
+  require 'rspec/core/rake_task'
+
+  RSpec::Core::RakeTask.new(:spec) { |t| t.rspec_opts = %w{--tag ~slow} }
+
+  exec << :spec
+rescue LoadError
+end
+
+# Run rubocop & rspec before the build (only if installed)
+task build: exec
+
+# rubocop:enable all

app/app.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+require_relative 'models'
+require_relative 'finders'
+require_relative 'controllers'

app/controllers.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+require_relative 'controllers/core'
+require_relative 'controllers/vuln_api'
+require_relative 'controllers/custom_directories'
+require_relative 'controllers/wp_version'
+require_relative 'controllers/main_theme'
+require_relative 'controllers/enumeration'
+require_relative 'controllers/password_attack'
+require_relative 'controllers/aliases'

app/controllers/aliases.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Controller
+    # Controller to add the aliases in the CLI
+    class Aliases < CMSScanner::Controller::Base
+      def cli_options
+        [
+          OptAlias.new(['--stealthy'],
+                       alias_for: '--random-user-agent --detection-mode passive --plugins-version-detection passive')
+        ]
+      end
+    end
+  end
+end

app/controllers/core.rb

@@ -0,0 +1,109 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Controller
+    # Specific Core controller to include WordPress checks
+    class Core < CMSScanner::Controller::Core
+      # @return [ Array<OptParseValidator::Opt> ]
+      def cli_options
+        [OptURL.new(['--url URL', 'The URL of the blog to scan'],
+                    required_unless: %i[update help hh version], default_protocol: 'http')] +
+          super.drop(2) + # delete the --url and --force from CMSScanner
+          [
+            OptChoice.new(['--server SERVER', 'Force the supplied server module to be loaded'],
+                          choices: %w[apache iis nginx],
+                          normalize: %i[downcase to_sym],
+                          advanced: true),
+            OptBoolean.new(['--force', 'Do not check if the target is running WordPress or returns a 403']),
+            OptBoolean.new(['--[no-]update', 'Whether or not to update the Database'])
+          ]
+      end
+
+      # @return [ DB::Updater ]
+      def local_db
+        @local_db ||= DB::Updater.new(DB_DIR)
+      end
+
+      # @return [ Boolean ]
+      def update_db_required?
+        if local_db.missing_files?
+          raise Error::MissingDatabaseFile if ParsedCli.update == false
+
+          return true
+        end
+
+        return ParsedCli.update unless ParsedCli.update.nil?
+
+        return false unless user_interaction? && local_db.outdated?
+
+        output('@notice', msg: 'It seems like you have not updated the database for some time.')
+        print '[?] Do you want to update now? [Y]es [N]o, default: [N]'
+
+        /^y/i.match?(Readline.readline)
+      end
+
+      def update_db
+        output('db_update_started')
+        output('db_update_finished', updated: local_db.update, verbose: ParsedCli.verbose)
+
+        exit(0) unless ParsedCli.url
+      end
+
+      def before_scan
+        @last_update = local_db.last_update
+
+        maybe_output_banner_help_and_version # From CMSScanner
+
+        update_db if update_db_required?
+        setup_cache
+        check_target_availability
+        load_server_module
+        check_wordpress_state
+      rescue Error::NotWordPress => e
+        target.maybe_add_cookies
+        raise e unless target.wordpress?(ParsedCli.detection_mode)
+      end
+
+      # Raises errors if the target is hosted on wordpress.com or is not running WordPress
+      # Also check if the homepage_url is still the install url
+      def check_wordpress_state
+        raise Error::WordPressHosted if target.wordpress_hosted?
+
+        if %r{/wp-admin/install.php$}i.match?(Addressable::URI.parse(target.homepage_url).path)
+
+          output('not_fully_configured', url: target.homepage_url)
+
+          exit(WPScan::ExitCode::VULNERABLE)
+        end
+
+        raise Error::NotWordPress unless target.wordpress?(ParsedCli.detection_mode) || ParsedCli.force
+      end
+
+      # Loads the related server module in the target
+      # and includes it in the WpItem class which will be needed
+      # to check if directory listing is enabled etc
+      #
+      # @return [ Symbol ] The server module loaded
+      def load_server_module
+        server = target.server || :Apache # Tries to auto detect the server
+
+        # Force a specific server module to be loaded if supplied
+        case ParsedCli.server
+        when :apache
+          server = :Apache
+        when :iis
+          server = :IIS
+        when :nginx
+          server = :Nginx
+        end
+
+        mod = CMSScanner::Target::Server.const_get(server)
+
+        target.extend mod
+        Model::WpItem.include mod
+
+        server
+      end
+    end
+  end
+end

app/controllers/custom_directories.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Controller
+    # Controller to ensure that the wp-content and wp-plugins
+    # directories are found
+    class CustomDirectories < CMSScanner::Controller::Base
+      def cli_options
+        [
+          OptString.new(['--wp-content-dir DIR',
+                         'The wp-content directory if custom or not detected, such as "wp-content"']),
+          OptString.new(['--wp-plugins-dir DIR',
+                         'The plugins directory if custom or not detected, such as "wp-content/plugins"'])
+        ]
+      end
+
+      def before_scan
+        target.content_dir = ParsedCli.wp_content_dir if ParsedCli.wp_content_dir
+        target.plugins_dir = ParsedCli.wp_plugins_dir if ParsedCli.wp_plugins_dir
+
+        raise Error::WpContentDirNotDetected unless target.content_dir
+      end
+    end
+  end
+end

app/controllers/enumeration.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require_relative 'enumeration/cli_options'
+require_relative 'enumeration/enum_methods'
+
+module WPScan
+  module Controller
+    # Enumeration Controller
+    class Enumeration < CMSScanner::Controller::Base
+      def run
+        enum = ParsedCli.enumerate || {}
+
+        enum_plugins if enum_plugins?(enum)
+        enum_themes  if enum_themes?(enum)
+
+        %i[timthumbs config_backups db_exports medias].each do |key|
+          send("enum_#{key}".to_sym) if enum.key?(key)
+        end
+
+        enum_users if enum_users?(enum)
+      end
+    end
+  end
+end

app/controllers/enumeration/cli_options.rb

@@ -0,0 +1,184 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Controller
+    # Enumeration CLI Options
+    class Enumeration < CMSScanner::Controller::Base
+      def cli_options
+        cli_enum_choices + cli_plugins_opts + cli_themes_opts +
+          cli_timthumbs_opts + cli_config_backups_opts + cli_db_exports_opts +
+          cli_medias_opts + cli_users_opts
+      end
+
+      # @return [ Array<OptParseValidator::OptBase> ]
+      def cli_enum_choices
+        [
+          OptMultiChoices.new(
+            ['-e', '--enumerate [OPTS]', 'Enumeration Process'],
+            choices: {
+              vp: OptBoolean.new(['--vulnerable-plugins']),
+              ap: OptBoolean.new(['--all-plugins']),
+              p: OptBoolean.new(['--popular-plugins']),
+              vt: OptBoolean.new(['--vulnerable-themes']),
+              at: OptBoolean.new(['--all-themes']),
+              t: OptBoolean.new(['--popular-themes']),
+              tt: OptBoolean.new(['--timthumbs']),
+              cb: OptBoolean.new(['--config-backups']),
+              dbe: OptBoolean.new(['--db-exports']),
+              u: OptIntegerRange.new(['--users', 'User IDs range. e.g: u1-5'], value_if_empty: '1-10'),
+              m: OptIntegerRange.new(['--medias',
+                                      'Media IDs range. e.g m1-15',
+                                      'Note: Permalink setting must be set to "Plain" for those to be detected'],
+                                     value_if_empty: '1-100')
+            },
+            value_if_empty: 'vp,vt,tt,cb,dbe,u,m',
+            incompatible: [%i[vp ap p], %i[vt at t]],
+            default: { all_plugins: true, config_backups: true }
+          ),
+          OptRegexp.new(
+            [
+              '--exclude-content-based REGEXP_OR_STRING',
+              'Exclude all responses matching the Regexp (case insensitive) during parts of the enumeration.',
+              'Both the headers and body are checked. Regexp delimiters are not required.'
+            ], options: Regexp::IGNORECASE
+          )
+        ]
+      end
+
+      # @return [ Array<OptParseValidator::OptBase> ]
+      def cli_plugins_opts
+        [
+          OptSmartList.new(['--plugins-list LIST', 'List of plugins to enumerate'], advanced: true),
+          OptChoice.new(
+            ['--plugins-detection MODE',
+             'Use the supplied mode to enumerate Plugins.'],
+            choices: %w[mixed passive aggressive], normalize: :to_sym, default: :passive
+          ),
+          OptBoolean.new(
+            ['--plugins-version-all',
+             'Check all the plugins version locations according to the choosen mode (--detection-mode, ' \
+             '--plugins-detection and --plugins-version-detection)'],
+            advanced: true
+          ),
+          OptChoice.new(
+            ['--plugins-version-detection MODE',
+             'Use the supplied mode to check plugins\' versions.'],
+            choices: %w[mixed passive aggressive], normalize: :to_sym, default: :mixed
+          ),
+          OptInteger.new(
+            ['--plugins-threshold THRESHOLD',
+             'Raise an error when the number of detected plugins via known locations reaches the threshold. ' \
+             'Set to 0 to ignore the threshold.'], default: 100, advanced: true
+          )
+        ]
+      end
+
+      # @return [ Array<OptParseValidator::OptBase> ]
+      def cli_themes_opts
+        [
+          OptSmartList.new(['--themes-list LIST', 'List of themes to enumerate'], advanced: true),
+          OptChoice.new(
+            ['--themes-detection MODE',
+             'Use the supplied mode to enumerate Themes, instead of the global (--detection-mode) mode.'],
+            choices: %w[mixed passive aggressive], normalize: :to_sym, advanced: true
+          ),
+          OptBoolean.new(
+            ['--themes-version-all',
+             'Check all the themes version locations according to the choosen mode (--detection-mode, ' \
+             '--themes-detection and --themes-version-detection)'],
+            advanced: true
+          ),
+          OptChoice.new(
+            ['--themes-version-detection MODE',
+             'Use the supplied mode to check themes versions instead of the --detection-mode ' \
+             'or --themes-detection modes.'],
+            choices: %w[mixed passive aggressive], normalize: :to_sym, advanced: true
+          ),
+          OptInteger.new(
+            ['--themes-threshold THRESHOLD',
+             'Raise an error when the number of detected themes via known locations reaches the threshold. ' \
+             'Set to 0 to ignore the threshold.'], default: 20, advanced: true
+          )
+        ]
+      end
+
+      # @return [ Array<OptParseValidator::OptBase> ]
+      def cli_timthumbs_opts
+        [
+          OptFilePath.new(
+            ['--timthumbs-list FILE-PATH', 'List of timthumbs\' location to use'],
+            exists: true, default: DB_DIR.join('timthumbs-v3.txt').to_s, advanced: true
+          ),
+          OptChoice.new(
+            ['--timthumbs-detection MODE',
+             'Use the supplied mode to enumerate Timthumbs, instead of the global (--detection-mode) mode.'],
+            choices: %w[mixed passive aggressive], normalize: :to_sym, advanced: true
+          )
+        ]
+      end
+
+      # @return [ Array<OptParseValidator::OptBase> ]
+      def cli_config_backups_opts
+        [
+          OptFilePath.new(
+            ['--config-backups-list FILE-PATH', 'List of config backups\' filenames to use'],
+            exists: true, default: DB_DIR.join('config_backups.txt').to_s, advanced: true
+          ),
+          OptChoice.new(
+            ['--config-backups-detection MODE',
+             'Use the supplied mode to enumerate Config Backups, instead of the global (--detection-mode) mode.'],
+            choices: %w[mixed passive aggressive], normalize: :to_sym, advanced: true
+          )
+        ]
+      end
+
+      # @return [ Array<OptParseValidator::OptBase> ]
+      def cli_db_exports_opts
+        [
+          OptFilePath.new(
+            ['--db-exports-list FILE-PATH', 'List of DB exports\' paths to use'],
+            exists: true, default: DB_DIR.join('db_exports.txt').to_s, advanced: true
+          ),
+          OptChoice.new(
+            ['--db-exports-detection MODE',
+             'Use the supplied mode to enumerate DB Exports, instead of the global (--detection-mode) mode.'],
+            choices: %w[mixed passive aggressive], normalize: :to_sym, advanced: true
+          )
+        ]
+      end
+
+      # @return [ Array<OptParseValidator::OptBase> ]
+      def cli_medias_opts
+        [
+          OptChoice.new(
+            ['--medias-detection MODE',
+             'Use the supplied mode to enumerate Medias, instead of the global (--detection-mode) mode.'],
+            choices: %w[mixed passive aggressive], normalize: :to_sym, advanced: true
+          )
+        ]
+      end
+
+      # @return [ Array<OptParseValidator::OptBase> ]
+      def cli_users_opts
+        [
+          OptSmartList.new(
+            ['--users-list LIST',
+             'List of users to check during the users enumeration from the Login Error Messages'],
+            advanced: true
+          ),
+          OptChoice.new(
+            ['--users-detection MODE',
+             'Use the supplied mode to enumerate Users, instead of the global (--detection-mode) mode.'],
+            choices: %w[mixed passive aggressive], normalize: :to_sym, advanced: true
+          ),
+          OptRegexp.new(
+            [
+              '--exclude-usernames REGEXP_OR_STRING',
+              'Exclude usernames matching the Regexp/string (case insensitive). Regexp delimiters are not required.'
+            ], options: Regexp::IGNORECASE
+          )
+        ]
+      end
+    end
+  end
+end

app/controllers/enumeration/enum_methods.rb

@@ -0,0 +1,207 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Controller
+    # Enumeration Methods
+    class Enumeration < CMSScanner::Controller::Base
+      # @param [ String ] type (plugins or themes)
+      # @param [ Symbol ] detection_mode
+      #
+      # @return [ String ] The related enumration message depending on the ParsedCli and type supplied
+      def enum_message(type, detection_mode)
+        return unless %w[plugins themes].include?(type)
+
+        details = if ParsedCli.enumerate[:"vulnerable_#{type}"]
+                    'Vulnerable'
+                  elsif ParsedCli.enumerate[:"all_#{type}"]
+                    'All'
+                  else
+                    'Most Popular'
+                  end
+
+        "Enumerating #{details} #{type.capitalize} #{enum_detection_message(detection_mode)}"
+      end
+
+      # @param [ Symbol ] detection_mode
+      #
+      # @return [ String ]
+      def enum_detection_message(detection_mode)
+        detection_method = if detection_mode == :mixed
+                             'Passive and Aggressive'
+                           else
+                             detection_mode.to_s.capitalize
+                           end
+
+        "(via #{detection_method} Methods)"
+      end
+
+      # @param [ String ] type (plugins, themes etc)
+      #
+      # @return [ Hash ]
+      def default_opts(type)
+        mode = ParsedCli.options[:"#{type}_detection"] || ParsedCli.detection_mode
+
+        {
+          mode: mode,
+          exclude_content: ParsedCli.exclude_content_based,
+          show_progression: user_interaction?,
+          version_detection: {
+            mode: ParsedCli.options[:"#{type}_version_detection"] || mode,
+            confidence_threshold: ParsedCli.options[:"#{type}_version_all"] ? 0 : 100
+          }
+        }
+      end
+
+      # @param [ Hash ] opts
+      #
+      # @return [ Boolean ] Wether or not to enumerate the plugins
+      def enum_plugins?(opts)
+        opts[:popular_plugins] || opts[:all_plugins] || opts[:vulnerable_plugins]
+      end
+
+      def enum_plugins
+        opts = default_opts('plugins').merge(
+          list: plugins_list_from_opts(ParsedCli.options),
+          threshold: ParsedCli.plugins_threshold,
+          sort: true
+        )
+
+        output('@info', msg: enum_message('plugins', opts[:mode])) if user_interaction?
+        # Enumerate the plugins & find their versions to avoid doing that when #version
+        # is called in the view
+        plugins = target.plugins(opts)
+
+        if user_interaction? && !plugins.empty?
+          output('@info',
+                 msg: "Checking Plugin Versions #{enum_detection_message(opts[:version_detection][:mode])}")
+        end
+
+        plugins.each(&:version)
+
+        plugins.select!(&:vulnerable?) if ParsedCli.enumerate[:vulnerable_plugins]
+
+        output('plugins', plugins: plugins)
+      end
+
+      # @param [ Hash ] opts
+      #
+      # @return [ Array<String> ] The plugins list associated to the cli options
+      def plugins_list_from_opts(opts)
+        # List file provided by the user via the cli
+        return opts[:plugins_list] if opts[:plugins_list]
+
+        if opts[:enumerate][:all_plugins]
+          DB::Plugins.all_slugs
+        elsif opts[:enumerate][:popular_plugins]
+          DB::Plugins.popular_slugs
+        else
+          DB::Plugins.vulnerable_slugs
+        end
+      end
+
+      # @param [ Hash ] opts
+      #
+      # @return [ Boolean ] Wether or not to enumerate the themes
+      def enum_themes?(opts)
+        opts[:popular_themes] || opts[:all_themes] || opts[:vulnerable_themes]
+      end
+
+      def enum_themes
+        opts = default_opts('themes').merge(
+          list: themes_list_from_opts(ParsedCli.options),
+          threshold: ParsedCli.themes_threshold,
+          sort: true
+        )
+
+        output('@info', msg: enum_message('themes', opts[:mode])) if user_interaction?
+        # Enumerate the themes & find their versions to avoid doing that when #version
+        # is called in the view
+        themes = target.themes(opts)
+
+        if user_interaction? && !themes.empty?
+          output('@info',
+                 msg: "Checking Theme Versions #{enum_detection_message(opts[:version_detection][:mode])}")
+        end
+
+        themes.each(&:version)
+
+        themes.select!(&:vulnerable?) if ParsedCli.enumerate[:vulnerable_themes]
+
+        output('themes', themes: themes)
+      end
+
+      # @param [ Hash ] opts
+      #
+      # @return [ Array<String> ] The themes list associated to the cli options
+      def themes_list_from_opts(opts)
+        # List file provided by the user via the cli
+        return opts[:themes_list] if opts[:themes_list]
+
+        if opts[:enumerate][:all_themes]
+          DB::Themes.all_slugs
+        elsif opts[:enumerate][:popular_themes]
+          DB::Themes.popular_slugs
+        else
+          DB::Themes.vulnerable_slugs
+        end
+      end
+
+      def enum_timthumbs
+        opts = default_opts('timthumbs').merge(list: ParsedCli.timthumbs_list)
+
+        output('@info', msg: "Enumerating Timthumbs #{enum_detection_message(opts[:mode])}") if user_interaction?
+        output('timthumbs', timthumbs: target.timthumbs(opts))
+      end
+
+      def enum_config_backups
+        opts = default_opts('config_backups').merge(list: ParsedCli.config_backups_list)
+
+        output('@info', msg: "Enumerating Config Backups #{enum_detection_message(opts[:mode])}") if user_interaction?
+        output('config_backups', config_backups: target.config_backups(opts))
+      end
+
+      def enum_db_exports
+        opts = default_opts('db_exports').merge(list: ParsedCli.db_exports_list)
+
+        output('@info', msg: "Enumerating DB Exports #{enum_detection_message(opts[:mode])}") if user_interaction?
+        output('db_exports', db_exports: target.db_exports(opts))
+      end
+
+      def enum_medias
+        opts = default_opts('medias').merge(range: ParsedCli.enumerate[:medias])
+
+        if user_interaction?
+          output('@info',
+                 msg: "Enumerating Medias #{enum_detection_message(opts[:mode])} "\
+                      '(Permalink setting must be set to "Plain" for those to be detected)')
+        end
+
+        output('medias', medias: target.medias(opts))
+      end
+
+      # @param [ Hash ] opts
+      #
+      # @return [ Boolean ] Wether or not to enumerate the users
+      def enum_users?(opts)
+        opts[:users] || (ParsedCli.passwords && !ParsedCli.username && !ParsedCli.usernames)
+      end
+
+      def enum_users
+        opts = default_opts('users').merge(
+          range: enum_users_range,
+          list: ParsedCli.users_list
+        )
+
+        output('@info', msg: "Enumerating Users #{enum_detection_message(opts[:mode])}") if user_interaction?
+        output('users', users: target.users(opts))
+      end
+
+      # @return [ Range ] The user ids range to enumerate
+      # If the --enumerate is used, the default value is handled by the Option
+      # However, when using --passwords alone, the default has to be set by the code below
+      def enum_users_range
+        ParsedCli.enumerate[:users] || cli_enum_choices[0].choices[:u].validate(nil)
+      end
+    end
+  end
+end

app/controllers/main_theme.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Controller
+    # Main Theme Controller
+    class MainTheme < CMSScanner::Controller::Base
+      def cli_options
+        [
+          OptChoice.new(
+            ['--main-theme-detection MODE',
+             'Use the supplied mode for the Main theme detection, instead of the global (--detection-mode) mode.'],
+            choices: %w[mixed passive aggressive], normalize: :to_sym, advanced: true
+          )
+        ]
+      end
+
+      def run
+        output(
+          'theme',
+          theme: target.main_theme(
+            mode: ParsedCli.main_theme_detection || ParsedCli.detection_mode
+          ),
+          verbose: ParsedCli.verbose
+        )
+      end
+    end
+  end
+end

app/controllers/password_attack.rb

@@ -0,0 +1,129 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Controller
+    # Password Attack Controller
+    class PasswordAttack < CMSScanner::Controller::Base
+      def cli_options
+        [
+          OptFilePath.new(
+            ['--passwords FILE-PATH', '-P',
+             'List of passwords to use during the password attack.',
+             'If no --username/s option supplied, user enumeration will be run.'],
+            exists: true
+          ),
+          OptSmartList.new(['--usernames LIST', '-U', 'List of usernames to use during the password attack.']),
+          OptInteger.new(['--multicall-max-passwords MAX_PWD',
+                          'Maximum number of passwords to send by request with XMLRPC multicall'],
+                         default: 500),
+          OptChoice.new(['--password-attack ATTACK',
+                         'Force the supplied attack to be used rather than automatically determining one.',
+                         'Multicall will only work against WP < 4.4'],
+                        choices: %w[wp-login xmlrpc xmlrpc-multicall],
+                        normalize: %i[downcase underscore to_sym]),
+          OptString.new(['--login-uri URI', 'The URI of the login page if different from /wp-login.php'])
+        ]
+      end
+
+      def attack_opts
+        @attack_opts ||= {
+          show_progression: user_interaction?,
+          multicall_max_passwords: ParsedCli.multicall_max_passwords
+        }
+      end
+
+      def run
+        return unless ParsedCli.passwords
+
+        begin
+          found = []
+
+          if user_interaction?
+            output('@info',
+                   msg: "Performing password attack on #{attacker.titleize} against #{users.size} user/s")
+          end
+
+          attacker.attack(users, ParsedCli.passwords, attack_opts) do |user|
+            found << user
+
+            attacker.progress_bar.log("[SUCCESS] - #{user.username} / #{user.password}")
+          end
+        rescue Error::NoLoginInterfaceDetected => e
+          # TODO: Maybe output that in JSON as well.
+          output('@notice', msg: e.to_s) if user_interaction?
+        ensure
+          output('users', users: found)
+        end
+      end
+
+      # @return [ CMSScanner::Finders::Finder ] The finder used to perform the attack
+      def attacker
+        @attacker ||= attacker_from_cli_options || attacker_from_automatic_detection
+      end
+
+      # @return [ Model::XMLRPC ]
+      def xmlrpc
+        @xmlrpc ||= target.xmlrpc
+      end
+
+      # @return [ CMSScanner::Finders::Finder ]
+      def attacker_from_cli_options
+        return unless ParsedCli.password_attack
+
+        case ParsedCli.password_attack
+        when :wp_login
+          raise Error::NoLoginInterfaceDetected unless target.login_url
+
+          Finders::Passwords::WpLogin.new(target)
+        when :xmlrpc
+          raise Error::XMLRPCNotDetected unless xmlrpc
+
+          Finders::Passwords::XMLRPC.new(xmlrpc)
+        when :xmlrpc_multicall
+          raise Error::XMLRPCNotDetected unless xmlrpc
+
+          Finders::Passwords::XMLRPCMulticall.new(xmlrpc)
+        end
+      end
+
+      # @return [ Boolean ]
+      def xmlrpc_get_users_blogs_enabled?
+        if xmlrpc&.enabled? &&
+           xmlrpc.available_methods.include?('wp.getUsersBlogs') &&
+           !xmlrpc.method_call('wp.getUsersBlogs', [SecureRandom.hex[0, 6], SecureRandom.hex[0, 4]])
+                  .run.body.match?(/>\s*405\s*</)
+
+          true
+        else
+          false
+        end
+      end
+
+      # @return [ CMSScanner::Finders::Finder ]
+      def attacker_from_automatic_detection
+        if xmlrpc_get_users_blogs_enabled?
+          wp_version = target.wp_version
+
+          if wp_version && wp_version < '4.4'
+            Finders::Passwords::XMLRPCMulticall.new(xmlrpc)
+          else
+            Finders::Passwords::XMLRPC.new(xmlrpc)
+          end
+        elsif target.login_url
+          Finders::Passwords::WpLogin.new(target)
+        else
+          raise Error::NoLoginInterfaceDetected
+        end
+      end
+
+      # @return [ Array<Users> ] The users to brute force
+      def users
+        return target.users unless ParsedCli.usernames
+
+        ParsedCli.usernames.reduce([]) do |acc, elem|
+          acc << Model::User.new(elem.chomp)
+        end
+      end
+    end
+  end
+end

app/controllers/vuln_api.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Controller
+    # Controller to handle the API token
+    class VulnApi < CMSScanner::Controller::Base
+      ENV_KEY = 'WPSCAN_API_TOKEN'
+
+      def cli_options
+        [
+          OptString.new(
+            ['--api-token TOKEN',
+             'The WPScan API Token to display vulnerability data, available at https://wpscan.com/profile']
+          )
+        ]
+      end
+
+      def before_scan
+        return unless ParsedCli.api_token || ENV.key?(ENV_KEY)
+
+        DB::VulnApi.token = ParsedCli.api_token || ENV[ENV_KEY]
+
+        api_status = DB::VulnApi.status
+
+        raise Error::InvalidApiToken if api_status['status'] == 'forbidden'
+        raise Error::ApiLimitReached if api_status['requests_remaining'] == 0
+        raise api_status['http_error'] if api_status['http_error']
+      end
+
+      def after_scan
+        output('status', status: DB::VulnApi.status, api_requests: WPScan.api_requests)
+      end
+    end
+  end
+end

app/controllers/wp_version.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Controller
+    # Wp Version Controller
+    class WpVersion < CMSScanner::Controller::Base
+      def cli_options
+        [
+          OptBoolean.new(['--wp-version-all', 'Check all the version locations'], advanced: true),
+          OptChoice.new(
+            ['--wp-version-detection MODE',
+             'Use the supplied mode for the WordPress version detection, ' \
+             'instead of the global (--detection-mode) mode.'],
+            choices: %w[mixed passive aggressive], normalize: :to_sym, advanced: true
+          )
+        ]
+      end
+
+      def before_scan
+        DB::DynamicFinders::Wordpress.create_versions_finders
+      end
+
+      def run
+        output(
+          'version',
+          version: target.wp_version(
+            mode: ParsedCli.wp_version_detection || ParsedCli.detection_mode,
+            confidence_threshold: ParsedCli.wp_version_all ? 0 : 100,
+            show_progression: user_interaction?
+          )
+        )
+      end
+    end
+  end
+end

app/finders.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+require_relative 'finders/interesting_findings'
+require_relative 'finders/wp_items'
+require_relative 'finders/wp_version'
+require_relative 'finders/main_theme'
+require_relative 'finders/timthumb_version'
+require_relative 'finders/timthumbs'
+require_relative 'finders/config_backups'
+require_relative 'finders/db_exports'
+require_relative 'finders/medias'
+require_relative 'finders/users'
+require_relative 'finders/plugins'
+require_relative 'finders/plugin_version'
+require_relative 'finders/theme_version'
+require_relative 'finders/themes'
+require_relative 'finders/passwords'

app/finders/config_backups.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require_relative 'config_backups/known_filenames'
+
+module WPScan
+  module Finders
+    module ConfigBackups
+      # Config Backup Finder
+      class Base
+        include CMSScanner::Finders::SameTypeFinder
+
+        # @param [ WPScan::Target ] target
+        def initialize(target)
+          finders << ConfigBackups::KnownFilenames.new(target)
+        end
+      end
+    end
+  end
+end

app/finders/config_backups/known_filenames.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module ConfigBackups
+      # Config Backup finder
+      class KnownFilenames < CMSScanner::Finders::Finder
+        include CMSScanner::Finders::Finder::Enumerator
+
+        # @param [ Hash ] opts
+        # @option opts [ String ] :list
+        # @option opts [ Boolean ] :show_progression
+        #
+        # @return [ Array<ConfigBackup> ]
+        def aggressive(opts = {})
+          found = []
+
+          enumerate(potential_urls(opts), opts.merge(check_full_response: 200)) do |res|
+            next unless res.body =~ /define/i && res.body !~ /<\s?html/i
+
+            found << Model::ConfigBackup.new(res.request.url, found_by: DIRECT_ACCESS, confidence: 100)
+          end
+
+          found
+        end
+
+        # @param [ Hash ] opts
+        # @option opts [ String ] :list Mandatory
+        #
+        # @return [ Hash ]
+        def potential_urls(opts = {})
+          urls = {}
+
+          File.open(opts[:list]).each_with_index do |file, index|
+            urls[target.url(file.chomp)] = index
+          end
+
+          urls
+        end
+
+        def create_progress_bar(opts = {})
+          super(opts.merge(title: ' Checking Config Backups -'))
+        end
+      end
+    end
+  end
+end

app/finders/db_exports.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require_relative 'db_exports/known_locations'
+
+module WPScan
+  module Finders
+    module DbExports
+      # DB Exports Finder
+      class Base
+        include CMSScanner::Finders::SameTypeFinder
+
+        # @param [ WPScan::Target ] target
+        def initialize(target)
+          finders << DbExports::KnownLocations.new(target)
+        end
+      end
+    end
+  end
+end

app/finders/db_exports/known_locations.rb

@@ -0,0 +1,99 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module DbExports
+      # DB Exports finder
+      class KnownLocations < CMSScanner::Finders::Finder
+        include CMSScanner::Finders::Finder::Enumerator
+
+        SQL_PATTERN = /(?:DROP|(?:UN)?LOCK|CREATE|ALTER) (?:TABLE|DATABASE)|INSERT INTO/.freeze
+
+        # @param [ Hash ] opts
+        # @option opts [ String ] :list
+        # @option opts [ Boolean ] :show_progression
+        #
+        # @return [ Array<DBExport> ]
+        def aggressive(opts = {})
+          found = []
+
+          enumerate(potential_urls(opts), opts.merge(check_full_response: 200)) do |res|
+            if res.effective_url.end_with?('.zip')
+              next unless %r{\Aapplication/zip}i.match?(res.headers['Content-Type'])
+            else
+              next unless SQL_PATTERN.match?(res.body)
+            end
+
+            found << Model::DbExport.new(res.request.url, found_by: DIRECT_ACCESS, confidence: 100)
+          end
+
+          found
+        end
+
+        def full_request_params
+          @full_request_params ||= { headers: { 'Range' => 'bytes=0-3000' } }
+        end
+
+        # @param [ Hash ] opts
+        # @option opts [ String ] :list Mandatory
+        #
+        # @return [ Hash ]
+        def potential_urls(opts = {})
+          urls = {}
+          index = 0
+
+          File.open(opts[:list]).each do |path|
+            path.chomp!
+
+            if path.include?('{domain_name}')
+              urls[target.url(path.gsub('{domain_name}', domain_name))] = index
+
+              if domain_name != domain_name_with_sub
+                urls[target.url(path.gsub('{domain_name}', domain_name_with_sub))] = index + 1
+
+                index += 1
+              end
+            else
+              urls[target.url(path)] = index
+            end
+
+            index += 1
+          end
+
+          urls
+        end
+
+        def domain_name
+          @domain_name ||= if Resolv::AddressRegex.match?(target.uri.host)
+                             target.uri.host
+                           else
+                             (PublicSuffix.domain(target.uri.host) || target.uri.host)[/(^[\w|-]+)/, 1]
+                           end
+        end
+
+        def domain_name_with_sub
+          @domain_name_with_sub ||=
+            if Resolv::AddressRegex.match?(target.uri.host)
+              target.uri.host
+            else
+              parsed = PublicSuffix.parse(target.uri.host)
+
+              if parsed.subdomain
+                parsed.subdomain.gsub(".#{parsed.tld}", '')
+              elsif parsed.domain
+                parsed.domain.gsub(".#{parsed.tld}", '')
+              else
+                target.uri.host
+              end
+            end
+        rescue PublicSuffix::DomainNotAllowed
+          @domain_name_with_sub = target.uri.host
+        end
+
+        def create_progress_bar(opts = {})
+          super(opts.merge(title: ' Checking DB Exports -'))
+        end
+      end
+    end
+  end
+end

app/finders/interesting_findings.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+require_relative 'interesting_findings/readme'
+require_relative 'interesting_findings/wp_cron'
+require_relative 'interesting_findings/multisite'
+require_relative 'interesting_findings/debug_log'
+require_relative 'interesting_findings/backup_db'
+require_relative 'interesting_findings/mu_plugins'
+require_relative 'interesting_findings/php_disabled'
+require_relative 'interesting_findings/registration'
+require_relative 'interesting_findings/tmm_db_migrate'
+require_relative 'interesting_findings/upload_sql_dump'
+require_relative 'interesting_findings/full_path_disclosure'
+require_relative 'interesting_findings/duplicator_installer_log'
+require_relative 'interesting_findings/upload_directory_listing'
+require_relative 'interesting_findings/emergency_pwd_reset_script'
+
+module WPScan
+  module Finders
+    module InterestingFindings
+      # Interesting Files Finder
+      class Base < CMSScanner::Finders::InterestingFindings::Base
+        # @param [ WPScan::Target ] target
+        def initialize(target)
+          super(target)
+
+          %w[
+            Readme DebugLog FullPathDisclosure BackupDB DuplicatorInstallerLog
+            Multisite MuPlugins Registration UploadDirectoryListing TmmDbMigrate
+            UploadSQLDump EmergencyPwdResetScript WPCron PHPDisabled
+          ].each do |f|
+            finders << InterestingFindings.const_get(f).new(target)
+          end
+        end
+      end
+    end
+  end
+end

app/finders/interesting_findings/backup_db.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module InterestingFindings
+      # BackupDB finder
+      class BackupDB < CMSScanner::Finders::Finder
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          path = 'wp-content/backup-db/'
+          res  = target.head_and_get(path, [200, 403])
+
+          return unless [200, 403].include?(res.code) && !target.homepage_or_404?(res)
+
+          Model::BackupDB.new(
+            target.url(path),
+            confidence: 70,
+            found_by: DIRECT_ACCESS,
+            interesting_entries: target.directory_listing_entries(path)
+          )
+        end
+      end
+    end
+  end
+end

app/finders/interesting_findings/debug_log.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module InterestingFindings
+      # debug.log finder
+      class DebugLog < CMSScanner::Finders::Finder
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          path = 'wp-content/debug.log'
+
+          return unless target.debug_log?(path)
+
+          Model::DebugLog.new(target.url(path), confidence: 100, found_by: DIRECT_ACCESS)
+        end
+      end
+    end
+  end
+end

app/finders/interesting_findings/duplicator_installer_log.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module InterestingFindings
+      # DuplicatorInstallerLog finder
+      class DuplicatorInstallerLog < CMSScanner::Finders::Finder
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          path = 'installer-log.txt'
+
+          return unless /DUPLICATOR(-|\s)?(PRO|LITE)?:? INSTALL-LOG/i.match?(target.head_and_get(path).body)
+
+          Model::DuplicatorInstallerLog.new(target.url(path), confidence: 100, found_by: DIRECT_ACCESS)
+        end
+      end
+    end
+  end
+end

app/finders/interesting_findings/emergency_pwd_reset_script.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module InterestingFindings
+      # Emergency Password Reset Script finder
+      class EmergencyPwdResetScript < CMSScanner::Finders::Finder
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          path = 'emergency.php'
+          res  = target.head_and_get(path)
+
+          return unless res.code == 200 && !target.homepage_or_404?(res)
+
+          Model::EmergencyPwdResetScript.new(
+            target.url(path),
+            confidence: /password/i.match?(res.body) ? 100 : 40,
+            found_by: DIRECT_ACCESS
+          )
+        end
+      end
+    end
+  end
+end

app/finders/interesting_findings/full_path_disclosure.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module InterestingFindings
+      # Full Path Disclosure finder
+      class FullPathDisclosure < CMSScanner::Finders::Finder
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          path        = 'wp-includes/rss-functions.php'
+          fpd_entries = target.full_path_disclosure_entries(path)
+
+          return if fpd_entries.empty?
+
+          Model::FullPathDisclosure.new(
+            target.url(path),
+            confidence: 100,
+            found_by: DIRECT_ACCESS,
+            interesting_entries: fpd_entries
+          )
+        end
+      end
+    end
+  end
+end

app/finders/interesting_findings/mu_plugins.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module InterestingFindings
+      # Must Use Plugins Directory checker
+      class MuPlugins < CMSScanner::Finders::Finder
+        # @return [ InterestingFinding ]
+        def passive(_opts = {})
+          pattern = %r{#{target.content_dir}/mu-plugins/}i
+
+          target.in_scope_uris(target.homepage_res, '(//@href|//@src)[contains(., "mu-plugins")]') do |uri|
+            next unless uri.path&.match?(pattern)
+
+            url = target.url('wp-content/mu-plugins/')
+
+            target.mu_plugins = true
+
+            return Model::MuPlugins.new(url, confidence: 70, found_by: 'URLs In Homepage (Passive Detection)')
+          end
+          nil
+        end
+
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          url = target.url('wp-content/mu-plugins/')
+          res = Browser.get_and_follow_location(url)
+
+          return unless [200, 401, 403].include?(res.code)
+          return if target.homepage_or_404?(res)
+
+          target.mu_plugins = true
+
+          Model::MuPlugins.new(url, confidence: 80, found_by: DIRECT_ACCESS)
+        end
+      end
+    end
+  end
+end

app/finders/interesting_findings/multisite.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module InterestingFindings
+      # Multisite checker
+      class Multisite < CMSScanner::Finders::Finder
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          url      = target.url('wp-signup.php')
+          res      = Browser.get(url)
+          location = res.headers_hash['location']
+
+          return unless [200, 302].include?(res.code)
+          return if res.code == 302 && location&.include?('wp-login.php?action=register')
+          return unless res.code == 200 || (res.code == 302 && location&.include?('wp-signup.php'))
+
+          target.multisite = true
+
+          Model::Multisite.new(url, confidence: 100, found_by: DIRECT_ACCESS)
+        end
+      end
+    end
+  end
+end

app/finders/interesting_findings/php_disabled.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module InterestingFindings
+      # See https://github.com/wpscanteam/wpscan/issues/1593
+      class PHPDisabled < CMSScanner::Finders::Finder
+        PATTERN = /\$wp_version =/.freeze
+
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          path = 'wp-includes/version.php'
+
+          return unless PATTERN.match?(target.head_and_get(path).body)
+
+          Model::PHPDisabled.new(target.url(path), confidence: 100, found_by: DIRECT_ACCESS)
+        end
+      end
+    end
+  end
+end

app/finders/interesting_findings/readme.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module InterestingFindings
+      # Readme.html finder
+      class Readme < CMSScanner::Finders::Finder
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          potential_files.each do |path|
+            res = target.head_and_get(path)
+
+            next unless res.code == 200 && res.body =~ /wordpress/i
+
+            return Model::Readme.new(target.url(path), confidence: 100, found_by: DIRECT_ACCESS)
+          end
+
+          nil
+        end
+
+        # @retun [ Array<String> ] The list of potential readme files
+        def potential_files
+          %w[readme.html olvasdel.html lisenssi.html liesmich.html]
+        end
+      end
+    end
+  end
+end

app/finders/interesting_findings/registration.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module InterestingFindings
+      # Registration Enabled checker
+      class Registration < CMSScanner::Finders::Finder
+        # @return [ InterestingFinding ]
+        def passive(_opts = {})
+          # Maybe check in the homepage if there is the registration url ?
+        end
+
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          res = Browser.get_and_follow_location(target.registration_url)
+
+          return unless res.code == 200
+          return if res.html.css('form#setupform').empty? &&
+                    res.html.css('form#registerform').empty?
+
+          target.registration_enabled = true
+
+          Model::Registration.new(res.effective_url, confidence: 100, found_by: DIRECT_ACCESS)
+        end
+      end
+    end
+  end
+end

app/finders/interesting_findings/tmm_db_migrate.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module InterestingFindings
+      # Tmm DB Migrate finder
+      class TmmDbMigrate < CMSScanner::Finders::Finder
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          path = 'wp-content/uploads/tmm_db_migrate/tmm_db_migrate.zip'
+          url  = target.url(path)
+          res  = browser.forge_request(url, target.head_or_get_request_params).run
+
+          return unless res.code == 200 && res.headers['Content-Type'] =~ %r{\Aapplication/zip}i
+
+          Model::TmmDbMigrate.new(url, confidence: 100, found_by: DIRECT_ACCESS)
+        end
+      end
+    end
+  end
+end

app/finders/interesting_findings/upload_directory_listing.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module InterestingFindings
+      # UploadDirectoryListing finder
+      class UploadDirectoryListing < CMSScanner::Finders::Finder
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          path = 'wp-content/uploads/'
+
+          return unless target.directory_listing?(path)
+
+          url = target.url(path)
+
+          Model::UploadDirectoryListing.new(url, confidence: 100, found_by: DIRECT_ACCESS)
+        end
+      end
+    end
+  end
+end

app/finders/interesting_findings/upload_sql_dump.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module InterestingFindings
+      # UploadSQLDump finder
+      class UploadSQLDump < CMSScanner::Finders::Finder
+        SQL_PATTERN = /(?:DROP|CREATE|(?:UN)?LOCK) TABLE|INSERT INTO/.freeze
+
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          path = 'wp-content/uploads/dump.sql'
+          res  = target.head_and_get(path, [200], get: { headers: { 'Range' => 'bytes=0-3000' } })
+
+          return unless SQL_PATTERN.match?(res.body)
+
+          Model::UploadSQLDump.new(target.url(path), confidence: 100, found_by: DIRECT_ACCESS)
+        end
+      end
+    end
+  end
+end

app/finders/interesting_findings/wp_cron.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module InterestingFindings
+      # wp-cron.php finder
+      class WPCron < CMSScanner::Finders::Finder
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          res = Browser.get(wp_cron_url)
+
+          return unless res.code == 200
+
+          Model::WPCron.new(wp_cron_url, confidence: 60, found_by: DIRECT_ACCESS)
+        end
+
+        def wp_cron_url
+          @wp_cron_url ||= target.url('wp-cron.php')
+        end
+      end
+    end
+  end
+end

app/finders/main_theme.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+require_relative 'main_theme/css_style_in_homepage'
+require_relative 'main_theme/css_style_in_404_page'
+require_relative 'main_theme/woo_framework_meta_generator'
+require_relative 'main_theme/urls_in_homepage'
+require_relative 'main_theme/urls_in_404_page'
+
+module WPScan
+  module Finders
+    module MainTheme
+      # Main Theme Finder
+      class Base
+        include CMSScanner::Finders::UniqueFinder
+
+        # @param [ WPScan::Target ] target
+        def initialize(target)
+          finders <<
+            MainTheme::CssStyleInHomepage.new(target) <<
+            MainTheme::CssStyleIn404Page.new(target) <<
+            MainTheme::WooFrameworkMetaGenerator.new(target) <<
+            MainTheme::UrlsInHomepage.new(target) <<
+            MainTheme::UrlsIn404Page.new(target)
+        end
+      end
+    end
+  end
+end

app/finders/main_theme/css_style_in_404_page.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module MainTheme
+      # From the CSS style in the 404 page
+      class CssStyleIn404Page < CssStyleInHomepage
+        def passive(opts = {})
+          passive_from_css_href(target.error_404_res, opts) || passive_from_style_code(target.error_404_res, opts)
+        end
+      end
+    end
+  end
+end

app/finders/main_theme/css_style_in_homepage.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module MainTheme
+      # From the CSS style in the homepage
+      class CssStyleInHomepage < CMSScanner::Finders::Finder
+        include Finders::WpItems::UrlsInPage # To have the item_code_pattern method available here
+
+        def create_theme(slug, style_url, opts)
+          Model::Theme.new(
+            slug,
+            target,
+            opts.merge(found_by: found_by, confidence: 70, style_url: style_url)
+          )
+        end
+
+        def passive(opts = {})
+          passive_from_css_href(target.homepage_res, opts) || passive_from_style_code(target.homepage_res, opts)
+        end
+
+        def passive_from_css_href(res, opts)
+          target.in_scope_uris(res, '//link/@href[contains(., "style.css")]') do |uri|
+            next unless uri.path =~ %r{/themes/([^/]+)/style.css\z}i
+
+            return create_theme(Regexp.last_match[1], uri.to_s, opts)
+          end
+          nil
+        end
+
+        def passive_from_style_code(res, opts)
+          res.html.css('style').each do |tag|
+            code = tag.text.to_s
+            next if code.empty?
+
+            next unless code =~ %r{#{item_code_pattern('themes')}\\?/style\.css[^"'( ]*}i
+
+            return create_theme(Regexp.last_match[1], Regexp.last_match[0].strip, opts)
+          end
+          nil
+        end
+      end
+    end
+  end
+end

app/finders/main_theme/urls_in_404_page.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module MainTheme
+      # URLs In 404 Page Finder
+      class UrlsIn404Page < UrlsInHomepage
+        # @return [ Typhoeus::Response ]
+        def page_res
+          @page_res ||= target.error_404_res
+        end
+      end
+    end
+  end
+end

app/finders/main_theme/urls_in_homepage.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module MainTheme
+      # URLs In Homepage Finder
+      class UrlsInHomepage < CMSScanner::Finders::Finder
+        include WpItems::UrlsInPage
+
+        # @param [ Hash ] opts
+        #
+        # @return [ Array<Theme> ]
+        def passive(opts = {})
+          found = []
+
+          slugs = items_from_links('themes', uniq: false) + items_from_codes('themes', uniq: false)
+
+          slugs.each_with_object(Hash.new(0)) { |slug, counts| counts[slug] += 1 }.each do |slug, occurences|
+            found << Model::Theme.new(slug, target, opts.merge(found_by: found_by, confidence: 2 * occurences))
+          end
+
+          found
+        end
+
+        # @return [ Typhoeus::Response ]
+        def page_res
+          @page_res ||= target.homepage_res
+        end
+      end
+    end
+  end
+end

app/finders/main_theme/woo_framework_meta_generator.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module MainTheme
+      # From the WooFramework meta generators
+      class WooFrameworkMetaGenerator < CMSScanner::Finders::Finder
+        THEME_PATTERN     = %r{<meta name="generator" content="([^\s"]+)\s?([^"]+)?"\s+/?>}.freeze
+        FRAMEWORK_PATTERN = %r{<meta name="generator" content="WooFramework\s?([^"]+)?"\s+/?>}.freeze
+        PATTERN           = /#{THEME_PATTERN}\s+#{FRAMEWORK_PATTERN}/i.freeze
+
+        def passive(opts = {})
+          return unless target.homepage_res.body =~ PATTERN || target.error_404_res.body =~ PATTERN
+
+          Model::Theme.new(
+            Regexp.last_match[1],
+            target,
+            opts.merge(found_by: found_by, confidence: 80)
+          )
+        end
+      end
+    end
+  end
+end

app/finders/medias.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require_relative 'medias/attachment_brute_forcing'
+
+module WPScan
+  module Finders
+    module Medias
+      # Medias Finder
+      class Base
+        include CMSScanner::Finders::SameTypeFinder
+
+        # @param [ WPScan::Target ] target
+        def initialize(target)
+          finders << Medias::AttachmentBruteForcing.new(target)
+        end
+      end
+    end
+  end
+end

app/finders/medias/attachment_brute_forcing.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module Medias
+      # Medias Finder, see https://github.com/wpscanteam/wpscan/issues/172
+      class AttachmentBruteForcing < CMSScanner::Finders::Finder
+        include CMSScanner::Finders::Finder::Enumerator
+
+        # @param [ Hash ] opts
+        # @option opts [ Range ] :range Mandatory
+        #
+        # @return [ Array<Media> ]
+        def aggressive(opts = {})
+          found = []
+
+          enumerate(target_urls(opts), opts) do |res|
+            next unless res.code == 200
+
+            found << Model::Media.new(res.effective_url, opts.merge(found_by: found_by, confidence: 100))
+          end
+
+          found
+        end
+
+        # @param [ Hash ] opts
+        # @option opts [ Range ] :range Mandatory
+        #
+        # @return [ Hash ]
+        def target_urls(opts = {})
+          urls = {}
+
+          opts[:range].each do |id|
+            urls[target.uri.join("?attachment_id=#{id}").to_s] = id
+          end
+
+          urls
+        end
+
+        def create_progress_bar(opts = {})
+          super(opts.merge(title: ' Brute Forcing Attachment IDs -'))
+        end
+      end
+    end
+  end
+end

app/finders/passwords.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+require_relative 'passwords/wp_login'
+require_relative 'passwords/xml_rpc'
+require_relative 'passwords/xml_rpc_multicall'

app/finders/passwords/wp_login.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module Passwords
+      # Password attack against the wp-login.php
+      class WpLogin < CMSScanner::Finders::Finder
+        include CMSScanner::Finders::Finder::BreadthFirstDictionaryAttack
+
+        def login_request(username, password)
+          target.login_request(username, password)
+        end
+
+        def valid_credentials?(response)
+          response.code == 302 &&
+            Array(response.headers['Set-Cookie'])&.any? { |cookie| cookie =~ /wordpress_logged_in_/i }
+        end
+
+        def errored_response?(response)
+          response.code != 200 && response.body !~ /login_error/i
+        end
+      end
+    end
+  end
+end

app/finders/passwords/xml_rpc.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module Passwords
+      # Password attack against the XMLRPC interface
+      class XMLRPC < CMSScanner::Finders::Finder
+        include CMSScanner::Finders::Finder::BreadthFirstDictionaryAttack
+
+        def login_request(username, password)
+          target.method_call('wp.getUsersBlogs', [username, password], cache_ttl: 0)
+        end
+
+        def valid_credentials?(response)
+          response.code == 200 && response.body.include?('blogName')
+        end
+
+        def errored_response?(response)
+          response.code != 200 && response.body !~ /Incorrect username or password/i
+        end
+      end
+    end
+  end
+end

app/finders/passwords/xml_rpc_multicall.rb

@@ -0,0 +1,137 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module Passwords
+      # Password attack against the XMLRPC interface with the multicall method
+      # WP < 4.4 is vulnerable to such attack
+      class XMLRPCMulticall < CMSScanner::Finders::Finder
+        # @param [ Array<User> ] users
+        # @param [ Array<String> ] passwords
+        #
+        # @return [ Typhoeus::Response ]
+        def do_multi_call(users, passwords)
+          methods = []
+
+          users.each do |user|
+            passwords.each do |password|
+              methods << ['wp.getUsersBlogs', user.username, password]
+            end
+          end
+
+          target.multi_call(methods, cache_ttl: 0).run
+        end
+
+        # @param [ IO ] file
+        # @param [ Integer ] passwords_size
+        # @return [ Array<String> ] The passwords from the last checked position in the file until there are
+        #                           passwords_size passwords retrieved
+        def passwords_from_wordlist(file, passwords_size)
+          pwds       = []
+          added_pwds = 0
+
+          return pwds if passwords_size.zero?
+
+          # Make sure that the main code does not call #sysseek or #count etc
+          # otherwise the file descriptor will be set to somwehere else
+          file.each_line(chomp: true) do |line|
+            pwds << line
+            added_pwds += 1
+
+            break if added_pwds == passwords_size
+          end
+
+          pwds
+        end
+
+        # @param [ Array<Model::User> ] users
+        # @param [ String ] wordlist_path
+        # @param [ Hash ] opts
+        # @option opts [ Boolean ] :show_progression
+        # @option opts [ Integer ] :multicall_max_passwords
+        #
+        # @yield [ Model::User ] When a valid combination is found
+        #
+        # TODO: Make rubocop happy about metrics etc
+        #
+        # rubocop:disable all
+        def attack(users, wordlist_path, opts = {})
+          checked_passwords      = 0
+          wordlist               = File.open(wordlist_path)
+          wordlist_size          = wordlist.count
+          max_passwords          = opts[:multicall_max_passwords]
+          current_passwords_size = passwords_size(max_passwords, users.size)
+
+          create_progress_bar(total: (wordlist_size / current_passwords_size.round(1)).ceil,
+                              show_progression: opts[:show_progression])
+
+          wordlist.sysseek(0) # reset the descriptor to the beginning of the file as it changed with #count
+
+          loop do
+            current_users      = users.select { |user| user.password.nil? }
+            current_passwords  = passwords_from_wordlist(wordlist, current_passwords_size)
+            checked_passwords += current_passwords_size
+
+            break if current_users.empty? || current_passwords.nil? || current_passwords.empty?
+
+            res = do_multi_call(current_users, current_passwords)
+
+            progress_bar.increment
+
+            check_and_output_errors(res)
+
+            # Avoid to parse the response and iterate over all the structs in the document
+            # if there isn't any tag matching a valid combination
+            next unless res.body =~ /isAdmin/ # maybe a better one ?
+
+            Nokogiri::XML(res.body).xpath('//struct').each_with_index do |struct, index|
+              next if struct.text =~ /faultCode/
+
+              user = current_users[index / current_passwords.size]
+              user.password = current_passwords[index % current_passwords.size]
+
+              yield user
+
+              # Updates the current_passwords_size and progress_bar#total
+              # given that less requests will be done due to a valid combination found.
+              current_passwords_size = passwords_size(max_passwords, current_users.size - 1)
+
+              if current_passwords_size == 0
+                progress_bar.log('All Found') # remove ?
+                progress_bar.stop
+                break
+              end
+
+              begin
+                progress_bar.total = progress_bar.progress + ((wordlist_size - checked_passwords) / current_passwords_size.round(1)).ceil
+              rescue ProgressBar::InvalidProgressError
+              end
+            end
+          end
+          # Maybe a progress_bar.stop ?
+        end
+        # rubocop:enable all
+
+        def passwords_size(max_passwords, users_size)
+          return 1 if max_passwords < users_size
+          return 0 if users_size.zero?
+
+          max_passwords / users_size
+        end
+
+        # @param [ Typhoeus::Response ] res
+        def check_and_output_errors(res)
+          progress_bar.log("Incorrect response: #{res.code} / #{res.return_message}") unless res.code == 200
+
+          if /parse error. not well formed/i.match?(res.body)
+            progress_bar.log('Parsing error, might be caused by a too high --max-passwords value (such as >= 2k)')
+          end
+
+          return unless /requested method [^ ]+ does not exist/i.match?(res.body)
+
+          progress_bar.log('The requested method is not supported')
+        end
+      end
+    end
+  end
+end

app/finders/plugin_version.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+require_relative 'plugin_version/readme'
+
+module WPScan
+  module Finders
+    module PluginVersion
+      # Plugin Version Finder
+      class Base
+        include CMSScanner::Finders::UniqueFinder
+
+        # @param [ Model::Plugin ] plugin
+        def initialize(plugin)
+          finders << PluginVersion::Readme.new(plugin)
+
+          create_and_load_dynamic_versions_finders(plugin)
+        end
+
+        # Create the dynamic version finders related to the plugin and register them
+        #
+        # @param [ Model::Plugin ] plugin
+        def create_and_load_dynamic_versions_finders(plugin)
+          DB::DynamicFinders::Plugin.create_versions_finders(plugin.slug).each do |finder|
+            finders << finder.new(plugin)
+          end
+        end
+      end
+    end
+  end
+end

app/finders/plugin_version/readme.rb

@@ -0,0 +1,81 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module PluginVersion
+      # Plugin Version Finder from the readme.txt file
+      class Readme < CMSScanner::Finders::Finder
+        # @return [ Version ]
+        def aggressive(_opts = {})
+          found_by_msg = 'Readme - %s (Aggressive Detection)'
+
+          # The target(plugin)#readme_url can't be used directly here
+          # as if the --detection-mode is passive, it will always return nil
+          target.potential_readme_filenames.each do |file|
+            res = target.head_and_get(file)
+
+            next unless res.code == 200 && !(numbers = version_numbers(res.body)).empty?
+
+            return numbers.reduce([]) do |a, e|
+              a << Model::Version.new(
+                e[0],
+                found_by: format(found_by_msg, e[1]),
+                confidence: e[2],
+                interesting_entries: [res.effective_url]
+              )
+            end
+          end
+
+          nil
+        end
+
+        # @return [ Array<String, String, Integer> ] number, found_by, confidence
+        def version_numbers(body)
+          numbers = []
+
+          if (number = from_stable_tag(body))
+            numbers << [number, 'Stable Tag', 80]
+          end
+
+          if (number = from_changelog_section(body))
+            numbers << [number, 'ChangeLog Section', 50]
+          end
+
+          numbers
+        end
+
+        # @param [ String ] body
+        #
+        # @return [ String, nil ] The version number detected from the stable tag
+        def from_stable_tag(body)
+          return unless body =~ /\b(?:stable tag|version):\s*(?!trunk)([0-9a-z.-]+)/i
+
+          number = Regexp.last_match[1]
+
+          number if /[0-9]+/.match?(number)
+        end
+
+        # @param [ String ] body
+        #
+        # @return [ String, nil ] The best version number detected from the changelog section
+        def from_changelog_section(body)
+          extracted_versions = body.scan(/^=+\s+(?:v(?:ersion)?\s*)?([0-9.-]+)[^=]*=+$/i)
+
+          return if extracted_versions.nil? || extracted_versions.empty?
+
+          extracted_versions.flatten!
+          # must contain at least one number
+          extracted_versions = extracted_versions.grep(/[0-9]+/)
+
+          sorted = extracted_versions.sort do |x, y|
+            Gem::Version.new(x) <=> Gem::Version.new(y)
+          rescue StandardError
+            0
+          end
+
+          sorted.last
+        end
+      end
+    end
+  end
+end

app/finders/plugins.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+require_relative 'plugins/urls_in_homepage'
+require_relative 'plugins/urls_in_404_page'
+require_relative 'plugins/known_locations'
+# From the DynamicFinders
+require_relative 'plugins/comment'
+require_relative 'plugins/xpath'
+require_relative 'plugins/header_pattern'
+require_relative 'plugins/body_pattern'
+require_relative 'plugins/javascript_var'
+require_relative 'plugins/query_parameter'
+require_relative 'plugins/config_parser' # Not loaded below as not implemented
+
+module WPScan
+  module Finders
+    module Plugins
+      # Plugins Finder
+      class Base
+        include CMSScanner::Finders::SameTypeFinder
+
+        # @param [ WPScan::Target ] target
+        def initialize(target)
+          finders <<
+            Plugins::UrlsInHomepage.new(target) <<
+            Plugins::UrlsIn404Page.new(target) <<
+            Plugins::HeaderPattern.new(target) <<
+            Plugins::Comment.new(target) <<
+            Plugins::Xpath.new(target) <<
+            Plugins::BodyPattern.new(target) <<
+            Plugins::JavascriptVar.new(target) <<
+            Plugins::KnownLocations.new(target)
+        end
+      end
+    end
+  end
+end

app/finders/plugins/body_pattern.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module Plugins
+      # Plugins finder from Dynamic Finder 'BodyPattern'
+      class BodyPattern < Finders::DynamicFinder::WpItems::Finder
+        DEFAULT_CONFIDENCE = 30
+
+        # @param [ Hash ] opts The options from the #passive, #aggressive methods
+        # @param [ Typhoeus::Response ] response
+        # @param [ String ] slug
+        # @param [ String ] klass
+        # @param [ Hash ] config The related dynamic finder config hash
+        #
+        # @return [ Plugin ] The detected plugin in the response, related to the config
+        def process_response(opts, response, slug, klass, config)
+          return unless response.body&.match?(config['pattern'])
+
+          Model::Plugin.new(
+            slug,
+            target,
+            opts.merge(found_by: found_by(klass), confidence: config['confidence'] || DEFAULT_CONFIDENCE)
+          )
+        end
+      end
+    end
+  end
+end

app/finders/plugins/comment.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module Plugins
+      # Plugins finder from the Dynamic Finder 'Comment'
+      class Comment < Finders::DynamicFinder::WpItems::Finder
+        DEFAULT_CONFIDENCE = 30
+
+        # @param [ Hash ] opts The options from the #passive, #aggressive methods
+        # @param [ Typhoeus::Response ] response
+        # @param [ String ] slug
+        # @param [ String ] klass
+        # @param [ Hash ] config The related dynamic finder config hash
+        #
+        # @return [ Plugin ] The detected plugin in the response, related to the config
+        def process_response(opts, response, slug, klass, config)
+          response.html.xpath(config['xpath'] || '//comment()').each do |node|
+            comment = node.text.to_s.strip
+
+            next unless comment&.match?(config['pattern'])
+
+            return Model::Plugin.new(
+              slug,
+              target,
+              opts.merge(found_by: found_by(klass), confidence: config['confidence'] || DEFAULT_CONFIDENCE)
+            )
+          end
+        end
+      end
+    end
+  end
+end

app/finders/plugins/config_parser.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module Plugins
+      # Plugins finder from Dynamic Finder 'ConfigParser'
+      class ConfigParser < Finders::DynamicFinder::WpItems::Finder
+        DEFAULT_CONFIDENCE = 40
+
+        # @param [ Hash ] opts The options from the #passive, #aggressive methods
+        # @param [ Typhoeus::Response ] response
+        # @param [ String ] slug
+        # @param [ String ] klass
+        # @param [ Hash ] config The related dynamic finder config hash
+        #
+        # @return [ Plugin ] The detected plugin in the response, related to the config
+        def _process_response(_opts, _response, slug, klass, config)
+          #
+          # TODO. Currently not implemented, and not even loaded by the Finders, as this
+          # finder only has an aggressive method, which has been disabled (globally)
+          # when checking for plugins
+          #
+
+          Model::Plugin.new(
+            slug,
+            target,
+            opts.merge(found_by: found_by(klass), confidence: config['confidence'] || DEFAULT_CONFIDENCE)
+          )
+        end
+      end
+    end
+  end
+end

app/finders/plugins/header_pattern.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module Plugins
+      # Plugins finder from Dynamic Finder 'HeaderPattern'
+      class HeaderPattern < Finders::DynamicFinder::WpItems::Finder
+        DEFAULT_CONFIDENCE = 30
+
+        # @param [ Hash ] opts
+        #
+        # @return [ Array<Plugin> ]
+        def passive(opts = {})
+          found = []
+          headers = target.homepage_res.headers
+
+          return found if headers.empty?
+
+          DB::DynamicFinders::Plugin.passive_header_pattern_finder_configs.each do |slug, configs|
+            configs.each do |klass, config|
+              next unless headers[config['header']] && headers[config['header']].to_s =~ config['pattern']
+
+              found << Model::Plugin.new(
+                slug,
+                target,
+                opts.merge(found_by: found_by(klass), confidence: config['confidence'] || DEFAULT_CONFIDENCE)
+              )
+            end
+          end
+
+          found
+        end
+
+        # @param [ Hash ] opts
+        #
+        # @return [ nil ]
+        def aggressive(_opts = {})
+          # None
+        end
+      end
+    end
+  end
+end

app/finders/plugins/javascript_var.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module Plugins
+      # Plugins finder from the Dynamic Finder 'JavascriptVar'
+      class JavascriptVar < Finders::DynamicFinder::WpItems::Finder
+        DEFAULT_CONFIDENCE = 60
+
+        # @param [ Hash ] opts The options from the #passive, #aggressive methods
+        # @param [ Typhoeus::Response ] response
+        # @param [ String ] slug
+        # @param [ String ] klass
+        # @param [ Hash ] config The related dynamic finder config hash
+        #
+        # @return [ Plugin ] The detected plugin in the response, related to the config
+        def process_response(opts, response, slug, klass, config)
+          response.html.xpath(config['xpath'] || '//script[not(@src)]').each do |node|
+            next if config['pattern'] && !node.text.match(config['pattern'])
+
+            return Model::Plugin.new(
+              slug,
+              target,
+              opts.merge(found_by: found_by(klass), confidence: config['confidence'] || DEFAULT_CONFIDENCE)
+            )
+          end
+        end
+      end
+    end
+  end
+end

app/finders/plugins/known_locations.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module Plugins
+      # Known Locations Plugins Finder
+      class KnownLocations < CMSScanner::Finders::Finder
+        include CMSScanner::Finders::Finder::Enumerator
+
+        # @return [ Array<Integer> ]
+        def valid_response_codes
+          @valid_response_codes ||= [200, 401, 403, 500].freeze
+        end
+
+        # @param [ Hash ] opts
+        # @option opts [ String ] :list
+        #
+        # @return [ Array<Plugin> ]
+        def aggressive(opts = {})
+          found = []
+
+          enumerate(target_urls(opts), opts.merge(check_full_response: true)) do |res, slug|
+            finding_opts = opts.merge(found_by: found_by,
+                                      confidence: 80,
+                                      interesting_entries: ["#{res.effective_url}, status: #{res.code}"])
+
+            found << Model::Plugin.new(slug, target, finding_opts)
+
+            raise Error::PluginsThresholdReached if opts[:threshold].positive? && found.size >= opts[:threshold]
+          end
+
+          found
+        end
+
+        # @param [ Hash ] opts
+        # @option opts [ String ] :list
+        #
+        # @return [ Hash ]
+        def target_urls(opts = {})
+          slugs       = opts[:list] || DB::Plugins.vulnerable_slugs
+          urls        = {}
+
+          slugs.each do |slug|
+            urls[target.plugin_url(slug)] = slug
+          end
+
+          urls
+        end
+
+        def create_progress_bar(opts = {})
+          super(opts.merge(title: ' Checking Known Locations -'))
+        end
+      end
+    end
+  end
+end

app/finders/plugins/query_parameter.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module Plugins
+      # Plugins finder from Dynamic Finder 'QueryParameter'
+      class QueryParameter < Finders::DynamicFinder::WpItems::Finder
+        DEFAULT_CONFIDENCE = 10
+
+        def passive(_opts = {})
+          # Handled by UrlsInHomePage, so no need to check this twice
+        end
+
+        # @param [ Hash ] opts The options from the #passive, #aggressive methods
+        # @param [ Typhoeus::Response ] response
+        # @param [ String ] slug
+        # @param [ String ] klass
+        # @param [ Hash ] config The related dynamic finder config hash
+        #
+        # @return [ Plugin ] The detected plugin in the response, related to the config
+        def process_response(opts, response, slug, klass, config)
+          # TODO: when a real case will be found
+        end
+      end
+    end
+  end
+end

app/finders/plugins/urls_in_404_page.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module Plugins
+      # URLs In 404 Page Finder
+      # Typically, the items detected from URLs like /wp-content/plugins/<slug>/
+      class UrlsIn404Page < UrlsInHomepage
+        # @return [ Typhoeus::Response ]
+        def page_res
+          @page_res ||= target.error_404_res
+        end
+      end
+    end
+  end
+end

app/finders/plugins/urls_in_homepage.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module Plugins
+      # URLs In Homepage Finder
+      # Typically, the items detected from URLs like /wp-content/plugins/<slug>/
+      class UrlsInHomepage < CMSScanner::Finders::Finder
+        include WpItems::UrlsInPage
+
+        # @param [ Hash ] opts
+        #
+        # @return [ Array<Plugin> ]
+        def passive(opts = {})
+          found = []
+
+          (items_from_links('plugins') + items_from_codes('plugins')).uniq.sort.each do |slug|
+            found << Model::Plugin.new(slug, target, opts.merge(found_by: found_by, confidence: 80))
+          end
+
+          found
+        end
+
+        # @return [ Typhoeus::Response ]
+        def page_res
+          @page_res ||= target.homepage_res
+        end
+      end
+    end
+  end
+end

app/finders/plugins/xpath.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module Plugins
+      # Plugins finder from the Dynamic Finder 'Xpath'
+      class Xpath < Finders::DynamicFinder::WpItems::Finder
+        DEFAULT_CONFIDENCE = 40
+
+        # @param [ Hash ] opts The options from the #passive, #aggressive methods
+        # @param [ Typhoeus::Response ] response
+        # @param [ String ] slug
+        # @param [ String ] klass
+        # @param [ Hash ] config The related dynamic finder config hash
+        #
+        # @return [ Plugin ] The detected plugin in the response, related to the config
+        def process_response(opts, response, slug, klass, config)
+          response.html.xpath(config['xpath']).each do |node|
+            next if config['pattern'] && !node.text.match(config['pattern'])
+
+            return Model::Plugin.new(
+              slug,
+              target,
+              opts.merge(found_by: found_by(klass), confidence: config['confidence'] || DEFAULT_CONFIDENCE)
+            )
+          end
+        end
+      end
+    end
+  end
+end

app/finders/theme_version.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require_relative 'theme_version/style'
+require_relative 'theme_version/woo_framework_meta_generator'
+
+module WPScan
+  module Finders
+    module ThemeVersion
+      # Theme Version Finder
+      class Base
+        include CMSScanner::Finders::UniqueFinder
+
+        # @param [ Model::Theme ] theme
+        def initialize(theme)
+          finders <<
+            ThemeVersion::Style.new(theme) <<
+            ThemeVersion::WooFrameworkMetaGenerator.new(theme)
+
+          create_and_load_dynamic_versions_finders(theme)
+        end
+
+        # Create the dynamic version finders related to the theme and register them
+        #
+        # @param [ Model::Theme ] theme
+        def create_and_load_dynamic_versions_finders(theme)
+          DB::DynamicFinders::Theme.create_versions_finders(theme.slug).each do |finder|
+            finders << finder.new(theme)
+          end
+        end
+      end
+    end
+  end
+end

app/finders/theme_version/style.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module ThemeVersion
+      # Theme Version Finder from the style.css file
+      class Style < CMSScanner::Finders::Finder
+        # @param [ Hash ] opts
+        #
+        # @return [ Version ]
+        def passive(_opts = {})
+          return unless cached_style?
+
+          style_version
+        end
+
+        # @param [ Hash ] opts
+        #
+        # @return [ Version ]
+        def aggressive(_opts = {})
+          return if cached_style?
+
+          style_version
+        end
+
+        # @return [ Boolean ]
+        def cached_style?
+          Typhoeus::Config.cache.get(browser.forge_request(target.style_url)) ? true : false
+        end
+
+        # @return [ Version ]
+        def style_version
+          return unless Browser.get(target.style_url).body =~ /Version:[\t ]*(?!trunk)([0-9a-z.-]+)/i
+
+          Model::Version.new(
+            Regexp.last_match[1],
+            found_by: found_by,
+            confidence: 80,
+            interesting_entries: ["#{target.style_url}, Match: '#{Regexp.last_match}'"]
+          )
+        end
+      end
+    end
+  end
+end

app/finders/theme_version/woo_framework_meta_generator.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module ThemeVersion
+      # Theme Version Finder from the WooFramework generators
+      class WooFrameworkMetaGenerator < CMSScanner::Finders::Finder
+        # @param [ Hash ] opts
+        #
+        # @return [ Version ]
+        def passive(_opts = {})
+          return unless target.blog.homepage_res.body =~ Finders::MainTheme::WooFrameworkMetaGenerator::PATTERN
+
+          return unless Regexp.last_match[1] == target.slug
+
+          Model::Version.new(Regexp.last_match[2], found_by: found_by, confidence: 80)
+        end
+      end
+    end
+  end
+end

app/finders/themes.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require_relative 'themes/urls_in_homepage'
+require_relative 'themes/urls_in_404_page'
+require_relative 'themes/known_locations'
+
+module WPScan
+  module Finders
+    module Themes
+      # Themes Finder
+      class Base
+        include CMSScanner::Finders::SameTypeFinder
+
+        # @param [ WPScan::Target ] target
+        def initialize(target)
+          finders <<
+            Themes::UrlsInHomepage.new(target) <<
+            Themes::UrlsIn404Page.new(target) <<
+            Themes::KnownLocations.new(target)
+        end
+      end
+    end
+  end
+end

app/finders/themes/known_locations.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module Themes
+      # Known Locations Themes Finder
+      class KnownLocations < CMSScanner::Finders::Finder
+        include CMSScanner::Finders::Finder::Enumerator
+
+        # @return [ Array<Integer> ]
+        def valid_response_codes
+          @valid_response_codes ||= [200, 401, 403, 500].freeze
+        end
+
+        # @param [ Hash ] opts
+        # @option opts [ String ] :list
+        #
+        # @return [ Array<Theme> ]
+        def aggressive(opts = {})
+          found = []
+
+          enumerate(target_urls(opts), opts.merge(check_full_response: true)) do |res, slug|
+            finding_opts = opts.merge(found_by: found_by,
+                                      confidence: 80,
+                                      interesting_entries: ["#{res.effective_url}, status: #{res.code}"])
+
+            found << Model::Theme.new(slug, target, finding_opts)
+
+            raise Error::ThemesThresholdReached if opts[:threshold].positive? && found.size >= opts[:threshold]
+          end
+
+          found
+        end
+
+        # @param [ Hash ] opts
+        # @option opts [ String ] :list
+        #
+        # @return [ Hash ]
+        def target_urls(opts = {})
+          slugs = opts[:list] || DB::Themes.vulnerable_slugs
+          urls  = {}
+
+          slugs.each do |slug|
+            urls[target.theme_url(slug)] = slug
+          end
+
+          urls
+        end
+
+        def create_progress_bar(opts = {})
+          super(opts.merge(title: ' Checking Known Locations -'))
+        end
+      end
+    end
+  end
+end

app/finders/themes/urls_in_404_page.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module Themes
+      # URLs In 04 Page Finder
+      class UrlsIn404Page < UrlsInHomepage
+        # @return [ Typhoeus::Response ]
+        def page_res
+          @page_res ||= target.error_404_res
+        end
+      end
+    end
+  end
+end

app/finders/themes/urls_in_homepage.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module Themes
+      # URLs In Homepage Finder
+      class UrlsInHomepage < CMSScanner::Finders::Finder
+        include WpItems::UrlsInPage
+
+        # @param [ Hash ] opts
+        #
+        # @return [ Array<Theme> ]
+        def passive(opts = {})
+          found = []
+
+          (items_from_links('themes') + items_from_codes('themes')).uniq.sort.each do |slug|
+            found << Model::Theme.new(slug, target, opts.merge(found_by: found_by, confidence: 80))
+          end
+
+          found
+        end
+
+        # @return [ Typhoeus::Response ]
+        def page_res
+          @page_res ||= target.homepage_res
+        end
+      end
+    end
+  end
+end

app/finders/timthumb_version.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require_relative 'timthumb_version/bad_request'
+
+module WPScan
+  module Finders
+    module TimthumbVersion
+      # Timthumb Version Finder
+      class Base
+        include CMSScanner::Finders::UniqueFinder
+
+        # @param [ Model::Timthumb ] target
+        def initialize(target)
+          finders << TimthumbVersion::BadRequest.new(target)
+        end
+      end
+    end
+  end
+end

app/finders/timthumb_version/bad_request.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module TimthumbVersion
+      # Timthumb Version Finder from the body of a bad request
+      # See https://code.google.com/p/timthumb/source/browse/trunk/timthumb.php#435
+      class BadRequest < CMSScanner::Finders::Finder
+        # @return [ Version ]
+        def aggressive(_opts = {})
+          return unless Browser.get(target.url).body =~ /(TimThumb version\s*: ([^<]+))/
+
+          Model::Version.new(
+            Regexp.last_match[2],
+            found_by: 'Bad Request (Aggressive Detection)',
+            confidence: 90,
+            interesting_entries: ["#{target.url}, Match: '#{Regexp.last_match[1]}'"]
+          )
+        end
+      end
+    end
+  end
+end

app/finders/timthumbs.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require_relative 'timthumbs/known_locations'
+
+module WPScan
+  module Finders
+    module Timthumbs
+      # Timthumbs Finder
+      class Base
+        include CMSScanner::Finders::SameTypeFinder
+
+        # @param [ WPScan::Target ] target
+        def initialize(target)
+          finders << Timthumbs::KnownLocations.new(target)
+        end
+      end
+    end
+  end
+end

app/finders/timthumbs/known_locations.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module Timthumbs
+      # Known Locations Timthumbs Finder
+      # Note: A vulnerable version, 2.8.13 can be found here:
+      # https://github.com/GabrielGil/TimThumb/blob/980c3d6a823477761570475e8b83d3e9fcd2d7ae/timthumb.php
+      class KnownLocations < CMSScanner::Finders::Finder
+        include CMSScanner::Finders::Finder::Enumerator
+
+        # @return [ Array<Integer> ]
+        def valid_response_codes
+          @valid_response_codes ||= [400]
+        end
+
+        # @param [ Hash ] opts
+        # @option opts [ String ] :list Mandatory
+        #
+        # @return [ Array<Timthumb> ]
+        def aggressive(opts = {})
+          found = []
+
+          enumerate(target_urls(opts), opts.merge(check_full_response: 400)) do |res|
+            next unless /no image specified/i.match?(res.body)
+
+            found << Model::Timthumb.new(res.request.url, opts.merge(found_by: found_by, confidence: 100))
+          end
+
+          found
+        end
+
+        # @param [ Hash ] opts
+        # @option opts [ String ] :list Mandatory
+        #
+        # @return [ Hash ]
+        def target_urls(opts = {})
+          urls = {}
+
+          File.open(opts[:list]).each_with_index do |path, index|
+            urls[target.url(path.chomp)] = index
+          end
+
+          # Add potential timthumbs located in the main theme
+          if target.main_theme
+            main_theme_timthumbs_paths.each do |path|
+              urls[target.main_theme.url(path)] = 1 # index not important there
+            end
+          end
+
+          urls
+        end
+
+        def main_theme_timthumbs_paths
+          %w[timthumb.php lib/timthumb.php inc/timthumb.php includes/timthumb.php
+             scripts/timthumb.php tools/timthumb.php functions/timthumb.php]
+        end
+
+        def create_progress_bar(opts = {})
+          super(opts.merge(title: ' Checking Known Locations -'))
+        end
+      end
+    end
+  end
+end

app/finders/users.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+require_relative 'users/author_posts'
+require_relative 'users/wp_json_api'
+require_relative 'users/oembed_api'
+require_relative 'users/rss_generator'
+require_relative 'users/author_id_brute_forcing'
+require_relative 'users/login_error_messages'
+require_relative 'users/author_sitemap'
+require_relative 'users/yoast_seo_author_sitemap'
+
+module WPScan
+  module Finders
+    # Specific Finders container to filter the usernames found
+    # and remove the ones matching ParsedCli.exclude_username if supplied
+    class UsersFinders < SameTypeFinders
+      def filter_findings
+        findings.delete_if { |user| ParsedCli.exclude_usernames.match?(user.username) } if ParsedCli.exclude_usernames
+
+        findings
+      end
+    end
+
+    module Users
+      # Users Finder
+      class Base
+        include CMSScanner::Finders::SameTypeFinder
+
+        # @param [ WPScan::Target ] target
+        def initialize(target)
+          finders <<
+            Users::AuthorPosts.new(target) <<
+            Users::WpJsonApi.new(target) <<
+            Users::OembedApi.new(target) <<
+            Users::RSSGenerator.new(target) <<
+            Users::AuthorSitemap.new(target) <<
+            Users::YoastSeoAuthorSitemap.new(target) <<
+            Users::AuthorIdBruteForcing.new(target) <<
+            Users::LoginErrorMessages.new(target)
+        end
+
+        def finders
+          @finders ||= Finders::UsersFinders.new
+        end
+      end
+    end
+  end
+end

app/finders/users/author_id_brute_forcing.rb

@@ -0,0 +1,123 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module Users
+      # Author Id Brute Forcing
+      class AuthorIdBruteForcing < CMSScanner::Finders::Finder
+        include CMSScanner::Finders::Finder::Enumerator
+
+        # @return [ Array<Integer> ]
+        def valid_response_codes
+          @valid_response_codes ||= [200, 301, 302]
+        end
+
+        # @param [ Hash ] opts
+        # @option opts [ Range ] :range Mandatory
+        #
+        # @return [ Array<User> ]
+        def aggressive(opts = {})
+          found = []
+          found_by_msg = 'Author Id Brute Forcing - %s (Aggressive Detection)'
+
+          enumerate(target_urls(opts), opts.merge(check_full_response: true)) do |res, id|
+            username, found_by, confidence = potential_username(res)
+
+            next unless username
+
+            found << Model::User.new(
+              username,
+              id: id,
+              found_by: format(found_by_msg, found_by),
+              confidence: confidence
+            )
+          end
+
+          found
+        end
+
+        # @param [ Hash ] opts
+        # @option opts [ Range ] :range
+        #
+        # @return [ Hash ]
+        def target_urls(opts = {})
+          urls = {}
+
+          opts[:range].each do |id|
+            urls[target.uri.join("?author=#{id}").to_s] = id
+          end
+
+          urls
+        end
+
+        def create_progress_bar(opts = {})
+          super(opts.merge(title: ' Brute Forcing Author IDs -'))
+        end
+
+        def full_request_params
+          { followlocation: true }
+        end
+
+        # @param [ Typhoeus::Response ] res
+        #
+        # @return [ Array<String, String, Integer>, nil ] username, found_by, confidence
+        def potential_username(res)
+          username = username_from_author_url(res.effective_url) || username_from_response(res)
+
+          return username, 'Author Pattern', 100 if username
+
+          username = display_name_from_body(res.body)
+
+          return username, 'Display Name', 50 if username
+        end
+
+        # @param [ String, Addressable::URI ] uri
+        #
+        # @return [ String, nil ]
+        def username_from_author_url(uri)
+          uri = Addressable::URI.parse(uri) unless uri.is_a?(Addressable::URI)
+
+          uri.path[%r{/author/([^/\b]+)/?}i, 1]
+        end
+
+        # @param [ Typhoeus::Response ] res
+        #
+        # @return [ String, nil ] The username found
+        def username_from_response(res)
+          # Permalink enabled
+          target.in_scope_uris(res, '//@href[contains(., "author/")]') do |uri|
+            username = username_from_author_url(uri)
+            return username if username
+          end
+
+          # No permalink, TODO Maybe use xpath to extract the classes ?
+          res.body[/<body class="archive author author-([^\s]+)[ "]/i, 1]
+        end
+
+        # @param [ String ] body
+        #
+        # @return [ String, nil ]
+        def display_name_from_body(body)
+          page = Nokogiri::HTML.parse(body)
+
+          # WP >= 3.0
+          page.css('h1.page-title span').each do |node|
+            text = node.text.to_s.strip
+
+            return text unless text.empty?
+          end
+
+          # WP < 3.0
+          page.xpath('//link[@rel="alternate" and @type="application/rss+xml"]').each do |node|
+            title = node['title']
+
+            next unless title =~ /Posts by (.*) Feed\z/i
+
+            return Regexp.last_match[1] unless Regexp.last_match[1].empty?
+          end
+          nil
+        end
+      end
+    end
+  end
+end

app/finders/users/author_posts.rb

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module Users
+      # Author Posts
+      class AuthorPosts < CMSScanner::Finders::Finder
+        # @param [ Hash ] opts
+        #
+        # @return [ Array<User> ]
+        def passive(opts = {})
+          found_by_msg = 'Author Posts - %s (Passive Detection)'
+
+          usernames(opts).reduce([]) do |a, e|
+            a << Model::User.new(
+              e[0],
+              found_by: format(found_by_msg, e[1]),
+              confidence: e[2]
+            )
+          end
+        end
+
+        # @param [ Hash ] opts
+        #
+        # @return [ Array<Array>> ]
+        def usernames(_opts = {})
+          found = potential_usernames(target.homepage_res)
+
+          return found unless found.empty?
+
+          target.homepage_res.html.css('header.entry-header a').each do |post_url_node|
+            url = post_url_node['href']
+
+            next if url.nil? || url.empty?
+
+            found += potential_usernames(Browser.get(url))
+          end
+
+          found.compact.uniq
+        end
+
+        # @param [ Typhoeus::Response ] res
+        #
+        # @return [ Array<Array> ]
+        def potential_usernames(res)
+          usernames = []
+
+          target.in_scope_uris(res, '//a/@href[contains(., "author")]') do |uri, node|
+            if uri.path =~ %r{/author/([^/\b]+)/?\z}i
+              usernames << [Regexp.last_match[1], 'Author Pattern', 100]
+            elsif /author=[0-9]+/.match?(uri.query)
+              usernames << [node.text.to_s.strip, 'Display Name', 30]
+            end
+          end
+
+          usernames.uniq
+        end
+      end
+    end
+  end
+end

app/finders/users/author_sitemap.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module Users
+      # Since WP 5.5, /wp-sitemap-users-1.xml is generated and contains
+      # the usernames of accounts who made a post
+      class AuthorSitemap < CMSScanner::Finders::Finder
+        # @param [ Hash ] opts
+        #
+        # @return [ Array<User> ]
+        def aggressive(_opts = {})
+          found = []
+
+          Browser.get(sitemap_url).html.xpath('//url/loc').each do |user_tag|
+            username = user_tag.text.to_s[%r{/author/([^/]+)/}, 1]
+
+            next unless username && !username.strip.empty?
+
+            found << Model::User.new(username,
+                                     found_by: found_by,
+                                     confidence: 100,
+                                     interesting_entries: [sitemap_url])
+          end
+
+          found
+        end
+
+        # @return [ String ] The URL of the sitemap
+        def sitemap_url
+          @sitemap_url ||= target.url('wp-sitemap-users-1.xml')
+        end
+      end
+    end
+  end
+end

app/finders/users/login_error_messages.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module Users
+      # Login Error Messages
+      #
+      # Existing username:
+      #   WP < 3.1 - Incorrect password.
+      #   WP >= 3.1 - The password you entered for the username admin is incorrect.
+      # Non existent username: Invalid username.
+      #
+      class LoginErrorMessages < CMSScanner::Finders::Finder
+        # @param [ Hash ] opts
+        # @option opts [ String ] :list
+        #
+        # @return [ Array<User> ]
+        def aggressive(opts = {})
+          found = []
+
+          usernames(opts).each do |username|
+            res   = target.do_login(username, SecureRandom.hex[0, 8])
+            error = res.html.css('div#login_error').text.strip
+
+            return found if error.empty? # Protection plugin / error disabled
+
+            next unless /The password you entered for the username|Incorrect Password/i.match?(error)
+
+            found << Model::User.new(username, found_by: found_by, confidence: 100)
+          end
+
+          found
+        end
+
+        # @return [ Array<String> ] List of usernames to check
+        def usernames(opts = {})
+          # usernames from the potential Users found
+          unames = opts[:found].map(&:username)
+
+          Array(opts[:list]).each { |uname| unames << uname.chomp }
+
+          unames.uniq
+        end
+      end
+    end
+  end
+end

app/finders/users/oembed_api.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module Users
+      # Since WP 4.4, the oembed API can disclose a user
+      # https://github.com/wpscanteam/wpscan/issues/1049
+      class OembedApi < CMSScanner::Finders::Finder
+        # @param [ Hash ] opts
+        #
+        # @return [ Array<User> ]
+        def passive(_opts = {})
+          # TODO: get the api_url from the Homepage and query it if present,
+          # then discard the aggressive check if same/similar URL
+        end
+
+        # @param [ Hash ] opts
+        #
+        # @return [ Array<User> ]
+        def aggressive(_opts = {})
+          oembed_data = JSON.parse(Browser.get(api_url).body)
+          details     = user_details_from_oembed_data(oembed_data)
+
+          return [] unless details
+
+          [Model::User.new(details[0],
+                           found_by: format(found_by_msg, details[1]),
+                           confidence: details[2],
+                           interesting_entries: [api_url])]
+        rescue JSON::ParserError
+          []
+        end
+
+        def user_details_from_oembed_data(oembed_data)
+          return unless oembed_data
+
+          oembed_data = oembed_data.first if oembed_data.is_a?(Array)
+
+          if oembed_data['author_url'] =~ %r{/author/([^/]+)/?\z}
+            details = [Regexp.last_match[1], 'Author URL', 90]
+          elsif oembed_data['author_name'] && !oembed_data['author_name'].empty?
+            details = [oembed_data['author_name'], 'Author Name', 70]
+          end
+
+          details
+        end
+
+        def found_by_msg
+          'Oembed API - %s (Aggressive Detection)'
+        end
+
+        # @return [ String ] The URL of the API listing the Users
+        def api_url
+          @api_url ||= target.url("wp-json/oembed/1.0/embed?url=#{target.url}&format=json")
+        end
+      end
+    end
+  end
+end