Merge pull request #1820 from wpscanteam/dfs

Updates DFs

.codeclimate.yml

@@ -0,0 +1,7 @@
+version: "2"
+# https://docs.codeclimate.com/docs/default-analysis-configuration#sample-codeclimateyml
+checks:
+  method-complexity:
+    enabled: true
+    config:
+      threshold: 15

.dockerignore

@@ -12,5 +12,6 @@ spec/
 Dockerfile
 **/*.orig
 *.orig
-bin/wpscan-docker*
+bin/wpscan-*
 .wpscan/
+.github/

.github/ISSUE_TEMPLATE/bug_report.md

@@ -1,3 +1,14 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+Before submitting an issue, please make sure you fully read any potential error messages output and did some research on your own.
+
 ### Subject of the issue
 Describe your issue here.
 
@@ -24,4 +35,4 @@ Things you have tried (where relevant):
 * Update Ruby to the latest version [ ]
 * Ensure you can reach the target site using cURL [ ]
 * Proxied WPScan through a HTTP proxy to view the raw traffic [ ]
-* Ensure you are using a supported Operating System (Linux and macOS) [ ]
+* Ensure you are using a supported Operating System (Linux and macOS) [ ]

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,20 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.

.github/ISSUE_TEMPLATE/other-issue.md

@@ -0,0 +1,10 @@
+---
+name: Other Issue
+about: Create a report which is not a related to a Bug or Feature
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+Before submitting an issue, please make sure you fully read any potential error messages output and did some research on your own.

.github/dependabot.yml

@@ -0,0 +1,17 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "bundler"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      # Check for updates to GitHub Actions every weekday
+      interval: "daily"

.github/workflows/build.yml

@@ -0,0 +1,42 @@
+name: Build
+
+on: [push, pull_request]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        ruby: [2.7, '3.0', 3.1, 3.2]
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Set up Ruby ${{ matrix.ruby }}
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby }}
+
+    - name: Install GEMs
+      run: |
+        gem install bundler
+        bundle config force_ruby_platform true
+        bundle config path vendor/bundle
+        bundle install --jobs 4 --retry 3
+
+    - name: rubocop
+      run: |
+        bundle exec rubocop
+
+    - name: rspec
+      run: |
+        bundle exec rspec
+
+    - name: Coveralls
+      uses: coverallsapp/github-action@master
+      continue-on-error: true
+      with:
+        github-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/docker.yml

@@ -0,0 +1,56 @@
+name: Build Docker Images
+
+on:
+  push:
+    branches:
+      - master
+  release:
+    types: [published]
+  schedule:
+    - cron: "0 7 * * *"
+
+jobs:
+  images:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: checkout sources
+        uses: actions/checkout@v4
+
+      - name: Set tag to latest
+        if: (github.event_name == 'push' && github.ref == 'refs/heads/master') || github.event_name == 'schedule'
+        run: |
+          echo "DOCKER_TAG=latest" >> $GITHUB_ENV
+
+      - name: Set tag to release name
+        if: github.event_name == 'release' && startsWith(github.ref, 'refs/tags/')
+        run: |
+          echo "DOCKER_TAG=${{ github.event.release.tag_name }}" >> $GITHUB_ENV
+
+      - name: Check if DOCKER_TAG is set
+        if: env.DOCKER_TAG == ''
+        run: |
+          echo DOCKER_TAG is not set!
+          exit 1
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        id: buildx
+        with:
+          install: true
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v2.2.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v4
+        with:
+          platforms: linux/amd64,linux/arm/v7,linux/arm64
+          push: true
+          tags: wpscanteam/wpscan:${{ env.DOCKER_TAG }}

.github/workflows/gempush.yml

@@ -0,0 +1,40 @@
+name: Ruby Gem
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  build:
+    name: Build + Publish
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+    - name: Set up Ruby 2.6
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: 2.6
+
+    #- name: Publish to GPR
+    #  run: |
+    #    mkdir -p $HOME/.gem
+    #    touch $HOME/.gem/credentials
+    #    chmod 0600 $HOME/.gem/credentials
+    #    printf -- "---\n:github: Bearer ${GEM_HOST_API_KEY}\n" > $HOME/.gem/credentials
+    #    gem build *.gemspec
+    #    gem push --KEY github --host https://rubygems.pkg.github.com/${OWNER} *.gem
+    #  env:
+    #    GEM_HOST_API_KEY: ${{secrets.GITHUB_TOKEN}}
+    #    OWNER: wpscanteam
+
+    - name: Publish to RubyGems
+      run: |
+        mkdir -p $HOME/.gem
+        touch $HOME/.gem/credentials
+        chmod 0600 $HOME/.gem/credentials
+        printf -- "---\n:rubygems_api_key: ${GEM_HOST_API_KEY}\n" > $HOME/.gem/credentials
+        gem build *.gemspec
+        gem push *.gem
+      env:
+        GEM_HOST_API_KEY: ${{secrets.RUBYGEMS_AUTH_TOKEN}}

.gitignore

@@ -21,3 +21,6 @@ doc/
 # Old files from v2
 cache/
 data/
+
+# Profiling reports
+bin/memprof*.report

.rspec

@@ -1,2 +1,2 @@
---color
+--require spec_helper
---fail-fast
+--color

.rubocop.yml

@@ -1,28 +1,42 @@
+require: rubocop-performance
 AllCops:
-  TargetRubyVersion: 2.3
+  NewCops: enable
+  SuggestExtensions: false
+  TargetRubyVersion: 2.7
   Exclude:
   - '*.gemspec'
   - 'vendor/**/*'
-ClassVars:
+Layout/LineLength:
-  Enabled: false
-LineLength:
   Max: 120
-MethodLength:
+Lint/ConstantDefinitionInBlock:
-  Max: 20
+  Enabled: false
+Lint/MissingSuper:
+  Enabled: false
 Lint/UriEscapeUnescape:
   Enabled: false
 Metrics/AbcSize:
-  Max: 25
+  Max: 27
 Metrics/BlockLength:
   Exclude:
   - 'spec/**/*'
 Metrics/ClassLength:
   Max: 150
+  Exclude:
+  - 'app/controllers/enumeration/cli_options.rb'
 Metrics/CyclomaticComplexity:
-  Max: 8
+  Max: 10
-Style/Documentation:
+Metrics/MethodLength:
+  Max: 20
+  Exclude:
+  - 'app/controllers/enumeration/cli_options.rb'
+Metrics/PerceivedComplexity:
+  Max: 11
+Style/ClassVars:
   Enabled: false
-Style/FrozenStringLiteralComment:
+Style/Documentation:
   Enabled: false
 Style/FormatStringToken:
   Enabled: false
+Style/NumericPredicate:
+  Exclude:
+  - 'app/controllers/vuln_api.rb'

.ruby-version

@@ -1 +1 @@
-2.5.3
+3.0.2

.simplecov

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+if ENV['GITHUB_ACTION']
+  require 'simplecov-lcov'
+
+  SimpleCov::Formatter::LcovFormatter.config do |c|
+    c.single_report_path = 'coverage/lcov.info'
+    c.report_with_single_file = true
+  end
+
+  SimpleCov.formatter = SimpleCov::Formatter::LcovFormatter
+end
+
+SimpleCov.start do
+  enable_coverage :branch # Only supported for Ruby >= 2.5
+
+  add_filter '/spec/'
+  add_filter 'helper'
+end

.travis.yml

@@ -1,35 +0,0 @@
-language: ruby
-sudo: false
-cache: bundler
-rvm:
-  - 2.3.0
-  - 2.3.1
-  - 2.3.2
-  - 2.3.3
-  - 2.3.4
-  - 2.3.5
-  - 2.3.6
-  - 2.3.7
-  - 2.3.8
-  - 2.4.1
-  - 2.4.2
-  - 2.4.3
-  - 2.4.4
-  - 2.4.5
-  - 2.5.0
-  - 2.5.1
-  - 2.5.2
-  - 2.5.3
-  - ruby-head
-before_install:
-  - "echo 'gem: --no-ri --no-rdoc' > ~/.gemrc"
-  - "gem update --system"
-matrix:
-  allow_failures:
-    - rvm: ruby-head
-script:
-  - bundle exec rubocop
-  - bundle exec rspec
-notifications:
-  email:
-    - team@wpscan.org

Dockerfile

@@ -1,16 +1,16 @@
-FROM ruby:2.5.1-alpine AS builder
+FROM ruby:3.0.2-alpine AS builder
-LABEL maintainer="WPScan Team <team@wpscan.org>"
+LABEL maintainer="WPScan Team <contact@wpscan.com>"
 
-ARG BUNDLER_ARGS="--jobs=8 --without test development"
+RUN echo "install: --no-document --no-post-install-message\nupdate: --no-document --no-post-install-message" > /etc/gemrc
-
-RUN echo "gem: --no-ri --no-rdoc" > /etc/gemrc
 
 COPY . /wpscan
 
 RUN apk add --no-cache git libcurl ruby-dev libffi-dev make gcc musl-dev zlib-dev procps sqlite-dev && \
-  bundle install --system --clean --no-cache --gemfile=/wpscan/Gemfile $BUNDLER_ARGS && \
+  bundle config force_ruby_platform true && \
-  # temp fix for https://github.com/bundler/bundler/issues/6680
+  bundle config disable_version_check 'true' && \
-  rm -rf /usr/local/bundle/cache
+  bundle config without "test development" && \
+  bundle config path.system 'true' && \
+  bundle install --gemfile=/wpscan/Gemfile --jobs=8
 
 WORKDIR /wpscan
 RUN rake install --trace
@@ -19,20 +19,23 @@ RUN rake install --trace
 RUN chmod -R a+r /usr/local/bundle
 
 
-FROM ruby:2.5-alpine
+FROM ruby:3.0.2-alpine
-LABEL maintainer="WPScan Team <team@wpscan.org>"
+LABEL maintainer="WPScan Team <contact@wpscan.com>"
+LABEL org.opencontainers.image.source https://github.com/wpscanteam/wpscan
 
 RUN adduser -h /wpscan -g WPScan -D wpscan
 
 COPY --from=builder /usr/local/bundle /usr/local/bundle
+
 RUN chown -R wpscan:wpscan /wpscan
 
 # runtime dependencies
 RUN apk add --no-cache libcurl procps sqlite-libs
 
+WORKDIR /wpscan
 
 USER wpscan
+
 RUN /usr/local/bundle/bin/wpscan --update --verbose
 
 ENTRYPOINT ["/usr/local/bundle/bin/wpscan"]
-CMD ["--help"]

Gemfile

@@ -1,2 +1,6 @@
+# frozen_string_literal: true
+
 source 'https://rubygems.org'
 gemspec
+
+# gem 'cms_scanner', branch: 'xxx', git: 'https://github.com/wpscanteam/CMSScanner.git'

LICENSE

@@ -1,14 +1,14 @@
 WPScan Public Source License
 
-The WPScan software (henceforth referred to simply as "WPScan") is dual-licensed - Copyright 2011-2018 WPScan Team.
+The WPScan software (henceforth referred to simply as "WPScan") is dual-licensed - Copyright 2011-2019 WPScan Team.
 
 Cases that include commercialization of WPScan require a commercial, non-free license. Otherwise, WPScan can be used without charge under the terms set out below.
 
 1. Definitions
 
-1.1 “License” means this document.
+1.1 "License" means this document.
-1.2 “Contributor” means each individual or legal entity that creates, contributes to the creation of, or owns WPScan.
+1.2 "Contributor" means each individual or legal entity that creates, contributes to the creation of, or owns WPScan.
-1.3 “WPScan Team” means WPScan’s core developers, an updated list of whom can be found within the CREDITS file.
+1.3 "WPScan Team" means WPScan’s core developers.
 
 2. Commercialization
 
@@ -27,9 +27,7 @@ Example cases which do not require a commercial license, and thus fall under the
  - Using WPScan to test your own systems.
  - Any non-commercial use of WPScan.
 
-If you need to purchase a commercial license or are unsure whether you need to purchase a commercial license contact us - team@wpscan.org.
+If you need to purchase a commercial license or are unsure whether you need to purchase a commercial license contact us - contact@wpscan.com.
-
-We may grant commercial licenses at no monetary cost at our own discretion if the commercial usage is deemed by the WPScan Team to significantly benefit WPScan.
 
 Free-use Terms and Conditions;
 
@@ -59,7 +57,7 @@ WPScan is provided under an AS-IS basis and without any support, updates or main
 
 8. Disclaimer of Warranty
 
-WPScan is provided under this License on an “as is” basis, without warranty of any kind, either expressed, implied, or statutory, including, without limitation, warranties that the WPScan is free of defects, merchantable, fit for a particular purpose or non-infringing.
+WPScan is provided under this License on an "as is" basis, without warranty of any kind, either expressed, implied, or statutory, including, without limitation, warranties that the WPScan is free of defects, merchantable, fit for a particular purpose or non-infringing.
 
 9. Limitation of Liability
 

README.md

@@ -1,111 +1,167 @@
-![alt text](https://raw.githubusercontent.com/wpscanteam/wpscan/gh-pages/images/wpscan_logo.png "WPScan - WordPress Security Scanner")
+<p align="center">
+  <a href="https://wpscan.com/">
+    <img src="https://raw.githubusercontent.com/wpscanteam/wpscan/gh-pages/images/wpscan_logo.png" alt="WPScan logo">
+  </a>
+</p>
 
-[![Gem Version](https://badge.fury.io/rb/wpscan.svg)](https://badge.fury.io/rb/wpscan)
+<h3 align="center">WPScan</h3>
-[![Build Status](https://travis-ci.org/wpscanteam/wpscan.svg?branch=master)](https://travis-ci.org/wpscanteam/wpscan)
+
-[![Code Climate](https://codeclimate.com/github/wpscanteam/wpscan/badges/gpa.svg)](https://codeclimate.com/github/wpscanteam/wpscan)
+<p align="center">
-[![Patreon Donate](https://img.shields.io/badge/patreon-donate-green.svg)](https://www.patreon.com/wpscan)
+  WordPress Security Scanner
+  <br>
+  <br>
+  <a href="https://wpscan.com/" title="homepage" target="_blank">WPScan WordPress Vulnerability Database</a> - <a href="https://wordpress.org/plugins/wpscan/" title="wordpress security plugin" target="_blank">WordPress Security Plugin</a>
+</p>
+
+<p align="center">
+  <a href="https://badge.fury.io/rb/wpscan" target="_blank"><img src="https://badge.fury.io/rb/wpscan.svg"></a>
+  <a href="https://hub.docker.com/r/wpscanteam/wpscan/" target="_blank"><img src="https://img.shields.io/docker/pulls/wpscanteam/wpscan.svg"></a>
+  <a href="https://github.com/wpscanteam/wpscan/actions?query=workflow%3ABuild" target="_blank"><img src="https://github.com/wpscanteam/wpscan/workflows/Build/badge.svg"></a>
+  <a href="https://codeclimate.com/github/wpscanteam/wpscan" target="_blank"><img src="https://codeclimate.com/github/wpscanteam/wpscan/badges/gpa.svg"></a>
+</p>
 
 # INSTALL
 
-## Prerequisites:
+## Prerequisites
 
-- Ruby >= 2.3 - Recommended: latest
+- (Optional but highly recommended: [RVM](https://rvm.io/rvm/install))
-- Curl >= 7.21  - Recommended: latest - FYI the 7.29 has a segfault
+- Ruby >= 2.7 - Recommended: latest
+- Curl >= 7.72  - Recommended: latest
+  - The 7.29 has a segfault
+  - The < 7.72 could result in `Stream error in the HTTP/2 framing layer` in some cases
 - RubyGems      - Recommended: latest
+- Nokogiri might require packages to be installed via your package manager depending on your OS, see https://nokogiri.org/tutorials/installing_nokogiri.html
 
-### From RubyGems:
+### In a Pentesting distribution
 
+When using a pentesting distubution (such as Kali Linux), it is recommended to install/update wpscan via the package manager if available.
+
+### In macOSX via Homebrew
+
+```shell
+brew install wpscanteam/tap/wpscan
 ```
+
+### From RubyGems
+
+```shell
 gem install wpscan
 ```
 
-### From sources:
+On MacOSX, if a ```Gem::FilePermissionError``` is raised due to the Apple's System Integrity Protection (SIP), either install RVM and install wpscan again, or run ```sudo gem install -n /usr/local/bin wpscan``` (see [#1286](https://github.com/wpscanteam/wpscan/issues/1286))
 
-Prerequisites: Git
+# Updating
 
-```
+You can update the local database by using ```wpscan --update```
-git clone https://github.com/wpscanteam/wpscan
 
-cd wpscan/
+Updating WPScan itself is either done via ```gem update wpscan``` or the packages manager (this is quite important for distributions such as in Kali Linux: ```apt-get update && apt-get upgrade```) depending on how WPScan was (pre)installed
-
-bundle install && rake install
-```
 
 # Docker
 
 Pull the repo with ```docker pull wpscanteam/wpscan```
 
 Enumerating usernames
-```
+
+```shell
 docker run -it --rm wpscanteam/wpscan --url https://target.tld/ --enumerate u
 ```
 
 Enumerating a range of usernames
-```
+
+```shell
 docker run -it --rm wpscanteam/wpscan --url https://target.tld/ --enumerate u1-100
 ```
+
 ** replace u1-100 with a range of your choice.
 
 # Usage
 
-```wpscan --url blog.tld``` This will scan the blog using default options with a good compromise between speed and accuracy. For example, the plugins will be checked passively but their version with a mixed detection mode (passively + aggressively). Potential config backup files will also be checked, along with other interesting findings. If a more stealthy approach is required, then ```wpscan --stealthy --url blog.tld``` can be used.
+Full user documentation can be found here; https://github.com/wpscanteam/wpscan/wiki/WPScan-User-Documentation
+
+```wpscan --url blog.tld``` This will scan the blog using default options with a good compromise between speed and accuracy. For example, the plugins will be checked passively but their version with a mixed detection mode (passively + aggressively). Potential config backup files will also be checked, along with other interesting findings.
+
+If a more stealthy approach is required, then ```wpscan --stealthy --url blog.tld``` can be used.
 As a result, when using the ```--enumerate``` option, don't forget to set the ```--plugins-detection``` accordingly, as its default is 'passive'.
 
 For more options, open a terminal and type ```wpscan --help``` (if you built wpscan from the source, you should type the command outside of the git repo)
 
 The DB is located at ~/.wpscan/db
 
+## Optional: WordPress Vulnerability Database API
+
+The WPScan CLI tool uses the [WordPress Vulnerability Database API](https://wpscan.com/api) to retrieve WordPress vulnerability data in real time. For WPScan to retrieve the vulnerability data an API token must be supplied via the `--api-token` option, or via a configuration file, as discussed below. An API token can be obtained by registering an account on [WPScan.com](https://wpscan.com/register).
+
+Up to **25** API requests per day are given free of charge, that should be suitable to scan most WordPress websites at least once per day. When the daily 25 API requests are exhausted, WPScan will continue to work as normal but without any vulnerability data.
+
+### How many API requests do you need?
+
+- Our WordPress scanner makes one API request for the WordPress version, one request per installed plugin and one request per installed theme.
+- On average, a WordPress website has 22 installed plugins.
+
+## Load CLI options from file/s
+
 WPScan can load all options (including the --url) from configuration files, the following locations are checked (order: first to last):
 
-* ~/.wpscan/cli_options.json
+- ~/.wpscan/scan.json
-* ~/.wpscan/cli_options.yml
+- ~/.wpscan/scan.yml
-* pwd/.wpscan/cli_options.json
+- pwd/.wpscan/scan.json
-* pwd/.wpscan/cli_options.yml
+- pwd/.wpscan/scan.yml
 
-If those files exist, options from them will be loaded and overridden if found twice.
+If those files exist, options from the `cli_options` key will be loaded and overridden if found twice.
 
 e.g:
 
-~/.wpscan/cli_options.yml:
+~/.wpscan/scan.yml:
-```
+
-proxy: 'http://127.0.0.1:8080'
+```yml
-verbose: true
+cli_options:
+  proxy: 'http://127.0.0.1:8080'
+  verbose: true
 ```
 
-pwd/.wpscan/cli_options.yml:
+pwd/.wpscan/scan.yml:
-```
+
-proxy: 'socks5://127.0.0.1:9090'
+```yml
-url: 'http://target.tld'
+cli_options:
+  proxy: 'socks5://127.0.0.1:9090'
+  url: 'http://target.tld'
 ```
 
 Running ```wpscan``` in the current directory (pwd), is the same as ```wpscan -v --proxy socks5://127.0.0.1:9090 --url http://target.tld```
 
+## Save API Token in a file
 
-Enumerating usernames
+The feature mentioned above is useful to keep the API Token in a config file and not have to supply it via the CLI each time. To do so, create the ~/.wpscan/scan.yml file containing the below:
+
+```yml
+cli_options:
+  api_token: 'YOUR_API_TOKEN'
 ```
+
+## Load API Token From ENV (since v3.7.10)
+
+The API Token will be automatically loaded from the ENV variable `WPSCAN_API_TOKEN` if present. If the `--api-token` CLI option is also provided, the value from the CLI will be used.
+
+
+## Enumerating usernames
+
+```shell
 wpscan --url https://target.tld/ --enumerate u
 ```
 
 Enumerating a range of usernames
-```
+
+```shell
 wpscan --url https://target.tld/ --enumerate u1-100
 ```
+
 ** replace u1-100 with a range of your choice.
 
-
-# PROJECT HOME
-
-[https://wpscan.org](https://wpscan.org)
-
-# VULNERABILITY DATABASE
-
-[https://wpvulndb.com](https://wpvulndb.com)
-
 # LICENSE
 
 ## WPScan Public Source License
 
-The WPScan software (henceforth referred to simply as "WPScan") is dual-licensed - Copyright 2011-2018 WPScan Team.
+The WPScan software (henceforth referred to simply as "WPScan") is dual-licensed - Copyright 2011-2019 WPScan Team.
 
 Cases that include commercialization of WPScan require a commercial, non-free license. Otherwise, WPScan can be used without charge under the terms set out below.
 
@@ -115,7 +171,7 @@ Cases that include commercialization of WPScan require a commercial, non-free li
 
 1.2 "Contributor" means each individual or legal entity that creates, contributes to the creation of, or owns WPScan.
 
-1.3 "WPScan Team" means WPScan’s core developers, an updated list of whom can be found within the CREDITS file.
+1.3 "WPScan Team" means WPScan’s core developers.
 
 ### 2. Commercialization
 
@@ -123,20 +179,18 @@ A commercial use is one intended for commercial advantage or monetary compensati
 
 Example cases of commercialization are:
 
- - Using WPScan to provide commercial managed/Software-as-a-Service services.
+- Using WPScan to provide commercial managed/Software-as-a-Service services.
- - Distributing WPScan as a commercial product or as part of one.
+- Distributing WPScan as a commercial product or as part of one.
- - Using WPScan as a value added service/product.
+- Using WPScan as a value added service/product.
 
 Example cases which do not require a commercial license, and thus fall under the terms set out below, include (but are not limited to):
 
- - Penetration testers (or penetration testing organizations) using WPScan as part of their assessment toolkit.
+- Penetration testers (or penetration testing organizations) using WPScan as part of their assessment toolkit.
- - Penetration Testing Linux Distributions including but not limited to Kali Linux, SamuraiWTF, BackBox Linux.
+- Penetration Testing Linux Distributions including but not limited to Kali Linux, SamuraiWTF, BackBox Linux.
- - Using WPScan to test your own systems.
+- Using WPScan to test your own systems.
- - Any non-commercial use of WPScan.
+- Any non-commercial use of WPScan.
 
-If you need to purchase a commercial license or are unsure whether you need to purchase a commercial license contact us - team@wpscan.org.
+If you need to purchase a commercial license or are unsure whether you need to purchase a commercial license contact us - contact@wpscan.com.
-
-We may grant commercial licenses at no monetary cost at our own discretion if the commercial usage is deemed by the WPScan Team to significantly benefit WPScan.
 
 Free-use Terms and Conditions;
 
@@ -144,9 +198,9 @@ Free-use Terms and Conditions;
 
 Redistribution is permitted under the following conditions:
 
- - Unmodified License is provided with WPScan.
+- Unmodified License is provided with WPScan.
- - Unmodified Copyright notices are provided with WPScan.
+- Unmodified Copyright notices are provided with WPScan.
- - Does not conflict with the commercialization clause.
+- Does not conflict with the commercialization clause.
 
 ### 4. Copying
 

Rakefile

@@ -6,14 +6,18 @@ exec = []
 
 begin
   require 'rubocop/rake_task'
+
   RuboCop::RakeTask.new
+
   exec << :rubocop
 rescue LoadError
 end
 
 begin
   require 'rspec/core/rake_task'
-  RSpec::Core::RakeTask.new(:spec)
+
+  RSpec::Core::RakeTask.new(:spec) { |t| t.rspec_opts = %w{--tag ~slow} }
+
   exec << :spec
 rescue LoadError
 end

app/app.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative 'models'
 require_relative 'finders'
 require_relative 'controllers'

app/controllers.rb

@@ -1,4 +1,7 @@
+# frozen_string_literal: true
+
 require_relative 'controllers/core'
+require_relative 'controllers/vuln_api'
 require_relative 'controllers/custom_directories'
 require_relative 'controllers/wp_version'
 require_relative 'controllers/main_theme'

app/controllers/aliases.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module WPScan
   module Controller
     # Controller to add the aliases in the CLI

app/controllers/core.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module WPScan
   module Controller
     # Specific Core controller to include WordPress checks
@@ -6,13 +8,13 @@ module WPScan
       def cli_options
         [OptURL.new(['--url URL', 'The URL of the blog to scan'],
                     required_unless: %i[update help hh version], default_protocol: 'http')] +
-          super.drop(1) + # delete the --url from CMSScanner
+          super.drop(2) + # delete the --url and --force from CMSScanner
           [
             OptChoice.new(['--server SERVER', 'Force the supplied server module to be loaded'],
                           choices: %w[apache iis nginx],
                           normalize: %i[downcase to_sym],
                           advanced: true),
-            OptBoolean.new(['--force', 'Do not check if the target is running WordPress']),
+            OptBoolean.new(['--force', 'Do not check if the target is running WordPress or returns a 403']),
             OptBoolean.new(['--[no-]update', 'Whether or not to update the Database'])
           ]
       end
@@ -25,53 +27,56 @@ module WPScan
       # @return [ Boolean ]
       def update_db_required?
         if local_db.missing_files?
-          raise MissingDatabaseFile if parsed_options[:update] == false
+          raise Error::MissingDatabaseFile if ParsedCli.update == false
 
           return true
         end
 
-        return parsed_options[:update] unless parsed_options[:update].nil?
+        return ParsedCli.update unless ParsedCli.update.nil?
 
         return false unless user_interaction? && local_db.outdated?
 
         output('@notice', msg: 'It seems like you have not updated the database for some time.')
         print '[?] Do you want to update now? [Y]es [N]o, default: [N]'
 
-        Readline.readline =~ /^y/i ? true : false
+        /^y/i.match?(Readline.readline)
       end
 
       def update_db
         output('db_update_started')
-        output('db_update_finished', updated: local_db.update, verbose: parsed_options[:verbose])
+        output('db_update_finished', updated: local_db.update, verbose: ParsedCli.verbose)
 
-        exit(0) unless parsed_options[:url]
+        exit(0) unless ParsedCli.url
       end
 
       def before_scan
         @last_update = local_db.last_update
 
-        maybe_output_banner_help_and_version # From CMS Scanner
+        maybe_output_banner_help_and_version # From CMSScanner
 
         update_db if update_db_required?
         setup_cache
         check_target_availability
         load_server_module
         check_wordpress_state
+      rescue Error::NotWordPress => e
+        target.maybe_add_cookies
+        raise e unless target.wordpress?(ParsedCli.detection_mode)
       end
 
       # Raises errors if the target is hosted on wordpress.com or is not running WordPress
       # Also check if the homepage_url is still the install url
       def check_wordpress_state
-        raise WordPressHostedError if target.wordpress_hosted?
+        raise Error::WordPressHosted if target.wordpress_hosted?
 
-        if Addressable::URI.parse(target.homepage_url).path =~ %r{/wp-admin/install.php$}i
+        if %r{/wp-admin/install.php$}i.match?(Addressable::URI.parse(target.homepage_url).path)
 
           output('not_fully_configured', url: target.homepage_url)
 
           exit(WPScan::ExitCode::VULNERABLE)
         end
 
-        raise NotWordPressError unless target.wordpress? || parsed_options[:force]
+        raise Error::NotWordPress unless target.wordpress?(ParsedCli.detection_mode) || ParsedCli.force
       end
 
       # Loads the related server module in the target
@@ -83,7 +88,7 @@ module WPScan
         server = target.server || :Apache # Tries to auto detect the server
 
         # Force a specific server module to be loaded if supplied
-        case parsed_options[:server]
+        case ParsedCli.server
         when :apache
           server = :Apache
         when :iis
@@ -95,7 +100,7 @@ module WPScan
         mod = CMSScanner::Target::Server.const_get(server)
 
         target.extend mod
-        WPScan::WpItem.include mod
+        Model::WpItem.include mod
 
         server
       end

app/controllers/custom_directories.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module WPScan
   module Controller
     # Controller to ensure that the wp-content and wp-plugins
@@ -5,18 +7,18 @@ module WPScan
     class CustomDirectories < CMSScanner::Controller::Base
       def cli_options
         [
-          OptString.new(['--wp-content-dir DIR']),
+          OptString.new(['--wp-content-dir DIR',
-          OptString.new(['--wp-plugins-dir DIR'])
+                         'The wp-content directory if custom or not detected, such as "wp-content"']),
+          OptString.new(['--wp-plugins-dir DIR',
+                         'The plugins directory if custom or not detected, such as "wp-content/plugins"'])
         ]
       end
 
       def before_scan
-        target.content_dir = parsed_options[:wp_content_dir] if parsed_options[:wp_content_dir]
+        target.content_dir = ParsedCli.wp_content_dir if ParsedCli.wp_content_dir
-        target.plugins_dir = parsed_options[:wp_plugins_dir] if parsed_options[:wp_plugins_dir]
+        target.plugins_dir = ParsedCli.wp_plugins_dir if ParsedCli.wp_plugins_dir
 
-        return if target.content_dir
+        raise Error::WpContentDirNotDetected unless target.content_dir
-
-        raise 'Unable to identify the wp-content dir, please supply it with --wp-content-dir'
       end
     end
   end

app/controllers/enumeration.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative 'enumeration/cli_options'
 require_relative 'enumeration/enum_methods'
 
@@ -5,13 +7,8 @@ module WPScan
   module Controller
     # Enumeration Controller
     class Enumeration < CMSScanner::Controller::Base
-      def before_scan
-        DB::DynamicFinders::Plugin.create_versions_finders
-        DB::DynamicFinders::Theme.create_versions_finders
-      end
-
       def run
-        enum = parsed_options[:enumerate] || {}
+        enum = ParsedCli.enumerate || {}
 
         enum_plugins if enum_plugins?(enum)
         enum_themes  if enum_themes?(enum)

app/controllers/enumeration/cli_options.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module WPScan
   module Controller
     # Enumeration CLI Options
@@ -9,7 +11,6 @@ module WPScan
       end
 
       # @return [ Array<OptParseValidator::OptBase> ]
-      # rubocop:disable Metrics/MethodLength
       def cli_enum_choices
         [
           OptMultiChoices.new(
@@ -17,10 +18,10 @@ module WPScan
             choices: {
               vp: OptBoolean.new(['--vulnerable-plugins']),
               ap: OptBoolean.new(['--all-plugins']),
-              p: OptBoolean.new(['--plugins']),
+              p: OptBoolean.new(['--popular-plugins']),
               vt: OptBoolean.new(['--vulnerable-themes']),
               at: OptBoolean.new(['--all-themes']),
-              t: OptBoolean.new(['--themes']),
+              t: OptBoolean.new(['--popular-themes']),
               tt: OptBoolean.new(['--timthumbs']),
               cb: OptBoolean.new(['--config-backups']),
               dbe: OptBoolean.new(['--db-exports']),
@@ -43,7 +44,6 @@ module WPScan
           )
         ]
       end
-      # rubocop:enable Metrics/MethodLength
 
       # @return [ Array<OptParseValidator::OptBase> ]
       def cli_plugins_opts
@@ -51,7 +51,7 @@ module WPScan
           OptSmartList.new(['--plugins-list LIST', 'List of plugins to enumerate'], advanced: true),
           OptChoice.new(
             ['--plugins-detection MODE',
-             'Use the supplied mode to enumerate Plugins, instead of the global (--detection-mode) mode.'],
+             'Use the supplied mode to enumerate Plugins.'],
             choices: %w[mixed passive aggressive], normalize: :to_sym, default: :passive
           ),
           OptBoolean.new(
@@ -62,9 +62,13 @@ module WPScan
           ),
           OptChoice.new(
             ['--plugins-version-detection MODE',
-             'Use the supplied mode to check plugins versions instead of the --detection-mode ' \
+             'Use the supplied mode to check plugins\' versions.'],
-             'or --plugins-detection modes.'],
             choices: %w[mixed passive aggressive], normalize: :to_sym, default: :mixed
+          ),
+          OptInteger.new(
+            ['--plugins-threshold THRESHOLD',
+             'Raise an error when the number of detected plugins via known locations reaches the threshold. ' \
+             'Set to 0 to ignore the threshold.'], default: 100, advanced: true
           )
         ]
       end
@@ -89,6 +93,11 @@ module WPScan
              'Use the supplied mode to check themes versions instead of the --detection-mode ' \
              'or --themes-detection modes.'],
             choices: %w[mixed passive aggressive], normalize: :to_sym, advanced: true
+          ),
+          OptInteger.new(
+            ['--themes-threshold THRESHOLD',
+             'Raise an error when the number of detected themes via known locations reaches the threshold. ' \
+             'Set to 0 to ignore the threshold.'], default: 20, advanced: true
           )
         ]
       end
@@ -98,7 +107,7 @@ module WPScan
         [
           OptFilePath.new(
             ['--timthumbs-list FILE-PATH', 'List of timthumbs\' location to use'],
-            exists: true, default: File.join(DB_DIR, 'timthumbs-v3.txt'), advanced: true
+            exists: true, default: DB_DIR.join('timthumbs-v3.txt').to_s, advanced: true
           ),
           OptChoice.new(
             ['--timthumbs-detection MODE',
@@ -113,7 +122,7 @@ module WPScan
         [
           OptFilePath.new(
             ['--config-backups-list FILE-PATH', 'List of config backups\' filenames to use'],
-            exists: true, default: File.join(DB_DIR, 'config_backups.txt'), advanced: true
+            exists: true, default: DB_DIR.join('config_backups.txt').to_s, advanced: true
           ),
           OptChoice.new(
             ['--config-backups-detection MODE',
@@ -128,7 +137,7 @@ module WPScan
         [
           OptFilePath.new(
             ['--db-exports-list FILE-PATH', 'List of DB exports\' paths to use'],
-            exists: true, default: File.join(DB_DIR, 'db_exports.txt'), advanced: true
+            exists: true, default: DB_DIR.join('db_exports.txt').to_s, advanced: true
           ),
           OptChoice.new(
             ['--db-exports-detection MODE',
@@ -161,6 +170,12 @@ module WPScan
             ['--users-detection MODE',
              'Use the supplied mode to enumerate Users, instead of the global (--detection-mode) mode.'],
             choices: %w[mixed passive aggressive], normalize: :to_sym, advanced: true
+          ),
+          OptRegexp.new(
+            [
+              '--exclude-usernames REGEXP_OR_STRING',
+              'Exclude usernames matching the Regexp/string (case insensitive). Regexp delimiters are not required.'
+            ], options: Regexp::IGNORECASE
           )
         ]
       end

app/controllers/enumeration/enum_methods.rb

@@ -1,37 +1,53 @@
+# frozen_string_literal: true
+
 module WPScan
   module Controller
     # Enumeration Methods
     class Enumeration < CMSScanner::Controller::Base
       # @param [ String ] type (plugins or themes)
+      # @param [ Symbol ] detection_mode
       #
-      # @return [ String ] The related enumration message depending on the parsed_options and type supplied
+      # @return [ String ] The related enumration message depending on the ParsedCli and type supplied
-      def enum_message(type)
+      def enum_message(type, detection_mode)
         return unless %w[plugins themes].include?(type)
 
-        details = if parsed_options[:enumerate][:"vulnerable_#{type}"]
+        details = if ParsedCli.enumerate[:"vulnerable_#{type}"]
                     'Vulnerable'
-                  elsif parsed_options[:enumerate][:"all_#{type}"]
+                  elsif ParsedCli.enumerate[:"all_#{type}"]
                     'All'
                   else
                     'Most Popular'
                   end
 
-        "Enumerating #{details} #{type.capitalize}"
+        "Enumerating #{details} #{type.capitalize} #{enum_detection_message(detection_mode)}"
+      end
+
+      # @param [ Symbol ] detection_mode
+      #
+      # @return [ String ]
+      def enum_detection_message(detection_mode)
+        detection_method = if detection_mode == :mixed
+                             'Passive and Aggressive'
+                           else
+                             detection_mode.to_s.capitalize
+                           end
+
+        "(via #{detection_method} Methods)"
       end
 
       # @param [ String ] type (plugins, themes etc)
       #
       # @return [ Hash ]
       def default_opts(type)
-        mode = parsed_options[:"#{type}_detection"] || parsed_options[:detection_mode]
+        mode = ParsedCli.options[:"#{type}_detection"] || ParsedCli.detection_mode
 
         {
           mode: mode,
-          exclude_content: parsed_options[:exclude_content_based],
+          exclude_content: ParsedCli.exclude_content_based,
           show_progression: user_interaction?,
           version_detection: {
-            mode: parsed_options[:"#{type}_version_detection"] || mode,
+            mode: ParsedCli.options[:"#{type}_version_detection"] || mode,
-            confidence_threshold: parsed_options[:"#{type}_version_all"] ? 0 : 100
+            confidence_threshold: ParsedCli.options[:"#{type}_version_all"] ? 0 : 100
           }
         }
       end
@@ -40,25 +56,29 @@ module WPScan
       #
       # @return [ Boolean ] Wether or not to enumerate the plugins
       def enum_plugins?(opts)
-        opts[:plugins] || opts[:all_plugins] || opts[:vulnerable_plugins]
+        opts[:popular_plugins] || opts[:all_plugins] || opts[:vulnerable_plugins]
       end
 
       def enum_plugins
         opts = default_opts('plugins').merge(
-          list: plugins_list_from_opts(parsed_options),
+          list: plugins_list_from_opts(ParsedCli.options),
+          threshold: ParsedCli.plugins_threshold,
           sort: true
         )
 
-        output('@info', msg: enum_message('plugins')) if user_interaction?
+        output('@info', msg: enum_message('plugins', opts[:mode])) if user_interaction?
         # Enumerate the plugins & find their versions to avoid doing that when #version
         # is called in the view
         plugins = target.plugins(opts)
 
-        output('@info', msg: 'Checking Plugin Versions') if user_interaction? && !plugins.empty?
+        if user_interaction? && !plugins.empty?
+          output('@info',
+                 msg: "Checking Plugin Versions #{enum_detection_message(opts[:version_detection][:mode])}")
+        end
 
         plugins.each(&:version)
 
-        plugins.select!(&:vulnerable?) if parsed_options[:enumerate][:vulnerable_plugins]
+        plugins.select!(&:vulnerable?) if ParsedCli.enumerate[:vulnerable_plugins]
 
         output('plugins', plugins: plugins)
       end
@@ -72,7 +92,7 @@ module WPScan
 
         if opts[:enumerate][:all_plugins]
           DB::Plugins.all_slugs
-        elsif opts[:enumerate][:plugins]
+        elsif opts[:enumerate][:popular_plugins]
           DB::Plugins.popular_slugs
         else
           DB::Plugins.vulnerable_slugs
@@ -83,25 +103,29 @@ module WPScan
       #
       # @return [ Boolean ] Wether or not to enumerate the themes
       def enum_themes?(opts)
-        opts[:themes] || opts[:all_themes] || opts[:vulnerable_themes]
+        opts[:popular_themes] || opts[:all_themes] || opts[:vulnerable_themes]
       end
 
       def enum_themes
         opts = default_opts('themes').merge(
-          list: themes_list_from_opts(parsed_options),
+          list: themes_list_from_opts(ParsedCli.options),
+          threshold: ParsedCli.themes_threshold,
           sort: true
         )
 
-        output('@info', msg: enum_message('themes')) if user_interaction?
+        output('@info', msg: enum_message('themes', opts[:mode])) if user_interaction?
         # Enumerate the themes & find their versions to avoid doing that when #version
         # is called in the view
         themes = target.themes(opts)
 
-        output('@info', msg: 'Checking Theme Versions') if user_interaction? && !themes.empty?
+        if user_interaction? && !themes.empty?
+          output('@info',
+                 msg: "Checking Theme Versions #{enum_detection_message(opts[:version_detection][:mode])}")
+        end
 
         themes.each(&:version)
 
-        themes.select!(&:vulnerable?) if parsed_options[:enumerate][:vulnerable_themes]
+        themes.select!(&:vulnerable?) if ParsedCli.enumerate[:vulnerable_themes]
 
         output('themes', themes: themes)
       end
@@ -115,7 +139,7 @@ module WPScan
 
         if opts[:enumerate][:all_themes]
           DB::Themes.all_slugs
-        elsif opts[:enumerate][:themes]
+        elsif opts[:enumerate][:popular_themes]
           DB::Themes.popular_slugs
         else
           DB::Themes.vulnerable_slugs
@@ -123,31 +147,33 @@ module WPScan
       end
 
       def enum_timthumbs
-        opts = default_opts('timthumbs').merge(list: parsed_options[:timthumbs_list])
+        opts = default_opts('timthumbs').merge(list: ParsedCli.timthumbs_list)
 
-        output('@info', msg: 'Enumerating Timthumbs') if user_interaction?
+        output('@info', msg: "Enumerating Timthumbs #{enum_detection_message(opts[:mode])}") if user_interaction?
         output('timthumbs', timthumbs: target.timthumbs(opts))
       end
 
       def enum_config_backups
-        opts = default_opts('config_backups').merge(list: parsed_options[:config_backups_list])
+        opts = default_opts('config_backups').merge(list: ParsedCli.config_backups_list)
 
-        output('@info', msg: 'Enumerating Config Backups') if user_interaction?
+        output('@info', msg: "Enumerating Config Backups #{enum_detection_message(opts[:mode])}") if user_interaction?
         output('config_backups', config_backups: target.config_backups(opts))
       end
 
       def enum_db_exports
-        opts = default_opts('db_exports').merge(list: parsed_options[:db_exports_list])
+        opts = default_opts('db_exports').merge(list: ParsedCli.db_exports_list)
 
-        output('@info', msg: 'Enumerating DB Exports') if user_interaction?
+        output('@info', msg: "Enumerating DB Exports #{enum_detection_message(opts[:mode])}") if user_interaction?
         output('db_exports', db_exports: target.db_exports(opts))
       end
 
       def enum_medias
-        opts = default_opts('medias').merge(range: parsed_options[:enumerate][:medias])
+        opts = default_opts('medias').merge(range: ParsedCli.enumerate[:medias])
 
         if user_interaction?
-          output('@info', msg: 'Enumerating Medias (Permalink setting must be set to "Plain" for those to be detected)')
+          output('@info',
+                 msg: "Enumerating Medias #{enum_detection_message(opts[:mode])} "\
+                      '(Permalink setting must be set to "Plain" for those to be detected)')
         end
 
         output('medias', medias: target.medias(opts))
@@ -157,16 +183,16 @@ module WPScan
       #
       # @return [ Boolean ] Wether or not to enumerate the users
       def enum_users?(opts)
-        opts[:users] || (parsed_options[:passwords] && !parsed_options[:username] && !parsed_options[:usernames])
+        opts[:users] || (ParsedCli.passwords && !ParsedCli.username && !ParsedCli.usernames)
       end
 
       def enum_users
         opts = default_opts('users').merge(
           range: enum_users_range,
-          list: parsed_options[:users_list]
+          list: ParsedCli.users_list
         )
 
-        output('@info', msg: 'Enumerating Users') if user_interaction?
+        output('@info', msg: "Enumerating Users #{enum_detection_message(opts[:mode])}") if user_interaction?
         output('users', users: target.users(opts))
       end
 
@@ -174,7 +200,7 @@ module WPScan
       # If the --enumerate is used, the default value is handled by the Option
       # However, when using --passwords alone, the default has to be set by the code below
       def enum_users_range
-        parsed_options[:enumerate][:users] || cli_enum_choices[0].choices[:u].validate(nil)
+        ParsedCli.enumerate[:users] || cli_enum_choices[0].choices[:u].validate(nil)
       end
     end
   end

app/controllers/main_theme.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module WPScan
   module Controller
     # Main Theme Controller
@@ -16,9 +18,9 @@ module WPScan
         output(
           'theme',
           theme: target.main_theme(
-            mode: parsed_options[:main_theme_detection] || parsed_options[:detection_mode]
+            mode: ParsedCli.main_theme_detection || ParsedCli.detection_mode
           ),
-          verbose: parsed_options[:verbose]
+          verbose: ParsedCli.verbose
         )
       end
     end

app/controllers/password_attack.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module WPScan
   module Controller
     # Password Attack Controller
@@ -15,33 +17,40 @@ module WPScan
                           'Maximum number of passwords to send by request with XMLRPC multicall'],
                          default: 500),
           OptChoice.new(['--password-attack ATTACK',
-                         'Force the supplied attack to be used rather than automatically determining one.'],
+                         'Force the supplied attack to be used rather than automatically determining one.',
+                         'Multicall will only work against WP < 4.4'],
                         choices: %w[wp-login xmlrpc xmlrpc-multicall],
-                        normalize: %i[downcase underscore to_sym])
+                        normalize: %i[downcase underscore to_sym]),
+          OptString.new(['--login-uri URI', 'The URI of the login page if different from /wp-login.php'])
         ]
       end
 
-      def run
+      def attack_opts
-        return unless parsed_options[:passwords]
+        @attack_opts ||= {
-
-        if user_interaction?
-          output('@info',
-                 msg: "Performing password attack on #{attacker.titleize} against #{users.size} user/s")
-        end
-
-        attack_opts = {
           show_progression: user_interaction?,
-          multicall_max_passwords: parsed_options[:multicall_max_passwords]
+          multicall_max_passwords: ParsedCli.multicall_max_passwords
         }
+      end
+
+      def run
+        return unless ParsedCli.passwords
 
         begin
           found = []
 
-          attacker.attack(users, passwords(parsed_options[:passwords]), attack_opts) do |user|
+          if user_interaction?
+            output('@info',
+                   msg: "Performing password attack on #{attacker.titleize} against #{users.size} user/s")
+          end
+
+          attacker.attack(users, ParsedCli.passwords, attack_opts) do |user|
             found << user
 
             attacker.progress_bar.log("[SUCCESS] - #{user.username} / #{user.password}")
           end
+        rescue Error::NoLoginInterfaceDetected => e
+          # TODO: Maybe output that in JSON as well.
+          output('@notice', msg: e.to_s) if user_interaction?
         ensure
           output('users', users: found)
         end
@@ -52,55 +61,67 @@ module WPScan
         @attacker ||= attacker_from_cli_options || attacker_from_automatic_detection
       end
 
-      # @return [ WPScan::XMLRPC ]
+      # @return [ Model::XMLRPC ]
       def xmlrpc
         @xmlrpc ||= target.xmlrpc
       end
 
       # @return [ CMSScanner::Finders::Finder ]
       def attacker_from_cli_options
-        return unless parsed_options[:password_attack]
+        return unless ParsedCli.password_attack
 
-        case parsed_options[:password_attack]
+        case ParsedCli.password_attack
         when :wp_login
-          WPScan::Finders::Passwords::WpLogin.new(target)
+          raise Error::NoLoginInterfaceDetected unless target.login_url
+
+          Finders::Passwords::WpLogin.new(target)
         when :xmlrpc
-          WPScan::Finders::Passwords::XMLRPC.new(xmlrpc)
+          raise Error::XMLRPCNotDetected unless xmlrpc
+
+          Finders::Passwords::XMLRPC.new(xmlrpc)
         when :xmlrpc_multicall
-          WPScan::Finders::Passwords::XMLRPCMulticall.new(xmlrpc)
+          raise Error::XMLRPCNotDetected unless xmlrpc
+
+          Finders::Passwords::XMLRPCMulticall.new(xmlrpc)
+        end
+      end
+
+      # @return [ Boolean ]
+      def xmlrpc_get_users_blogs_enabled?
+        if xmlrpc&.enabled? &&
+           xmlrpc.available_methods.include?('wp.getUsersBlogs') &&
+           !xmlrpc.method_call('wp.getUsersBlogs', [SecureRandom.hex[0, 6], SecureRandom.hex[0, 4]])
+                  .run.body.match?(/>\s*405\s*</)
+
+          true
+        else
+          false
         end
       end
 
       # @return [ CMSScanner::Finders::Finder ]
       def attacker_from_automatic_detection
-        if xmlrpc&.enabled? && xmlrpc.available_methods.include?('wp.getUsersBlogs')
+        if xmlrpc_get_users_blogs_enabled?
           wp_version = target.wp_version
 
           if wp_version && wp_version < '4.4'
-            WPScan::Finders::Passwords::XMLRPCMulticall.new(xmlrpc)
+            Finders::Passwords::XMLRPCMulticall.new(xmlrpc)
           else
-            WPScan::Finders::Passwords::XMLRPC.new(xmlrpc)
+            Finders::Passwords::XMLRPC.new(xmlrpc)
           end
+        elsif target.login_url
+          Finders::Passwords::WpLogin.new(target)
         else
-          WPScan::Finders::Passwords::WpLogin.new(target)
+          raise Error::NoLoginInterfaceDetected
         end
       end
 
       # @return [ Array<Users> ] The users to brute force
       def users
-        return target.users unless parsed_options[:usernames]
+        return target.users unless ParsedCli.usernames
 
-        parsed_options[:usernames].reduce([]) do |acc, elem|
+        ParsedCli.usernames.reduce([]) do |acc, elem|
-          acc << CMSScanner::User.new(elem.chomp)
+          acc << Model::User.new(elem.chomp)
-        end
-      end
-
-      # @param [ String ] wordlist_path
-      #
-      # @return [ Array<String> ]
-      def passwords(wordlist_path)
-        @passwords ||= File.open(wordlist_path).reduce([]) do |acc, elem|
-          acc << elem.chomp
         end
       end
     end

app/controllers/vuln_api.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Controller
+    # Controller to handle the API token
+    class VulnApi < CMSScanner::Controller::Base
+      ENV_KEY = 'WPSCAN_API_TOKEN'
+
+      def cli_options
+        [
+          OptString.new(
+            ['--api-token TOKEN',
+             'The WPScan API Token to display vulnerability data, available at https://wpscan.com/profile']
+          )
+        ]
+      end
+
+      def before_scan
+        return unless ParsedCli.api_token || ENV.key?(ENV_KEY)
+
+        DB::VulnApi.token = ParsedCli.api_token || ENV[ENV_KEY]
+
+        api_status = DB::VulnApi.status
+
+        raise Error::InvalidApiToken if api_status['status'] == 'forbidden'
+        raise Error::ApiLimitReached if api_status['requests_remaining'] == 0
+        raise api_status['http_error'] if api_status['http_error']
+      end
+
+      def after_scan
+        output('status', status: DB::VulnApi.status, api_requests: WPScan.api_requests)
+      end
+    end
+  end
+end

app/controllers/wp_version.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module WPScan
   module Controller
     # Wp Version Controller
@@ -15,15 +17,15 @@ module WPScan
       end
 
       def before_scan
-        WPScan::DB::DynamicFinders::Wordpress.create_versions_finders
+        DB::DynamicFinders::Wordpress.create_versions_finders
       end
 
       def run
         output(
           'version',
           version: target.wp_version(
-            mode: parsed_options[:wp_version_detection] || parsed_options[:detection_mode],
+            mode: ParsedCli.wp_version_detection || ParsedCli.detection_mode,
-            confidence_threshold: parsed_options[:wp_version_all] ? 0 : 100,
+            confidence_threshold: ParsedCli.wp_version_all ? 0 : 100,
             show_progression: user_interaction?
           )
         )

app/finders.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative 'finders/interesting_findings'
 require_relative 'finders/wp_items'
 require_relative 'finders/wp_version'

app/finders/config_backups.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative 'config_backups/known_filenames'
 
 module WPScan

app/finders/config_backups/known_filenames.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module WPScan
   module Finders
     module ConfigBackups
@@ -13,11 +15,10 @@ module WPScan
         def aggressive(opts = {})
           found = []
 
-          enumerate(potential_urls(opts), opts) do |res|
+          enumerate(potential_urls(opts), opts.merge(check_full_response: 200)) do |res|
-            # Might need to improve that
             next unless res.body =~ /define/i && res.body !~ /<\s?html/i
 
-            found << WPScan::ConfigBackup.new(res.request.url, found_by: DIRECT_ACCESS, confidence: 100)
+            found << Model::ConfigBackup.new(res.request.url, found_by: DIRECT_ACCESS, confidence: 100)
           end
 
           found

app/finders/db_exports.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative 'db_exports/known_locations'
 
 module WPScan

app/finders/db_exports/known_locations.rb

@@ -1,11 +1,18 @@
+# frozen_string_literal: true
+
 module WPScan
   module Finders
     module DbExports
       # DB Exports finder
-      # See https://github.com/wpscanteam/wpscan-v3/issues/62
       class KnownLocations < CMSScanner::Finders::Finder
         include CMSScanner::Finders::Finder::Enumerator
 
+        def valid_response_codes
+          @valid_response_codes ||= [200, 206].freeze
+        end
+
+        SQL_PATTERN = /(?:DROP|(?:UN)?LOCK|CREATE|ALTER) (?:TABLE|DATABASE)|INSERT INTO/.freeze
+
         # @param [ Hash ] opts
         # @option opts [ String ] :list
         # @option opts [ Boolean ] :show_progression
@@ -14,32 +21,79 @@ module WPScan
         def aggressive(opts = {})
           found = []
 
-          enumerate(potential_urls(opts), opts) do |res|
+          enumerate(potential_urls(opts), opts.merge(check_full_response: valid_response_codes)) do |res|
-            next unless res.code == 200 && res.body =~ /INSERT INTO/
+            if res.effective_url.end_with?('.zip')
+              next unless %r{\Aapplication/zip}i.match?(res.headers['Content-Type'])
+            else
+              next unless SQL_PATTERN.match?(res.body)
+            end
 
-            found << WPScan::DbExport.new(res.request.url, found_by: DIRECT_ACCESS, confidence: 100)
+            found << Model::DbExport.new(res.request.url, found_by: DIRECT_ACCESS, confidence: 100)
           end
 
           found
         end
 
+        def full_request_params
+          @full_request_params ||= { headers: { 'Range' => 'bytes=0-3000' } }
+        end
+
         # @param [ Hash ] opts
         # @option opts [ String ] :list Mandatory
         #
         # @return [ Hash ]
         def potential_urls(opts = {})
-          urls        = {}
+          urls = {}
-          domain_name = target.uri.host[/(^[\w|-]+)/, 1]
+          index = 0
 
-          File.open(opts[:list]).each_with_index do |path, index|
+          File.open(opts[:list]).each do |path|
-            path.gsub!('{domain_name}', domain_name)
+            path.chomp!
 
-            urls[target.url(path.chomp)] = index
+            if path.include?('{domain_name}')
+              urls[target.url(path.gsub('{domain_name}', domain_name))] = index
+
+              if domain_name != domain_name_with_sub
+                urls[target.url(path.gsub('{domain_name}', domain_name_with_sub))] = index + 1
+
+                index += 1
+              end
+            else
+              urls[target.url(path)] = index
+            end
+
+            index += 1
           end
 
           urls
         end
 
+        def domain_name
+          @domain_name ||= if Resolv::AddressRegex.match?(target.uri.host)
+                             target.uri.host
+                           else
+                             (PublicSuffix.domain(target.uri.host) || target.uri.host)[/(^[\w|-]+)/, 1]
+                           end
+        end
+
+        def domain_name_with_sub
+          @domain_name_with_sub ||=
+            if Resolv::AddressRegex.match?(target.uri.host)
+              target.uri.host
+            else
+              parsed = PublicSuffix.parse(target.uri.host)
+
+              if parsed.subdomain
+                parsed.subdomain.gsub(".#{parsed.tld}", '')
+              elsif parsed.domain
+                parsed.domain.gsub(".#{parsed.tld}", '')
+              else
+                target.uri.host
+              end
+            end
+        rescue PublicSuffix::DomainNotAllowed
+          @domain_name_with_sub = target.uri.host
+        end
+
         def create_progress_bar(opts = {})
           super(opts.merge(title: ' Checking DB Exports -'))
         end

app/finders/interesting_findings.rb

@@ -1,8 +1,12 @@
+# frozen_string_literal: true
+
 require_relative 'interesting_findings/readme'
+require_relative 'interesting_findings/wp_cron'
 require_relative 'interesting_findings/multisite'
 require_relative 'interesting_findings/debug_log'
 require_relative 'interesting_findings/backup_db'
 require_relative 'interesting_findings/mu_plugins'
+require_relative 'interesting_findings/php_disabled'
 require_relative 'interesting_findings/registration'
 require_relative 'interesting_findings/tmm_db_migrate'
 require_relative 'interesting_findings/upload_sql_dump'
@@ -23,7 +27,7 @@ module WPScan
           %w[
             Readme DebugLog FullPathDisclosure BackupDB DuplicatorInstallerLog
             Multisite MuPlugins Registration UploadDirectoryListing TmmDbMigrate
-            UploadSQLDump EmergencyPwdResetScript
+            UploadSQLDump EmergencyPwdResetScript WPCron PHPDisabled
           ].each do |f|
             finders << InterestingFindings.const_get(f).new(target)
           end

app/finders/interesting_findings/backup_db.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module WPScan
   module Finders
     module InterestingFindings
@@ -6,17 +8,15 @@ module WPScan
         # @return [ InterestingFinding ]
         def aggressive(_opts = {})
           path = 'wp-content/backup-db/'
-          url  = target.url(path)
+          res  = target.head_and_get(path, [200, 403])
-          res  = Browser.get(url)
 
           return unless [200, 403].include?(res.code) && !target.homepage_or_404?(res)
 
-          WPScan::BackupDB.new(
+          Model::BackupDB.new(
-            url,
+            target.url(path),
             confidence: 70,
             found_by: DIRECT_ACCESS,
-            interesting_entries: target.directory_listing_entries(path),
+            interesting_entries: target.directory_listing_entries(path)
-            references: { url: 'https://github.com/wpscanteam/wpscan/issues/422' }
           )
         end
       end

app/finders/interesting_findings/debug_log.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module WPScan
   module Finders
     module InterestingFindings
@@ -9,10 +11,7 @@ module WPScan
 
           return unless target.debug_log?(path)
 
-          WPScan::DebugLog.new(
+          Model::DebugLog.new(target.url(path), confidence: 100, found_by: DIRECT_ACCESS)
-            target.url(path),
-            confidence: 100, found_by: DIRECT_ACCESS
-          )
         end
       end
     end

app/finders/interesting_findings/duplicator_installer_log.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module WPScan
   module Finders
     module InterestingFindings
@@ -5,17 +7,11 @@ module WPScan
       class DuplicatorInstallerLog < CMSScanner::Finders::Finder
         # @return [ InterestingFinding ]
         def aggressive(_opts = {})
-          url = target.url('installer-log.txt')
+          path = 'installer-log.txt'
-          res = Browser.get(url)
 
-          return unless res.body =~ /DUPLICATOR INSTALL-LOG/
+          return unless /DUPLICATOR(-|\s)?(PRO|LITE)?:? INSTALL-LOG/i.match?(target.head_and_get(path).body)
 
-          WPScan::DuplicatorInstallerLog.new(
+          Model::DuplicatorInstallerLog.new(target.url(path), confidence: 100, found_by: DIRECT_ACCESS)
-            url,
-            confidence: 100,
-            found_by: DIRECT_ACCESS,
-            references: { url: 'https://www.exploit-db.com/ghdb/3981/' }
-          )
         end
       end
     end

app/finders/interesting_findings/emergency_pwd_reset_script.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module WPScan
   module Finders
     module InterestingFindings
@@ -5,18 +7,15 @@ module WPScan
       class EmergencyPwdResetScript < CMSScanner::Finders::Finder
         # @return [ InterestingFinding ]
         def aggressive(_opts = {})
-          url  = target.url('/emergency.php')
+          path = 'emergency.php'
-          res  = Browser.get(url)
+          res  = target.head_and_get(path)
 
           return unless res.code == 200 && !target.homepage_or_404?(res)
 
-          WPScan::EmergencyPwdResetScript.new(
+          Model::EmergencyPwdResetScript.new(
-            url,
+            target.url(path),
-            confidence: res.body =~ /password/i ? 100 : 40,
+            confidence: /password/i.match?(res.body) ? 100 : 40,
-            found_by: DIRECT_ACCESS,
+            found_by: DIRECT_ACCESS
-            references: {
-              url: 'https://codex.wordpress.org/Resetting_Your_Password#Using_the_Emergency_Password_Reset_Script'
-            }
           )
         end
       end

app/finders/interesting_findings/full_path_disclosure.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module WPScan
   module Finders
     module InterestingFindings
@@ -10,7 +12,7 @@ module WPScan
 
           return if fpd_entries.empty?
 
-          WPScan::FullPathDisclosure.new(
+          Model::FullPathDisclosure.new(
             target.url(path),
             confidence: 100,
             found_by: DIRECT_ACCESS,

app/finders/interesting_findings/mu_plugins.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module WPScan
   module Finders
     module InterestingFindings
@@ -5,20 +7,16 @@ module WPScan
       class MuPlugins < CMSScanner::Finders::Finder
         # @return [ InterestingFinding ]
         def passive(_opts = {})
-          pattern = %r{#{target.content_dir}/mu\-plugins/}i
+          pattern = %r{#{target.content_dir}/mu-plugins/}i
 
-          target.in_scope_urls(target.homepage_res) do |url|
+          target.in_scope_uris(target.homepage_res, '(//@href|//@src)[contains(., "mu-plugins")]') do |uri|
-            next unless Addressable::URI.parse(url).path =~ pattern
+            next unless uri.path&.match?(pattern)
 
             url = target.url('wp-content/mu-plugins/')
 
-            return WPScan::MuPlugins.new(
+            target.mu_plugins = true
-              url,
+
-              confidence: 70,
+            return Model::MuPlugins.new(url, confidence: 70, found_by: 'URLs In Homepage (Passive Detection)')
-              found_by: 'URLs In Homepage (Passive Detection)',
-              to_s: "This site has 'Must Use Plugins': #{url}",
-              references: { url: 'http://codex.wordpress.org/Must_Use_Plugins' }
-            )
           end
           nil
         end
@@ -31,17 +29,9 @@ module WPScan
           return unless [200, 401, 403].include?(res.code)
           return if target.homepage_or_404?(res)
 
-          # TODO: add the check for --exclude-content once implemented ?
-
           target.mu_plugins = true
 
-          WPScan::MuPlugins.new(
+          Model::MuPlugins.new(url, confidence: 80, found_by: DIRECT_ACCESS)
-            url,
-            confidence: 80,
-            found_by: DIRECT_ACCESS,
-            to_s: "This site has 'Must Use Plugins': #{url}",
-            references: { url: 'http://codex.wordpress.org/Must_Use_Plugins' }
-          )
         end
       end
     end

app/finders/interesting_findings/multisite.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module WPScan
   module Finders
     module InterestingFindings
@@ -10,18 +12,12 @@ module WPScan
           location = res.headers_hash['location']
 
           return unless [200, 302].include?(res.code)
-          return if res.code == 302 && location =~ /wp-login\.php\?action=register/
+          return if res.code == 302 && location&.include?('wp-login.php?action=register')
-          return unless res.code == 200 || res.code == 302 && location =~ /wp-signup\.php/
+          return unless res.code == 200 || (res.code == 302 && location&.include?('wp-signup.php'))
 
           target.multisite = true
 
-          WPScan::Multisite.new(
+          Model::Multisite.new(url, confidence: 100, found_by: DIRECT_ACCESS)
-            url,
-            confidence: 100,
-            found_by: DIRECT_ACCESS,
-            to_s: 'This site seems to be a multisite',
-            references: { url: 'http://codex.wordpress.org/Glossary#Multisite' }
-          )
         end
       end
     end

app/finders/interesting_findings/php_disabled.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module InterestingFindings
+      # See https://github.com/wpscanteam/wpscan/issues/1593
+      class PHPDisabled < CMSScanner::Finders::Finder
+        PATTERN = /\$wp_version =/.freeze
+
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          path = 'wp-includes/version.php'
+
+          return unless PATTERN.match?(target.head_and_get(path).body)
+
+          Model::PHPDisabled.new(target.url(path), confidence: 100, found_by: DIRECT_ACCESS)
+        end
+      end
+    end
+  end
+end

app/finders/interesting_findings/readme.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module WPScan
   module Finders
     module InterestingFindings
@@ -5,14 +7,14 @@ module WPScan
       class Readme < CMSScanner::Finders::Finder
         # @return [ InterestingFinding ]
         def aggressive(_opts = {})
-          potential_files.each do |file|
+          potential_files.each do |path|
-            url = target.url(file)
+            res = target.head_and_get(path)
-            res = Browser.get(url)
 
-            if res.code == 200 && res.body =~ /wordpress/i
+            next unless res.code == 200 && res.body =~ /wordpress/i
-              return WPScan::Readme.new(url, confidence: 100, found_by: DIRECT_ACCESS)
+
-            end
+            return Model::Readme.new(target.url(path), confidence: 100, found_by: DIRECT_ACCESS)
           end
+
           nil
         end
 

app/finders/interesting_findings/registration.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module WPScan
   module Finders
     module InterestingFindings
@@ -18,12 +20,7 @@ module WPScan
 
           target.registration_enabled = true
 
-          WPScan::Registration.new(
+          Model::Registration.new(res.effective_url, confidence: 100, found_by: DIRECT_ACCESS)
-            res.effective_url,
-            confidence: 100,
-            found_by: DIRECT_ACCESS,
-            to_s: "Registration is enabled: #{res.effective_url}"
-          )
         end
       end
     end

app/finders/interesting_findings/tmm_db_migrate.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module WPScan
   module Finders
     module InterestingFindings
@@ -7,16 +9,11 @@ module WPScan
         def aggressive(_opts = {})
           path = 'wp-content/uploads/tmm_db_migrate/tmm_db_migrate.zip'
           url  = target.url(path)
-          res  = Browser.get(url)
+          res  = browser.forge_request(url, target.head_or_get_request_params).run
 
           return unless res.code == 200 && res.headers['Content-Type'] =~ %r{\Aapplication/zip}i
 
-          WPScan::TmmDbMigrate.new(
+          Model::TmmDbMigrate.new(url, confidence: 100, found_by: DIRECT_ACCESS)
-            url,
-            confidence: 100,
-            found_by: DIRECT_ACCESS,
-            references: { packetstorm: 131_957 }
-          )
         end
       end
     end

app/finders/interesting_findings/upload_directory_listing.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module WPScan
   module Finders
     module InterestingFindings
@@ -11,12 +13,7 @@ module WPScan
 
           url = target.url(path)
 
-          WPScan::UploadDirectoryListing.new(
+          Model::UploadDirectoryListing.new(url, confidence: 100, found_by: DIRECT_ACCESS)
-            url,
-            confidence: 100,
-            found_by: DIRECT_ACCESS,
-            to_s: "Upload directory has listing enabled: #{url}"
-          )
         end
       end
     end

app/finders/interesting_findings/upload_sql_dump.rb

@@ -1,26 +1,20 @@
+# frozen_string_literal: true
+
 module WPScan
   module Finders
     module InterestingFindings
       # UploadSQLDump finder
       class UploadSQLDump < CMSScanner::Finders::Finder
-        SQL_PATTERN = /(?:(?:(?:DROP|CREATE) TABLE)|INSERT INTO)/.freeze
+        SQL_PATTERN = /(?:DROP|CREATE|(?:UN)?LOCK) TABLE|INSERT INTO/.freeze
 
         # @return [ InterestingFinding ]
         def aggressive(_opts = {})
-          url = dump_url
+          path = 'wp-content/uploads/dump.sql'
-          res = Browser.get(url)
+          res  = target.head_and_get(path, [200], get: { headers: { 'Range' => 'bytes=0-3000' } })
 
-          return unless res.code == 200 && res.body =~ SQL_PATTERN
+          return unless SQL_PATTERN.match?(res.body)
 
-          WPScan::UploadSQLDump.new(
+          Model::UploadSQLDump.new(target.url(path), confidence: 100, found_by: DIRECT_ACCESS)
-            url,
-            confidence: 100,
-            found_by: DIRECT_ACCESS
-          )
-        end
-
-        def dump_url
-          target.url('wp-content/uploads/dump.sql')
         end
       end
     end

app/finders/interesting_findings/wp_cron.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module InterestingFindings
+      # wp-cron.php finder
+      class WPCron < CMSScanner::Finders::Finder
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          res = Browser.get(wp_cron_url)
+
+          return unless res.code == 200
+
+          Model::WPCron.new(wp_cron_url, confidence: 60, found_by: DIRECT_ACCESS)
+        end
+
+        def wp_cron_url
+          @wp_cron_url ||= target.url('wp-cron.php')
+        end
+      end
+    end
+  end
+end

app/finders/main_theme.rb

@@ -1,6 +1,10 @@
-require_relative 'main_theme/css_style'
+# frozen_string_literal: true
+
+require_relative 'main_theme/css_style_in_homepage'
+require_relative 'main_theme/css_style_in_404_page'
 require_relative 'main_theme/woo_framework_meta_generator'
 require_relative 'main_theme/urls_in_homepage'
+require_relative 'main_theme/urls_in_404_page'
 
 module WPScan
   module Finders
@@ -12,9 +16,11 @@ module WPScan
         # @param [ WPScan::Target ] target
         def initialize(target)
           finders <<
-            MainTheme::CssStyle.new(target) <<
+            MainTheme::CssStyleInHomepage.new(target) <<
+            MainTheme::CssStyleIn404Page.new(target) <<
             MainTheme::WooFrameworkMetaGenerator.new(target) <<
-            MainTheme::UrlsInHomepage.new(target)
+            MainTheme::UrlsInHomepage.new(target) <<
+            MainTheme::UrlsIn404Page.new(target)
         end
       end
     end

app/finders/main_theme/css_style_in_404_page.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module MainTheme
+      # From the CSS style in the 404 page
+      class CssStyleIn404Page < CssStyleInHomepage
+        def passive(opts = {})
+          passive_from_css_href(target.error_404_res, opts) || passive_from_style_code(target.error_404_res, opts)
+        end
+      end
+    end
+  end
+end

app/finders/main_theme/css_style_in_homepage.rb

@@ -1,12 +1,14 @@
+# frozen_string_literal: true
+
 module WPScan
   module Finders
     module MainTheme
-      # From the css style
+      # From the CSS style in the homepage
-      class CssStyle < CMSScanner::Finders::Finder
+      class CssStyleInHomepage < CMSScanner::Finders::Finder
-        include Finders::WpItems::URLsInHomepage
+        include Finders::WpItems::UrlsInPage # To have the item_code_pattern method available here
 
         def create_theme(slug, style_url, opts)
-          WPScan::Theme.new(
+          Model::Theme.new(
             slug,
             target,
             opts.merge(found_by: found_by, confidence: 70, style_url: style_url)
@@ -18,10 +20,10 @@ module WPScan
         end
 
         def passive_from_css_href(res, opts)
-          target.in_scope_urls(res, '//style/@src|//link/@href') do |url|
+          target.in_scope_uris(res, '//link/@href[contains(., "style.css")]') do |uri|
-            next unless Addressable::URI.parse(url).path =~ %r{/themes/([^\/]+)/style.css\z}i
+            next unless uri.path =~ %r{/themes/([^/]+)/style.css\z}i
 
-            return create_theme(Regexp.last_match[1], url, opts)
+            return create_theme(Regexp.last_match[1], uri.to_s, opts)
           end
           nil
         end
@@ -31,7 +33,7 @@ module WPScan
             code = tag.text.to_s
             next if code.empty?
 
-            next unless code =~ %r{#{item_code_pattern('themes')}\\?/style\.css[^"'\( ]*}i
+            next unless code =~ %r{#{item_code_pattern('themes')}\\?/style\.css[^"'( ]*}i
 
             return create_theme(Regexp.last_match[1], Regexp.last_match[0].strip, opts)
           end

app/finders/main_theme/urls_in_404_page.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module MainTheme
+      # URLs In 404 Page Finder
+      class UrlsIn404Page < UrlsInHomepage
+        # @return [ Typhoeus::Response ]
+        def page_res
+          @page_res ||= target.error_404_res
+        end
+      end
+    end
+  end
+end

app/finders/main_theme/urls_in_homepage.rb

@@ -1,9 +1,11 @@
+# frozen_string_literal: true
+
 module WPScan
   module Finders
     module MainTheme
       # URLs In Homepage Finder
       class UrlsInHomepage < CMSScanner::Finders::Finder
-        include WpItems::URLsInHomepage
+        include WpItems::UrlsInPage
 
         # @param [ Hash ] opts
         #
@@ -11,14 +13,19 @@ module WPScan
         def passive(opts = {})
           found = []
 
-          slugs = items_from_links('themes', false) + items_from_codes('themes', false)
+          slugs = items_from_links('themes', uniq: false) + items_from_codes('themes', uniq: false)
 
           slugs.each_with_object(Hash.new(0)) { |slug, counts| counts[slug] += 1 }.each do |slug, occurences|
-            found << WPScan::Theme.new(slug, target, opts.merge(found_by: found_by, confidence: 2 * occurences))
+            found << Model::Theme.new(slug, target, opts.merge(found_by: found_by, confidence: 2 * occurences))
           end
 
           found
         end
+
+        # @return [ Typhoeus::Response ]
+        def page_res
+          @page_res ||= target.homepage_res
+        end
       end
     end
   end

app/finders/main_theme/woo_framework_meta_generator.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module WPScan
   module Finders
     module MainTheme
@@ -8,9 +10,9 @@ module WPScan
         PATTERN           = /#{THEME_PATTERN}\s+#{FRAMEWORK_PATTERN}/i.freeze
 
         def passive(opts = {})
-          return unless target.homepage_res.body =~ PATTERN
+          return unless target.homepage_res.body =~ PATTERN || target.error_404_res.body =~ PATTERN
 
-          WPScan::Theme.new(
+          Model::Theme.new(
             Regexp.last_match[1],
             target,
             opts.merge(found_by: found_by, confidence: 80)

app/finders/medias.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative 'medias/attachment_brute_forcing'
 
 module WPScan

app/finders/medias/attachment_brute_forcing.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module WPScan
   module Finders
     module Medias
@@ -15,7 +17,7 @@ module WPScan
           enumerate(target_urls(opts), opts) do |res|
             next unless res.code == 200
 
-            found << WPScan::Media.new(res.effective_url, opts.merge(found_by: found_by, confidence: 100))
+            found << Model::Media.new(res.effective_url, opts.merge(found_by: found_by, confidence: 100))
           end
 
           found

app/finders/passwords.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative 'passwords/wp_login'
 require_relative 'passwords/xml_rpc'
 require_relative 'passwords/xml_rpc_multicall'

app/finders/passwords/wp_login.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module WPScan
   module Finders
     module Passwords
@@ -10,7 +12,8 @@ module WPScan
         end
 
         def valid_credentials?(response)
-          response.code == 302
+          response.code == 302 &&
+            Array(response.headers['Set-Cookie'])&.any? { |cookie| cookie =~ /wordpress_logged_in_/i }
         end
 
         def errored_response?(response)

app/finders/passwords/xml_rpc.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module WPScan
   module Finders
     module Passwords
@@ -6,15 +8,15 @@ module WPScan
         include CMSScanner::Finders::Finder::BreadthFirstDictionaryAttack
 
         def login_request(username, password)
-          target.method_call('wp.getUsersBlogs', [username, password])
+          target.method_call('wp.getUsersBlogs', [username, password], cache_ttl: 0)
         end
 
         def valid_credentials?(response)
-          response.code == 200 && response.body =~ /blogName/
+          response.code == 200 && response.body.include?('blogName')
         end
 
         def errored_response?(response)
-          response.code != 200 && response.body !~ /login_error/i
+          response.code != 200 && response.body !~ /Incorrect username or password/i
         end
       end
     end

app/finders/passwords/xml_rpc_multicall.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module WPScan
   module Finders
     module Passwords
@@ -17,32 +19,58 @@ module WPScan
             end
           end
 
-          target.multi_call(methods).run
+          target.multi_call(methods, cache_ttl: 0).run
         end
 
-        # @param [ Array<CMSScanner::User> ] users
+        # @param [ IO ] file
-        # @param [ Array<String> ] passwords
+        # @param [ Integer ] passwords_size
+        # @return [ Array<String> ] The passwords from the last checked position in the file until there are
+        #                           passwords_size passwords retrieved
+        def passwords_from_wordlist(file, passwords_size)
+          pwds       = []
+          added_pwds = 0
+
+          return pwds if passwords_size.zero?
+
+          # Make sure that the main code does not call #sysseek or #count etc
+          # otherwise the file descriptor will be set to somwehere else
+          file.each_line(chomp: true) do |line|
+            pwds << line
+            added_pwds += 1
+
+            break if added_pwds == passwords_size
+          end
+
+          pwds
+        end
+
+        # @param [ Array<Model::User> ] users
+        # @param [ String ] wordlist_path
         # @param [ Hash ] opts
         # @option opts [ Boolean ] :show_progression
         # @option opts [ Integer ] :multicall_max_passwords
         #
-        # @yield [ CMSScanner::User ] When a valid combination is found
+        # @yield [ Model::User ] When a valid combination is found
         #
         # TODO: Make rubocop happy about metrics etc
         #
         # rubocop:disable all
-        def attack(users, passwords, opts = {})
+        def attack(users, wordlist_path, opts = {})
-          wordlist_index         = 0
+          checked_passwords      = 0
+          wordlist               = File.open(wordlist_path)
+          wordlist_size          = wordlist.count
           max_passwords          = opts[:multicall_max_passwords]
           current_passwords_size = passwords_size(max_passwords, users.size)
 
-          create_progress_bar(total: (passwords.size / current_passwords_size.round(1)).ceil,
+          create_progress_bar(total: (wordlist_size / current_passwords_size.round(1)).ceil,
                               show_progression: opts[:show_progression])
 
+          wordlist.sysseek(0) # reset the descriptor to the beginning of the file as it changed with #count
+
           loop do
-            current_users     = users.select { |user| user.password.nil? }
+            current_users      = users.select { |user| user.password.nil? }
-            current_passwords = passwords[wordlist_index, current_passwords_size]
+            current_passwords  = passwords_from_wordlist(wordlist, current_passwords_size)
-            wordlist_index   += current_passwords_size
+            checked_passwords += current_passwords_size
 
             break if current_users.empty? || current_passwords.nil? || current_passwords.empty?
 
@@ -74,16 +102,19 @@ module WPScan
                 break
               end
 
-              progress_bar.total = progress_bar.progress + ((passwords.size - wordlist_index) / current_passwords_size.round(1)).ceil
+              begin
+                progress_bar.total = progress_bar.progress + ((wordlist_size - checked_passwords) / current_passwords_size.round(1)).ceil
+              rescue ProgressBar::InvalidProgressError
+              end
             end
           end
           # Maybe a progress_bar.stop ?
         end
-        # rubocop:disable all
+        # rubocop:enable all
 
         def passwords_size(max_passwords, users_size)
           return 1 if max_passwords < users_size
-          return 0 if users_size == 0
+          return 0 if users_size.zero?
 
           max_passwords / users_size
         end
@@ -92,9 +123,13 @@ module WPScan
         def check_and_output_errors(res)
           progress_bar.log("Incorrect response: #{res.code} / #{res.return_message}") unless res.code == 200
 
-          progress_bar.log('Parsing error, might be caused by a too high --max-passwords value (such as >= 2k)') if res.body =~ /parse error. not well formed/i
+          if /parse error. not well formed/i.match?(res.body)
+            progress_bar.log('Parsing error, might be caused by a too high --max-passwords value (such as >= 2k)')
+          end
 
-          progress_bar.log('The requested method is not supported') if res.body =~ /requested method [^ ]+ does not exist/i
+          return unless /requested method [^ ]+ does not exist/i.match?(res.body)
+
+          progress_bar.log('The requested method is not supported')
         end
       end
     end

app/finders/plugin_version.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative 'plugin_version/readme'
 
 module WPScan
@@ -7,29 +9,19 @@ module WPScan
       class Base
         include CMSScanner::Finders::UniqueFinder
 
-        # @param [ WPScan::Plugin ] plugin
+        # @param [ Model::Plugin ] plugin
         def initialize(plugin)
           finders << PluginVersion::Readme.new(plugin)
 
-          load_specific_finders(plugin)
+          create_and_load_dynamic_versions_finders(plugin)
         end
 
-        # Load the finders associated with the plugin
+        # Create the dynamic version finders related to the plugin and register them
         #
-        # @param [ WPScan::Plugin ] plugin
+        # @param [ Model::Plugin ] plugin
-        def load_specific_finders(plugin)
+        def create_and_load_dynamic_versions_finders(plugin)
-          module_name = plugin.classify
+          DB::DynamicFinders::Plugin.create_versions_finders(plugin.slug).each do |finder|
-
+            finders << finder.new(plugin)
-          return unless Finders::PluginVersion.constants.include?(module_name)
-
-          mod = Finders::PluginVersion.const_get(module_name)
-
-          mod.constants.each do |constant|
-            c = mod.const_get(constant)
-
-            next unless c.is_a?(Class)
-
-            finders << c.new(plugin)
           end
         end
       end

app/finders/plugin_version/readme.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module WPScan
   module Finders
     module PluginVersion
@@ -7,21 +9,23 @@ module WPScan
         def aggressive(_opts = {})
           found_by_msg = 'Readme - %s (Aggressive Detection)'
 
-          WPScan::WpItem::READMES.each do |file|
+          # The target(plugin)#readme_url can't be used directly here
-            url = target.url(file)
+          # as if the --detection-mode is passive, it will always return nil
-            res = Browser.get(url)
+          target.potential_readme_filenames.each do |file|
+            res = target.head_and_get(file)
 
             next unless res.code == 200 && !(numbers = version_numbers(res.body)).empty?
 
             return numbers.reduce([]) do |a, e|
-              a << WPScan::Version.new(
+              a << Model::Version.new(
                 e[0],
                 found_by: format(found_by_msg, e[1]),
                 confidence: e[2],
-                interesting_entries: [url]
+                interesting_entries: [res.effective_url]
               )
             end
           end
+
           nil
         end
 
@@ -44,31 +48,29 @@ module WPScan
         #
         # @return [ String, nil ] The version number detected from the stable tag
         def from_stable_tag(body)
-          return unless body =~ /\b(?:stable tag|version):\s*(?!trunk)([0-9a-z\.-]+)/i
+          return unless body =~ /\b(?:stable tag|version):\s*(?!trunk)([0-9a-z.-]+)/i
 
           number = Regexp.last_match[1]
 
-          number if number =~ /[0-9]+/
+          number if /[0-9]+/.match?(number)
         end
 
         # @param [ String ] body
         #
         # @return [ String, nil ] The best version number detected from the changelog section
         def from_changelog_section(body)
-          extracted_versions = body.scan(%r{[=]+\s+(?:v(?:ersion)?\s*)?([0-9\.-]+)[ \ta-z0-9\(\)\.\-\/]*[=]+}i)
+          extracted_versions = body.scan(/^=+\s+(?:v(?:ersion)?\s*)?([0-9.-]+)[^=]*=+$/i)
 
           return if extracted_versions.nil? || extracted_versions.empty?
 
           extracted_versions.flatten!
           # must contain at least one number
-          extracted_versions = extracted_versions.select { |x| x =~ /[0-9]+/ }
+          extracted_versions = extracted_versions.grep(/[0-9]+/)
 
           sorted = extracted_versions.sort do |x, y|
-            begin
+            Gem::Version.new(x) <=> Gem::Version.new(y)
-              Gem::Version.new(x) <=> Gem::Version.new(y)
+          rescue StandardError
-            rescue StandardError
+            0
-              0
-            end
           end
 
           sorted.last

app/finders/plugins.rb

@@ -1,4 +1,7 @@
+# frozen_string_literal: true
+
 require_relative 'plugins/urls_in_homepage'
+require_relative 'plugins/urls_in_404_page'
 require_relative 'plugins/known_locations'
 # From the DynamicFinders
 require_relative 'plugins/comment'
@@ -20,6 +23,7 @@ module WPScan
         def initialize(target)
           finders <<
             Plugins::UrlsInHomepage.new(target) <<
+            Plugins::UrlsIn404Page.new(target) <<
             Plugins::HeaderPattern.new(target) <<
             Plugins::Comment.new(target) <<
             Plugins::Xpath.new(target) <<

app/finders/plugins/body_pattern.rb

@@ -1,8 +1,10 @@
+# frozen_string_literal: true
+
 module WPScan
   module Finders
     module Plugins
       # Plugins finder from Dynamic Finder 'BodyPattern'
-      class BodyPattern < WPScan::Finders::DynamicFinder::WpItems::Finder
+      class BodyPattern < Finders::DynamicFinder::WpItems::Finder
         DEFAULT_CONFIDENCE = 30
 
         # @param [ Hash ] opts The options from the #passive, #aggressive methods
@@ -13,9 +15,9 @@ module WPScan
         #
         # @return [ Plugin ] The detected plugin in the response, related to the config
         def process_response(opts, response, slug, klass, config)
-          return unless response.body =~ config['pattern']
+          return unless response.body&.match?(config['pattern'])
 
-          Plugin.new(
+          Model::Plugin.new(
             slug,
             target,
             opts.merge(found_by: found_by(klass), confidence: config['confidence'] || DEFAULT_CONFIDENCE)

app/finders/plugins/comment.rb

@@ -1,8 +1,10 @@
+# frozen_string_literal: true
+
 module WPScan
   module Finders
     module Plugins
       # Plugins finder from the Dynamic Finder 'Comment'
-      class Comment < WPScan::Finders::DynamicFinder::WpItems::Finder
+      class Comment < Finders::DynamicFinder::WpItems::Finder
         DEFAULT_CONFIDENCE = 30
 
         # @param [ Hash ] opts The options from the #passive, #aggressive methods
@@ -16,9 +18,9 @@ module WPScan
           response.html.xpath(config['xpath'] || '//comment()').each do |node|
             comment = node.text.to_s.strip
 
-            next unless comment =~ config['pattern']
+            next unless comment&.match?(config['pattern'])
 
-            return Plugin.new(
+            return Model::Plugin.new(
               slug,
               target,
               opts.merge(found_by: found_by(klass), confidence: config['confidence'] || DEFAULT_CONFIDENCE)

app/finders/plugins/config_parser.rb

@@ -1,8 +1,10 @@
+# frozen_string_literal: true
+
 module WPScan
   module Finders
     module Plugins
       # Plugins finder from Dynamic Finder 'ConfigParser'
-      class ConfigParser < WPScan::Finders::DynamicFinder::WpItems::Finder
+      class ConfigParser < Finders::DynamicFinder::WpItems::Finder
         DEFAULT_CONFIDENCE = 40
 
         # @param [ Hash ] opts The options from the #passive, #aggressive methods
@@ -19,7 +21,7 @@ module WPScan
           # when checking for plugins
           #
 
-          Plugin.new(
+          Model::Plugin.new(
             slug,
             target,
             opts.merge(found_by: found_by(klass), confidence: config['confidence'] || DEFAULT_CONFIDENCE)

app/finders/plugins/header_pattern.rb

@@ -1,8 +1,10 @@
+# frozen_string_literal: true
+
 module WPScan
   module Finders
     module Plugins
       # Plugins finder from Dynamic Finder 'HeaderPattern'
-      class HeaderPattern < WPScan::Finders::DynamicFinder::WpItems::Finder
+      class HeaderPattern < Finders::DynamicFinder::WpItems::Finder
         DEFAULT_CONFIDENCE = 30
 
         # @param [ Hash ] opts
@@ -18,7 +20,7 @@ module WPScan
             configs.each do |klass, config|
               next unless headers[config['header']] && headers[config['header']].to_s =~ config['pattern']
 
-              found << Plugin.new(
+              found << Model::Plugin.new(
                 slug,
                 target,
                 opts.merge(found_by: found_by(klass), confidence: config['confidence'] || DEFAULT_CONFIDENCE)

app/finders/plugins/javascript_var.rb

@@ -1,8 +1,10 @@
+# frozen_string_literal: true
+
 module WPScan
   module Finders
     module Plugins
       # Plugins finder from the Dynamic Finder 'JavascriptVar'
-      class JavascriptVar < WPScan::Finders::DynamicFinder::WpItems::Finder
+      class JavascriptVar < Finders::DynamicFinder::WpItems::Finder
         DEFAULT_CONFIDENCE = 60
 
         # @param [ Hash ] opts The options from the #passive, #aggressive methods
@@ -16,7 +18,7 @@ module WPScan
           response.html.xpath(config['xpath'] || '//script[not(@src)]').each do |node|
             next if config['pattern'] && !node.text.match(config['pattern'])
 
-            return Plugin.new(
+            return Model::Plugin.new(
               slug,
               target,
               opts.merge(found_by: found_by(klass), confidence: config['confidence'] || DEFAULT_CONFIDENCE)

app/finders/plugins/known_locations.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module WPScan
   module Finders
     module Plugins
@@ -5,6 +7,11 @@ module WPScan
       class KnownLocations < CMSScanner::Finders::Finder
         include CMSScanner::Finders::Finder::Enumerator
 
+        # @return [ Array<Integer> ]
+        def valid_response_codes
+          @valid_response_codes ||= [200, 401, 403, 500].freeze
+        end
+
         # @param [ Hash ] opts
         # @option opts [ String ] :list
         #
@@ -12,12 +19,14 @@ module WPScan
         def aggressive(opts = {})
           found = []
 
-          enumerate(target_urls(opts), opts) do |res, slug|
+          enumerate(target_urls(opts), opts.merge(check_full_response: true)) do |res, slug|
-            # TODO: follow the location (from enumerate()) and remove the 301 here ?
+            finding_opts = opts.merge(found_by: found_by,
-            # As a result, it might remove false positive due to redirection to the homepage
+                                      confidence: 80,
-            next unless [200, 401, 403, 301].include?(res.code)
+                                      interesting_entries: ["#{res.effective_url}, status: #{res.code}"])
 
-            found << WPScan::Plugin.new(slug, target, opts.merge(found_by: found_by, confidence: 80))
+            found << Model::Plugin.new(slug, target, finding_opts)
+
+            raise Error::PluginsThresholdReached if opts[:threshold].positive? && found.size >= opts[:threshold]
           end
 
           found
@@ -30,10 +39,9 @@ module WPScan
         def target_urls(opts = {})
           slugs       = opts[:list] || DB::Plugins.vulnerable_slugs
           urls        = {}
-          plugins_url = target.plugins_url
 
           slugs.each do |slug|
-            urls["#{plugins_url}#{URI.encode(slug)}/"] = slug
+            urls[target.plugin_url(slug)] = slug
           end
 
           urls

app/finders/plugins/query_parameter.rb

@@ -1,8 +1,10 @@
+# frozen_string_literal: true
+
 module WPScan
   module Finders
     module Plugins
       # Plugins finder from Dynamic Finder 'QueryParameter'
-      class QueryParameter < WPScan::Finders::DynamicFinder::WpItems::Finder
+      class QueryParameter < Finders::DynamicFinder::WpItems::Finder
         DEFAULT_CONFIDENCE = 10
 
         def passive(_opts = {})

app/finders/plugins/urls_in_404_page.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module Plugins
+      # URLs In 404 Page Finder
+      # Typically, the items detected from URLs like /wp-content/plugins/<slug>/
+      class UrlsIn404Page < UrlsInHomepage
+        # @return [ Typhoeus::Response ]
+        def page_res
+          @page_res ||= target.error_404_res
+        end
+      end
+    end
+  end
+end

app/finders/plugins/urls_in_homepage.rb

@@ -1,11 +1,12 @@
+# frozen_string_literal: true
+
 module WPScan
   module Finders
     module Plugins
       # URLs In Homepage Finder
-      # Typically, the items detected from URLs like
+      # Typically, the items detected from URLs like /wp-content/plugins/<slug>/
-      # /wp-content/plugins/<slug>/
       class UrlsInHomepage < CMSScanner::Finders::Finder
-        include WpItems::URLsInHomepage
+        include WpItems::UrlsInPage
 
         # @param [ Hash ] opts
         #
@@ -14,11 +15,16 @@ module WPScan
           found = []
 
           (items_from_links('plugins') + items_from_codes('plugins')).uniq.sort.each do |slug|
-            found << Plugin.new(slug, target, opts.merge(found_by: found_by, confidence: 80))
+            found << Model::Plugin.new(slug, target, opts.merge(found_by: found_by, confidence: 80))
           end
 
           found
         end
+
+        # @return [ Typhoeus::Response ]
+        def page_res
+          @page_res ||= target.homepage_res
+        end
       end
     end
   end

app/finders/plugins/xpath.rb

@@ -1,8 +1,10 @@
+# frozen_string_literal: true
+
 module WPScan
   module Finders
     module Plugins
       # Plugins finder from the Dynamic Finder 'Xpath'
-      class Xpath < WPScan::Finders::DynamicFinder::WpItems::Finder
+      class Xpath < Finders::DynamicFinder::WpItems::Finder
         DEFAULT_CONFIDENCE = 40
 
         # @param [ Hash ] opts The options from the #passive, #aggressive methods
@@ -16,7 +18,7 @@ module WPScan
           response.html.xpath(config['xpath']).each do |node|
             next if config['pattern'] && !node.text.match(config['pattern'])
 
-            return Plugin.new(
+            return Model::Plugin.new(
               slug,
               target,
               opts.merge(found_by: found_by(klass), confidence: config['confidence'] || DEFAULT_CONFIDENCE)

app/finders/theme_version.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative 'theme_version/style'
 require_relative 'theme_version/woo_framework_meta_generator'
 
@@ -8,31 +10,21 @@ module WPScan
       class Base
         include CMSScanner::Finders::UniqueFinder
 
-        # @param [ WPScan::Theme ] theme
+        # @param [ Model::Theme ] theme
         def initialize(theme)
           finders <<
             ThemeVersion::Style.new(theme) <<
             ThemeVersion::WooFrameworkMetaGenerator.new(theme)
 
-          load_specific_finders(theme)
+          create_and_load_dynamic_versions_finders(theme)
         end
 
-        # Load the finders associated with the theme
+        # Create the dynamic version finders related to the theme and register them
         #
-        # @param [ WPScan::Theme ] theme
+        # @param [ Model::Theme ] theme
-        def load_specific_finders(theme)
+        def create_and_load_dynamic_versions_finders(theme)
-          module_name = theme.classify
+          DB::DynamicFinders::Theme.create_versions_finders(theme.slug).each do |finder|
-
+            finders << finder.new(theme)
-          return unless Finders::ThemeVersion.constants.include?(module_name)
-
-          mod = Finders::ThemeVersion.const_get(module_name)
-
-          mod.constants.each do |constant|
-            c = mod.const_get(constant)
-
-            next unless c.is_a?(Class)
-
-            finders << c.new(theme)
           end
         end
       end

app/finders/theme_version/style.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module WPScan
   module Finders
     module ThemeVersion
@@ -28,9 +30,9 @@ module WPScan
 
         # @return [ Version ]
         def style_version
-          return unless Browser.get(target.style_url).body =~ /Version:[\t ]*(?!trunk)([0-9a-z\.-]+)/i
+          return unless Browser.get(target.style_url).body =~ /Version:[\t ]*(?!trunk)([0-9a-z.-]+)/i
 
-          WPScan::Version.new(
+          Model::Version.new(
             Regexp.last_match[1],
             found_by: found_by,
             confidence: 80,

app/finders/theme_version/woo_framework_meta_generator.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module WPScan
   module Finders
     module ThemeVersion
@@ -11,7 +13,7 @@ module WPScan
 
           return unless Regexp.last_match[1] == target.slug
 
-          WPScan::Version.new(Regexp.last_match[2], found_by: found_by, confidence: 80)
+          Model::Version.new(Regexp.last_match[2], found_by: found_by, confidence: 80)
         end
       end
     end

app/finders/themes.rb

@@ -1,10 +1,13 @@
+# frozen_string_literal: true
+
 require_relative 'themes/urls_in_homepage'
+require_relative 'themes/urls_in_404_page'
 require_relative 'themes/known_locations'
 
 module WPScan
   module Finders
     module Themes
-      # themes Finder
+      # Themes Finder
       class Base
         include CMSScanner::Finders::SameTypeFinder
 
@@ -12,6 +15,7 @@ module WPScan
         def initialize(target)
           finders <<
             Themes::UrlsInHomepage.new(target) <<
+            Themes::UrlsIn404Page.new(target) <<
             Themes::KnownLocations.new(target)
         end
       end

app/finders/themes/known_locations.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module WPScan
   module Finders
     module Themes
@@ -5,6 +7,11 @@ module WPScan
       class KnownLocations < CMSScanner::Finders::Finder
         include CMSScanner::Finders::Finder::Enumerator
 
+        # @return [ Array<Integer> ]
+        def valid_response_codes
+          @valid_response_codes ||= [200, 401, 403, 500].freeze
+        end
+
         # @param [ Hash ] opts
         # @option opts [ String ] :list
         #
@@ -12,12 +19,14 @@ module WPScan
         def aggressive(opts = {})
           found = []
 
-          enumerate(target_urls(opts), opts) do |res, slug|
+          enumerate(target_urls(opts), opts.merge(check_full_response: true)) do |res, slug|
-            # TODO: follow the location (from enumerate()) and remove the 301 here ?
+            finding_opts = opts.merge(found_by: found_by,
-            # As a result, it might remove false positive due to redirection to the homepage
+                                      confidence: 80,
-            next unless [200, 401, 403, 301].include?(res.code)
+                                      interesting_entries: ["#{res.effective_url}, status: #{res.code}"])
 
-            found << WPScan::Theme.new(slug, target, opts.merge(found_by: found_by, confidence: 80))
+            found << Model::Theme.new(slug, target, finding_opts)
+
+            raise Error::ThemesThresholdReached if opts[:threshold].positive? && found.size >= opts[:threshold]
           end
 
           found
@@ -28,12 +37,11 @@ module WPScan
         #
         # @return [ Hash ]
         def target_urls(opts = {})
-          slugs       = opts[:list] || DB::Themes.vulnerable_slugs
+          slugs = opts[:list] || DB::Themes.vulnerable_slugs
-          urls        = {}
+          urls  = {}
-          themes_url  = target.url('wp-content/themes/')
 
           slugs.each do |slug|
-            urls["#{themes_url}#{URI.encode(slug)}/"] = slug
+            urls[target.theme_url(slug)] = slug
           end
 
           urls

app/finders/themes/urls_in_404_page.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module Themes
+      # URLs In 04 Page Finder
+      class UrlsIn404Page < UrlsInHomepage
+        # @return [ Typhoeus::Response ]
+        def page_res
+          @page_res ||= target.error_404_res
+        end
+      end
+    end
+  end
+end

app/finders/themes/urls_in_homepage.rb

@@ -1,9 +1,11 @@
+# frozen_string_literal: true
+
 module WPScan
   module Finders
     module Themes
       # URLs In Homepage Finder
       class UrlsInHomepage < CMSScanner::Finders::Finder
-        include WpItems::URLsInHomepage
+        include WpItems::UrlsInPage
 
         # @param [ Hash ] opts
         #
@@ -12,11 +14,16 @@ module WPScan
           found = []
 
           (items_from_links('themes') + items_from_codes('themes')).uniq.sort.each do |slug|
-            found << WPScan::Theme.new(slug, target, opts.merge(found_by: found_by, confidence: 80))
+            found << Model::Theme.new(slug, target, opts.merge(found_by: found_by, confidence: 80))
           end
 
           found
         end
+
+        # @return [ Typhoeus::Response ]
+        def page_res
+          @page_res ||= target.homepage_res
+        end
       end
     end
   end

app/finders/timthumb_version.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative 'timthumb_version/bad_request'
 
 module WPScan
@@ -7,7 +9,7 @@ module WPScan
       class Base
         include CMSScanner::Finders::UniqueFinder
 
-        # @param [ WPScan::Timthumb ] target
+        # @param [ Model::Timthumb ] target
         def initialize(target)
           finders << TimthumbVersion::BadRequest.new(target)
         end

app/finders/timthumb_version/bad_request.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module WPScan
   module Finders
     module TimthumbVersion
@@ -8,7 +10,7 @@ module WPScan
         def aggressive(_opts = {})
           return unless Browser.get(target.url).body =~ /(TimThumb version\s*: ([^<]+))/
 
-          WPScan::Version.new(
+          Model::Version.new(
             Regexp.last_match[2],
             found_by: 'Bad Request (Aggressive Detection)',
             confidence: 90,

app/finders/timthumbs.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative 'timthumbs/known_locations'
 
 module WPScan

app/finders/timthumbs/known_locations.rb

@@ -1,10 +1,19 @@
+# frozen_string_literal: true
+
 module WPScan
   module Finders
     module Timthumbs
       # Known Locations Timthumbs Finder
+      # Note: A vulnerable version, 2.8.13 can be found here:
+      # https://github.com/GabrielGil/TimThumb/blob/980c3d6a823477761570475e8b83d3e9fcd2d7ae/timthumb.php
       class KnownLocations < CMSScanner::Finders::Finder
         include CMSScanner::Finders::Finder::Enumerator
 
+        # @return [ Array<Integer> ]
+        def valid_response_codes
+          @valid_response_codes ||= [400]
+        end
+
         # @param [ Hash ] opts
         # @option opts [ String ] :list Mandatory
         #
@@ -12,10 +21,10 @@ module WPScan
         def aggressive(opts = {})
           found = []
 
-          enumerate(target_urls(opts), opts) do |res|
+          enumerate(target_urls(opts), opts.merge(check_full_response: 400)) do |res|
-            next unless res.code == 400 && res.body =~ /no image specified/i
+            next unless /no image specified/i.match?(res.body)
 
-            found << WPScan::Timthumb.new(res.request.url, opts.merge(found_by: found_by, confidence: 100))
+            found << Model::Timthumb.new(res.request.url, opts.merge(found_by: found_by, confidence: 100))
           end
 
           found

app/finders/users.rb

@@ -1,13 +1,26 @@
+# frozen_string_literal: true
+
 require_relative 'users/author_posts'
 require_relative 'users/wp_json_api'
 require_relative 'users/oembed_api'
 require_relative 'users/rss_generator'
 require_relative 'users/author_id_brute_forcing'
 require_relative 'users/login_error_messages'
-require_relative 'users/yoast_seo_author_sitemap.rb'
+require_relative 'users/author_sitemap'
+require_relative 'users/yoast_seo_author_sitemap'
 
 module WPScan
   module Finders
+    # Specific Finders container to filter the usernames found
+    # and remove the ones matching ParsedCli.exclude_username if supplied
+    class UsersFinders < SameTypeFinders
+      def filter_findings
+        findings.delete_if { |user| ParsedCli.exclude_usernames.match?(user.username) } if ParsedCli.exclude_usernames
+
+        findings
+      end
+    end
+
     module Users
       # Users Finder
       class Base
@@ -20,10 +33,15 @@ module WPScan
             Users::WpJsonApi.new(target) <<
             Users::OembedApi.new(target) <<
             Users::RSSGenerator.new(target) <<
+            Users::AuthorSitemap.new(target) <<
             Users::YoastSeoAuthorSitemap.new(target) <<
             Users::AuthorIdBruteForcing.new(target) <<
             Users::LoginErrorMessages.new(target)
         end
+
+        def finders
+          @finders ||= Finders::UsersFinders.new
+        end
       end
     end
   end

app/finders/users/author_id_brute_forcing.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module WPScan
   module Finders
     module Users
@@ -5,6 +7,11 @@ module WPScan
       class AuthorIdBruteForcing < CMSScanner::Finders::Finder
         include CMSScanner::Finders::Finder::Enumerator
 
+        # @return [ Array<Integer> ]
+        def valid_response_codes
+          @valid_response_codes ||= [200, 301, 302]
+        end
+
         # @param [ Hash ] opts
         # @option opts [ Range ] :range Mandatory
         #
@@ -13,12 +20,12 @@ module WPScan
           found = []
           found_by_msg = 'Author Id Brute Forcing - %s (Aggressive Detection)'
 
-          enumerate(target_urls(opts), opts) do |res, id|
+          enumerate(target_urls(opts), opts.merge(check_full_response: true)) do |res, id|
             username, found_by, confidence = potential_username(res)
 
             next unless username
 
-            found << CMSScanner::User.new(
+            found << Model::User.new(
               username,
               id: id,
               found_by: format(found_by_msg, found_by),
@@ -47,7 +54,7 @@ module WPScan
           super(opts.merge(title: ' Brute Forcing Author IDs -'))
         end
 
-        def request_params
+        def full_request_params
           { followlocation: true }
         end
 
@@ -64,11 +71,13 @@ module WPScan
           return username, 'Display Name', 50 if username
         end
 
-        # @param [ String ] url
+        # @param [ String, Addressable::URI ] uri
         #
         # @return [ String, nil ]
-        def username_from_author_url(url)
+        def username_from_author_url(uri)
-          url[%r{/author/([^/\b]+)/?}i, 1]
+          uri = Addressable::URI.parse(uri) unless uri.is_a?(Addressable::URI)
+
+          uri.path[%r{/author/([^/\b]+)/?}i, 1]
         end
 
         # @param [ Typhoeus::Response ] res
@@ -76,12 +85,12 @@ module WPScan
         # @return [ String, nil ] The username found
         def username_from_response(res)
           # Permalink enabled
-          target.in_scope_urls(res, '//link/@href|//a/@href') do |url|
+          target.in_scope_uris(res, '//@href[contains(., "author/")]') do |uri|
-            username = username_from_author_url(url)
+            username = username_from_author_url(uri)
             return username if username
           end
 
-          # No permalink
+          # No permalink, TODO Maybe use xpath to extract the classes ?
           res.body[/<body class="archive author author-([^\s]+)[ "]/i, 1]
         end
 
@@ -90,9 +99,12 @@ module WPScan
         # @return [ String, nil ]
         def display_name_from_body(body)
           page = Nokogiri::HTML.parse(body)
+
           # WP >= 3.0
           page.css('h1.page-title span').each do |node|
-            return node.text.to_s
+            text = node.text.to_s.strip
+
+            return text unless text.empty?
           end
 
           # WP < 3.0

app/finders/users/author_posts.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module WPScan
   module Finders
     module Users
@@ -10,7 +12,7 @@ module WPScan
           found_by_msg = 'Author Posts - %s (Passive Detection)'
 
           usernames(opts).reduce([]) do |a, e|
-            a << CMSScanner::User.new(
+            a << Model::User.new(
               e[0],
               found_by: format(found_by_msg, e[1]),
               confidence: e[2]
@@ -43,12 +45,10 @@ module WPScan
         def potential_usernames(res)
           usernames = []
 
-          target.in_scope_urls(res, '//a/@href') do |url, node|
+          target.in_scope_uris(res, '//a/@href[contains(., "author")]') do |uri, node|
-            uri = Addressable::URI.parse(url)
-
             if uri.path =~ %r{/author/([^/\b]+)/?\z}i
               usernames << [Regexp.last_match[1], 'Author Pattern', 100]
-            elsif uri.query =~ /author=[0-9]+/
+            elsif /author=[0-9]+/.match?(uri.query)
               usernames << [node.text.to_s.strip, 'Display Name', 30]
             end
           end

app/finders/users/author_sitemap.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module Users
+      # Since WP 5.5, /wp-sitemap-users-1.xml is generated and contains
+      # the usernames of accounts who made a post
+      class AuthorSitemap < CMSScanner::Finders::Finder
+        # @param [ Hash ] opts
+        #
+        # @return [ Array<User> ]
+        def aggressive(_opts = {})
+          found = []
+
+          Browser.get(sitemap_url).html.xpath('//url/loc').each do |user_tag|
+            username = user_tag.text.to_s[%r{/author/([^/]+)/}, 1]
+
+            next unless username && !username.strip.empty?
+
+            found << Model::User.new(username,
+                                     found_by: found_by,
+                                     confidence: 100,
+                                     interesting_entries: [sitemap_url])
+          end
+
+          found
+        end
+
+        # @return [ String ] The URL of the sitemap
+        def sitemap_url
+          @sitemap_url ||= target.url('wp-sitemap-users-1.xml')
+        end
+      end
+    end
+  end
+end

app/finders/users/login_error_messages.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module WPScan
   module Finders
     module Users
@@ -22,9 +24,9 @@ module WPScan
 
             return found if error.empty? # Protection plugin / error disabled
 
-            next unless error =~ /The password you entered for the username|Incorrect Password/i
+            next unless /The password you entered for the username|Incorrect Password/i.match?(error)
 
-            found << CMSScanner::User.new(username, found_by: found_by, confidence: 100)
+            found << Model::User.new(username, found_by: found_by, confidence: 100)
           end
 
           found
@@ -35,7 +37,7 @@ module WPScan
           # usernames from the potential Users found
           unames = opts[:found].map(&:username)
 
-          [*opts[:list]].each { |uname| unames << uname.chomp }
+          Array(opts[:list]).each { |uname| unames << uname.chomp }
 
           unames.uniq
         end

app/finders/users/oembed_api.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module WPScan
   module Finders
     module Users
@@ -21,10 +23,10 @@ module WPScan
 
           return [] unless details
 
-          [CMSScanner::User.new(details[0],
+          [Model::User.new(details[0],
-                                found_by: format(found_by_msg, details[1]),
+                           found_by: format(found_by_msg, details[1]),
-                                confidence: details[2],
+                           confidence: details[2],
-                                interesting_entries: [api_url])]
+                           interesting_entries: [api_url])]
         rescue JSON::ParserError
           []
         end
@@ -32,6 +34,8 @@ module WPScan
         def user_details_from_oembed_data(oembed_data)
           return unless oembed_data
 
+          oembed_data = oembed_data.first if oembed_data.is_a?(Array)
+
           if oembed_data['author_url'] =~ %r{/author/([^/]+)/?\z}
             details = [Regexp.last_match[1], 'Author URL', 90]
           elsif oembed_data['author_name'] && !oembed_data['author_name'].empty?

app/finders/users/rss_generator.rb

@@ -1,36 +1,38 @@
+# frozen_string_literal: true
+
 module WPScan
   module Finders
     module Users
       # Users disclosed from the dc:creator field in the RSS
       # The names disclosed are display names, however depending on the configuration of the blog,
       # they can be the same than usernames
-      class RSSGenerator < WPScan::Finders::WpVersion::RSSGenerator
+      class RSSGenerator < Finders::WpVersion::RSSGenerator
         def process_urls(urls, _opts = {})
           found = []
 
           urls.each do |url|
             res = Browser.get_and_follow_location(url)
 
-            next unless res.code == 200 && res.body =~ /<dc\:creator>/i
+            next unless res.code == 200 && res.body =~ /<dc:creator>/i
 
             potential_usernames = []
 
             begin
               res.xml.xpath('//item/dc:creator').each do |node|
-                potential_username = node.text.to_s
+                username = node.text.to_s
 
                 # Ignoring potential username longer than 60 characters and containing accents
                 # as they are considered invalid. See https://github.com/wpscanteam/wpscan/issues/1215
-                next if potential_username.length > 60 || potential_username =~ /[^\x00-\x7F]/
+                next if username.strip.empty? || username.length > 60 || username =~ /[^\x00-\x7F]/
 
-                potential_usernames << potential_username
+                potential_usernames << username
               end
             rescue Nokogiri::XML::XPath::SyntaxError
               next
             end
 
-            potential_usernames.uniq.each do |potential_username|
+            potential_usernames.uniq.each do |username|
-              found << CMSScanner::User.new(potential_username, found_by: found_by, confidence: 50)
+              found << Model::User.new(username, found_by: found_by, confidence: 50)
             end
 
             break

app/finders/users/wp_json_api.rb

@@ -1,23 +1,34 @@
+# frozen_string_literal: true
+
 module WPScan
   module Finders
     module Users
       # WP JSON API
       #
       # Since 4.7 - Need more investigation as it seems WP 4.7.1 reduces the exposure, see https://github.com/wpscanteam/wpscan/issues/1038)
+      # For the pagination, see https://github.com/wpscanteam/wpscan/issues/1285
       #
       class WpJsonApi < CMSScanner::Finders::Finder
+        MAX_PER_PAGE = 100 # See https://developer.wordpress.org/rest-api/using-the-rest-api/pagination/
+
         # @param [ Hash ] opts
         #
         # @return [ Array<User> ]
         def aggressive(_opts = {})
-          found = []
+          found        = []
+          current_page = 0
 
-          JSON.parse(Browser.get(api_url).body)&.each do |user|
+          loop do
-            found << CMSScanner::User.new(user['slug'],
+            current_page += 1
-                                          id: user['id'],
+
-                                          found_by: found_by,
+            res = Browser.get(api_url, params: { per_page: MAX_PER_PAGE, page: current_page })
-                                          confidence: 100,
+
-                                          interesting_entries: [api_url])
+            total_pages ||= res.headers['X-WP-TotalPages'].to_i
+
+            users_in_page = users_from_response(res)
+            found        += users_in_page
+
+            break if current_page >= total_pages || users_in_page.empty?
           end
 
           found
@@ -25,9 +36,32 @@ module WPScan
           found
         end
 
+        # @param [ Typhoeus::Response ] response
+        #
+        # @return [ Array<User> ] The users from the response
+        def users_from_response(response)
+          found = []
+
+          JSON.parse(response.body)&.each do |user|
+            found << Model::User.new(user['slug'],
+                                     id: user['id'],
+                                     found_by: found_by,
+                                     confidence: 100,
+                                     interesting_entries: [response.effective_url])
+          end
+
+          found
+        end
+
         # @return [ String ] The URL of the API listing the Users
         def api_url
-          @api_url ||= target.url('wp-json/wp/v2/users/')
+          return @api_url if @api_url
+
+          target.in_scope_uris(target.homepage_res, "//link[@rel='https://api.w.org/']/@href").each do |uri|
+            return @api_url = uri.join('wp/v2/users/').to_s if uri.path.include?('wp-json')
+          end
+
+          @api_url = target.url('wp-json/wp/v2/users/')
         end
       end
     end

app/finders/users/yoast_seo_author_sitemap.rb

@@ -1,29 +1,11 @@
+# frozen_string_literal: true
+
 module WPScan
   module Finders
     module Users
       # The YOAST SEO plugin has an author-sitemap.xml which can leak usernames
       # See https://github.com/wpscanteam/wpscan/issues/1228
-      class YoastSeoAuthorSitemap < CMSScanner::Finders::Finder
+      class YoastSeoAuthorSitemap < AuthorSitemap
-        # @param [ Hash ] opts
-        #
-        # @return [ Array<User> ]
-        def aggressive(_opts = {})
-          found = []
-
-          Browser.get(sitemap_url).html.xpath('//url/loc').each do |user_tag|
-            username = user_tag.text.to_s[%r{/author/([^\/]+)/}, 1]
-
-            next unless username && !username.strip.empty?
-
-            found << CMSScanner::User.new(username,
-                                          found_by: found_by,
-                                          confidence: 100,
-                                          interesting_entries: [sitemap_url])
-          end
-
-          found
-        end
-
         # @return [ String ] The URL of the author-sitemap
         def sitemap_url
           @sitemap_url ||= target.url('author-sitemap.xml')

app/finders/wp_items.rb

@@ -1 +1,3 @@
-require_relative 'wp_items/urls_in_homepage'
+# frozen_string_literal: true
+
+require_relative 'wp_items/urls_in_page'

app/finders/wp_items/urls_in_page.rb

@@ -1,19 +1,27 @@
+# frozen_string_literal: true
+
 module WPScan
   module Finders
     module WpItems
       # URLs In Homepage Module to use in plugins & themes finders
-      module URLsInHomepage
+      module UrlsInPage
         # @param [ String ] type plugins / themes
         # @param [ Boolean ] uniq Wether or not to apply the #uniq on the results
         #
-        # @return [Array<String> ] The plugins/themes detected in the href, src attributes of the homepage
+        # @return [ Array<String> ] The plugins/themes detected in the href, src attributes of the page
-        def items_from_links(type, uniq = true)
+        def items_from_links(type, uniq: true)
           found = []
+          xpath = format(
+            '(//@href|//@src|//@data-src)[contains(., "%s")]',
+            type == 'plugins' ? target.plugins_dir : target.content_dir
+          )
 
-          target.in_scope_urls(target.homepage_res) do |url|
+          target.in_scope_uris(page_res, xpath) do |uri|
-            next unless url =~ item_attribute_pattern(type)
+            next unless uri.to_s =~ item_attribute_pattern(type)
 
-            found << Regexp.last_match[1]
+            slug = Regexp.last_match[1]&.strip
+
+            found << slug unless slug&.empty?
           end
 
           uniq ? found.uniq.sort : found.sort
@@ -23,10 +31,10 @@ module WPScan
         # @param [ Boolean ] uniq Wether or not to apply the #uniq on the results
         #
         # @return [Array<String> ] The plugins/themes detected in the javascript/style of the homepage
-        def items_from_codes(type, uniq = true)
+        def items_from_codes(type, uniq: true)
           found = []
 
-          target.homepage_res.html.css('script,style').each do |tag|
+          page_res.html.xpath('//script[not(@src)]|//style[not(@src)]').each do |tag|
             code = tag.text.to_s
             next if code.empty?
 
@@ -40,14 +48,14 @@ module WPScan
         #
         # @return [ Regexp ]
         def item_attribute_pattern(type)
-          @item_attribute_pattern ||= %r{\A#{item_url_pattern(type)}([^/]+)/}i
+          @item_attribute_pattern ||= %r{#{item_url_pattern(type)}([^/]+)/}i
         end
 
         # @param [ String ] type
         #
         # @return [ Regexp ]
         def item_code_pattern(type)
-          @item_code_pattern ||= %r{["'\( ]#{item_url_pattern(type)}([^\\\/\)"']+)}i
+          @item_code_pattern ||= %r{["'( ]#{item_url_pattern(type)}([^\\/)"']+)}i
         end
 
         # @param [ String ] type
@@ -57,10 +65,10 @@ module WPScan
           item_dir = type == 'plugins' ? target.plugins_dir : target.content_dir
           item_url = type == 'plugins' ? target.plugins_url : target.content_url
 
-          url = /#{item_url.gsub(/\A(?:http|https)/i, 'https?').gsub('/', '\\\\\?\/')}/i
+          url = /#{item_url.gsub(/\A(?:https?)/i, 'https?').gsub('/', '\\\\\?\/')}/i
-          item_dir = %r{(?:#{url}|\\?\/#{item_dir.gsub('/', '\\\\\?\/')}\\?/)}i
+          item_dir = %r{(?:#{url}|\\?/#{item_dir.gsub('/', '\\\\\?\/')}\\?/)}i
 
-          type == 'plugins' ? item_dir : %r{#{item_dir}#{type}\\?\/}i
+          type == 'plugins' ? item_dir : %r{#{item_dir}#{type}\\?/}i
         end
       end
     end

app/finders/wp_version.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative 'wp_version/rss_generator'
 require_relative 'wp_version/atom_generator'
 require_relative 'wp_version/rdf_generator'
@@ -8,7 +10,7 @@ module WPScan
   module Finders
     # Specific Finders container to filter the version detected
     # and remove the one with low confidence to avoid false
-    # positive when there is not enought information to accurately
+    # positive when there is not enough information to accurately
     # determine it.
     class WpVersionFinders < UniqueFinders
       def filter_findings
@@ -26,7 +28,7 @@ module WPScan
         # @param [ WPScan::Target ] target
         def initialize(target)
           (%w[RSSGenerator AtomGenerator RDFGenerator] +
-           WPScan::DB::DynamicFinders::Wordpress.versions_finders_configs.keys +
+           DB::DynamicFinders::Wordpress.versions_finders_configs.keys +
            %w[Readme UniqueFingerprinting]
           ).each do |finder_name|
             finders << WpVersion.const_get(finder_name.to_sym).new(target)