Bumps version

Update webmock requirement from ~> 3.6.0 to ~> 3.7.0

.github/ISSUE_TEMPLATE/bug_report.md

@@ -1,3 +1,14 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+Before submitting an issue, please make sure you fully read any potential error messages output and did some research on your own.
+
 ### Subject of the issue
 Describe your issue here.
 
@@ -24,4 +35,4 @@ Things you have tried (where relevant):
 * Update Ruby to the latest version [ ]
 * Ensure you can reach the target site using cURL [ ]
 * Proxied WPScan through a HTTP proxy to view the raw traffic [ ]
-* Ensure you are using a supported Operating System (Linux and macOS) [ ]
+* Ensure you are using a supported Operating System (Linux and macOS) [ ]

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,20 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.

.github/ISSUE_TEMPLATE/other-issue.md

@@ -0,0 +1,10 @@
+---
+name: Other Issue
+about: Create a report which is not a related to a Bug or Feature
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+Before submitting an issue, please make sure you fully read any potential error messages output and did some research on your own.

.rubocop.yml

@@ -1,5 +1,6 @@
+require: rubocop-performance
 AllCops:
-  TargetRubyVersion: 2.3
+  TargetRubyVersion: 2.4
   Exclude:
   - '*.gemspec'
   - 'vendor/**/*'
@@ -7,10 +8,12 @@ ClassVars:
   Enabled: false
 LineLength:
   Max: 120
-MethodLength:
-  Max: 20
 Lint/UriEscapeUnescape:
   Enabled: false
+MethodLength:
+  Max: 20
+  Exclude:
+  - 'app/controllers/enumeration/cli_options.rb'
 Metrics/AbcSize:
   Max: 25
 Metrics/BlockLength:
@@ -18,9 +21,14 @@ Metrics/BlockLength:
   - 'spec/**/*'
 Metrics/ClassLength:
   Max: 150
+  Exclude:
+  - 'app/controllers/enumeration/cli_options.rb'
 Metrics/CyclomaticComplexity:
   Max: 8
 Style/Documentation:
   Enabled: false
 Style/FormatStringToken:
   Enabled: false
+Style/NumericPredicate:
+  Exclude:
+  - 'app/controllers/vuln_api.rb'

.travis.yml

@@ -2,20 +2,12 @@ language: ruby
 sudo: false
 cache: bundler
 rvm:
-  - 2.3.0
-  - 2.3.1
-  - 2.3.2
-  - 2.3.3
-  - 2.3.4
-  - 2.3.5
-  - 2.3.6
-  - 2.3.7
-  - 2.3.8
   - 2.4.1
   - 2.4.2
   - 2.4.3
   - 2.4.4
   - 2.4.5
+  - 2.4.6
   - 2.5.0
   - 2.5.1
   - 2.5.2
@@ -25,6 +17,7 @@ rvm:
   - 2.6.0
   - 2.6.1
   - 2.6.2
+  - 2.6.3
   - ruby-head
 before_install:
   - "echo 'gem: --no-ri --no-rdoc' > ~/.gemrc"

Dockerfile

@@ -1,4 +1,4 @@
-FROM ruby:2.6.2-alpine3.9 AS builder
+FROM ruby:2.6.3-alpine AS builder
 LABEL maintainer="WPScan Team <team@wpscan.org>"
 
 ARG BUNDLER_ARGS="--jobs=8 --without test development"
@@ -19,19 +19,22 @@ RUN rake install --trace
 RUN chmod -R a+r /usr/local/bundle
 
 
-FROM ruby:2.6.2-alpine3.9
+FROM ruby:2.6.3-alpine
 LABEL maintainer="WPScan Team <team@wpscan.org>"
 
 RUN adduser -h /wpscan -g WPScan -D wpscan
 
 COPY --from=builder /usr/local/bundle /usr/local/bundle
+
 RUN chown -R wpscan:wpscan /wpscan
 
 # runtime dependencies
 RUN apk add --no-cache libcurl procps sqlite-libs
 
+WORKDIR /wpscan
 
 USER wpscan
+
 RUN /usr/local/bundle/bin/wpscan --update --verbose
 
 ENTRYPOINT ["/usr/local/bundle/bin/wpscan"]

Gemfile

@@ -2,3 +2,5 @@
 
 source 'https://rubygems.org'
 gemspec
+
+# gem 'cms_scanner', branch: 'xxx', git: 'https://github.com/wpscanteam/CMSScanner.git'

README.md

@@ -17,7 +17,6 @@
   <a href="https://badge.fury.io/rb/wpscan" target="_blank"><img src="https://badge.fury.io/rb/wpscan.svg"></a>
   <a href="https://travis-ci.org/wpscanteam/wpscan" target="_blank"><img src="https://travis-ci.org/wpscanteam/wpscan.svg?branch=master"></a>
   <a href="https://codeclimate.com/github/wpscanteam/wpscan" target="_blank"><img src="https://codeclimate.com/github/wpscanteam/wpscan/badges/gpa.svg"></a>
-  <a href="https://www.patreon.com/wpscan" target="_blank"><img src="https://img.shields.io/badge/patreon-donate-green.svg"></a>
 </p>
 
 # INSTALL
@@ -30,6 +29,7 @@
 - Curl >= 7.21  - Recommended: latest
   - The 7.29 has a segfault
 - RubyGems      - Recommended: latest
+- Nokogiri might require packages to be installed via your package manager depending on your OS, see https://nokogiri.org/tutorials/installing_nokogiri.html
 
 ### From RubyGems (Recommended)
 
@@ -84,33 +84,46 @@ For more options, open a terminal and type ```wpscan --help``` (if you built wps
 
 The DB is located at ~/.wpscan/db
 
+## Load CLI options from file/s
+
 WPScan can load all options (including the --url) from configuration files, the following locations are checked (order: first to last):
 
-- ~/.wpscan/cli_options.json
-- ~/.wpscan/cli_options.yml
-- pwd/.wpscan/cli_options.json
-- pwd/.wpscan/cli_options.yml
+- ~/.wpscan/scan.json
+- ~/.wpscan/scan.yml
+- pwd/.wpscan/scan.json
+- pwd/.wpscan/scan.yml
 
-If those files exist, options from them will be loaded and overridden if found twice.
+If those files exist, options from the `cli_options` key will be loaded and overridden if found twice.
 
 e.g:
 
-~/.wpscan/cli_options.yml:
+~/.wpscan/scan.yml:
 
 ```yml
-proxy: 'http://127.0.0.1:8080'
-verbose: true
+cli_options:
+  proxy: 'http://127.0.0.1:8080'
+  verbose: true
 ```
 
-pwd/.wpscan/cli_options.yml:
+pwd/.wpscan/scan.yml:
 
 ```yml
-proxy: 'socks5://127.0.0.1:9090'
-url: 'http://target.tld'
+cli_options:
+  proxy: 'socks5://127.0.0.1:9090'
+  url: 'http://target.tld'
 ```
 
 Running ```wpscan``` in the current directory (pwd), is the same as ```wpscan -v --proxy socks5://127.0.0.1:9090 --url http://target.tld```
 
+## Save API Token in a file
+
+The feature mentioned above is useful to keep the API Token in a config file and not have to supply it via the CLI each time. To do so, create the ~/.wpscan/scan.yml file containing the below:
+
+```yml
+cli_options:
+  api_token: YOUR_API_TOKEN
+```
+
 Enumerating usernames
 
 ```shell

app/controllers.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require_relative 'controllers/core'
+require_relative 'controllers/vuln_api'
 require_relative 'controllers/custom_directories'
 require_relative 'controllers/wp_version'
 require_relative 'controllers/main_theme'

app/controllers/core.rb

@@ -27,38 +27,41 @@ module WPScan
       # @return [ Boolean ]
       def update_db_required?
         if local_db.missing_files?
-          raise Error::MissingDatabaseFile if parsed_options[:update] == false
+          raise Error::MissingDatabaseFile if ParsedCli.update == false
 
           return true
         end
 
-        return parsed_options[:update] unless parsed_options[:update].nil?
+        return ParsedCli.update unless ParsedCli.update.nil?
 
         return false unless user_interaction? && local_db.outdated?
 
         output('@notice', msg: 'It seems like you have not updated the database for some time.')
         print '[?] Do you want to update now? [Y]es [N]o, default: [N]'
 
-        Readline.readline =~ /^y/i ? true : false
+        /^y/i.match?(Readline.readline) ? true : false
       end
 
       def update_db
         output('db_update_started')
-        output('db_update_finished', updated: local_db.update, verbose: parsed_options[:verbose])
+        output('db_update_finished', updated: local_db.update, verbose: ParsedCli.verbose)
 
-        exit(0) unless parsed_options[:url]
+        exit(0) unless ParsedCli.url
       end
 
       def before_scan
         @last_update = local_db.last_update
 
-        maybe_output_banner_help_and_version # From CMS Scanner
+        maybe_output_banner_help_and_version # From CMSScanner
 
         update_db if update_db_required?
         setup_cache
         check_target_availability
         load_server_module
         check_wordpress_state
+      rescue Error::NotWordPress => e
+        target.maybe_add_cookies
+        raise e unless target.wordpress?(ParsedCli.detection_mode)
       end
 
       # Raises errors if the target is hosted on wordpress.com or is not running WordPress
@@ -66,14 +69,14 @@ module WPScan
       def check_wordpress_state
         raise Error::WordPressHosted if target.wordpress_hosted?
 
-        if Addressable::URI.parse(target.homepage_url).path =~ %r{/wp-admin/install.php$}i
+        if %r{/wp-admin/install.php$}i.match?(Addressable::URI.parse(target.homepage_url).path)
 
           output('not_fully_configured', url: target.homepage_url)
 
           exit(WPScan::ExitCode::VULNERABLE)
         end
 
-        raise Error::NotWordPress unless target.wordpress?(parsed_options[:detection_mode]) || parsed_options[:force]
+        raise Error::NotWordPress unless target.wordpress?(ParsedCli.detection_mode) || ParsedCli.force
       end
 
       # Loads the related server module in the target
@@ -85,7 +88,7 @@ module WPScan
         server = target.server || :Apache # Tries to auto detect the server
 
         # Force a specific server module to be loaded if supplied
-        case parsed_options[:server]
+        case ParsedCli.server
         when :apache
           server = :Apache
         when :iis

app/controllers/custom_directories.rb

@@ -7,16 +7,18 @@ module WPScan
     class CustomDirectories < CMSScanner::Controller::Base
       def cli_options
         [
-          OptString.new(['--wp-content-dir DIR']),
-          OptString.new(['--wp-plugins-dir DIR'])
+          OptString.new(['--wp-content-dir DIR',
+                         'The wp-content directory if custom or not detected, such as "wp-content"']),
+          OptString.new(['--wp-plugins-dir DIR',
+                         'The plugins directory if custom or not detected, such as "wp-content/plugins"'])
         ]
       end
 
       def before_scan
-        target.content_dir = parsed_options[:wp_content_dir] if parsed_options[:wp_content_dir]
-        target.plugins_dir = parsed_options[:wp_plugins_dir] if parsed_options[:wp_plugins_dir]
+        target.content_dir = ParsedCli.wp_content_dir if ParsedCli.wp_content_dir
+        target.plugins_dir = ParsedCli.wp_plugins_dir if ParsedCli.wp_plugins_dir
 
-        return if target.content_dir
+        return if target.content_dir(ParsedCli.detection_mode)
 
         raise Error::WpContentDirNotDetected
       end

app/controllers/enumeration.rb

@@ -7,17 +7,8 @@ module WPScan
   module Controller
     # Enumeration Controller
     class Enumeration < CMSScanner::Controller::Base
-      def before_scan
-        DB::DynamicFinders::Plugin.create_versions_finders
-        DB::DynamicFinders::Theme.create_versions_finders
-
-        # Force the Garbage Collector to run due to the above method being
-        # quite heavy in objects allocation
-        GC.start
-      end
-
       def run
-        enum = parsed_options[:enumerate] || {}
+        enum = ParsedCli.enumerate || {}
 
         enum_plugins if enum_plugins?(enum)
         enum_themes  if enum_themes?(enum)

app/controllers/enumeration/cli_options.rb

@@ -11,7 +11,6 @@ module WPScan
       end
 
       # @return [ Array<OptParseValidator::OptBase> ]
-      # rubocop:disable Metrics/MethodLength
       def cli_enum_choices
         [
           OptMultiChoices.new(
@@ -45,7 +44,6 @@ module WPScan
           )
         ]
       end
-      # rubocop:enable Metrics/MethodLength
 
       # @return [ Array<OptParseValidator::OptBase> ]
       def cli_plugins_opts
@@ -67,6 +65,11 @@ module WPScan
              'Use the supplied mode to check plugins versions instead of the --detection-mode ' \
              'or --plugins-detection modes.'],
             choices: %w[mixed passive aggressive], normalize: :to_sym, default: :mixed
+          ),
+          OptInteger.new(
+            ['--plugins-threshold THRESHOLD',
+             'Raise an error when the number of detected plugins via known locations reaches the threshold. ' \
+             'Set to 0 to ignore the threshold.'], default: 100
           )
         ]
       end
@@ -91,6 +94,11 @@ module WPScan
              'Use the supplied mode to check themes versions instead of the --detection-mode ' \
              'or --themes-detection modes.'],
             choices: %w[mixed passive aggressive], normalize: :to_sym, advanced: true
+          ),
+          OptInteger.new(
+            ['--themes-threshold THRESHOLD',
+             'Raise an error when the number of detected themes via known locations reaches the threshold. ' \
+             'Set to 0 to ignore the threshold.'], default: 20
           )
         ]
       end

app/controllers/enumeration/enum_methods.rb

@@ -7,13 +7,13 @@ module WPScan
       # @param [ String ] type (plugins or themes)
       # @param [ Symbol ] detection_mode
       #
-      # @return [ String ] The related enumration message depending on the parsed_options and type supplied
+      # @return [ String ] The related enumration message depending on the ParsedCli and type supplied
       def enum_message(type, detection_mode)
         return unless %w[plugins themes].include?(type)
 
-        details = if parsed_options[:enumerate][:"vulnerable_#{type}"]
+        details = if ParsedCli.enumerate[:"vulnerable_#{type}"]
                     'Vulnerable'
-                  elsif parsed_options[:enumerate][:"all_#{type}"]
+                  elsif ParsedCli.enumerate[:"all_#{type}"]
                     'All'
                   else
                     'Most Popular'
@@ -39,15 +39,15 @@ module WPScan
       #
       # @return [ Hash ]
       def default_opts(type)
-        mode = parsed_options[:"#{type}_detection"] || parsed_options[:detection_mode]
+        mode = ParsedCli.options[:"#{type}_detection"] || ParsedCli.detection_mode
 
         {
           mode: mode,
-          exclude_content: parsed_options[:exclude_content_based],
+          exclude_content: ParsedCli.exclude_content_based,
           show_progression: user_interaction?,
           version_detection: {
-            mode: parsed_options[:"#{type}_version_detection"] || mode,
-            confidence_threshold: parsed_options[:"#{type}_version_all"] ? 0 : 100
+            mode: ParsedCli.options[:"#{type}_version_detection"] || mode,
+            confidence_threshold: ParsedCli.options[:"#{type}_version_all"] ? 0 : 100
           }
         }
       end
@@ -61,7 +61,8 @@ module WPScan
 
       def enum_plugins
         opts = default_opts('plugins').merge(
-          list: plugins_list_from_opts(parsed_options),
+          list: plugins_list_from_opts(ParsedCli.options),
+          threshold: ParsedCli.plugins_threshold,
           sort: true
         )
 
@@ -77,7 +78,7 @@ module WPScan
 
         plugins.each(&:version)
 
-        plugins.select!(&:vulnerable?) if parsed_options[:enumerate][:vulnerable_plugins]
+        plugins.select!(&:vulnerable?) if ParsedCli.enumerate[:vulnerable_plugins]
 
         output('plugins', plugins: plugins)
       end
@@ -107,7 +108,8 @@ module WPScan
 
       def enum_themes
         opts = default_opts('themes').merge(
-          list: themes_list_from_opts(parsed_options),
+          list: themes_list_from_opts(ParsedCli.options),
+          threshold: ParsedCli.themes_threshold,
           sort: true
         )
 
@@ -123,7 +125,7 @@ module WPScan
 
         themes.each(&:version)
 
-        themes.select!(&:vulnerable?) if parsed_options[:enumerate][:vulnerable_themes]
+        themes.select!(&:vulnerable?) if ParsedCli.enumerate[:vulnerable_themes]
 
         output('themes', themes: themes)
       end
@@ -145,28 +147,28 @@ module WPScan
       end
 
       def enum_timthumbs
-        opts = default_opts('timthumbs').merge(list: parsed_options[:timthumbs_list])
+        opts = default_opts('timthumbs').merge(list: ParsedCli.timthumbs_list)
 
         output('@info', msg: "Enumerating Timthumbs #{enum_detection_message(opts[:mode])}") if user_interaction?
         output('timthumbs', timthumbs: target.timthumbs(opts))
       end
 
       def enum_config_backups
-        opts = default_opts('config_backups').merge(list: parsed_options[:config_backups_list])
+        opts = default_opts('config_backups').merge(list: ParsedCli.config_backups_list)
 
         output('@info', msg: "Enumerating Config Backups #{enum_detection_message(opts[:mode])}") if user_interaction?
         output('config_backups', config_backups: target.config_backups(opts))
       end
 
       def enum_db_exports
-        opts = default_opts('db_exports').merge(list: parsed_options[:db_exports_list])
+        opts = default_opts('db_exports').merge(list: ParsedCli.db_exports_list)
 
         output('@info', msg: "Enumerating DB Exports #{enum_detection_message(opts[:mode])}") if user_interaction?
         output('db_exports', db_exports: target.db_exports(opts))
       end
 
       def enum_medias
-        opts = default_opts('medias').merge(range: parsed_options[:enumerate][:medias])
+        opts = default_opts('medias').merge(range: ParsedCli.enumerate[:medias])
 
         if user_interaction?
           output('@info',
@@ -181,13 +183,13 @@ module WPScan
       #
       # @return [ Boolean ] Wether or not to enumerate the users
       def enum_users?(opts)
-        opts[:users] || (parsed_options[:passwords] && !parsed_options[:username] && !parsed_options[:usernames])
+        opts[:users] || (ParsedCli.passwords && !ParsedCli.username && !ParsedCli.usernames)
       end
 
       def enum_users
         opts = default_opts('users').merge(
           range: enum_users_range,
-          list: parsed_options[:users_list]
+          list: ParsedCli.users_list
         )
 
         output('@info', msg: "Enumerating Users #{enum_detection_message(opts[:mode])}") if user_interaction?
@@ -198,7 +200,7 @@ module WPScan
       # If the --enumerate is used, the default value is handled by the Option
       # However, when using --passwords alone, the default has to be set by the code below
       def enum_users_range
-        parsed_options[:enumerate][:users] || cli_enum_choices[0].choices[:u].validate(nil)
+        ParsedCli.enumerate[:users] || cli_enum_choices[0].choices[:u].validate(nil)
       end
     end
   end

app/controllers/main_theme.rb

@@ -18,9 +18,9 @@ module WPScan
         output(
           'theme',
           theme: target.main_theme(
-            mode: parsed_options[:main_theme_detection] || parsed_options[:detection_mode]
+            mode: ParsedCli.main_theme_detection || ParsedCli.detection_mode
           ),
-          verbose: parsed_options[:verbose]
+          verbose: ParsedCli.verbose
         )
       end
     end

app/controllers/password_attack.rb

@@ -24,7 +24,7 @@ module WPScan
       end
 
       def run
-        return unless parsed_options[:passwords]
+        return unless ParsedCli.passwords
 
         if user_interaction?
           output('@info',
@@ -33,13 +33,13 @@ module WPScan
 
         attack_opts = {
           show_progression: user_interaction?,
-          multicall_max_passwords: parsed_options[:multicall_max_passwords]
+          multicall_max_passwords: ParsedCli.multicall_max_passwords
         }
 
         begin
           found = []
 
-          attacker.attack(users, passwords(parsed_options[:passwords]), attack_opts) do |user|
+          attacker.attack(users, passwords(ParsedCli.passwords), attack_opts) do |user|
             found << user
 
             attacker.progress_bar.log("[SUCCESS] - #{user.username} / #{user.password}")
@@ -61,42 +61,55 @@ module WPScan
 
       # @return [ CMSScanner::Finders::Finder ]
       def attacker_from_cli_options
-        return unless parsed_options[:password_attack]
+        return unless ParsedCli.password_attack
 
-        case parsed_options[:password_attack]
+        case ParsedCli.password_attack
         when :wp_login
-          WPScan::Finders::Passwords::WpLogin.new(target)
+          Finders::Passwords::WpLogin.new(target)
         when :xmlrpc
           raise Error::XMLRPCNotDetected unless xmlrpc
 
-          WPScan::Finders::Passwords::XMLRPC.new(xmlrpc)
+          Finders::Passwords::XMLRPC.new(xmlrpc)
         when :xmlrpc_multicall
           raise Error::XMLRPCNotDetected unless xmlrpc
 
-          WPScan::Finders::Passwords::XMLRPCMulticall.new(xmlrpc)
+          Finders::Passwords::XMLRPCMulticall.new(xmlrpc)
+        end
+      end
+
+      # @return [ Boolean ]
+      def xmlrpc_get_users_blogs_enabled?
+        if xmlrpc&.enabled? &&
+           xmlrpc.available_methods.include?('wp.getUsersBlogs') &&
+           xmlrpc.method_call('wp.getUsersBlogs', [SecureRandom.hex[0, 6], SecureRandom.hex[0, 4]])
+                 .run.body !~ /XML\-RPC services are disabled/
+
+          true
+        else
+          false
         end
       end
 
       # @return [ CMSScanner::Finders::Finder ]
       def attacker_from_automatic_detection
-        if xmlrpc&.enabled? && xmlrpc.available_methods.include?('wp.getUsersBlogs')
+        if xmlrpc_get_users_blogs_enabled?
           wp_version = target.wp_version
 
           if wp_version && wp_version < '4.4'
-            WPScan::Finders::Passwords::XMLRPCMulticall.new(xmlrpc)
+            Finders::Passwords::XMLRPCMulticall.new(xmlrpc)
           else
-            WPScan::Finders::Passwords::XMLRPC.new(xmlrpc)
+            Finders::Passwords::XMLRPC.new(xmlrpc)
           end
         else
-          WPScan::Finders::Passwords::WpLogin.new(target)
+          Finders::Passwords::WpLogin.new(target)
         end
       end
 
       # @return [ Array<Users> ] The users to brute force
       def users
-        return target.users unless parsed_options[:usernames]
+        return target.users unless ParsedCli.usernames
 
-        parsed_options[:usernames].reduce([]) do |acc, elem|
+        ParsedCli.usernames.reduce([]) do |acc, elem|
           acc << Model::User.new(elem.chomp)
         end
       end

app/controllers/vuln_api.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Controller
+    # Controller to handle the API token
+    class VulnApi < CMSScanner::Controller::Base
+      def cli_options
+        [
+          OptString.new(['--api-token TOKEN', 'The WPVulnDB API Token to display vulnerability data'])
+        ]
+      end
+
+      def before_scan
+        return unless ParsedCli.api_token
+
+        DB::VulnApi.token = ParsedCli.api_token
+
+        api_status = DB::VulnApi.status
+
+        raise Error::InvalidApiToken if api_status['error']
+        raise Error::ApiLimitReached if api_status['requests_remaining'] == 0
+        raise api_status['http_error'] if api_status['http_error']
+      end
+
+      def after_scan
+        output('status', status: DB::VulnApi.status, api_requests: WPScan.api_requests)
+      end
+    end
+  end
+end

app/controllers/wp_version.rb

@@ -17,15 +17,15 @@ module WPScan
       end
 
       def before_scan
-        WPScan::DB::DynamicFinders::Wordpress.create_versions_finders
+        DB::DynamicFinders::Wordpress.create_versions_finders
       end
 
       def run
         output(
           'version',
           version: target.wp_version(
-            mode: parsed_options[:wp_version_detection] || parsed_options[:detection_mode],
-            confidence_threshold: parsed_options[:wp_version_all] ? 0 : 100,
+            mode: ParsedCli.wp_version_detection || ParsedCli.detection_mode,
+            confidence_threshold: ParsedCli.wp_version_all ? 0 : 100,
             show_progression: user_interaction?
           )
         )

app/finders/db_exports/known_locations.rb

@@ -20,9 +20,9 @@ module WPScan
 
           enumerate(potential_urls(opts), opts.merge(check_full_response: 200)) do |res|
             if res.effective_url.end_with?('.zip')
-              next unless res.headers['Content-Type'] =~ %r{\Aapplication/zip}i
+              next unless %r{\Aapplication/zip}i.match?(res.headers['Content-Type'])
             else
-              next unless res.body =~ SQL_PATTERN
+              next unless SQL_PATTERN.match?(res.body)
             end
 
             found << Model::DbExport.new(res.request.url, found_by: DIRECT_ACCESS, confidence: 100)

app/finders/interesting_findings/duplicator_installer_log.rb

@@ -9,7 +9,7 @@ module WPScan
         def aggressive(_opts = {})
           path = 'installer-log.txt'
 
-          return unless target.head_and_get(path).body =~ /DUPLICATOR INSTALL-LOG/
+          return unless /DUPLICATOR INSTALL-LOG/.match?(target.head_and_get(path).body)
 
           Model::DuplicatorInstallerLog.new(
             target.url(path),

app/finders/interesting_findings/emergency_pwd_reset_script.rb

@@ -14,7 +14,7 @@ module WPScan
 
           Model::EmergencyPwdResetScript.new(
             target.url(path),
-            confidence: res.body =~ /password/i ? 100 : 40,
+            confidence: /password/i.match?(res.body) ? 100 : 40,
             found_by: DIRECT_ACCESS,
             references: {
               url: 'https://codex.wordpress.org/Resetting_Your_Password#Using_the_Emergency_Password_Reset_Script'

app/finders/interesting_findings/mu_plugins.rb

@@ -9,11 +9,13 @@ module WPScan
         def passive(_opts = {})
           pattern = %r{#{target.content_dir}/mu\-plugins/}i
 
-          target.in_scope_urls(target.homepage_res) do |url|
-            next unless Addressable::URI.parse(url).path =~ pattern
+          target.in_scope_uris(target.homepage_res) do |uri|
+            next unless uri.path&.match?(pattern)
 
             url = target.url('wp-content/mu-plugins/')
 
+            target.mu_plugins = true
+
             return Model::MuPlugins.new(
               url,
               confidence: 70,
@@ -33,8 +35,6 @@ module WPScan
           return unless [200, 401, 403].include?(res.code)
           return if target.homepage_or_404?(res)
 
-          # TODO: add the check for --exclude-content once implemented ?
-
           target.mu_plugins = true
 
           Model::MuPlugins.new(

app/finders/interesting_findings/upload_sql_dump.rb

@@ -12,7 +12,7 @@ module WPScan
           path = 'wp-content/uploads/dump.sql'
           res  = target.head_and_get(path, [200], get: { headers: { 'Range' => 'bytes=0-3000' } })
 
-          return unless res.body =~ SQL_PATTERN
+          return unless SQL_PATTERN.match?(res.body)
 
           Model::UploadSQLDump.new(
             target.url(path),

app/finders/main_theme/css_style.rb

@@ -20,10 +20,10 @@ module WPScan
         end
 
         def passive_from_css_href(res, opts)
-          target.in_scope_urls(res, '//style/@src|//link/@href') do |url|
-            next unless Addressable::URI.parse(url).path =~ %r{/themes/([^\/]+)/style.css\z}i
+          target.in_scope_uris(res, '//style/@src|//link/@href') do |uri|
+            next unless uri.path =~ %r{/themes/([^\/]+)/style.css\z}i
 
-            return create_theme(Regexp.last_match[1], url, opts)
+            return create_theme(Regexp.last_match[1], uri.to_s, opts)
           end
           nil
         end

app/finders/passwords/wp_login.rb

@@ -13,7 +13,7 @@ module WPScan
 
         def valid_credentials?(response)
           response.code == 302 &&
-            response.headers['Set-Cookie']&.any? { |cookie| cookie =~ /wordpress_logged_in_/i }
+            [*response.headers['Set-Cookie']]&.any? { |cookie| cookie =~ /wordpress_logged_in_/i }
         end
 
         def errored_response?(response)

app/finders/plugin_version.rb

@@ -13,25 +13,15 @@ module WPScan
         def initialize(plugin)
           finders << PluginVersion::Readme.new(plugin)
 
-          load_specific_finders(plugin)
+          create_and_load_dynamic_versions_finders(plugin)
         end
 
-        # Load the finders associated with the plugin
+        # Create the dynamic version finders related to the plugin and register them
         #
         # @param [ Model::Plugin ] plugin
-        def load_specific_finders(plugin)
-          module_name = plugin.classify
-
-          return unless Finders::PluginVersion.constants.include?(module_name)
-
-          mod = Finders::PluginVersion.const_get(module_name)
-
-          mod.constants.each do |constant|
-            c = mod.const_get(constant)
-
-            next unless c.is_a?(Class)
-
-            finders << c.new(plugin)
+        def create_and_load_dynamic_versions_finders(plugin)
+          DB::DynamicFinders::Plugin.create_versions_finders(plugin.slug).each do |finder|
+            finders << finder.new(plugin)
           end
         end
       end

app/finders/plugin_version/readme.rb

@@ -11,7 +11,7 @@ module WPScan
 
           # The target(plugin)#readme_url can't be used directly here
           # as if the --detection-mode is passive, it will always return nil
-          Model::WpItem::READMES.each do |file|
+          target.potential_readme_filenames.each do |file|
             res = target.head_and_get(file)
 
             next unless res.code == 200 && !(numbers = version_numbers(res.body)).empty?
@@ -52,7 +52,7 @@ module WPScan
 
           number = Regexp.last_match[1]
 
-          number if number =~ /[0-9]+/
+          number if /[0-9]+/.match?(number)
         end
 
         # @param [ String ] body

app/finders/plugins/body_pattern.rb

@@ -4,7 +4,7 @@ module WPScan
   module Finders
     module Plugins
       # Plugins finder from Dynamic Finder 'BodyPattern'
-      class BodyPattern < WPScan::Finders::DynamicFinder::WpItems::Finder
+      class BodyPattern < Finders::DynamicFinder::WpItems::Finder
         DEFAULT_CONFIDENCE = 30
 
         # @param [ Hash ] opts The options from the #passive, #aggressive methods
@@ -15,7 +15,7 @@ module WPScan
         #
         # @return [ Plugin ] The detected plugin in the response, related to the config
         def process_response(opts, response, slug, klass, config)
-          return unless response.body =~ config['pattern']
+          return unless response.body&.match?(config['pattern'])
 
           Model::Plugin.new(
             slug,

app/finders/plugins/comment.rb

@@ -4,7 +4,7 @@ module WPScan
   module Finders
     module Plugins
       # Plugins finder from the Dynamic Finder 'Comment'
-      class Comment < WPScan::Finders::DynamicFinder::WpItems::Finder
+      class Comment < Finders::DynamicFinder::WpItems::Finder
         DEFAULT_CONFIDENCE = 30
 
         # @param [ Hash ] opts The options from the #passive, #aggressive methods
@@ -18,7 +18,7 @@ module WPScan
           response.html.xpath(config['xpath'] || '//comment()').each do |node|
             comment = node.text.to_s.strip
 
-            next unless comment =~ config['pattern']
+            next unless comment&.match?(config['pattern'])
 
             return Model::Plugin.new(
               slug,

app/finders/plugins/config_parser.rb

@@ -4,7 +4,7 @@ module WPScan
   module Finders
     module Plugins
       # Plugins finder from Dynamic Finder 'ConfigParser'
-      class ConfigParser < WPScan::Finders::DynamicFinder::WpItems::Finder
+      class ConfigParser < Finders::DynamicFinder::WpItems::Finder
         DEFAULT_CONFIDENCE = 40
 
         # @param [ Hash ] opts The options from the #passive, #aggressive methods

app/finders/plugins/header_pattern.rb

@@ -4,7 +4,7 @@ module WPScan
   module Finders
     module Plugins
       # Plugins finder from Dynamic Finder 'HeaderPattern'
-      class HeaderPattern < WPScan::Finders::DynamicFinder::WpItems::Finder
+      class HeaderPattern < Finders::DynamicFinder::WpItems::Finder
         DEFAULT_CONFIDENCE = 30
 
         # @param [ Hash ] opts

app/finders/plugins/javascript_var.rb

@@ -4,7 +4,7 @@ module WPScan
   module Finders
     module Plugins
       # Plugins finder from the Dynamic Finder 'JavascriptVar'
-      class JavascriptVar < WPScan::Finders::DynamicFinder::WpItems::Finder
+      class JavascriptVar < Finders::DynamicFinder::WpItems::Finder
         DEFAULT_CONFIDENCE = 60
 
         # @param [ Hash ] opts The options from the #passive, #aggressive methods

app/finders/plugins/known_locations.rb

@@ -9,7 +9,7 @@ module WPScan
 
         # @return [ Array<Integer> ]
         def valid_response_codes
-          @valid_response_codes ||= [200, 401, 403, 301, 500].freeze
+          @valid_response_codes ||= [200, 401, 403, 500].freeze
         end
 
         # @param [ Hash ] opts
@@ -19,8 +19,10 @@ module WPScan
         def aggressive(opts = {})
           found = []
 
-          enumerate(target_urls(opts), opts.merge(check_full_response: [200, 401, 403, 500])) do |_res, slug|
+          enumerate(target_urls(opts), opts.merge(check_full_response: true)) do |_res, slug|
             found << Model::Plugin.new(slug, target, opts.merge(found_by: found_by, confidence: 80))
+
+            raise Error::PluginsThresholdReached if opts[:threshold].positive? && found.size >= opts[:threshold]
           end
 
           found

app/finders/plugins/query_parameter.rb

@@ -4,7 +4,7 @@ module WPScan
   module Finders
     module Plugins
       # Plugins finder from Dynamic Finder 'QueryParameter'
-      class QueryParameter < WPScan::Finders::DynamicFinder::WpItems::Finder
+      class QueryParameter < Finders::DynamicFinder::WpItems::Finder
         DEFAULT_CONFIDENCE = 10
 
         def passive(_opts = {})

app/finders/plugins/xpath.rb

@@ -4,7 +4,7 @@ module WPScan
   module Finders
     module Plugins
       # Plugins finder from the Dynamic Finder 'Xpath'
-      class Xpath < WPScan::Finders::DynamicFinder::WpItems::Finder
+      class Xpath < Finders::DynamicFinder::WpItems::Finder
         DEFAULT_CONFIDENCE = 40
 
         # @param [ Hash ] opts The options from the #passive, #aggressive methods

app/finders/theme_version.rb

@@ -16,25 +16,15 @@ module WPScan
             ThemeVersion::Style.new(theme) <<
             ThemeVersion::WooFrameworkMetaGenerator.new(theme)
 
-          load_specific_finders(theme)
+          create_and_load_dynamic_versions_finders(theme)
         end
 
-        # Load the finders associated with the theme
+        # Create the dynamic version finders related to the theme and register them
         #
         # @param [ Model::Theme ] theme
-        def load_specific_finders(theme)
-          module_name = theme.classify
-
-          return unless Finders::ThemeVersion.constants.include?(module_name)
-
-          mod = Finders::ThemeVersion.const_get(module_name)
-
-          mod.constants.each do |constant|
-            c = mod.const_get(constant)
-
-            next unless c.is_a?(Class)
-
-            finders << c.new(theme)
+        def create_and_load_dynamic_versions_finders(theme)
+          DB::DynamicFinders::Theme.create_versions_finders(theme.slug).each do |finder|
+            finders << finder.new(theme)
           end
         end
       end

app/finders/themes/known_locations.rb

@@ -9,7 +9,7 @@ module WPScan
 
         # @return [ Array<Integer> ]
         def valid_response_codes
-          @valid_response_codes ||= [200, 401, 403, 301, 500].freeze
+          @valid_response_codes ||= [200, 401, 403, 500].freeze
         end
 
         # @param [ Hash ] opts
@@ -19,8 +19,10 @@ module WPScan
         def aggressive(opts = {})
           found = []
 
-          enumerate(target_urls(opts), opts.merge(check_full_response: [200, 401, 403, 500])) do |_res, slug|
+          enumerate(target_urls(opts), opts.merge(check_full_response: true)) do |_res, slug|
             found << Model::Theme.new(slug, target, opts.merge(found_by: found_by, confidence: 80))
+
+            raise Error::ThemesThresholdReached if opts[:threshold].positive? && found.size >= opts[:threshold]
           end
 
           found

app/finders/timthumbs/known_locations.rb

@@ -22,7 +22,7 @@ module WPScan
           found = []
 
           enumerate(target_urls(opts), opts.merge(check_full_response: 400)) do |res|
-            next unless res.body =~ /no image specified/i
+            next unless /no image specified/i.match?(res.body)
 
             found << Model::Timthumb.new(res.request.url, opts.merge(found_by: found_by, confidence: 100))
           end

app/finders/users/author_id_brute_forcing.rb

@@ -7,6 +7,11 @@ module WPScan
       class AuthorIdBruteForcing < CMSScanner::Finders::Finder
         include CMSScanner::Finders::Finder::Enumerator
 
+        # @return [ Array<Integer> ]
+        def valid_response_codes
+          @valid_response_codes ||= [200, 301, 302]
+        end
+
         # @param [ Hash ] opts
         # @option opts [ Range ] :range Mandatory
         #
@@ -15,7 +20,7 @@ module WPScan
           found = []
           found_by_msg = 'Author Id Brute Forcing - %s (Aggressive Detection)'
 
-          enumerate(target_urls(opts), opts) do |res, id|
+          enumerate(target_urls(opts), opts.merge(check_full_response: true)) do |res, id|
             username, found_by, confidence = potential_username(res)
 
             next unless username
@@ -49,7 +54,7 @@ module WPScan
           super(opts.merge(title: ' Brute Forcing Author IDs -'))
         end
 
-        def request_params
+        def full_request_params
           { followlocation: true }
         end
 
@@ -78,8 +83,8 @@ module WPScan
         # @return [ String, nil ] The username found
         def username_from_response(res)
           # Permalink enabled
-          target.in_scope_urls(res, '//link/@href|//a/@href') do |url|
-            username = username_from_author_url(url)
+          target.in_scope_uris(res, '//link/@href|//a/@href') do |uri|
+            username = username_from_author_url(uri.to_s)
             return username if username
           end
 

app/finders/users/author_posts.rb

@@ -45,12 +45,10 @@ module WPScan
         def potential_usernames(res)
           usernames = []
 
-          target.in_scope_urls(res, '//a/@href') do |url, node|
-            uri = Addressable::URI.parse(url)
-
+          target.in_scope_uris(res, '//a/@href') do |uri, node|
             if uri.path =~ %r{/author/([^/\b]+)/?\z}i
               usernames << [Regexp.last_match[1], 'Author Pattern', 100]
-            elsif uri.query =~ /author=[0-9]+/
+            elsif /author=[0-9]+/.match?(uri.query)
               usernames << [node.text.to_s.strip, 'Display Name', 30]
             end
           end

app/finders/users/login_error_messages.rb

@@ -24,7 +24,7 @@ module WPScan
 
             return found if error.empty? # Protection plugin / error disabled
 
-            next unless error =~ /The password you entered for the username|Incorrect Password/i
+            next unless /The password you entered for the username|Incorrect Password/i.match?(error)
 
             found << Model::User.new(username, found_by: found_by, confidence: 100)
           end

app/finders/users/rss_generator.rb

@@ -6,7 +6,7 @@ module WPScan
       # Users disclosed from the dc:creator field in the RSS
       # The names disclosed are display names, however depending on the configuration of the blog,
       # they can be the same than usernames
-      class RSSGenerator < WPScan::Finders::WpVersion::RSSGenerator
+      class RSSGenerator < Finders::WpVersion::RSSGenerator
         def process_urls(urls, _opts = {})
           found = []
 

app/finders/users/wp_json_api.rb

@@ -57,9 +57,7 @@ module WPScan
         def api_url
           return @api_url if @api_url
 
-          target.in_scope_urls(target.homepage_res, "//link[@rel='https://api.w.org/']/@href").each do |url, _tag|
-            uri = Addressable::URI.parse(url.strip)
-
+          target.in_scope_uris(target.homepage_res, "//link[@rel='https://api.w.org/']/@href").each do |uri|
             return @api_url = uri.join('wp/v2/users/').to_s if uri.path.include?('wp-json')
           end
 

app/finders/wp_items/urls_in_homepage.rb

@@ -12,8 +12,8 @@ module WPScan
         def items_from_links(type, uniq = true)
           found = []
 
-          target.in_scope_urls(target.homepage_res) do |url|
-            next unless url =~ item_attribute_pattern(type)
+          target.in_scope_uris(target.homepage_res) do |uri|
+            next unless uri.to_s =~ item_attribute_pattern(type)
 
             found << Regexp.last_match[1]
           end

app/finders/wp_version.rb

@@ -28,7 +28,7 @@ module WPScan
         # @param [ WPScan::Target ] target
         def initialize(target)
           (%w[RSSGenerator AtomGenerator RDFGenerator] +
-           WPScan::DB::DynamicFinders::Wordpress.versions_finders_configs.keys +
+           DB::DynamicFinders::Wordpress.versions_finders_configs.keys +
            %w[Readme UniqueFingerprinting]
           ).each do |finder_name|
             finders << WpVersion.const_get(finder_name.to_sym).new(target)

app/models/plugin.rb

@@ -15,9 +15,16 @@ module WPScan
         @uri = Addressable::URI.parse(blog.url(path_from_blog))
       end
 
-      # @return [ JSON ]
+      # Retrieve the metadata from the vuln API if available (and a valid token is given),
+      # or the local metadata db otherwise
+      # @return [ Hash ]
+      def metadata
+        @metadata ||= db_data.empty? ? DB::Plugin.metadata_at(slug) : db_data
+      end
+
+      # @return [ Hash ]
       def db_data
-        @db_data ||= DB::Plugin.db_data(slug)
+        @db_data ||= DB::VulnApi.plugin_data(slug)
       end
 
       # @param [ Hash ] opts
@@ -28,6 +35,11 @@ module WPScan
 
         @version
       end
+
+      # @return [ Array<String> ]
+      def potential_readme_filenames
+        @potential_readme_filenames ||= [*(DB::DynamicFinders::Plugin.df_data.dig(slug, 'Readme', 'path') || super)]
+      end
     end
   end
 end

app/models/theme.rb

@@ -21,9 +21,16 @@ module WPScan
         parse_style
       end
 
+      # Retrieve the metadata from the vuln API if available (and a valid token is given),
+      # or the local metadata db otherwise
       # @return [ JSON ]
+      def metadata
+        @metadata ||= db_data.empty? ? DB::Theme.metadata_at(slug) : db_data
+      end
+
+      # @return [ Hash ]
       def db_data
-        @db_data ||= DB::Theme.db_data(slug)
+        @db_data ||= DB::VulnApi.theme_data(slug)
       end
 
       # @param [ Hash ] opts

app/models/timthumb.rb

@@ -63,7 +63,7 @@ module WPScan
       def webshot_enabled?
         res = Browser.get(url, params: { webshot: 1, src: "http://#{default_allowed_domains.sample}" })
 
-        res.body =~ /WEBSHOT_ENABLED == true/ ? false : true
+        /WEBSHOT_ENABLED == true/.match?(res.body) ? false : true
       end
 
       # @return [ Array<String> ] The default allowed domains (between the 2.0 and 2.8.13)

app/models/wp_item.rb

@@ -9,11 +9,12 @@ module WPScan
       include CMSScanner::Target::Platform::PHP
       include CMSScanner::Target::Server::Generic
 
+      # Most common readme filenames, based on checking all public plugins and themes.
       READMES = %w[readme.txt README.txt README.md readme.md Readme.txt].freeze
 
       attr_reader :uri, :slug, :detection_opts, :version_detection_opts, :blog, :path_from_blog, :db_data
 
-      delegate :homepage_res, :xpath_pattern_from_page, :in_scope_urls, :head_or_get_params, to: :blog
+      delegate :homepage_res, :xpath_pattern_from_page, :in_scope_uris, :head_or_get_params, to: :blog
 
       # @param [ String ] slug The plugin/theme slug
       # @param [ Target ] blog The targeted blog
@@ -59,18 +60,18 @@ module WPScan
 
       # @return [ String ]
       def latest_version
-        @latest_version ||= db_data['latest_version'] ? Model::Version.new(db_data['latest_version']) : nil
+        @latest_version ||= metadata['latest_version'] ? Model::Version.new(metadata['latest_version']) : nil
       end
 
       # Not used anywhere ATM
       # @return [ Boolean ]
       def popular?
-        @popular ||= db_data['popular']
+        @popular ||= metadata['popular'] ? true : false
       end
 
       # @return [ String ]
       def last_updated
-        @last_updated ||= db_data['last_updated']
+        @last_updated ||= metadata['last_updated']
       end
 
       # @return [ Boolean ]
@@ -117,7 +118,7 @@ module WPScan
 
         return @readme_url unless @readme_url.nil?
 
-        READMES.each do |path|
+        potential_readme_filenames.each do |path|
           t_url = url(path)
 
           return @readme_url = t_url if Browser.forge_request(t_url, blog.head_or_get_params).run.code == 200
@@ -126,6 +127,10 @@ module WPScan
         @readme_url = false
       end
 
+      def potential_readme_filenames
+        @potential_readme_filenames ||= READMES
+      end
+
       # @param [ String ] path
       # @param [ Hash ] params The request params
       #

app/models/wp_version.rb

@@ -35,9 +35,16 @@ module WPScan
         @all_numbers.sort! { |a, b| Gem::Version.new(b) <=> Gem::Version.new(a) }
       end
 
-      # @return [ JSON ]
+      # Retrieve the metadata from the vuln API if available (and a valid token is given),
+      # or the local metadata db otherwise
+      # @return [ Hash ]
+      def metadata
+        @metadata ||= db_data.empty? ? DB::Version.metadata_at(number) : db_data
+      end
+
+      # @return [ Hash ]
       def db_data
-        @db_data ||= DB::Version.db_data(number)
+        @db_data ||= DB::VulnApi.wordpress_data(number)
       end
 
       # @return [ Array<Vulnerability> ]
@@ -55,12 +62,12 @@ module WPScan
 
       # @return [ String ]
       def release_date
-        @release_date ||= db_data['release_date'] || 'Unknown'
+        @release_date ||= metadata['release_date'] || 'Unknown'
       end
 
       # @return [ String ]
       def status
-        @status ||= db_data['status'] || 'Unknown'
+        @status ||= metadata['status'] || 'Unknown'
       end
     end
   end

app/views/cli/core/banner.erb

@@ -8,7 +8,7 @@ _______________________________________________________________
 
         WordPress Security Scanner by the WPScan Team
                        Version <%= WPScan::VERSION %>
-          Sponsored by Sucuri - https://sucuri.net
+<%= ' ' * ((63 - WPScan::DB::Sponsor.text.length)/2) + WPScan::DB::Sponsor.text %>
       @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
 _______________________________________________________________
 

app/views/cli/enumeration/config_backups.erb

@@ -5,7 +5,7 @@
 <%= notice_icon %> Config Backup(s) Identified:
 <% @config_backups.each do |config_backup| -%>
 
-<%= info_icon %> <%= config_backup %>
+<%= critical_icon %> <%= config_backup %>
 <%= render('@finding', item: config_backup) -%>
 <% end -%>
 <% end %>

app/views/cli/enumeration/db_exports.erb

@@ -5,7 +5,7 @@
 <%= notice_icon %> Db Export(s) Identified:
 <% @db_exports.each do |db_export| -%>
 
-<%= info_icon %> <%= db_export %>
+<%= critical_icon %> <%= db_export %>
 <%= render('@finding', item: db_export) -%>
 <% end -%>
 <% end %>

app/views/cli/vuln_api/status.erb

@@ -0,0 +1,13 @@
+<% unless @status.empty? -%>
+<% if @status['http_error'] -%>
+<%= critical_icon %> WPVulnDB API, <%= @status['http_error'].to_s %>
+<% else -%>
+<%= info_icon %> WPVulnDB API OK
+ | Plan: <%= @status['plan'] %>
+ | Requests Done (during the scan): <%= @api_requests %>
+ | Requests Remaining: <%= @status['requests_remaining'] %>
+<% end -%>
+<% else -%>
+<%= warning_icon %> No WPVulnDB API Token given, as a result vulnerability data has not been output.
+<%= warning_icon %> You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/register.
+<% end -%>

app/views/json/core/banner.erb

@@ -7,5 +7,5 @@
     "@erwan_lr",
     "@_FireFart_"
   ],
-  "sponsored_by": "Sucuri - https://sucuri.net"
+  "sponsor": <%= WPScan::DB::Sponsor.text.to_json %>
 },

app/views/json/finding.erb

@@ -11,9 +11,10 @@
   }<% unless index == last_index %>,<% end -%>
 <% end -%>
 <% end -%>
-},
-"vulnerabilities": [
-<% if @item.respond_to?(:vulnerabilities) && !(vulns = @item.vulnerabilities).empty? -%>
+}
+<% if @item.respond_to?(:vulnerabilities) -%>
+,"vulnerabilities": [
+<% unless (vulns = @item.vulnerabilities).empty? -%>
   <% last_index = vulns.size - 1 -%>
   <% vulns.each_with_index do |v, index| -%>
   {
@@ -23,4 +24,5 @@
   }<% unless index == last_index -%>,<% end -%>
   <% end -%>
 <% end -%>
-]
+]
+<% end -%>

app/views/json/vuln_api/status.erb

@@ -0,0 +1,13 @@
+"vuln_api": {
+<% unless @status.empty? -%>
+<% if @status['http_error'] -%>
+"http_error": <%= @status['http_error'].to_s.to_json %>
+<% else -%>
+"plan": <%= @status['plan'].to_json %>,
+"requests_done_during_scan": <%= @api_requests.to_json %>,
+"requests_remaining": <%= @status['requests_remaining'].to_json %>
+<% end -%>
+<% else -%>
+"error": "No WPVulnDB API Token given, as a result vulnerability data has not been output.\nYou can get a free API token with 50 daily requests by registering at https://wpvulndb.com/register."
+<% end -%>
+},

bin/wpscan

@@ -5,6 +5,7 @@ require 'wpscan'
 
 WPScan::Scan.new do |s|
   s.controllers <<
+    WPScan::Controller::VulnApi.new <<
     WPScan::Controller::CustomDirectories.new <<
     WPScan::Controller::InterestingFindings.new <<
     WPScan::Controller::WpVersion.new <<

bin/wpscan-memprof

@@ -7,6 +7,7 @@ require 'wpscan'
 report = MemoryProfiler.report(top: 15) do
   WPScan::Scan.new do |s|
     s.controllers <<
+      WPScan::Controller::VulnApi.new <<
       WPScan::Controller::CustomDirectories.new <<
       WPScan::Controller::InterestingFindings.new <<
       WPScan::Controller::WpVersion.new <<

bin/wpscan-stackprof

@@ -12,6 +12,7 @@ StackProf.run(mode: :cpu, out: '/tmp/stackprof-cpu.dump', interval: 500) do
   # require_relative 'wpscan' doesn't work
   WPScan::Scan.new do |s|
     s.controllers <<
+      WPScan::Controller::VulnApi.new <<
       WPScan::Controller::CustomDirectories.new <<
       WPScan::Controller::InterestingFindings.new <<
       WPScan::Controller::WpVersion.new <<

lib/wpscan.rb

@@ -13,12 +13,14 @@ require 'uri'
 require 'time'
 require 'readline'
 require 'securerandom'
-
+# Monkey Patches/Fixes/Override
+require 'wpscan/typhoeus/response' # Adds a from_vuln_api? method
 # Custom Libs
 require 'wpscan/helper'
 require 'wpscan/db'
 require 'wpscan/version'
 require 'wpscan/errors'
+require 'wpscan/parsed_cli'
 require 'wpscan/browser'
 require 'wpscan/target'
 require 'wpscan/finders'
@@ -37,12 +39,28 @@ module WPScan
   APP_DIR = Pathname.new(__FILE__).dirname.join('..', 'app').expand_path
   DB_DIR  = Pathname.new(Dir.home).join('.wpscan', 'db')
 
+  Typhoeus.on_complete do |response|
+    next if response.cached? || !response.from_vuln_api?
+
+    self.api_requests += 1
+  end
+
   # Override, otherwise it would be returned as 'wp_scan'
   #
   # @return [ String ]
   def self.app_name
     'wpscan'
   end
+
+  # @return [ Integer ]
+  def self.api_requests
+    @@api_requests ||= 0
+  end
+
+  # @param [ Integer ] value
+  def self.api_requests=(value)
+    @@api_requests = value
+  end
 end
 
 require "#{WPScan::APP_DIR}/app"

lib/wpscan/browser.rb

@@ -5,14 +5,9 @@ module WPScan
   class Browser < CMSScanner::Browser
     extend Actions
 
-    # @return [ String ] The path to the user agents list
-    def user_agents_list
-      @user_agents_list ||= DB_DIR.join('user-agents.txt').to_s
-    end
-
     # @return [ String ]
     def default_user_agent
-      "WPScan v#{VERSION} (https://wpscan.org/)"
+      @default_user_agent ||= "WPScan v#{VERSION} (https://wpscan.org/)"
     end
   end
 end

lib/wpscan/db.rb

@@ -7,9 +7,12 @@ require_relative 'db/plugins'
 require_relative 'db/themes'
 require_relative 'db/plugin'
 require_relative 'db/theme'
+require_relative 'db/sponsor'
 require_relative 'db/wp_version'
 require_relative 'db/fingerprints'
 
+require_relative 'db/vuln_api'
+
 require_relative 'db/dynamic_finders/base'
 require_relative 'db/dynamic_finders/plugin'
 require_relative 'db/dynamic_finders/theme'

lib/wpscan/db/dynamic_finders/base.rb

@@ -5,18 +5,19 @@ module WPScan
     module DynamicFinders
       class Base
         # @return [ String ]
-        def self.db_file
-          @db_file ||= DB_DIR.join('dynamic_finders.yml').to_s
+        def self.df_file
+          @df_file ||= DB_DIR.join('dynamic_finders.yml').to_s
         end
 
         # @return [ Hash ]
-        def self.db_data
-          # true allows aliases to be loaded
-          @db_data ||= YAML.safe_load(File.read(db_file), [Regexp], [], true)
+        def self.all_df_data
+          @all_df_data ||= YAML.safe_load(File.read(df_file), [Regexp])
         end
 
         # @return [ Array<Symbol> ]
         def self.allowed_classes
+          # The Readme is not put in there as it's not a Real DF, but rather using the DF system
+          # to get the list of potential filenames for a given slug
           @allowed_classes ||= %i[Comment Xpath HeaderPattern BodyPattern JavascriptVar QueryParameter ConfigParser]
         end
 

lib/wpscan/db/dynamic_finders/plugin.rb

@@ -5,8 +5,8 @@ module WPScan
     module DynamicFinders
       class Plugin < Base
         # @return [ Hash ]
-        def self.db_data
-          @db_data ||= super['plugins'] || {}
+        def self.df_data
+          @df_data ||= all_df_data['plugins'] || {}
         end
 
         def self.version_finder_module
@@ -21,7 +21,7 @@ module WPScan
 
           return configs unless allowed_classes.include?(finder_class)
 
-          db_data.each do |slug, finders|
+          df_data.each do |slug, finders|
             # Quite sure better can be done with some kind of logic statement in the select
             fs = if aggressive
                    finders.reject { |_f, c| c['path'].nil? }
@@ -48,7 +48,7 @@ module WPScan
 
           @versions_finders_configs = {}
 
-          db_data.each do |slug, finders|
+          df_data.each do |slug, finders|
             finders.each do |finder_name, config|
               next unless config.key?('version')
 
@@ -73,23 +73,33 @@ module WPScan
           version_finder_module.const_get(constant_name)
         end
 
-        def self.create_versions_finders
-          versions_finders_configs.each do |slug, finders|
-            mod = maybe_create_module(slug)
+        # Create the dynamic finders related to the given slug, and return the created classes
+        #
+        # @param [ String ] slug
+        #
+        # @return [ Array<Class> ] The created classes
+        def self.create_versions_finders(slug)
+          created = []
+          mod     = maybe_create_module(slug)
 
-            finders.each do |finder_class, config|
-              klass = config['class'] || finder_class
+          versions_finders_configs[slug]&.each do |finder_class, config|
+            klass = config['class'] || finder_class
 
-              # Instead of raising exceptions, skip unallowed/already defined finders
-              # So that, when new DF configs are put in the .yml
-              # users with old version of WPScan will still be able to scan blogs
-              # when updating the DB but not the tool
-              next if mod.constants.include?(finder_class.to_sym) ||
-                      !allowed_classes.include?(klass.to_sym)
+            # Instead of raising exceptions, skip unallowed/already defined finders
+            # So that, when new DF configs are put in the .yml
+            # users with old version of WPScan will still be able to scan blogs
+            # when updating the DB but not the tool
 
-              version_finder_super_class(klass).create_child_class(mod, finder_class.to_sym, config)
-            end
+            next unless allowed_classes.include?(klass.to_sym)
+
+            created << if mod.constants.include?(finder_class.to_sym)
+                         mod.const_get(finder_class.to_sym)
+                       else
+                         version_finder_super_class(klass).create_child_class(mod, finder_class.to_sym, config)
+                       end
           end
+
+          created
         end
 
         # The idea here would be to check if the class exist in

lib/wpscan/db/dynamic_finders/theme.rb

@@ -5,8 +5,8 @@ module WPScan
     module DynamicFinders
       class Theme < Plugin
         # @return [ Hash ]
-        def self.db_data
-          @db_data ||= super['themes'] || {}
+        def self.df_data
+          @df_data ||= all_df_data['themes'] || {}
         end
 
         def self.version_finder_module

lib/wpscan/db/dynamic_finders/wordpress.rb

@@ -5,8 +5,8 @@ module WPScan
     module DynamicFinders
       class Wordpress < Base
         # @return [ Hash ]
-        def self.db_data
-          @db_data ||= super['wordpress'] || {}
+        def self.df_data
+          @df_data ||= all_df_data['wordpress'] || {}
         end
 
         # @return [ Constant ]
@@ -30,9 +30,9 @@ module WPScan
           return configs unless allowed_classes.include?(finder_class)
 
           finders = if aggressive
-                      db_data.reject { |_f, c| c['path'].nil? }
+                      df_data.reject { |_f, c| c['path'].nil? }
                     else
-                      db_data.select { |_f, c| c['path'].nil? }
+                      df_data.select { |_f, c| c['path'].nil? }
                     end
 
           finders.each do |finder_name, config|
@@ -48,7 +48,7 @@ module WPScan
 
         # @return [ Hash ]
         def self.versions_finders_configs
-          @versions_finders_configs ||= db_data.select { |_finder_name, config| config.key?('version') }
+          @versions_finders_configs ||= df_data.select { |_finder_name, config| config.key?('version') }
         end
 
         def self.create_versions_finders

lib/wpscan/db/plugin.rb

@@ -4,9 +4,9 @@ module WPScan
   module DB
     # Plugin DB
     class Plugin < WpItem
-      # @return [ String ]
-      def self.db_file
-        @db_file ||= DB_DIR.join('plugins.json').to_s
+      # @return [ Hash ]
+      def self.metadata
+        @metadata ||= super['plugins'] || {}
       end
     end
   end

lib/wpscan/db/plugins.rb

@@ -5,8 +5,8 @@ module WPScan
     # WP Plugins
     class Plugins < WpItems
       # @return [ JSON ]
-      def self.db
-        Plugin.db
+      def self.metadata
+        Plugin.metadata
       end
     end
   end

lib/wpscan/db/sponsor.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module WPScan
+  module DB
+    class Sponsor
+      # @return [ Hash ]
+      def self.text
+        @text ||= file_path.exist? ? File.read(file_path).chomp : ''
+      end
+
+      def self.file_path
+        @file_path ||= DB_DIR.join('sponsor.txt')
+      end
+    end
+  end
+end

lib/wpscan/db/theme.rb

@@ -4,9 +4,9 @@ module WPScan
   module DB
     # Theme DB
     class Theme < WpItem
-      # @return [ String ]
-      def self.db_file
-        @db_file ||= DB_DIR.join('themes.json').to_s
+      # @return [ Hash ]
+      def self.metadata
+        @metadata ||= super['themes'] || {}
       end
     end
   end

lib/wpscan/db/themes.rb

@@ -5,8 +5,8 @@ module WPScan
     # WP Themes
     class Themes < WpItems
       # @return [ JSON ]
-      def self.db
-        Theme.db
+      def self.metadata
+        Theme.metadata
       end
     end
   end

lib/wpscan/db/updater.rb

@@ -7,12 +7,15 @@ module WPScan
     class Updater
       # /!\ Might want to also update the Enumeration#cli_options when some filenames are changed here
       FILES = %w[
-        plugins.json themes.json wordpresses.json
-        timthumbs-v3.txt user-agents.txt config_backups.txt
-        db_exports.txt dynamic_finders.yml wp_fingerprints.json LICENSE
+        metadata.json wp_fingerprints.json
+        timthumbs-v3.txt config_backups.txt db_exports.txt
+        dynamic_finders.yml LICENSE sponsor.txt
       ].freeze
 
-      OLD_FILES = %w[wordpress.db dynamic_finders_01.yml].freeze
+      OLD_FILES = %w[
+        wordpress.db user-agents.txt dynamic_finders_01.yml
+        wordpresses.json plugins.json themes.json
+      ].freeze
 
       attr_reader :repo_directory
 
@@ -64,11 +67,12 @@ module WPScan
       # @return [ Hash ] The params for Typhoeus::Request
       # @note Those params can't be overriden by CLI options
       def request_params
-        {
+        @request_params ||= {
           timeout: 600,
           connecttimeout: 300,
           accept_encoding: 'gzip, deflate',
-          cache_ttl: 0
+          cache_ttl: 0,
+          headers: { 'User-Agent' => Browser.instance.default_user_agent, 'Referer' => nil }
         }
       end
 

lib/wpscan/db/vuln_api.rb

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+
+module WPScan
+  module DB
+    # WPVulnDB API
+    class VulnApi
+      NON_ERROR_CODES = [200, 401, 404].freeze
+
+      class << self
+        attr_accessor :token
+      end
+
+      # @return [ Addressable::URI ]
+      def self.uri
+        @uri ||= Addressable::URI.parse('https://wpvulndb.com/api/v3/')
+      end
+
+      # @param [ String ] path
+      # @param [ Hash ] params
+      #
+      # @return [ Hash ]
+      def self.get(path, params = {})
+        return {} unless token
+
+        res = Browser.get(uri.join(path), params.merge(request_params))
+
+        return JSON.parse(res.body) if NON_ERROR_CODES.include?(res.code)
+
+        raise Error::HTTP, res
+      rescue Error::HTTP => e
+        retries ||= 0
+
+        if (retries += 1) <= 3
+          sleep(1)
+          retry
+        end
+
+        { 'http_error' => e }
+      end
+
+      # @return [ Hash ]
+      def self.plugin_data(slug)
+        get("plugins/#{slug}")&.dig(slug) || {}
+      end
+
+      # @return [ Hash ]
+      def self.theme_data(slug)
+        get("themes/#{slug}")&.dig(slug) || {}
+      end
+
+      # @return [ Hash ]
+      def self.wordpress_data(version_number)
+        get("wordpresses/#{version_number.tr('.', '')}")&.dig(version_number) || {}
+      end
+
+      # @return [ Hash ]
+      def self.status
+        json = get('status', params: { version: WPScan::VERSION }, cache_ttl: 0)
+
+        json['requests_remaining'] = 'Unlimited' if json['requests_remaining'] == -1
+
+        json
+      end
+
+      # @return [ Hash ]
+      def self.request_params
+        {
+          headers: {
+            'Host' => uri.host, # Reset in case user provided a --vhost for the target
+            'Referer' => nil, # Removes referer set by the cmsscanner to the target url
+            'User-Agent' => Browser.instance.default_user_agent,
+            'Authorization' => "Token token=#{token}"
+          }
+        }
+      end
+    end
+  end
+end

lib/wpscan/db/wp_item.rb

@@ -6,14 +6,19 @@ module WPScan
     class WpItem
       # @param [ String ] identifier The plugin/theme slug or version number
       #
-      # @return [ Hash ] The JSON data from the DB associated to the identifier
-      def self.db_data(identifier)
-        db[identifier] || {}
+      # @return [ Hash ] The JSON data from the metadata associated to the identifier
+      def self.metadata_at(identifier)
+        metadata[identifier] || {}
       end
 
       # @return [ JSON ]
-      def self.db
-        @db ||= read_json_file(db_file)
+      def self.metadata
+        @metadata ||= read_json_file(metadata_file)
+      end
+
+      # @return [ String ]
+      def self.metadata_file
+        @metadata_file ||= DB_DIR.join('metadata.json').to_s
       end
     end
   end

lib/wpscan/db/wp_items.rb

@@ -6,17 +6,17 @@ module WPScan
     class WpItems
       # @return [ Array<String> ] The slug of all items
       def self.all_slugs
-        db.keys
+        metadata.keys
       end
 
       # @return [ Array<String> ] The slug of all popular items
       def self.popular_slugs
-        db.select { |_key, item| item['popular'] == true }.keys
+        metadata.select { |_key, item| item['popular'] == true }.keys
       end
 
       # @return [ Array<String> ] The slug of all vulnerable items
       def self.vulnerable_slugs
-        db.reject { |_key, item| item['vulnerabilities'].empty? }.keys
+        metadata.select { |_key, item| item['vulnerabilities'] == true }.keys
       end
     end
   end

lib/wpscan/db/wp_version.rb

@@ -4,9 +4,9 @@ module WPScan
   module DB
     # WP Version
     class Version < WpItem
-      # @return [ String ]
-      def self.db_file
-        @db_file ||= DB_DIR.join('wordpresses.json').to_s
+      # @return [ Hash ]
+      def self.metadata
+        @metadata ||= super['wordpress'] || {}
       end
     end
   end

lib/wpscan/errors.rb

@@ -9,7 +9,9 @@ module WPScan
   end
 end
 
+require_relative 'errors/enumeration'
 require_relative 'errors/http'
 require_relative 'errors/update'
+require_relative 'errors/vuln_api'
 require_relative 'errors/wordpress'
 require_relative 'errors/xmlrpc'

lib/wpscan/errors/enumeration.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Error
+    class PluginsThresholdReached < Standard
+      def to_s
+        "The number of plugins detected reached the threshold of #{ParsedCli.plugins_threshold} " \
+        'which might indicate False Positive. It would be recommended to use the --exclude-content-based ' \
+        'option to ignore the bad responses.'
+      end
+    end
+
+    class ThemesThresholdReached < Standard
+      def to_s
+        "The number of themes detected reached the threshold of #{ParsedCli.themes_threshold} " \
+        'which might indicate False Positive. It would be recommended to use the --exclude-content-based ' \
+        'option to ignore the bad responses.'
+      end
+    end
+  end
+end

lib/wpscan/errors/vuln_api.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Error
+    # Error raised when the token given via --api-token is invalid
+    class InvalidApiToken < Standard
+      def to_s
+        'The API token provided is invalid'
+      end
+    end
+
+    # Error raised when the number of API requests has been reached
+    # currently not implemented on the API side
+    class ApiLimitReached < Standard
+      def to_s
+        'Your API limit has been reached'
+      end
+    end
+  end
+end

lib/wpscan/errors/wordpress.rb

@@ -5,7 +5,7 @@ module WPScan
     # WordPress hosted (*.wordpress.com)
     class WordPressHosted < Standard
       def to_s
-        'Scanning *.wordpress.com hosted blogs is not supported.'
+        'The target appears to be hosted on WordPress.com. Scanning such site is not supported.'
       end
     end
 
@@ -25,7 +25,8 @@ module WPScan
 
     class WpContentDirNotDetected < Standard
       def to_s
-        'Unable to identify the wp-content dir, please supply it with --wp-content-dir'
+        'Unable to identify the wp-content dir, please supply it with --wp-content-dir,' \
+        ' use the --scope option or make sure the --url value given is the correct one'
       end
     end
   end

lib/wpscan/finders/dynamic_finder/version/body_pattern.rb

@@ -4,9 +4,9 @@ module WPScan
   module Finders
     module DynamicFinder
       module Version
-        # Version finder using Body Pattern method. Tipically used when the response is not
+        # Version finder using Body Pattern method. Typically used when the response is not
         # an HTML doc and Xpath can't be used
-        class BodyPattern < WPScan::Finders::DynamicFinder::Version::Finder
+        class BodyPattern < Finders::DynamicFinder::Version::Finder
           # @return [ Hash ]
           def self.child_class_constants
             @child_class_constants ||= super().merge(PATTERN: nil, CONFIDENCE: 60)
@@ -16,7 +16,7 @@ module WPScan
           # @param [ Hash ] opts
           # @return [ Version ]
           def find(response, _opts = {})
-            return unless response.body =~ self.class::PATTERN
+            return unless response.code != 404 && response.body =~ self.class::PATTERN
 
             create_version(
               Regexp.last_match[:v],

lib/wpscan/finders/dynamic_finder/version/comment.rb

@@ -6,7 +6,7 @@ module WPScan
       module Version
         # Version finder in Comment, which is basically an Xpath one with a default
         # Xpath of //comment()
-        class Comment < WPScan::Finders::DynamicFinder::Version::Xpath
+        class Comment < Finders::DynamicFinder::Version::Xpath
           # @return [ Hash ]
           def self.child_class_constants
             @child_class_constants ||= super().merge(PATTERN: nil, XPATH: '//comment()')

lib/wpscan/finders/dynamic_finder/version/config_parser.rb

@@ -6,7 +6,7 @@ module WPScan
       module Version
         # Version finder using by parsing config files, such as composer.json
         # and so on
-        class ConfigParser < WPScan::Finders::DynamicFinder::Version::Finder
+        class ConfigParser < Finders::DynamicFinder::Version::Finder
           ALLOWED_PARSERS = [JSON, YAML].freeze
 
           def self.child_class_constants

lib/wpscan/finders/dynamic_finder/version/header_pattern.rb

@@ -5,7 +5,7 @@ module WPScan
     module DynamicFinder
       module Version
         # Version finder using Header Pattern method
-        class HeaderPattern < WPScan::Finders::DynamicFinder::Version::Finder
+        class HeaderPattern < Finders::DynamicFinder::Version::Finder
           # @return [ Hash ]
           def self.child_class_constants
             @child_class_constants ||= super().merge(HEADER: nil, PATTERN: nil, CONFIDENCE: 60)

lib/wpscan/finders/dynamic_finder/version/javascript_var.rb

@@ -5,7 +5,7 @@ module WPScan
     module DynamicFinder
       module Version
         # Version finder using JavaScript Variable method
-        class JavascriptVar < WPScan::Finders::DynamicFinder::Version::Finder
+        class JavascriptVar < Finders::DynamicFinder::Version::Finder
           # @return [ Hash ]
           def self.child_class_constants
             @child_class_constants ||= super().merge(

lib/wpscan/finders/dynamic_finder/version/query_parameter.rb

@@ -5,7 +5,7 @@ module WPScan
     module DynamicFinder
       module Version
         # Version finder using QueryParameter method
-        class QueryParameter < WPScan::Finders::DynamicFinder::Version::Finder
+        class QueryParameter < Finders::DynamicFinder::Version::Finder
           # @return [ Hash ]
           def self.child_class_constants
             @child_class_constants ||= super().merge(
@@ -35,15 +35,13 @@ module WPScan
           def scan_response(response)
             found = {}
 
-            target.in_scope_urls(response, xpath) do |url, _tag|
-              uri = Addressable::URI.parse(url)
-
+            target.in_scope_uris(response, xpath) do |uri|
               next unless uri.path =~ path_pattern && uri.query&.match(self.class::PATTERN)
 
               version = Regexp.last_match[:v].to_s
 
               found[version] ||= []
-              found[version] << url
+              found[version] << uri.to_s
             end
 
             found

lib/wpscan/finders/dynamic_finder/version/xpath.rb

@@ -5,7 +5,7 @@ module WPScan
     module DynamicFinder
       module Version
         # Version finder using Xpath method
-        class Xpath < WPScan::Finders::DynamicFinder::Version::Finder
+        class Xpath < Finders::DynamicFinder::Version::Finder
           # @return [ Hash ]
           def self.child_class_constants
             @child_class_constants ||= super().merge(

lib/wpscan/finders/dynamic_finder/wp_item_version.rb

@@ -4,22 +4,22 @@ module WPScan
   module Finders
     module DynamicFinder
       module WpItemVersion
-        class BodyPattern < WPScan::Finders::DynamicFinder::Version::BodyPattern
+        class BodyPattern < Finders::DynamicFinder::Version::BodyPattern
         end
 
-        class Comment < WPScan::Finders::DynamicFinder::Version::Comment
+        class Comment < Finders::DynamicFinder::Version::Comment
         end
 
-        class ConfigParser < WPScan::Finders::DynamicFinder::Version::ConfigParser
+        class ConfigParser < Finders::DynamicFinder::Version::ConfigParser
         end
 
-        class HeaderPattern < WPScan::Finders::DynamicFinder::Version::HeaderPattern
+        class HeaderPattern < Finders::DynamicFinder::Version::HeaderPattern
         end
 
-        class JavascriptVar < WPScan::Finders::DynamicFinder::Version::JavascriptVar
+        class JavascriptVar < Finders::DynamicFinder::Version::JavascriptVar
         end
 
-        class QueryParameter < WPScan::Finders::DynamicFinder::Version::QueryParameter
+        class QueryParameter < Finders::DynamicFinder::Version::QueryParameter
           # @return [ Regexp ]
           def path_pattern
             # TODO: consider the target.blog.themes_dir if the target is a Theme (maybe implement a WpItem#item_dir ?)
@@ -37,7 +37,7 @@ module WPScan
           end
         end
 
-        class Xpath < WPScan::Finders::DynamicFinder::Version::Xpath
+        class Xpath < Finders::DynamicFinder::Version::Xpath
         end
       end
     end

lib/wpscan/finders/dynamic_finder/wp_version.rb

@@ -12,23 +12,23 @@ module WPScan
           end
         end
 
-        class BodyPattern < WPScan::Finders::DynamicFinder::Version::BodyPattern
+        class BodyPattern < Finders::DynamicFinder::Version::BodyPattern
           include Finder
         end
 
-        class Comment < WPScan::Finders::DynamicFinder::Version::Comment
+        class Comment < Finders::DynamicFinder::Version::Comment
           include Finder
         end
 
-        class HeaderPattern < WPScan::Finders::DynamicFinder::Version::HeaderPattern
+        class HeaderPattern < Finders::DynamicFinder::Version::HeaderPattern
           include Finder
         end
 
-        class JavascriptVar < WPScan::Finders::DynamicFinder::Version::JavascriptVar
+        class JavascriptVar < Finders::DynamicFinder::Version::JavascriptVar
           include Finder
         end
 
-        class QueryParameter < WPScan::Finders::DynamicFinder::Version::QueryParameter
+        class QueryParameter < Finders::DynamicFinder::Version::QueryParameter
           include Finder
 
           # @return [ Hash ]

lib/wpscan/helper.rb

@@ -6,13 +6,15 @@ rescue StandardError => e
   raise "JSON parsing error in #{file} #{e}"
 end
 
-# @return [ Symbol ]
+# Sanitize and classify a slug
 # @note As a class can not start with a digit or underscore, a D_ is
-# put as a prefix in such case. Ugly but well :x
-# Not only used to classify slugs though, but Dynamic Finder names as well
+#       put as a prefix in such case. Ugly but well :x
+#       Not only used to classify slugs though, but Dynamic Finder names as well
+#
+# @return [ Symbol ]
 def classify_slug(slug)
-  classified = slug.to_s.tr('-', '_').camelize.to_s
-  classified = "D_#{classified}" if classified[0] =~ /\d/
+  classified = slug.to_s.gsub(/[^a-z\d\-]/i, '-').gsub(/\-{1,}/, '_').camelize.to_s
+  classified = "D_#{classified}" if /\d/.match?(classified[0])
 
   classified.to_sym
 end

lib/wpscan/parsed_cli.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module WPScan
+  # To be able to use ParsedCli directly, rather than having to access it via WPscan::ParsedCli
+  class ParsedCli < CMSScanner::ParsedCli
+  end
+end

lib/wpscan/target/platform/wordpress.rb

@@ -24,20 +24,20 @@ module WPScan
         #
         # @return [ Boolean ]
         def wordpress?(detection_mode)
-          in_scope_urls(homepage_res) do |url|
-            return true if Addressable::URI.parse(url).path.match(WORDPRESS_PATTERN)
+          in_scope_uris(homepage_res) do |uri|
+            return true if uri.path.match(WORDPRESS_PATTERN)
           end
 
           homepage_res.html.css('meta[name="generator"]').each do |node|
-            return true if node['content'] =~ /wordpress/i
+            return true if /wordpress/i.match?(node['content'])
           end
 
           return true unless comments_from_page(/wordpress/i, homepage_res).empty?
 
           if %i[mixed aggressive].include?(detection_mode)
             %w[wp-admin/install.php wp-login.php].each do |path|
-              in_scope_urls(Browser.get_and_follow_location(url(path))).each do |url|
-                return true if Addressable::URI.parse(url).path.match(WORDPRESS_PATTERN)
+              in_scope_uris(Browser.get_and_follow_location(url(path))).each do |uri|
+                return true if uri.path.match(WORDPRESS_PATTERN)
               end
             end
           end
@@ -45,13 +45,52 @@ module WPScan
           false
         end
 
+        COOKIE_PATTERNS = {
+          'vjs' => /createCookie\('vjs','(?<c_value>\d+)',\d+\);/i
+        }.freeze
+
+        # Sometimes there is a mechanism in place on the blog, which requires a specific
+        # cookie and value to be added to requests. Lets try to detect and add them
+        def maybe_add_cookies
+          COOKIE_PATTERNS.each do |cookie_key, pattern|
+            next unless homepage_res.body =~ pattern
+
+            browser = Browser.instance
+
+            cookie_string = "#{cookie_key}=#{Regexp.last_match[:c_value]}"
+
+            cookie_string += "; #{browser.cookie_string}" if browser.cookie_string
+
+            browser.cookie_string = cookie_string
+
+            # Force recheck of the homepage when retying wordpress?
+            # No need to clear the cache, as the request (which will contain the cookies)
+            # will be different
+            @homepage_res = nil
+            @homepage_url = nil
+
+            break
+          end
+        end
+
         # @return [ String ]
         def registration_url
           multisite? ? url('wp-signup.php') : url('wp-login.php?action=register')
         end
 
+        # @return [ Boolean ] Whether or not the target is hosted on wordpress.com
         def wordpress_hosted?
-          uri.host =~ /\.wordpress\.com$/i ? true : false
+          return true if /\.wordpress\.com$/i.match?(uri.host)
+
+          unless content_dir(:passive)
+            pattern = %r{https?://s\d\.wp\.com#{WORDPRESS_PATTERN}}i.freeze
+
+            uris_from_page(homepage_res) do |uri|
+              return true if uri.to_s.match?(pattern)
+            end
+          end
+
+          false
         end
 
         # @param [ String ] username

lib/wpscan/target/platform/wordpress/custom_directories.rb

@@ -13,24 +13,36 @@ module WPScan
           @plugins_dir = dir.chomp('/')
         end
 
+        # @param [ Symbol ] detection_mode
         # @return [ String ] The wp-content directory
-        def content_dir
+        def content_dir(detection_mode = :mixed)
           unless @content_dir
-            escaped_url = Regexp.escape(url).gsub(/https?/i, 'https?')
-            pattern     = %r{#{escaped_url}([\w\s\-\/]+)\/(?:themes|plugins|uploads|cache)\/}i
+            # scope_url_pattern is from CMSScanner::Target
+            pattern = %r{#{scope_url_pattern}([\w\s\-/]+)\\?/(?:themes|plugins|uploads|cache)\\?/}i
 
-            in_scope_urls(homepage_res) do |url|
-              return @content_dir = Regexp.last_match[1] if url.match(pattern)
+            in_scope_uris(homepage_res) do |uri|
+              return @content_dir = Regexp.last_match[1] if uri.to_s.match(pattern)
             end
 
-            xpath_pattern_from_page('//script[not(@src)]', pattern, homepage_res) do |match|
+            # Checks for the pattern in raw JS code, as well as @content attributes of meta tags
+            xpath_pattern_from_page('//script[not(@src)]|//meta/@content', pattern, homepage_res) do |match|
               return @content_dir = match[1]
             end
+
+            unless detection_mode == :passive
+              return @content_dir = 'wp-content' if default_content_dir_exists?
+            end
           end
 
           @content_dir
         end
 
+        def default_content_dir_exists?
+          # url('wp-content') can't be used here as the folder has not yet been identified
+          # and the method would try to replace it by nil which would raise an error
+          [200, 401, 403].include?(Browser.forge_request(uri.join('wp-content/').to_s, head_or_get_params).run.code)
+        end
+
         # @return [ Addressable::URI ]
         def content_uri
           uri.join("#{content_dir}/")
@@ -85,23 +97,21 @@ module WPScan
           themes_uri.join("#{URI.encode(slug)}/").to_s
         end
 
-        # TODO: Factorise the code and the content_dir one ?
         # @return [ String, False ] String of the sub_dir found, false otherwise
         # @note: nil can not be returned here, otherwise if there is no sub_dir
-        #        the check would be done each time
+        #        the check would be done each time, which would make enumeration of
+        #        long list of items very slow to generate
         def sub_dir
-          unless @sub_dir
-            escaped_url = Regexp.escape(url).gsub(/https?/i, 'https?')
-            pattern     = %r{#{escaped_url}(.+?)\/(?:xmlrpc\.php|wp\-includes\/)}i
+          return @sub_dir unless @sub_dir.nil?
 
-            in_scope_urls(homepage_res) do |url|
-              return @sub_dir = Regexp.last_match[1] if url.match(pattern)
-            end
+          # url_pattern is from CMSScanner::Target
+          pattern = %r{#{url_pattern}(.+?)/(?:xmlrpc\.php|wp\-includes/)}i
 
-            @sub_dir = false
+          in_scope_uris(homepage_res) do |uri|
+            return @sub_dir = Regexp.last_match[1] if uri.to_s.match(pattern)
           end
 
-          @sub_dir
+          @sub_dir = false
         end
 
         # Override of the WebSite#url to consider the custom WP directories
@@ -112,9 +122,9 @@ module WPScan
         def url(path = nil)
           return @uri.to_s unless path
 
-          if path =~ %r{wp\-content/plugins}i
+          if %r{wp\-content/plugins}i.match?(path)
             path = +path.gsub('wp-content/plugins', plugins_dir)
-          elsif path =~ /wp\-content/i
+          elsif /wp\-content/i.match?(path)
             path = +path.gsub('wp-content', content_dir)
           elsif path[0] != '/' && sub_dir
             path = "#{sub_dir}/#{path}"

lib/wpscan/typhoeus/response.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module Typhoeus
+  # Custom Response class
+  class Response
+    # @note: Ignores requests done to the /status endpoint of the API
+    #
+    # @return [ Boolean ]
+    def from_vuln_api?
+      effective_url.start_with?(WPScan::DB::VulnApi.uri.to_s) && !effective_url.include?('/status')
+    end
+  end
+end

lib/wpscan/version.rb

@@ -2,5 +2,5 @@
 
 # Version
 module WPScan
-  VERSION = '3.5.0'
+  VERSION = '3.7.0'
 end

spec/app/controllers/aliases_spec.rb

@@ -3,12 +3,10 @@
 describe WPScan::Controller::Aliases do
   subject(:controller) { described_class.new }
   let(:target_url)     { 'http://ex.lo/' }
-  let(:parsed_options) { rspec_parsed_options(cli_args) }
   let(:cli_args)       { "--url #{target_url}" }
 
   before do
-    WPScan::Browser.reset
-    described_class.parsed_options = parsed_options
+    WPScan::ParsedCli.options = rspec_parsed_options(cli_args)
   end
 
   describe '#cli_options' do
@@ -22,14 +20,18 @@ describe WPScan::Controller::Aliases do
 
   describe 'parsed_options' do
     context 'when no --stealthy supplied' do
-      its(:parsed_options) { should eql parsed_options }
+      it 'contains the correct options' do
+        expect(WPScan::ParsedCli.options).to include(
+          detection_mode: :mixed, plugins_version_detection: :mixed
+        )
+      end
     end
 
     context 'when --stealthy supplied' do
       let(:cli_args) { "#{super()} --stealthy" }
 
       it 'contains the correct options' do
-        expect(controller.parsed_options).to include(
+        expect(WPScan::ParsedCli.options).to include(
           random_user_agent: true, detection_mode: :passive, plugins_version_detection: :passive
         )
       end

spec/app/controllers/core_spec.rb

@@ -3,13 +3,11 @@
 describe WPScan::Controller::Core do
   subject(:core)       { described_class.new }
   let(:target_url)     { 'http://ex.lo/' }
-  let(:parsed_options) { rspec_parsed_options(cli_args) }
   let(:cli_args)       { "--url #{target_url}" }
 
   before do
-    WPScan::Browser.reset
     described_class.reset
-    described_class.parsed_options = parsed_options
+    WPScan::ParsedCli.options = rspec_parsed_options(cli_args)
   end
 
   describe '#cli_options' do
@@ -140,7 +138,7 @@ describe WPScan::Controller::Core do
 
       expect(core.formatter).to receive(:output).with('banner', hash_including(verbose: nil), 'core')
 
-      expect(core).to receive(:update_db_required?).and_return(false) unless parsed_options[:update]
+      expect(core).to receive(:update_db_required?).and_return(false) unless WPScan::ParsedCli.update
     end
 
     context 'when --update' do
@@ -218,7 +216,7 @@ describe WPScan::Controller::Core do
 
         context 'when not wordpress' do
           it 'raises an error' do
-            expect(core.target).to receive(:wordpress?).with(:mixed).and_return(false)
+            expect(core.target).to receive(:wordpress?).twice.with(:mixed).and_return(false)
 
             expect { core.before_scan }.to raise_error(WPScan::Error::NotWordPress)
           end
@@ -250,12 +248,26 @@ describe WPScan::Controller::Core do
     context 'when not wordpress' do
       before do
         expect(core).to receive(:load_server_module)
-        expect(core.target).to receive(:wordpress?).with(:mixed).and_return(false)
       end
 
       context 'when no --force' do
-        it 'raises an error' do
-          expect { core.before_scan }.to raise_error(WPScan::Error::NotWordPress)
+        before { expect(core.target).to receive(:maybe_add_cookies) }
+
+        context 'when no cookies added or still not wordpress after being added' do
+          it 'raises an error' do
+            expect(core.target).to receive(:wordpress?).twice.with(:mixed).and_return(false)
+
+            expect { core.before_scan }.to raise_error(WPScan::Error::NotWordPress)
+          end
+        end
+
+        context 'when the added cookies solved it' do
+          it 'does not raise an error' do
+            expect(core.target).to receive(:wordpress?).with(:mixed).and_return(false).ordered
+            expect(core.target).to receive(:wordpress?).with(:mixed).and_return(true).ordered
+
+            expect { core.before_scan }.to_not raise_error
+          end
         end
       end
 
@@ -263,6 +275,8 @@ describe WPScan::Controller::Core do
         let(:cli_args) { "#{super()} --force" }
 
         it 'does not raise any error' do
+          expect(core.target).to receive(:wordpress?).with(:mixed).and_return(false)
+
           expect { core.before_scan }.to_not raise_error
         end
       end

spec/app/controllers/custom_directories_spec.rb

@@ -3,12 +3,10 @@
 describe WPScan::Controller::CustomDirectories do
   subject(:controller) { described_class.new }
   let(:target_url)     { 'http://ex.lo/' }
-  let(:parsed_options) { rspec_parsed_options(cli_args) }
   let(:cli_args)       { "--url #{target_url}" }
 
   before do
-    WPScan::Browser.reset
-    described_class.parsed_options = parsed_options
+    WPScan::ParsedCli.options = rspec_parsed_options(cli_args)
   end
 
   describe '#cli_options' do
@@ -21,8 +19,8 @@ describe WPScan::Controller::CustomDirectories do
   end
 
   describe '#before_scan' do
-    context 'when the content_dir is not found and not supply' do
-      before { expect(controller.target).to receive(:content_dir) }
+    context 'when the content_dir is not found and not supplied' do
+      before { expect(controller.target).to receive(:content_dir).with(:mixed) }
 
       it 'raises an exception' do
         expect { controller.before_scan }.to raise_error(WPScan::Error::WpContentDirNotDetected)
@@ -34,7 +32,7 @@ describe WPScan::Controller::CustomDirectories do
 
       it 'does not raise any error' do
         expect { controller.before_scan }.to_not raise_error
-        expect(controller.target.content_dir).to eq parsed_options[:wp_content_dir]
+        expect(controller.target.content_dir).to eq WPScan::ParsedCli.wp_content_dir
       end
     end
   end

spec/app/controllers/enumeration_spec.rb

@@ -3,16 +3,13 @@
 describe WPScan::Controller::Enumeration do
   subject(:controller) { described_class.new }
   let(:target_url)     { 'http://wp.lab/' }
-  let(:parsed_options) { rspec_parsed_options(cli_args) }
   let(:cli_args)       { "--url #{target_url}" }
 
   before do
-    WPScan::Browser.reset
-
     ## For the --passwords options
     allow_any_instance_of(OptParseValidator::OptPath).to receive(:check_file)
 
-    described_class.parsed_options = parsed_options
+    WPScan::ParsedCli.options = rspec_parsed_options(cli_args)
   end
 
   describe '#enum_message' do
@@ -73,8 +70,8 @@ describe WPScan::Controller::Enumeration do
     it 'contains the correct options' do
       expect(controller.cli_options.map(&:to_sym)).to eql(
         %i[enumerate exclude_content_based
-           plugins_list plugins_detection plugins_version_all plugins_version_detection
-           themes_list themes_detection themes_version_all themes_version_detection
+           plugins_list plugins_detection plugins_version_all plugins_version_detection plugins_threshold
+           themes_list themes_detection themes_version_all themes_version_detection themes_threshold
            timthumbs_list timthumbs_detection
            config_backups_list config_backups_detection
            db_exports_list db_exports_detection
@@ -105,22 +102,13 @@ describe WPScan::Controller::Enumeration do
     end
   end
 
-  describe '#before_scan' do
-    it 'creates the Dynamic Finders' do
-      expect(WPScan::DB::DynamicFinders::Plugin).to receive(:create_versions_finders)
-      expect(WPScan::DB::DynamicFinders::Theme).to receive(:create_versions_finders)
-
-      controller.before_scan
-    end
-  end
-
   describe '#run' do
     context 'when no :enumerate' do
       before do
         expect(controller).to receive(:enum_plugins)
         expect(controller).to receive(:enum_config_backups)
 
-        expect(parsed_options[:plugins_detection]).to eql :passive
+        expect(WPScan::ParsedCli.plugins_detection).to eql :passive
       end
 
       it 'calls enum_plugins and enum_config_backups' do