Bumps version

Fixes #1411
Adds additional specs related to previous commit
2019-10-11 15:07:50 +01:00 · 2019-10-11 14:32:00 +01:00 · 2019-10-10 22:57:26 +01:00 · 2019-10-10 22:33:19 +01:00 · 2019-10-10 21:15:59 +01:00 · 2019-10-10 21:03:54 +01:00
287 changed files with 82182 additions and 605 deletions
--- a/.rubocop.yml
+++ b/.rubocop.yml
@@ -4,12 +4,6 @@ AllCops:
  Exclude:
  - '*.gemspec'
  - 'vendor/**/*'
 ClassVars:
  Enabled: false
 LineLength:
  Max: 120
 MethodLength:
  Max: 20
 Lint/UriEscapeUnescape:
  Enabled: false
 Metrics/AbcSize:
@@ -19,9 +13,22 @@ Metrics/BlockLength:
  - 'spec/**/*'
 Metrics/ClassLength:
  Max: 150
  Exclude:
  - 'app/controllers/enumeration/cli_options.rb'
 Metrics/CyclomaticComplexity:
  Max: 8
 Metrics/LineLength:
  Max: 120
 Metrics/MethodLength:
  Max: 20
  Exclude:
  - 'app/controllers/enumeration/cli_options.rb'
 Style/ClassVars:
  Enabled: false
 Style/Documentation:
  Enabled: false
 Style/FormatStringToken:
  Enabled: false
 Style/NumericPredicate:
  Exclude:
  - 'app/controllers/vuln_api.rb'
--- a/4
+++ b/4
@@ -1,4 +1,4 @@
-FROM ruby:2.6.2-alpine3.9 AS builder
+FROM ruby:2.6.3-alpine AS builder
 LABEL maintainer="WPScan Team <team@wpscan.org>"
 ARG BUNDLER_ARGS="--jobs=8 --without test development"
@@ -19,7 +19,7 @@ RUN rake install --trace
 RUN chmod -R a+r /usr/local/bundle
-FROM ruby:2.6.2-alpine3.9
+FROM ruby:2.6.3-alpine
 LABEL maintainer="WPScan Team <team@wpscan.org>"
 RUN adduser -h /wpscan -g WPScan -D wpscan
--- a/README.md
+++ b/README.md
@@ -17,7 +17,6 @@
  <a href="https://badge.fury.io/rb/wpscan" target="_blank"><img src="https://badge.fury.io/rb/wpscan.svg"></a>
  <a href="https://travis-ci.org/wpscanteam/wpscan" target="_blank"><img src="https://travis-ci.org/wpscanteam/wpscan.svg?branch=master"></a>
  <a href="https://codeclimate.com/github/wpscanteam/wpscan" target="_blank"><img src="https://codeclimate.com/github/wpscanteam/wpscan/badges/gpa.svg"></a>
  <a href="https://www.patreon.com/wpscan" target="_blank"><img src="https://img.shields.io/badge/patreon-donate-green.svg"></a>
 </p>
 # INSTALL
@@ -78,41 +77,60 @@ docker run -it --rm wpscanteam/wpscan --url https://target.tld/ --enumerate u1-1
 # Usage
-```wpscan --url blog.tld``` This will scan the blog using default options with a good compromise between speed and accuracy. For example, the plugins will be checked passively but their version with a mixed detection mode (passively + aggressively). Potential config backup files will also be checked, along with other interesting findings. If a more stealthy approach is required, then ```wpscan --stealthy --url blog.tld``` can be used.
+```wpscan --url blog.tld``` This will scan the blog using default options with a good compromise between speed and accuracy. For example, the plugins will be checked passively but their version with a mixed detection mode (passively + aggressively). Potential config backup files will also be checked, along with other interesting findings.
 If a more stealthy approach is required, then ```wpscan --stealthy --url blog.tld``` can be used.
 As a result, when using the ```--enumerate``` option, don't forget to set the ```--plugins-detection``` accordingly, as its default is 'passive'.
 For more options, open a terminal and type ```wpscan --help``` (if you built wpscan from the source, you should type the command outside of the git repo)
 The DB is located at ~/.wpscan/db
 ## Vulnerability Database
 The WPScan CLI tool uses the [WPVulnDB API](https://wpvulndb.com/api) to retrieve WordPress vulnerability data in real time. For WPScan to retrieve the vulnerability data an API token must be supplied via the `--api-token` option, or via a configuration file, as discussed below. An API token can be obtained by registering an account on [WPVulnDB](https://wpvulndb.com/users/sign_up). Up to 50 API requests per day are given free of charge to registered users. Once the 50 API requests are exhausted, WPScan will continue to work as normal but without any vulnerability data. Users can upgrade to paid API usage to increase their API limits within their user profile on [WPVulnDB](https://wpvulndb.com/).
 ## Load CLI options from file/s
 WPScan can load all options (including the --url) from configuration files, the following locations are checked (order: first to last):
- ~/.wpscan/cli_options.json
+- ~/.wpscan/scan.json
- ~/.wpscan/cli_options.yml
+- ~/.wpscan/scan.yml
- pwd/.wpscan/cli_options.json
+- pwd/.wpscan/scan.json
- pwd/.wpscan/cli_options.yml
+- pwd/.wpscan/scan.yml
-If those files exist, options from them will be loaded and overridden if found twice.
+If those files exist, options from the `cli_options` key will be loaded and overridden if found twice.
 e.g:
-~/.wpscan/cli_options.yml:
+~/.wpscan/scan.yml:
 ```yml
-proxy: 'http://127.0.0.1:8080'
+cli_options:
-verbose: true
+  proxy: 'http://127.0.0.1:8080'
  verbose: true
 ```
-pwd/.wpscan/cli_options.yml:
+pwd/.wpscan/scan.yml:
 ```yml
-proxy: 'socks5://127.0.0.1:9090'
+cli_options:
-url: 'http://target.tld'
+  proxy: 'socks5://127.0.0.1:9090'
  url: 'http://target.tld'
 ```
 Running ```wpscan``` in the current directory (pwd), is the same as ```wpscan -v --proxy socks5://127.0.0.1:9090 --url http://target.tld```
-Enumerating usernames
+## Save API Token in a file
 The feature mentioned above is useful to keep the API Token in a config file and not have to supply it via the CLI each time. To do so, create the ~/.wpscan/scan.yml file containing the below:
 ```yml
 cli_options:
  api_token: YOUR_API_TOKEN
 ```
 ## Enumerating usernames
 ```shell
 wpscan --url https://target.tld/ --enumerate u
--- a/app/controllers.rb
+++ b/app/controllers.rb
@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 require_relative 'controllers/core'
 require_relative 'controllers/vuln_api'
 require_relative 'controllers/custom_directories'
 require_relative 'controllers/wp_version'
 require_relative 'controllers/main_theme'
--- a/app/controllers/custom_directories.rb
+++ b/app/controllers/custom_directories.rb
@@ -18,7 +18,7 @@ module WPScan
        target.content_dir = ParsedCli.wp_content_dir if ParsedCli.wp_content_dir
        target.plugins_dir = ParsedCli.wp_plugins_dir if ParsedCli.wp_plugins_dir
-        return if target.content_dir(ParsedCli.detection_mode)
+        return if target.content_dir
        raise Error::WpContentDirNotDetected
      end
--- a/app/controllers/enumeration.rb
+++ b/app/controllers/enumeration.rb
@@ -7,15 +7,6 @@ module WPScan
  module Controller
    # Enumeration Controller
    class Enumeration < CMSScanner::Controller::Base
      def before_scan
        DB::DynamicFinders::Plugin.create_versions_finders
        DB::DynamicFinders::Theme.create_versions_finders
        # Force the Garbage Collector to run due to the above method being
        # quite heavy in objects allocation
        GC.start
      end
      def run
        enum = ParsedCli.enumerate || {}
--- a/app/controllers/enumeration/cli_options.rb
+++ b/app/controllers/enumeration/cli_options.rb
@@ -11,7 +11,6 @@ module WPScan
      end
      # @return [ Array<OptParseValidator::OptBase> ]
      # rubocop:disable Metrics/MethodLength
      def cli_enum_choices
        [
          OptMultiChoices.new(
@@ -19,10 +18,10 @@ module WPScan
            choices: {
              vp: OptBoolean.new(['--vulnerable-plugins']),
              ap: OptBoolean.new(['--all-plugins']),
-              p: OptBoolean.new(['--plugins']),
+              p: OptBoolean.new(['--popular-plugins']),
              vt: OptBoolean.new(['--vulnerable-themes']),
              at: OptBoolean.new(['--all-themes']),
-              t: OptBoolean.new(['--themes']),
+              t: OptBoolean.new(['--popular-themes']),
              tt: OptBoolean.new(['--timthumbs']),
              cb: OptBoolean.new(['--config-backups']),
              dbe: OptBoolean.new(['--db-exports']),
@@ -45,7 +44,6 @@ module WPScan
          )
        ]
      end
      # rubocop:enable Metrics/MethodLength
      # @return [ Array<OptParseValidator::OptBase> ]
      def cli_plugins_opts
@@ -67,6 +65,11 @@ module WPScan
             'Use the supplied mode to check plugins versions instead of the --detection-mode ' \
             'or --plugins-detection modes.'],
            choices: %w[mixed passive aggressive], normalize: :to_sym, default: :mixed
          ),
          OptInteger.new(
            ['--plugins-threshold THRESHOLD',
             'Raise an error when the number of detected plugins via known locations reaches the threshold. ' \
             'Set to 0 to ignore the threshold.'], default: 100, advanced: true
          )
        ]
      end
@@ -91,6 +94,11 @@ module WPScan
             'Use the supplied mode to check themes versions instead of the --detection-mode ' \
             'or --themes-detection modes.'],
            choices: %w[mixed passive aggressive], normalize: :to_sym, advanced: true
          ),
          OptInteger.new(
            ['--themes-threshold THRESHOLD',
             'Raise an error when the number of detected themes via known locations reaches the threshold. ' \
             'Set to 0 to ignore the threshold.'], default: 20, advanced: true
          )
        ]
      end
--- a/app/controllers/enumeration/enum_methods.rb
+++ b/app/controllers/enumeration/enum_methods.rb
@@ -56,12 +56,13 @@ module WPScan
      #
      # @return [ Boolean ] Wether or not to enumerate the plugins
      def enum_plugins?(opts)
-        opts[:plugins] || opts[:all_plugins] || opts[:vulnerable_plugins]
+        opts[:popular_plugins] || opts[:all_plugins] || opts[:vulnerable_plugins]
      end
      def enum_plugins
        opts = default_opts('plugins').merge(
          list: plugins_list_from_opts(ParsedCli.options),
          threshold: ParsedCli.plugins_threshold,
          sort: true
        )
@@ -91,7 +92,7 @@ module WPScan
        if opts[:enumerate][:all_plugins]
          DB::Plugins.all_slugs
-        elsif opts[:enumerate][:plugins]
+        elsif opts[:enumerate][:popular_plugins]
          DB::Plugins.popular_slugs
        else
          DB::Plugins.vulnerable_slugs
@@ -102,12 +103,13 @@ module WPScan
      #
      # @return [ Boolean ] Wether or not to enumerate the themes
      def enum_themes?(opts)
-        opts[:themes] || opts[:all_themes] || opts[:vulnerable_themes]
+        opts[:popular_themes] || opts[:all_themes] || opts[:vulnerable_themes]
      end
      def enum_themes
        opts = default_opts('themes').merge(
          list: themes_list_from_opts(ParsedCli.options),
          threshold: ParsedCli.themes_threshold,
          sort: true
        )
@@ -137,7 +139,7 @@ module WPScan
        if opts[:enumerate][:all_themes]
          DB::Themes.all_slugs
-        elsif opts[:enumerate][:themes]
+        elsif opts[:enumerate][:popular_themes]
          DB::Themes.popular_slugs
        else
          DB::Themes.vulnerable_slugs
--- a/app/controllers/vuln_api.rb
+++ b/app/controllers/vuln_api.rb
@@ -0,0 +1,30 @@
 # frozen_string_literal: true
 module WPScan
  module Controller
    # Controller to handle the API token
    class VulnApi < CMSScanner::Controller::Base
      def cli_options
        [
          OptString.new(['--api-token TOKEN', 'The WPVulnDB API Token to display vulnerability data'])
        ]
      end
      def before_scan
        return unless ParsedCli.api_token
        DB::VulnApi.token = ParsedCli.api_token
        api_status = DB::VulnApi.status
        raise Error::InvalidApiToken if api_status['error']
        raise Error::ApiLimitReached if api_status['requests_remaining'] == 0
        raise api_status['http_error'] if api_status['http_error']
      end
      def after_scan
        output('status', status: DB::VulnApi.status, api_requests: WPScan.api_requests)
      end
    end
  end
 end
--- a/app/finders/db_exports/known_locations.rb
+++ b/app/finders/db_exports/known_locations.rb
@@ -20,9 +20,9 @@ module WPScan
          enumerate(potential_urls(opts), opts.merge(check_full_response: 200)) do |res|
            if res.effective_url.end_with?('.zip')
-              next unless res.headers['Content-Type'] =~ %r{\Aapplication/zip}i
+              next unless %r{\Aapplication/zip}i.match?(res.headers['Content-Type'])
            else
-              next unless res.body =~ SQL_PATTERN
+              next unless SQL_PATTERN.match?(res.body)
            end
            found << Model::DbExport.new(res.request.url, found_by: DIRECT_ACCESS, confidence: 100)
--- a/app/finders/interesting_findings/duplicator_installer_log.rb
+++ b/app/finders/interesting_findings/duplicator_installer_log.rb
@@ -9,7 +9,7 @@ module WPScan
        def aggressive(_opts = {})
          path = 'installer-log.txt'
-          return unless target.head_and_get(path).body =~ /DUPLICATOR INSTALL-LOG/
+          return unless /DUPLICATOR INSTALL-LOG/.match?(target.head_and_get(path).body)
          Model::DuplicatorInstallerLog.new(
            target.url(path),
--- a/app/finders/interesting_findings/mu_plugins.rb
+++ b/app/finders/interesting_findings/mu_plugins.rb
@@ -10,7 +10,7 @@ module WPScan
          pattern = %r{#{target.content_dir}/mu\-plugins/}i
          target.in_scope_uris(target.homepage_res) do |uri|
-            next unless uri.path =~ pattern
+            next unless uri.path&.match?(pattern)
            url = target.url('wp-content/mu-plugins/')
--- a/app/finders/interesting_findings/upload_sql_dump.rb
+++ b/app/finders/interesting_findings/upload_sql_dump.rb
@@ -12,7 +12,7 @@ module WPScan
          path = 'wp-content/uploads/dump.sql'
          res  = target.head_and_get(path, [200], get: { headers: { 'Range' => 'bytes=0-3000' } })
-          return unless res.body =~ SQL_PATTERN
+          return unless SQL_PATTERN.match?(res.body)
          Model::UploadSQLDump.new(
            target.url(path),
--- a/app/finders/passwords/wp_login.rb
+++ b/app/finders/passwords/wp_login.rb
@@ -13,7 +13,7 @@ module WPScan
        def valid_credentials?(response)
          response.code == 302 &&
-            response.headers['Set-Cookie']&.any? { |cookie| cookie =~ /wordpress_logged_in_/i }
+            [*response.headers['Set-Cookie']]&.any? { |cookie| cookie =~ /wordpress_logged_in_/i }
        end
        def errored_response?(response)
--- a/app/finders/passwords/xml_rpc.rb
+++ b/app/finders/passwords/xml_rpc.rb
@@ -8,7 +8,7 @@ module WPScan
        include CMSScanner::Finders::Finder::BreadthFirstDictionaryAttack
        def login_request(username, password)
-          target.method_call('wp.getUsersBlogs', [username, password])
+          target.method_call('wp.getUsersBlogs', [username, password], cache_ttl: 0)
        end
        def valid_credentials?(response)
--- a/app/finders/passwords/xml_rpc_multicall.rb
+++ b/app/finders/passwords/xml_rpc_multicall.rb
@@ -19,7 +19,7 @@ module WPScan
            end
          end
-          target.multi_call(methods).run
+          target.multi_call(methods, cache_ttl: 0).run
        end
        # @param [ Array<Model::User> ] users
--- a/app/finders/plugin_version.rb
+++ b/app/finders/plugin_version.rb
@@ -13,25 +13,15 @@ module WPScan
        def initialize(plugin)
          finders << PluginVersion::Readme.new(plugin)
-          load_specific_finders(plugin)
+          create_and_load_dynamic_versions_finders(plugin)
        end
-        # Load the finders associated with the plugin
+        # Create the dynamic version finders related to the plugin and register them
        #
        # @param [ Model::Plugin ] plugin
-        def load_specific_finders(plugin)
+        def create_and_load_dynamic_versions_finders(plugin)
-          module_name = plugin.classify
+          DB::DynamicFinders::Plugin.create_versions_finders(plugin.slug).each do |finder|
-
+            finders << finder.new(plugin)
          return unless Finders::PluginVersion.constants.include?(module_name)
          mod = Finders::PluginVersion.const_get(module_name)
          mod.constants.each do |constant|
            c = mod.const_get(constant)
            next unless c.is_a?(Class)
            finders << c.new(plugin)
          end
        end
      end
--- a/app/finders/plugin_version/readme.rb
+++ b/app/finders/plugin_version/readme.rb
@@ -11,7 +11,7 @@ module WPScan
          # The target(plugin)#readme_url can't be used directly here
          # as if the --detection-mode is passive, it will always return nil
-          Model::WpItem::READMES.each do |file|
+          target.potential_readme_filenames.each do |file|
            res = target.head_and_get(file)
            next unless res.code == 200 && !(numbers = version_numbers(res.body)).empty?
@@ -52,7 +52,7 @@ module WPScan
          number = Regexp.last_match[1]
-          number if number =~ /[0-9]+/
+          number if /[0-9]+/.match?(number)
        end
        # @param [ String ] body
--- a/app/finders/plugins/body_pattern.rb
+++ b/app/finders/plugins/body_pattern.rb
@@ -15,7 +15,7 @@ module WPScan
        #
        # @return [ Plugin ] The detected plugin in the response, related to the config
        def process_response(opts, response, slug, klass, config)
-          return unless response.body =~ config['pattern']
+          return unless response.body&.match?(config['pattern'])
          Model::Plugin.new(
            slug,
--- a/app/finders/plugins/comment.rb
+++ b/app/finders/plugins/comment.rb
@@ -18,7 +18,7 @@ module WPScan
          response.html.xpath(config['xpath'] || '//comment()').each do |node|
            comment = node.text.to_s.strip
-            next unless comment =~ config['pattern']
+            next unless comment&.match?(config['pattern'])
            return Model::Plugin.new(
              slug,
--- a/app/finders/plugins/known_locations.rb
+++ b/app/finders/plugins/known_locations.rb
@@ -21,6 +21,8 @@ module WPScan
          enumerate(target_urls(opts), opts.merge(check_full_response: true)) do |_res, slug|
            found << Model::Plugin.new(slug, target, opts.merge(found_by: found_by, confidence: 80))
            raise Error::PluginsThresholdReached if opts[:threshold].positive? && found.size >= opts[:threshold]
          end
          found
--- a/app/finders/theme_version.rb
+++ b/app/finders/theme_version.rb
@@ -16,25 +16,15 @@ module WPScan
            ThemeVersion::Style.new(theme) <<
            ThemeVersion::WooFrameworkMetaGenerator.new(theme)
-          load_specific_finders(theme)
+          create_and_load_dynamic_versions_finders(theme)
        end
-        # Load the finders associated with the theme
+        # Create the dynamic version finders related to the theme and register them
        #
        # @param [ Model::Theme ] theme
-        def load_specific_finders(theme)
+        def create_and_load_dynamic_versions_finders(theme)
-          module_name = theme.classify
+          DB::DynamicFinders::Theme.create_versions_finders(theme.slug).each do |finder|
-
+            finders << finder.new(theme)
          return unless Finders::ThemeVersion.constants.include?(module_name)
          mod = Finders::ThemeVersion.const_get(module_name)
          mod.constants.each do |constant|
            c = mod.const_get(constant)
            next unless c.is_a?(Class)
            finders << c.new(theme)
          end
        end
      end
--- a/app/finders/themes/known_locations.rb
+++ b/app/finders/themes/known_locations.rb
@@ -21,6 +21,8 @@ module WPScan
          enumerate(target_urls(opts), opts.merge(check_full_response: true)) do |_res, slug|
            found << Model::Theme.new(slug, target, opts.merge(found_by: found_by, confidence: 80))
            raise Error::ThemesThresholdReached if opts[:threshold].positive? && found.size >= opts[:threshold]
          end
          found
--- a/app/finders/timthumbs/known_locations.rb
+++ b/app/finders/timthumbs/known_locations.rb
@@ -22,7 +22,7 @@ module WPScan
          found = []
          enumerate(target_urls(opts), opts.merge(check_full_response: 400)) do |res|
-            next unless res.body =~ /no image specified/i
+            next unless /no image specified/i.match?(res.body)
            found << Model::Timthumb.new(res.request.url, opts.merge(found_by: found_by, confidence: 100))
          end
--- a/app/finders/users/author_id_brute_forcing.rb
+++ b/app/finders/users/author_id_brute_forcing.rb
@@ -97,9 +97,12 @@ module WPScan
        # @return [ String, nil ]
        def display_name_from_body(body)
          page = Nokogiri::HTML.parse(body)
          # WP >= 3.0
          page.css('h1.page-title span').each do |node|
-            return node.text.to_s
+            text = node.text.to_s.strip
            return text unless text.empty?
          end
          # WP < 3.0
--- a/app/finders/users/login_error_messages.rb
+++ b/app/finders/users/login_error_messages.rb
@@ -24,7 +24,7 @@ module WPScan
            return found if error.empty? # Protection plugin / error disabled
-            next unless error =~ /The password you entered for the username|Incorrect Password/i
+            next unless /The password you entered for the username|Incorrect Password/i.match?(error)
            found << Model::User.new(username, found_by: found_by, confidence: 100)
          end
--- a/app/finders/users/oembed_api.rb
+++ b/app/finders/users/oembed_api.rb
@@ -34,6 +34,8 @@ module WPScan
        def user_details_from_oembed_data(oembed_data)
          return unless oembed_data
          oembed_data = oembed_data.first if oembed_data.is_a?(Array)
          if oembed_data['author_url'] =~ %r{/author/([^/]+)/?\z}
            details = [Regexp.last_match[1], 'Author URL', 90]
          elsif oembed_data['author_name'] && !oembed_data['author_name'].empty?
--- a/app/finders/wp_items/urls_in_homepage.rb
+++ b/app/finders/wp_items/urls_in_homepage.rb
@@ -15,7 +15,9 @@ module WPScan
          target.in_scope_uris(target.homepage_res) do |uri|
            next unless uri.to_s =~ item_attribute_pattern(type)
-            found << Regexp.last_match[1]
+            slug = Regexp.last_match[1]&.strip
            found << slug unless slug&.empty?
          end
          uniq ? found.uniq.sort : found.sort
@@ -28,7 +30,7 @@ module WPScan
        def items_from_codes(type, uniq = true)
          found = []
-          target.homepage_res.html.css('script,style').each do |tag|
+          target.homepage_res.html.xpath('//script[not(@src)]|//style[not(@src)]').each do |tag|
            code = tag.text.to_s
            next if code.empty?
@@ -42,7 +44,7 @@ module WPScan
        #
        # @return [ Regexp ]
        def item_attribute_pattern(type)
-          @item_attribute_pattern ||= %r{\A#{item_url_pattern(type)}([^/]+)/}i
+          @item_attribute_pattern ||= %r{#{item_url_pattern(type)}([^/]+)/}i
        end
        # @param [ String ] type
@@ -59,7 +61,7 @@ module WPScan
          item_dir = type == 'plugins' ? target.plugins_dir : target.content_dir
          item_url = type == 'plugins' ? target.plugins_url : target.content_url
-          url = /#{item_url.gsub(/\A(?:http|https)/i, 'https?').gsub('/', '\\\\\?\/')}/i
+          url = /#{item_url.gsub(/\A(?:https?)/i, 'https?').gsub('/', '\\\\\?\/')}/i
          item_dir = %r{(?:#{url}|\\?\/#{item_dir.gsub('/', '\\\\\?\/')}\\?/)}i
          type == 'plugins' ? item_dir : %r{#{item_dir}#{type}\\?\/}i
--- a/app/models/plugin.rb
+++ b/app/models/plugin.rb
@@ -15,9 +15,16 @@ module WPScan
        @uri = Addressable::URI.parse(blog.url(path_from_blog))
      end
-      # @return [ JSON ]
+      # Retrieve the metadata from the vuln API if available (and a valid token is given),
      # or the local metadata db otherwise
      # @return [ Hash ]
      def metadata
        @metadata ||= db_data.empty? ? DB::Plugin.metadata_at(slug) : db_data
      end
      # @return [ Hash ]
      def db_data
-        @db_data ||= DB::Plugin.db_data(slug)
+        @db_data ||= DB::VulnApi.plugin_data(slug)
      end
      # @param [ Hash ] opts
@@ -28,6 +35,11 @@ module WPScan
        @version
      end
      # @return [ Array<String> ]
      def potential_readme_filenames
        @potential_readme_filenames ||= [*(DB::DynamicFinders::Plugin.df_data.dig(slug, 'Readme', 'path') || super)]
      end
    end
  end
 end
--- a/app/models/theme.rb
+++ b/app/models/theme.rb
@@ -21,9 +21,16 @@ module WPScan
        parse_style
      end
      # Retrieve the metadata from the vuln API if available (and a valid token is given),
      # or the local metadata db otherwise
      # @return [ JSON ]
      def metadata
        @metadata ||= db_data.empty? ? DB::Theme.metadata_at(slug) : db_data
      end
      # @return [ Hash ]
      def db_data
-        @db_data ||= DB::Theme.db_data(slug)
+        @db_data ||= DB::VulnApi.theme_data(slug)
      end
      # @param [ Hash ] opts
@@ -94,7 +101,7 @@ module WPScan
      #
      # @return [ String ]
      def parse_style_tag(body, tag)
-        value = body[/^\s*#{Regexp.escape(tag)}:[\t ]*([^\r\n]+)/i, 1]
+        value = body[/#{Regexp.escape(tag)}:[\t ]*([^\r\n\*]+)/i, 1]
        value && !value.strip.empty? ? value.strip : nil
      end
--- a/app/models/wp_item.rb
+++ b/app/models/wp_item.rb
@@ -9,6 +9,7 @@ module WPScan
      include CMSScanner::Target::Platform::PHP
      include CMSScanner::Target::Server::Generic
      # Most common readme filenames, based on checking all public plugins and themes.
      READMES = %w[readme.txt README.txt README.md readme.md Readme.txt].freeze
      attr_reader :uri, :slug, :detection_opts, :version_detection_opts, :blog, :path_from_blog, :db_data
@@ -59,18 +60,18 @@ module WPScan
      # @return [ String ]
      def latest_version
-        @latest_version ||= db_data['latest_version'] ? Model::Version.new(db_data['latest_version']) : nil
+        @latest_version ||= metadata['latest_version'] ? Model::Version.new(metadata['latest_version']) : nil
      end
      # Not used anywhere ATM
      # @return [ Boolean ]
      def popular?
-        @popular ||= db_data['popular']
+        @popular ||= metadata['popular'] ? true : false
      end
      # @return [ String ]
      def last_updated
-        @last_updated ||= db_data['last_updated']
+        @last_updated ||= metadata['last_updated']
      end
      # @return [ Boolean ]
@@ -117,7 +118,7 @@ module WPScan
        return @readme_url unless @readme_url.nil?
-        READMES.each do |path|
+        potential_readme_filenames.each do |path|
          t_url = url(path)
          return @readme_url = t_url if Browser.forge_request(t_url, blog.head_or_get_params).run.code == 200
@@ -126,6 +127,10 @@ module WPScan
        @readme_url = false
      end
      def potential_readme_filenames
        @potential_readme_filenames ||= READMES
      end
      # @param [ String ] path
      # @param [ Hash ] params The request params
      #
--- a/app/models/wp_version.rb
+++ b/app/models/wp_version.rb
@@ -35,9 +35,16 @@ module WPScan
        @all_numbers.sort! { |a, b| Gem::Version.new(b) <=> Gem::Version.new(a) }
      end
-      # @return [ JSON ]
+      # Retrieve the metadata from the vuln API if available (and a valid token is given),
      # or the local metadata db otherwise
      # @return [ Hash ]
      def metadata
        @metadata ||= db_data.empty? ? DB::Version.metadata_at(number) : db_data
      end
      # @return [ Hash ]
      def db_data
-        @db_data ||= DB::Version.db_data(number)
+        @db_data ||= DB::VulnApi.wordpress_data(number)
      end
      # @return [ Array<Vulnerability> ]
@@ -55,12 +62,12 @@ module WPScan
      # @return [ String ]
      def release_date
-        @release_date ||= db_data['release_date'] || 'Unknown'
+        @release_date ||= metadata['release_date'] || 'Unknown'
      end
      # @return [ String ]
      def status
-        @status ||= db_data['status'] || 'Unknown'
+        @status ||= metadata['status'] || 'Unknown'
      end
    end
  end
--- a/app/views/cli/core/banner.erb
+++ b/app/views/cli/core/banner.erb
@@ -8,7 +8,7 @@ _______________________________________________________________
        WordPress Security Scanner by the WPScan Team
                       Version <%= WPScan::VERSION %>
-          Sponsored by Sucuri - https://sucuri.net
+<%= ' ' * ((63 - WPScan::DB::Sponsor.text.length)/2) + WPScan::DB::Sponsor.text %>
      @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
 _______________________________________________________________
--- a/app/views/cli/vuln_api/status.erb
+++ b/app/views/cli/vuln_api/status.erb
@@ -0,0 +1,13 @@
 <% unless @status.empty? -%>
 <% if @status['http_error'] -%>
 <%= critical_icon %> WPVulnDB API, <%= @status['http_error'].to_s %>
 <% else -%>
 <%= info_icon %> WPVulnDB API OK
 | Plan: <%= @status['plan'] %>
 | Requests Done (during the scan): <%= @api_requests %>
 | Requests Remaining: <%= @status['requests_remaining'] %>
 <% end -%>
 <% else -%>
 <%= warning_icon %> No WPVulnDB API Token given, as a result vulnerability data has not been output.
 <%= warning_icon %> You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up.
 <% end -%>
--- a/app/views/json/core/banner.erb
+++ b/app/views/json/core/banner.erb
@@ -7,5 +7,5 @@
    "@erwan_lr",
    "@_FireFart_"
  ],
-  "sponsored_by": "Sucuri - https://sucuri.net"
+  "sponsor": <%= WPScan::DB::Sponsor.text.to_json %>
 },
--- a/app/views/json/vuln_api/status.erb
+++ b/app/views/json/vuln_api/status.erb
@@ -0,0 +1,13 @@
 "vuln_api": {
 <% unless @status.empty? -%>
 <% if @status['http_error'] -%>
 "http_error": <%= @status['http_error'].to_s.to_json %>
 <% else -%>
 "plan": <%= @status['plan'].to_json %>,
 "requests_done_during_scan": <%= @api_requests.to_json %>,
 "requests_remaining": <%= @status['requests_remaining'].to_json %>
 <% end -%>
 <% else -%>
 "error": "No WPVulnDB API Token given, as a result vulnerability data has not been output.\nYou can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up."
 <% end -%>
 },
--- a/bin/wpscan
+++ b/bin/wpscan
@@ -5,6 +5,7 @@ require 'wpscan'
 WPScan::Scan.new do |s|
  s.controllers <<
    WPScan::Controller::VulnApi.new <<
    WPScan::Controller::CustomDirectories.new <<
    WPScan::Controller::InterestingFindings.new <<
    WPScan::Controller::WpVersion.new <<
--- a/bin/wpscan-memprof
+++ b/bin/wpscan-memprof
@@ -7,6 +7,7 @@ require 'wpscan'
 report = MemoryProfiler.report(top: 15) do
  WPScan::Scan.new do |s|
    s.controllers <<
      WPScan::Controller::VulnApi.new <<
      WPScan::Controller::CustomDirectories.new <<
      WPScan::Controller::InterestingFindings.new <<
      WPScan::Controller::WpVersion.new <<
--- a/bin/wpscan-stackprof
+++ b/bin/wpscan-stackprof
@@ -12,6 +12,7 @@ StackProf.run(mode: :cpu, out: '/tmp/stackprof-cpu.dump', interval: 500) do
  # require_relative 'wpscan' doesn't work
  WPScan::Scan.new do |s|
    s.controllers <<
      WPScan::Controller::VulnApi.new <<
      WPScan::Controller::CustomDirectories.new <<
      WPScan::Controller::InterestingFindings.new <<
      WPScan::Controller::WpVersion.new <<
--- a/lib/wpscan.rb
+++ b/lib/wpscan.rb
@@ -13,7 +13,8 @@ require 'uri'
 require 'time'
 require 'readline'
 require 'securerandom'
-
+# Monkey Patches/Fixes/Override
 require 'wpscan/typhoeus/response' # Adds a from_vuln_api? method
 # Custom Libs
 require 'wpscan/helper'
 require 'wpscan/db'
@@ -38,12 +39,28 @@ module WPScan
  APP_DIR = Pathname.new(__FILE__).dirname.join('..', 'app').expand_path
  DB_DIR  = Pathname.new(Dir.home).join('.wpscan', 'db')
  Typhoeus.on_complete do |response|
    next if response.cached? || !response.from_vuln_api?
    self.api_requests += 1
  end
  # Override, otherwise it would be returned as 'wp_scan'
  #
  # @return [ String ]
  def self.app_name
    'wpscan'
  end
  # @return [ Integer ]
  def self.api_requests
    @@api_requests ||= 0
  end
  # @param [ Integer ] value
  def self.api_requests=(value)
    @@api_requests = value
  end
 end
 require "#{WPScan::APP_DIR}/app"
--- a/lib/wpscan/browser.rb
+++ b/lib/wpscan/browser.rb
@@ -7,7 +7,7 @@ module WPScan
    # @return [ String ]
    def default_user_agent
-      "WPScan v#{VERSION} (https://wpscan.org/)"
+      @default_user_agent ||= "WPScan v#{VERSION} (https://wpscan.org/)"
    end
  end
 end
--- a/lib/wpscan/db.rb
+++ b/lib/wpscan/db.rb
@@ -7,9 +7,12 @@ require_relative 'db/plugins'
 require_relative 'db/themes'
 require_relative 'db/plugin'
 require_relative 'db/theme'
 require_relative 'db/sponsor'
 require_relative 'db/wp_version'
 require_relative 'db/fingerprints'
 require_relative 'db/vuln_api'
 require_relative 'db/dynamic_finders/base'
 require_relative 'db/dynamic_finders/plugin'
 require_relative 'db/dynamic_finders/theme'
--- a/lib/wpscan/db/dynamic_finders/base.rb
+++ b/lib/wpscan/db/dynamic_finders/base.rb
@@ -5,18 +5,19 @@ module WPScan
    module DynamicFinders
      class Base
        # @return [ String ]
-        def self.db_file
+        def self.df_file
-          @db_file ||= DB_DIR.join('dynamic_finders.yml').to_s
+          @df_file ||= DB_DIR.join('dynamic_finders.yml').to_s
        end
        # @return [ Hash ]
-        def self.db_data
+        def self.all_df_data
-          # true allows aliases to be loaded
+          @all_df_data ||= YAML.safe_load(File.read(df_file), [Regexp])
          @db_data ||= YAML.safe_load(File.read(db_file), [Regexp], [], true)
        end
        # @return [ Array<Symbol> ]
        def self.allowed_classes
          # The Readme is not put in there as it's not a Real DF, but rather using the DF system
          # to get the list of potential filenames for a given slug
          @allowed_classes ||= %i[Comment Xpath HeaderPattern BodyPattern JavascriptVar QueryParameter ConfigParser]
        end
--- a/lib/wpscan/db/dynamic_finders/plugin.rb
+++ b/lib/wpscan/db/dynamic_finders/plugin.rb
@@ -5,8 +5,8 @@ module WPScan
    module DynamicFinders
      class Plugin < Base
        # @return [ Hash ]
-        def self.db_data
+        def self.df_data
-          @db_data ||= super['plugins'] || {}
+          @df_data ||= all_df_data['plugins'] || {}
        end
        def self.version_finder_module
@@ -21,7 +21,7 @@ module WPScan
          return configs unless allowed_classes.include?(finder_class)
-          db_data.each do |slug, finders|
+          df_data.each do |slug, finders|
            # Quite sure better can be done with some kind of logic statement in the select
            fs = if aggressive
                   finders.reject { |_f, c| c['path'].nil? }
@@ -48,7 +48,7 @@ module WPScan
          @versions_finders_configs = {}
-          db_data.each do |slug, finders|
+          df_data.each do |slug, finders|
            finders.each do |finder_name, config|
              next unless config.key?('version')
@@ -73,23 +73,33 @@ module WPScan
          version_finder_module.const_get(constant_name)
        end
-        def self.create_versions_finders
+        # Create the dynamic finders related to the given slug, and return the created classes
-          versions_finders_configs.each do |slug, finders|
+        #
        # @param [ String ] slug
        #
        # @return [ Array<Class> ] The created classes
        def self.create_versions_finders(slug)
          created = []
          mod     = maybe_create_module(slug)
-            finders.each do |finder_class, config|
+          versions_finders_configs[slug]&.each do |finder_class, config|
            klass = config['class'] || finder_class
            # Instead of raising exceptions, skip unallowed/already defined finders
            # So that, when new DF configs are put in the .yml
            # users with old version of WPScan will still be able to scan blogs
            # when updating the DB but not the tool
              next if mod.constants.include?(finder_class.to_sym) ||
                      !allowed_classes.include?(klass.to_sym)
            next unless allowed_classes.include?(klass.to_sym)
            created << if mod.constants.include?(finder_class.to_sym)
                         mod.const_get(finder_class.to_sym)
                       else
                         version_finder_super_class(klass).create_child_class(mod, finder_class.to_sym, config)
                       end
          end
          created
        end
        # The idea here would be to check if the class exist in
--- a/lib/wpscan/db/dynamic_finders/theme.rb
+++ b/lib/wpscan/db/dynamic_finders/theme.rb
@@ -5,8 +5,8 @@ module WPScan
    module DynamicFinders
      class Theme < Plugin
        # @return [ Hash ]
-        def self.db_data
+        def self.df_data
-          @db_data ||= super['themes'] || {}
+          @df_data ||= all_df_data['themes'] || {}
        end
        def self.version_finder_module
--- a/lib/wpscan/db/dynamic_finders/wordpress.rb
+++ b/lib/wpscan/db/dynamic_finders/wordpress.rb
@@ -5,8 +5,8 @@ module WPScan
    module DynamicFinders
      class Wordpress < Base
        # @return [ Hash ]
-        def self.db_data
+        def self.df_data
-          @db_data ||= super['wordpress'] || {}
+          @df_data ||= all_df_data['wordpress'] || {}
        end
        # @return [ Constant ]
@@ -30,9 +30,9 @@ module WPScan
          return configs unless allowed_classes.include?(finder_class)
          finders = if aggressive
-                      db_data.reject { |_f, c| c['path'].nil? }
+                      df_data.reject { |_f, c| c['path'].nil? }
                    else
-                      db_data.select { |_f, c| c['path'].nil? }
+                      df_data.select { |_f, c| c['path'].nil? }
                    end
          finders.each do |finder_name, config|
@@ -48,7 +48,7 @@ module WPScan
        # @return [ Hash ]
        def self.versions_finders_configs
-          @versions_finders_configs ||= db_data.select { |_finder_name, config| config.key?('version') }
+          @versions_finders_configs ||= df_data.select { |_finder_name, config| config.key?('version') }
        end
        def self.create_versions_finders
--- a/lib/wpscan/db/plugin.rb
+++ b/lib/wpscan/db/plugin.rb
@@ -4,9 +4,9 @@ module WPScan
  module DB
    # Plugin DB
    class Plugin < WpItem
-      # @return [ String ]
+      # @return [ Hash ]
-      def self.db_file
+      def self.metadata
-        @db_file ||= DB_DIR.join('plugins.json').to_s
+        @metadata ||= super['plugins'] || {}
      end
    end
  end
--- a/lib/wpscan/db/plugins.rb
+++ b/lib/wpscan/db/plugins.rb
@@ -5,8 +5,8 @@ module WPScan
    # WP Plugins
    class Plugins < WpItems
      # @return [ JSON ]
-      def self.db
+      def self.metadata
-        Plugin.db
+        Plugin.metadata
      end
    end
  end
--- a/lib/wpscan/db/sponsor.rb
+++ b/lib/wpscan/db/sponsor.rb
@@ -0,0 +1,16 @@
 # frozen_string_literal: true
 module WPScan
  module DB
    class Sponsor
      # @return [ Hash ]
      def self.text
        @text ||= file_path.exist? ? File.read(file_path).chomp : ''
      end
      def self.file_path
        @file_path ||= DB_DIR.join('sponsor.txt')
      end
    end
  end
 end
--- a/lib/wpscan/db/theme.rb
+++ b/lib/wpscan/db/theme.rb
@@ -4,9 +4,9 @@ module WPScan
  module DB
    # Theme DB
    class Theme < WpItem
-      # @return [ String ]
+      # @return [ Hash ]
-      def self.db_file
+      def self.metadata
-        @db_file ||= DB_DIR.join('themes.json').to_s
+        @metadata ||= super['themes'] || {}
      end
    end
  end
--- a/lib/wpscan/db/themes.rb
+++ b/lib/wpscan/db/themes.rb
@@ -5,8 +5,8 @@ module WPScan
    # WP Themes
    class Themes < WpItems
      # @return [ JSON ]
-      def self.db
+      def self.metadata
-        Theme.db
+        Theme.metadata
      end
    end
  end
--- a/lib/wpscan/db/updater.rb
+++ b/lib/wpscan/db/updater.rb
@@ -7,12 +7,15 @@ module WPScan
    class Updater
      # /!\ Might want to also update the Enumeration#cli_options when some filenames are changed here
      FILES = %w[
-        plugins.json themes.json wordpresses.json
+        metadata.json wp_fingerprints.json
        timthumbs-v3.txt config_backups.txt db_exports.txt
-        dynamic_finders.yml wp_fingerprints.json LICENSE
+        dynamic_finders.yml LICENSE sponsor.txt
      ].freeze
-      OLD_FILES = %w[wordpress.db user-agents.txt dynamic_finders_01.yml].freeze
+      OLD_FILES = %w[
        wordpress.db user-agents.txt dynamic_finders_01.yml
        wordpresses.json plugins.json themes.json
      ].freeze
      attr_reader :repo_directory
@@ -64,11 +67,12 @@ module WPScan
      # @return [ Hash ] The params for Typhoeus::Request
      # @note Those params can't be overriden by CLI options
      def request_params
-        {
+        @request_params ||= {
          timeout: 600,
          connecttimeout: 300,
          accept_encoding: 'gzip, deflate',
-          cache_ttl: 0
+          cache_ttl: 0,
          headers: { 'User-Agent' => Browser.instance.default_user_agent, 'Referer' => nil }
        }
      end
--- a/lib/wpscan/db/vuln_api.rb
+++ b/lib/wpscan/db/vuln_api.rb
@@ -0,0 +1,79 @@
 # frozen_string_literal: true
 module WPScan
  module DB
    # WPVulnDB API
    class VulnApi
      NON_ERROR_CODES = [200, 401].freeze
      class << self
        attr_accessor :token
      end
      # @return [ Addressable::URI ]
      def self.uri
        @uri ||= Addressable::URI.parse('https://wpvulndb.com/api/v3/')
      end
      # @param [ String ] path
      # @param [ Hash ] params
      #
      # @return [ Hash ]
      def self.get(path, params = {})
        return {} unless token
        res = Browser.get(uri.join(path), params.merge(request_params))
        return {} if res.code == 404 # This is for API inconsistencies when dots in path
        return JSON.parse(res.body) if NON_ERROR_CODES.include?(res.code)
        raise Error::HTTP, res
      rescue Error::HTTP => e
        retries ||= 0
        if (retries += 1) <= 3
          sleep(1)
          retry
        end
        { 'http_error' => e }
      end
      # @return [ Hash ]
      def self.plugin_data(slug)
        get("plugins/#{slug}")&.dig(slug) || {}
      end
      # @return [ Hash ]
      def self.theme_data(slug)
        get("themes/#{slug}")&.dig(slug) || {}
      end
      # @return [ Hash ]
      def self.wordpress_data(version_number)
        get("wordpresses/#{version_number.tr('.', '')}")&.dig(version_number) || {}
      end
      # @return [ Hash ]
      def self.status
        json = get('status', params: { version: WPScan::VERSION }, cache_ttl: 0)
        json['requests_remaining'] = 'Unlimited' if json['requests_remaining'] == -1
        json
      end
      # @return [ Hash ]
      def self.request_params
        {
          headers: {
            'Host' => uri.host, # Reset in case user provided a --vhost for the target
            'Referer' => nil, # Removes referer set by the cmsscanner to the target url
            'User-Agent' => Browser.instance.default_user_agent,
            'Authorization' => "Token token=#{token}"
          }
        }
      end
    end
  end
 end
--- a/lib/wpscan/db/wp_item.rb
+++ b/lib/wpscan/db/wp_item.rb
@@ -6,14 +6,19 @@ module WPScan
    class WpItem
      # @param [ String ] identifier The plugin/theme slug or version number
      #
-      # @return [ Hash ] The JSON data from the DB associated to the identifier
+      # @return [ Hash ] The JSON data from the metadata associated to the identifier
-      def self.db_data(identifier)
+      def self.metadata_at(identifier)
-        db[identifier] || {}
+        metadata[identifier] || {}
      end
      # @return [ JSON ]
-      def self.db
+      def self.metadata
-        @db ||= read_json_file(db_file)
+        @metadata ||= read_json_file(metadata_file)
      end
      # @return [ String ]
      def self.metadata_file
        @metadata_file ||= DB_DIR.join('metadata.json').to_s
      end
    end
  end
--- a/lib/wpscan/db/wp_items.rb
+++ b/lib/wpscan/db/wp_items.rb
@@ -6,17 +6,17 @@ module WPScan
    class WpItems
      # @return [ Array<String> ] The slug of all items
      def self.all_slugs
-        db.keys
+        metadata.keys
      end
      # @return [ Array<String> ] The slug of all popular items
      def self.popular_slugs
-        db.select { |_key, item| item['popular'] == true }.keys
+        metadata.select { |_key, item| item['popular'] == true }.keys
      end
      # @return [ Array<String> ] The slug of all vulnerable items
      def self.vulnerable_slugs
-        db.reject { |_key, item| item['vulnerabilities'].empty? }.keys
+        metadata.select { |_key, item| item['vulnerabilities'] == true }.keys
      end
    end
  end
--- a/lib/wpscan/db/wp_version.rb
+++ b/lib/wpscan/db/wp_version.rb
@@ -4,9 +4,9 @@ module WPScan
  module DB
    # WP Version
    class Version < WpItem
-      # @return [ String ]
+      # @return [ Hash ]
-      def self.db_file
+      def self.metadata
-        @db_file ||= DB_DIR.join('wordpresses.json').to_s
+        @metadata ||= super['wordpress'] || {}
      end
    end
  end
--- a/lib/wpscan/errors.rb
+++ b/lib/wpscan/errors.rb
@@ -9,7 +9,9 @@ module WPScan
  end
 end
 require_relative 'errors/enumeration'
 require_relative 'errors/http'
 require_relative 'errors/update'
 require_relative 'errors/vuln_api'
 require_relative 'errors/wordpress'
 require_relative 'errors/xmlrpc'
--- a/lib/wpscan/errors/enumeration.rb
+++ b/lib/wpscan/errors/enumeration.rb
@@ -0,0 +1,21 @@
 # frozen_string_literal: true
 module WPScan
  module Error
    class PluginsThresholdReached < Standard
      def to_s
        "The number of plugins detected reached the threshold of #{ParsedCli.plugins_threshold} " \
        'which might indicate False Positive. It would be recommended to use the --exclude-content-based ' \
        'option to ignore the bad responses.'
      end
    end
    class ThemesThresholdReached < Standard
      def to_s
        "The number of themes detected reached the threshold of #{ParsedCli.themes_threshold} " \
        'which might indicate False Positive. It would be recommended to use the --exclude-content-based ' \
        'option to ignore the bad responses.'
      end
    end
  end
 end
--- a/lib/wpscan/errors/vuln_api.rb
+++ b/lib/wpscan/errors/vuln_api.rb
@@ -0,0 +1,20 @@
 # frozen_string_literal: true
 module WPScan
  module Error
    # Error raised when the token given via --api-token is invalid
    class InvalidApiToken < Standard
      def to_s
        'The API token provided is invalid'
      end
    end
    # Error raised when the number of API requests has been reached
    # currently not implemented on the API side
    class ApiLimitReached < Standard
      def to_s
        'Your API limit has been reached'
      end
    end
  end
 end
--- a/lib/wpscan/finders/dynamic_finder/version/body_pattern.rb
+++ b/lib/wpscan/finders/dynamic_finder/version/body_pattern.rb
@@ -4,7 +4,7 @@ module WPScan
  module Finders
    module DynamicFinder
      module Version
-        # Version finder using Body Pattern method. Tipically used when the response is not
+        # Version finder using Body Pattern method. Typically used when the response is not
        # an HTML doc and Xpath can't be used
        class BodyPattern < Finders::DynamicFinder::Version::Finder
          # @return [ Hash ]
@@ -16,7 +16,7 @@ module WPScan
          # @param [ Hash ] opts
          # @return [ Version ]
          def find(response, _opts = {})
-            return unless response.body =~ self.class::PATTERN
+            return unless response.code != 404 && response.body =~ self.class::PATTERN
            create_version(
              Regexp.last_match[:v],
--- a/lib/wpscan/helper.rb
+++ b/lib/wpscan/helper.rb
@@ -6,13 +6,15 @@ rescue StandardError => e
  raise "JSON parsing error in #{file} #{e}"
 end
-# @return [ Symbol ]
+# Sanitize and classify a slug
 # @note As a class can not start with a digit or underscore, a D_ is
 #       put as a prefix in such case. Ugly but well :x
 #       Not only used to classify slugs though, but Dynamic Finder names as well
 #
 # @return [ Symbol ]
 def classify_slug(slug)
-  classified = slug.to_s.tr('-', '_').camelize.to_s
+  classified = slug.to_s.gsub(/[^a-z\d\-]/i, '-').gsub(/\-{1,}/, '_').camelize.to_s
-  classified = "D_#{classified}" if classified[0] =~ /\d/
+  classified = "D_#{classified}" if /\d/.match?(classified[0])
  classified.to_sym
 end
--- a/lib/wpscan/target/platform/wordpress.rb
+++ b/lib/wpscan/target/platform/wordpress.rb
@@ -12,6 +12,8 @@ module WPScan
        include CMSScanner::Target::Platform::PHP
        WORDPRESS_PATTERN      = %r{/(?:(?:wp-content/(?:themes|(?:mu\-)?plugins|uploads))|wp-includes)/}i.freeze
        WP_JSON_OEMBED_PATTERN = %r{/wp\-json/oembed/}i.freeze
        WP_ADMIN_AJAX_PATTERN  = %r{\\?/wp\-admin\\?/admin\-ajax\.php}i.freeze
        # These methods are used in the associated interesting_findings finders
        # to keep the boolean state of the finding rather than re-check the whole thing again
@@ -23,27 +25,33 @@ module WPScan
        # @param [ Symbol ] detection_mode
        #
        # @return [ Boolean ]
        # rubocop:disable Metrics/AbcSize, Metrics/PerceivedComplexity
        def wordpress?(detection_mode)
          in_scope_uris(homepage_res) do |uri|
-            return true if uri.path.match(WORDPRESS_PATTERN)
+            return true if WORDPRESS_PATTERN.match?(uri.path) || WP_JSON_OEMBED_PATTERN.match?(uri.path)
          end
-          homepage_res.html.css('meta[name="generator"]').each do |node|
+          return true if homepage_res.html.css('meta[name="generator"]').any? do |node|
-            return true if node['content'] =~ /wordpress/i
+            /wordpress/i.match?(node['content'])
          end
          return true unless comments_from_page(/wordpress/i, homepage_res).empty?
          return true if homepage_res.html.xpath('//script[not(@src)]').any? do |node|
            WP_ADMIN_AJAX_PATTERN.match?(node.text)
          end
          if %i[mixed aggressive].include?(detection_mode)
            %w[wp-admin/install.php wp-login.php].each do |path|
-              in_scope_uris(Browser.get_and_follow_location(url(path))).each do |uri|
+              return true if in_scope_uris(Browser.get_and_follow_location(url(path))).any? do |uri|
-                return true if uri.path.match(WORDPRESS_PATTERN)
+                WORDPRESS_PATTERN.match?(uri.path)
              end
            end
          end
          false
        end
        # rubocop:enable Metrics/AbcSize, Metrics/PerceivedComplexity
        COOKIE_PATTERNS = {
          'vjs' => /createCookie\('vjs','(?<c_value>\d+)',\d+\);/i
@@ -82,7 +90,7 @@ module WPScan
        def wordpress_hosted?
          return true if /\.wordpress\.com$/i.match?(uri.host)
-          unless content_dir(:passive)
+          unless content_dir
            pattern = %r{https?://s\d\.wp\.com#{WORDPRESS_PATTERN}}i.freeze
            uris_from_page(homepage_res) do |uri|
@@ -109,6 +117,7 @@ module WPScan
          Browser.instance.forge_request(
            login_url,
            method: :post,
            cache_ttl: 0,
            body: { log: username, pwd: password }
          )
        end
--- a/lib/wpscan/target/platform/wordpress/custom_directories.rb
+++ b/lib/wpscan/target/platform/wordpress/custom_directories.rb
@@ -13,12 +13,11 @@ module WPScan
          @plugins_dir = dir.chomp('/')
        end
        # @param [ Symbol ] detection_mode
        # @return [ String ] The wp-content directory
-        def content_dir(detection_mode = :mixed)
+        def content_dir
          unless @content_dir
            # scope_url_pattern is from CMSScanner::Target
-            pattern = %r{#{scope_url_pattern}([\w\s\-/]+)\\?/(?:themes|plugins|uploads|cache)\\?/}i
+            pattern = %r{#{scope_url_pattern}([\w\s\-/]+?)\\?/(?:themes|plugins|uploads|cache)\\?/}i
            in_scope_uris(homepage_res) do |uri|
              return @content_dir = Regexp.last_match[1] if uri.to_s.match(pattern)
@@ -29,10 +28,8 @@ module WPScan
              return @content_dir = match[1]
            end
            unless detection_mode == :passive
            return @content_dir = 'wp-content' if default_content_dir_exists?
          end
          end
          @content_dir
        end
@@ -99,9 +96,11 @@ module WPScan
        # @return [ String, False ] String of the sub_dir found, false otherwise
        # @note: nil can not be returned here, otherwise if there is no sub_dir
-        #        the check would be done each time
+        #        the check would be done each time, which would make enumeration of
        #        long list of items very slow to generate
        def sub_dir
-          unless @sub_dir
+          return @sub_dir unless @sub_dir.nil?
          # url_pattern is from CMSScanner::Target
          pattern = %r{#{url_pattern}(.+?)/(?:xmlrpc\.php|wp\-includes/)}i
@@ -112,9 +111,6 @@ module WPScan
          @sub_dir = false
        end
          @sub_dir
        end
        # Override of the WebSite#url to consider the custom WP directories
        #
        # @param [ String ] path Optional path to merge with the uri
--- a/lib/wpscan/typhoeus/response.rb
+++ b/lib/wpscan/typhoeus/response.rb
@@ -0,0 +1,13 @@
 # frozen_string_literal: true
 module Typhoeus
  # Custom Response class
  class Response
    # @note: Ignores requests done to the /status endpoint of the API
    #
    # @return [ Boolean ]
    def from_vuln_api?
      effective_url.start_with?(WPScan::DB::VulnApi.uri.to_s) && !effective_url.include?('/status')
    end
  end
 end
--- a/lib/wpscan/version.rb
+++ b/lib/wpscan/version.rb
@@ -2,5 +2,5 @@
 # Version
 module WPScan
-  VERSION = '3.5.5'
+  VERSION = '3.7.3'
 end
--- a/spec/app/controllers/core_spec.rb
+++ b/spec/app/controllers/core_spec.rb
@@ -166,6 +166,7 @@ describe WPScan::Controller::Core do
        before do
          expect(core).to receive(:load_server_module)
          expect(core.target).to receive(:wordpress?).with(:mixed).and_return(true)
          expect(core.target).to receive(:wordpress_hosted?).and_return(false)
        end
        it 'calls the formatter when started and finished to update the db' do
@@ -174,6 +175,19 @@ describe WPScan::Controller::Core do
      end
    end
    context 'when hosted on wordpress.com' do
      let(:target_url) { 'http://ex.wordpress.com' }
      before { expect(core).to receive(:load_server_module) }
      it 'raises an error' do
        expect { core.before_scan }.to raise_error(WPScan::Error::WordPressHosted)
      end
    end
    context 'when not hosted on wordpress.com' do
      before { allow(core.target).to receive(:wordpress_hosted?).and_return(false) }
      context 'when a redirect occurs' do
        before do
          stub_request(:any, target_url)
@@ -224,16 +238,6 @@ describe WPScan::Controller::Core do
        end
      end
    context 'when hosted on wordpress.com' do
      let(:target_url) { 'http://ex.wordpress.com' }
      before { expect(core).to receive(:load_server_module) }
      it 'raises an error' do
        expect { core.before_scan }.to raise_error(WPScan::Error::WordPressHosted)
      end
    end
      context 'when wordpress' do
        before do
          expect(core).to receive(:load_server_module)
@@ -282,4 +286,5 @@ describe WPScan::Controller::Core do
        end
      end
    end
  end
 end
--- a/spec/app/controllers/custom_directories_spec.rb
+++ b/spec/app/controllers/custom_directories_spec.rb
@@ -20,7 +20,7 @@ describe WPScan::Controller::CustomDirectories do
  describe '#before_scan' do
    context 'when the content_dir is not found and not supplied' do
-      before { expect(controller.target).to receive(:content_dir).with(:mixed) }
+      before { expect(controller.target).to receive(:content_dir).and_return(nil) }
      it 'raises an exception' do
        expect { controller.before_scan }.to raise_error(WPScan::Error::WpContentDirNotDetected)
--- a/spec/app/controllers/enumeration_spec.rb
+++ b/spec/app/controllers/enumeration_spec.rb
@@ -70,8 +70,8 @@ describe WPScan::Controller::Enumeration do
    it 'contains the correct options' do
      expect(controller.cli_options.map(&:to_sym)).to eql(
        %i[enumerate exclude_content_based
-           plugins_list plugins_detection plugins_version_all plugins_version_detection
+           plugins_list plugins_detection plugins_version_all plugins_version_detection plugins_threshold
-           themes_list themes_detection themes_version_all themes_version_detection
+           themes_list themes_detection themes_version_all themes_version_detection themes_threshold
           timthumbs_list timthumbs_detection
           config_backups_list config_backups_detection
           db_exports_list db_exports_detection
@@ -102,15 +102,6 @@ describe WPScan::Controller::Enumeration do
    end
  end
  describe '#before_scan' do
    it 'creates the Dynamic Finders' do
      expect(WPScan::DB::DynamicFinders::Plugin).to receive(:create_versions_finders)
      expect(WPScan::DB::DynamicFinders::Theme).to receive(:create_versions_finders)
      controller.before_scan
    end
  end
  describe '#run' do
    context 'when no :enumerate' do
      before do
--- a/spec/app/controllers/vuln_api_spec.rb
+++ b/spec/app/controllers/vuln_api_spec.rb
@@ -0,0 +1,93 @@
 # frozen_string_literal: true
 describe WPScan::Controller::VulnApi do
  subject(:controller) { described_class.new }
  let(:target_url)     { 'http://ex.lo/' }
  let(:cli_args)       { "--url #{target_url}" }
  before do
    WPScan::ParsedCli.options = rspec_parsed_options(cli_args)
  end
  describe '#cli_options' do
    its(:cli_options) { should_not be_empty }
    its(:cli_options) { should be_a Array }
    it 'contains to correct options' do
      expect(controller.cli_options.map(&:to_sym)).to eq %i[api_token]
    end
  end
  describe '#before_scan' do
    context 'when no --api-token provided' do
      its(:before_scan) { should be nil }
    end
    context 'when --api-token given' do
      let(:cli_args) { "#{super()} --api-token token" }
      context 'when the token is invalid' do
        before { expect(WPScan::DB::VulnApi).to receive(:status).and_return('error' => 'HTTP Token: Access denied.') }
        it 'raise an InvalidApiToken error' do
          expect { controller.before_scan }.to raise_error(WPScan::Error::InvalidApiToken)
        end
      end
      context 'when the token is valid' do
        context 'when the limit has been reached' do
          before do
            expect(WPScan::DB::VulnApi)
              .to receive(:status)
              .and_return('success' => true, 'plan' => 'free', 'requests_remaining' => 0)
          end
          it 'raises an ApiLimitReached error' do
            expect { controller.before_scan }.to raise_error(WPScan::Error::ApiLimitReached)
          end
        end
        context 'when a HTTP error, like a timeout' do
          before do
            expect(WPScan::DB::VulnApi)
              .to receive(:status)
              .and_return(
                'http_error' => WPScan::Error::HTTP.new(
                  Typhoeus::Response.new(effective_url: 'mock-url', return_code: 28)
                )
              )
          end
          it 'raises an HTTP error' do
            expect { controller.before_scan }
              .to raise_error(WPScan::Error::HTTP, 'HTTP Error: mock-url (Timeout was reached)')
          end
        end
        context 'when the token is valid and no HTTP error' do
          before do
            expect(WPScan::DB::VulnApi)
              .to receive(:status)
              .and_return('success' => true, 'plan' => 'free', 'requests_remaining' => requests)
          end
          context 'when limited requests' do
            let(:requests) { 100 }
            it 'does not raise an error' do
              expect { controller.before_scan }.to_not raise_error
            end
            context 'when unlimited requests' do
              let(:requests) { 'Unlimited' }
              it 'does not raise an error' do
                expect { controller.before_scan }.to_not raise_error
              end
            end
          end
        end
      end
    end
  end
 end
--- a/spec/app/finders/passwords/wp_login_spec.rb
+++ b/spec/app/finders/passwords/wp_login_spec.rb
@@ -0,0 +1,61 @@
 # frozen_string_literal: true
 describe WPScan::Finders::Passwords::WpLogin do
  subject(:finder) { described_class.new(target) }
  let(:target)     { WPScan::Target.new(url) }
  let(:url)        { 'http://ex.lo/' }
  describe '#valid_credentials?' do
    context 'when a non 302' do
      it 'returns false' do
        expect(finder.valid_credentials?(Typhoeus::Response.new(code: 200, headers: {}))).to be_falsey
      end
    end
    context 'when a 302' do
      let(:response) { Typhoeus::Response.new(code: 302, headers: headers) }
      context 'when no cookies set' do
        let(:headers) { {} }
        it 'returns false' do
          expect(finder.valid_credentials?(response)).to be_falsey
        end
      end
      context 'when no logged_in cookie set' do
        context 'when only one cookie set' do
          let(:headers) { 'Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/' }
          it 'returns false' do
            expect(finder.valid_credentials?(response)).to be_falsey
          end
        end
        context 'when multiple cookies set' do
          let(:headers) do
            "Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/\r\n" \
            'Set-Cookie: something=value; path=/'
          end
          it 'returns false' do
            expect(finder.valid_credentials?(response)).to be_falsey
          end
        end
      end
      context 'when logged_in cookie set' do
        let(:headers) do
          "Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/\r\r" \
          "Set-Cookie: wordpress_xxx=yyy; path=/wp-content/plugins; httponly\r\n" \
          "Set-Cookie: wordpress_xxx=yyy; path=/wp-admin; httponly\r\n" \
          'Set-Cookie: wordpress_logged_in_xxx=yyy; path=/; httponly'
        end
        it 'returns false' do
          expect(finder.valid_credentials?(response)).to eql true
        end
      end
    end
  end
 end
--- a/spec/app/finders/plugin_version_spec.rb
+++ b/spec/app/finders/plugin_version_spec.rb
@@ -1,8 +1,5 @@
 # frozen_string_literal: true
 # If this file is tested alone (rspec path-to-this-file), then there will be an error about
 # constants not being intilialized. This is due to the Dynamic Finders.
 describe WPScan::Finders::PluginVersion::Base do
  subject(:plugin_version) { described_class.new(plugin) }
  let(:plugin)             { WPScan::Model::Plugin.new(slug, target) }
@@ -15,7 +12,7 @@ describe WPScan::Finders::PluginVersion::Base do
      expect(plugin_version.finders.map { |f| f.class.to_s.demodulize }).to match_array @expected
    end
-    context 'when no related specific finders' do
+    context 'when no related dynamic finders' do
      let(:slug) { 'spec' }
      it 'contains the default finders' do
@@ -25,19 +22,13 @@ describe WPScan::Finders::PluginVersion::Base do
    # Dynamic Version Finders are not tested here, they are in
    # spec/lib/finders/dynamic_finder/plugin_versions_spec
-    context 'when specific finders' do
+    context 'when dynamic finders' do
      let(:specific) do
        {
          # None so far
        }
      end
      WPScan::DB::DynamicFinders::Plugin.versions_finders_configs.each do |plugin_slug, configs|
        context "when #{plugin_slug} plugin" do
          let(:slug) { plugin_slug }
-          it 'contains the expected finders (default + specific + the dynamic ones)' do
+          it 'contains the expected finders (default + the dynamic ones)' do
-            @expected = default_finders + [*specific[plugin_slug]] + configs.keys
+            @expected = default_finders + configs.keys
          end
        end
      end
--- a/spec/app/finders/plugins/urls_in_homepage_spec.rb
+++ b/spec/app/finders/plugins/urls_in_homepage_spec.rb
@@ -3,14 +3,16 @@
 describe WPScan::Finders::Plugins::UrlsInHomepage do
  subject(:finder) { described_class.new(target) }
  let(:target)     { WPScan::Target.new(url) }
-  let(:url)        { 'http://wp.lab/' }
+  let(:url)        { 'https://wp.lab/' }
  let(:fixtures)   { FINDERS_FIXTURES.join('plugins', 'urls_in_homepage') }
  before { target.scope << 'sub.lab' }
  it_behaves_like 'App::Finders::WpItems::URLsInHomepage' do
    let(:type)                { 'plugins' }
    let(:uniq_links)          { true }
    let(:uniq_codes)          { true }
-    let(:expected_from_links) { (1..4).map { |i| "dl-#{i}" } }
+    let(:expected_from_links) { (1..5).map { |i| "dl-#{i}" } }
    let(:expected_from_codes) { (1..6).map { |i| "dc-#{i}" } }
  end
--- a/spec/app/finders/theme_version_spec.rb
+++ b/spec/app/finders/theme_version_spec.rb
@@ -13,20 +13,21 @@ describe WPScan::Finders::ThemeVersion::Base do
      expect(theme_version.finders.map { |f| f.class.to_s.demodulize }).to eql @expected
    end
-    context 'when no related specific finders' do
+    context 'when no related dynamic finders' do
      it 'contains the default finders' do
        @expected = default_finders
      end
    end
-    context 'when specific finders' do
+    # Dynamic Version Finders are not tested here, they are in
-      {
+    # spec/lib/finders/dynamic_finder/theme_versions_spec
-      }.each do |theme_slug, specific_finders|
+    context 'when dynamic finders' do
      WPScan::DB::DynamicFinders::Theme.versions_finders_configs.each do |theme_slug, configs|
        context "when #{theme_slug} theme" do
          let(:slug) { theme_slug }
-          it 'contains the expected finders' do
+          it 'contains the expected finders (default + the dynamic ones)' do
-            @expected = default_finders + specific_finders
+            @expected = default_finders + configs.keys
          end
        end
      end
--- a/spec/app/finders/themes/urls_in_homepage_spec.rb
+++ b/spec/app/finders/themes/urls_in_homepage_spec.rb
@@ -6,6 +6,8 @@ describe WPScan::Finders::Themes::UrlsInHomepage do
  let(:url)        { 'http://wp.lab/' }
  let(:fixtures)   { FINDERS_FIXTURES.join('themes', 'urls_in_homepage') }
  # before { target.scope << 'sub.lab' }
  it_behaves_like 'App::Finders::WpItems::URLsInHomepage' do
    let(:type)                { 'themes' }
    let(:uniq_links)          { true }
--- a/spec/app/finders/users/author_id_brute_forcing_spec.rb
+++ b/spec/app/finders/users/author_id_brute_forcing_spec.rb
@@ -50,7 +50,7 @@ describe WPScan::Finders::Users::AuthorIdBruteForcing do
    end
    context 'when no display_name' do
-      ['4.1.1', '3.0', '2.9.2'].each do |file|
+      %w[4.9-span-tag 4.1.1 3.0 2.9.2].each do |file|
        it "returns nil for #{file}-empty.html" do
          body = File.read(fixtures.join("#{file}-empty.html"))
--- a/spec/app/finders/users/oembed_api_spec.rb
+++ b/spec/app/finders/users/oembed_api_spec.rb
@@ -19,15 +19,17 @@ describe WPScan::Finders::Users::OembedApi do
    end
    context 'when a JSON response' do
      let(:body) { File.read(fixture) }
      context 'when 404' do
-        let(:body) { File.read(fixtures.join('404.json')) }
+        let(:fixture) { fixtures.join('404.json') }
        its(:aggressive) { should eql([]) }
      end
      context 'when 200' do
        context 'when author_url present' do
-          let(:body) { File.read(fixtures.join('200_author_url.json')) }
+          let(:fixture) { fixtures.join('200_author_url.json') }
          it 'returns the expected array of users' do
            users = finder.aggressive
@@ -44,7 +46,7 @@ describe WPScan::Finders::Users::OembedApi do
        end
        context 'when author_url not present but author_name' do
-          let(:body) { File.read(fixtures.join('200_author_name.json')) }
+          let(:fixture) { fixtures.join('200_author_name.json') }
          it 'returns the expected array of users' do
            users = finder.aggressive
@@ -59,6 +61,12 @@ describe WPScan::Finders::Users::OembedApi do
            expect(user.interesting_entries).to eql ['http://wp.lab/wp-json/oembed/1.0/embed?url=http://wp.lab/&format=json']
          end
        end
        context 'when body is an array' do
          let(:fixture) { fixtures.join('array.json') }
          its(:aggressive) { should eql([]) }
        end
      end
    end
  end
--- a/spec/app/models/plugin_spec.rb
+++ b/spec/app/models/plugin_spec.rb
@@ -60,25 +60,60 @@ describe WPScan::Model::Plugin do
    end
  end
  describe 'potential_readme_filenames' do
    context 'when not set in the DF file' do
      its(:potential_readme_filenames) { should eql described_class::READMES }
    end
    context 'when set in the DF file' do
      context 'as a string' do
        let(:slug) { 'photoblocks-grid-gallery' }
        its(:potential_readme_filenames) { should eql %w[README.txt] }
      end
      context 'as an array' do
        let(:slug) { 'customerlabs-actionrecorder' }
        its(:potential_readme_filenames) { should eql %w[Readme.txt Readme.md] }
      end
    end
  end
  describe '#latest_version, #last_updated, #popular' do
-    context 'when none' do
+    before { allow(plugin).to receive(:db_data).and_return(db_data) }
-      let(:slug) { 'vulnerable-not-popular' }
+
    context 'when no db_data and no metadata' do
      let(:slug)    { 'not-known' }
      let(:db_data) { {} }
      its(:latest_version) { should be_nil }
      its(:last_updated) { should be_nil }
      its(:popular?) { should be false }
    end
-    context 'when values' do
+    context 'when no db_data but metadata' do
      let(:slug) { 'no-vulns-popular' }
      let(:db_data) { {} }
      its(:latest_version) { should eql WPScan::Model::Version.new('2.0') }
      its(:last_updated) { should eql '2015-05-16T00:00:00.000Z' }
      its(:popular?) { should be true }
    end
    context 'when db_data' do
      let(:slug) { 'no-vulns-popular' }
      let(:db_data) { vuln_api_data_for('plugins/no-vulns-popular') }
      its(:latest_version) { should eql WPScan::Model::Version.new('2.1') }
      its(:last_updated) { should eql '2015-05-16T00:00:00.000Z-via-api' }
      its(:popular?) { should be true }
    end
  end
  describe '#outdated?' do
    before { allow(plugin).to receive(:db_data).and_return({}) }
    context 'when last_version' do
      let(:slug) { 'no-vulns-popular' }
@@ -96,13 +131,13 @@ describe WPScan::Model::Plugin do
            .and_return(WPScan::Model::Version.new(version_number))
        end
-        context 'when version < last_version' do
+        context 'when version < latest_version' do
          let(:version_number) { '1.2' }
          its(:outdated?) { should eql true }
        end
-        context 'when version >= last_version' do
+        context 'when version >= latest_version' do
          let(:version_number) { '3.0' }
          its(:outdated?) { should eql false }
@@ -110,7 +145,7 @@ describe WPScan::Model::Plugin do
      end
    end
-    context 'when no last_version' do
+    context 'when no latest_version' do
      let(:slug) { 'vulnerable-not-popular' }
      context 'when no version' do
@@ -133,6 +168,8 @@ describe WPScan::Model::Plugin do
  end
  describe '#vulnerabilities' do
    before { allow(plugin).to receive(:db_data).and_return(db_data) }
    after do
      expect(plugin.vulnerabilities).to eq @expected
      expect(plugin.vulnerable?).to eql @expected.empty? ? false : true
@@ -140,6 +177,7 @@ describe WPScan::Model::Plugin do
    context 'when plugin not in the DB' do
      let(:slug)    { 'not-in-db' }
      let(:db_data) { {} }
      it 'returns an empty array' do
        @expected = []
@@ -149,6 +187,7 @@ describe WPScan::Model::Plugin do
    context 'when in the DB' do
      context 'when no vulnerabilities' do
        let(:slug)    { 'no-vulns-popular' }
        let(:db_data) { vuln_api_data_for('plugins/no-vulns-popular') }
        it 'returns an empty array' do
          @expected = []
@@ -157,10 +196,12 @@ describe WPScan::Model::Plugin do
      context 'when vulnerabilities' do
        let(:slug)    { 'vulnerable-not-popular' }
        let(:db_data) { vuln_api_data_for('plugins/vulnerable-not-popular') }
        let(:all_vulns) do
          [
            WPScan::Vulnerability.new(
-              'First Vuln',
+              'First Vuln <= 6.3.10 - LFI',
              { wpvulndb: '1' },
              'LFI',
              '6.3.10'
--- a/spec/app/models/theme_spec.rb
+++ b/spec/app/models/theme_spec.rb
@@ -10,10 +10,9 @@ describe WPScan::Model::Theme do
  before { expect(blog).to receive(:content_dir).at_least(1).and_return('wp-content') }
  describe '#new' do
-    before do
+    before { stub_request(:get, /.*\.css\z/).to_return(body: File.read(fixture)) }
-      stub_request(:get, /.*\.css\z/)
+
-        .to_return(body: File.read(fixtures.join('style.css')))
+    let(:fixture) { fixtures.join('style.css') }
    end
    its(:url) { should eql 'http://wp.lab/wp-content/themes/spec/' }
    its(:style_url) { should eql 'http://wp.lab/wp-content/themes/spec/style.css' }
@@ -34,6 +33,14 @@ describe WPScan::Model::Theme do
      its(:style_url) { should eql opts[:style_url] }
    end
    context 'when some new lines are stripped' do
      let(:fixture) { fixtures.join('stripped_new_lines.css') }
      its(:style_name)  { should eql 'Divi' }
      its(:style_uri)   { should eql 'http://www.elegantthemes.com/gallery/divi/' }
      its(:license_uri) { should eql 'http://www.gnu.org/licenses/gpl-2.0.html' }
    end
  end
  describe '#version' do
@@ -86,8 +93,179 @@ describe WPScan::Model::Theme do
    end
  end
  describe '#latest_version, #last_updated, #popular' do
    before do
      stub_request(:get, /.*\.css\z/)
      allow(theme).to receive(:db_data).and_return(db_data)
    end
    context 'when no db_data and no metadata' do
      let(:slug)    { 'not-known' }
      let(:db_data) { {} }
      its(:latest_version) { should be_nil }
      its(:last_updated) { should be_nil }
      its(:popular?) { should be false }
    end
    context 'when no db_data but metadata' do
      let(:slug) { 'no-vulns-popular' }
      let(:db_data) { {} }
      its(:latest_version) { should eql WPScan::Model::Version.new('2.0') }
      its(:last_updated) { should eql '2015-05-16T00:00:00.000Z' }
      its(:popular?) { should be true }
    end
    context 'when db_data' do
      let(:slug) { 'no-vulns-popular' }
      let(:db_data) { vuln_api_data_for('themes/no-vulns-popular') }
      its(:latest_version) { should eql WPScan::Model::Version.new('2.2') }
      its(:last_updated) { should eql '2015-05-16T00:00:00.000Z-via-api' }
      its(:popular?) { should be true }
    end
  end
  describe '#outdated?' do
    before do
      stub_request(:get, /.*\.css\z/)
      allow(theme).to receive(:db_data).and_return({})
    end
    context 'when last_version' do
      let(:slug) { 'no-vulns-popular' }
      context 'when no version' do
        before { expect(theme).to receive(:version).at_least(1).and_return(nil) }
        its(:outdated?) { should eql false }
      end
      context 'when version' do
        before do
          expect(theme)
            .to receive(:version)
            .at_least(1)
            .and_return(WPScan::Model::Version.new(version_number))
        end
        context 'when version < latest_version' do
          let(:version_number) { '1.2' }
          its(:outdated?) { should eql true }
        end
        context 'when version >= latest_version' do
          let(:version_number) { '3.0' }
          its(:outdated?) { should eql false }
        end
      end
    end
    context 'when no latest_version' do
      let(:slug) { 'vulnerable-not-popular' }
      context 'when no version' do
        before { expect(theme).to receive(:version).at_least(1).and_return(nil) }
        its(:outdated?) { should eql false }
      end
      context 'when version' do
        before do
          expect(theme)
            .to receive(:version)
            .at_least(1)
            .and_return(WPScan::Model::Version.new('1.0'))
        end
        its(:outdated?) { should eql false }
      end
    end
  end
  describe '#vulnerabilities' do
-    xit
+    before do
      stub_request(:get, /.*\.css\z/)
      allow(theme).to receive(:db_data).and_return(db_data)
    end
    after do
      expect(theme.vulnerabilities).to eq @expected
      expect(theme.vulnerable?).to eql @expected.empty? ? false : true
    end
    context 'when theme not in the DB' do
      let(:slug)    { 'not-in-db' }
      let(:db_data) { {} }
      it 'returns an empty array' do
        @expected = []
      end
    end
    context 'when in the DB' do
      context 'when no vulnerabilities' do
        let(:slug)    { 'no-vulns-popular' }
        let(:db_data) { vuln_api_data_for('themes/no-vulns-popular') }
        it 'returns an empty array' do
          @expected = []
        end
      end
      context 'when vulnerabilities' do
        let(:slug)    { 'vulnerable-not-popular' }
        let(:db_data) { vuln_api_data_for('themes/vulnerable-not-popular') }
        let(:all_vulns) do
          [
            WPScan::Vulnerability.new(
              'First Vuln',
              { wpvulndb: '1' },
              'LFI',
              '6.3.10'
            ),
            WPScan::Vulnerability.new('No Fixed In', wpvulndb: '2')
          ]
        end
        context 'when no theme version' do
          before { expect(theme).to receive(:version).at_least(1).and_return(false) }
          it 'returns all the vulnerabilities' do
            @expected = all_vulns
          end
        end
        context 'when theme version' do
          before do
            expect(theme)
              .to receive(:version)
              .at_least(1)
              .and_return(WPScan::Model::Version.new(number))
          end
          context 'when < to a fixed_in' do
            let(:number) { '5.0' }
            it 'returns it' do
              @expected = all_vulns
            end
          end
          context 'when >= to a fixed_in' do
            let(:number) { '6.3.10' }
            it 'does not return it ' do
              @expected = [all_vulns.last]
            end
          end
        end
      end
    end
  end
  describe '#parent_theme' do
--- a/spec/app/models/wp_version_spec.rb
+++ b/spec/app/models/wp_version_spec.rb
@@ -40,11 +40,13 @@ describe WPScan::Model::WpVersion do
  describe '#vulnerabilities' do
    subject(:version) { described_class.new(number) }
    before { allow(version).to receive(:db_data).and_return(db_data) }
    context 'when no vulns' do
      let(:number) { '4.4' }
      let(:db_data) { { 'vulnerabilities' => [] } }
-      its(:vulnerabilities) { should eql([]) }
+      its(:vulnerabilities) { should be_empty }
    end
    context 'when vulnerable' do
@@ -53,23 +55,8 @@ describe WPScan::Model::WpVersion do
        expect(version).to be_vulnerable
      end
-      context 'when a signle vuln' do
+      let(:all_vulns) do
-        let(:number) { '3.8' }
+        [
        it 'returns the expected result' do
          @expected = [WPScan::Vulnerability.new(
            'WP 3.8 - Vuln 1',
            { url: %w[url-4], osvdb: %w[11], wpvulndb: '3' },
            'AUTHBYPASS'
          )]
        end
      end
      context 'when multiple vulns' do
        let(:number) { '3.8.1' }
        it 'returns the expected results' do
          @expected = [
          WPScan::Vulnerability.new(
            'WP 3.8.1 - Vuln 1',
            { wpvulndb: '1' },
@@ -83,31 +70,67 @@ describe WPScan::Model::WpVersion do
          )
        ]
      end
      context 'when a signle vuln' do
        let(:number) { '3.8.1' }
        let(:db_data) { vuln_api_data_for('wordpresses/38') }
        it 'returns the expected result' do
          @expected = [WPScan::Vulnerability.new(
            'WP 3.8 - Vuln 1',
            { url: %w[url-4], wpvulndb: '3' },
            'AUTHBYPASS'
          )]
        end
      end
      context 'when multiple vulns' do
        let(:number) { '3.8.1' }
        let(:db_data) { vuln_api_data_for('wordpresses/381') }
        it 'returns the expected results' do
          @expected = [
            WPScan::Vulnerability.new(
              'WP 3.8.1 - Vuln 1',
              { wpvulndb: '1' },
              'SQLI'
            ),
            WPScan::Vulnerability.new(
              'WP 3.8.1 - Vuln 2',
              { url: %w[url-2 url-3], cve: %w[2014-0166], wpvulndb: '2' },
              nil,
              '3.8.2'
            )
          ]
        end
      end
    end
  end
-  describe '#release_date' do
+  describe '#metadata, #release_date, #status' do
    subject(:version) { described_class.new('3.8.1') }
    before { allow(version).to receive(:db_data).and_return(db_data) }
    context 'when no db_data' do
      let(:db_data) { {} }
      its(:release_date) { should eql '2014-01-23' }
    context 'when the version is not in the DB' do
      subject(:version) { described_class.new('3.8.2') }
      its(:release_date) { should eql 'Unknown' }
    end
  end
  describe '#status' do
    subject(:version) { described_class.new('3.8.1') }
      its(:status) { should eql 'outdated' }
-    context 'when the version is not in the DB' do
+      context 'when the version is not in the metadata' do
        subject(:version) { described_class.new('3.8.2') }
        its(:release_date) { should eql 'Unknown' }
        its(:status) { should eql 'Unknown' }
      end
    end
    context 'when db_data' do
      let(:db_data) { vuln_api_data_for('wordpresses/381') }
      its(:release_date) { should eql '2014-01-23-via-api' }
      its(:status) { should eql 'outdated-via-api' }
    end
  end
 end
--- a/spec/app/views_spec.rb
+++ b/spec/app/views_spec.rb
@@ -9,6 +9,7 @@ describe 'App::Views' do
  # in the expected output.
  %i[JSON CliNoColour].each do |formatter|
    context "when #{formatter}" do
      it_behaves_like 'App::Views::VulnApi'
      it_behaves_like 'App::Views::WpVersion'
      it_behaves_like 'App::Views::MainTheme'
      it_behaves_like 'App::Views::Enumeration'
--- a/spec/fixtures/db/dynamic_finders.yml
+++ b/spec/fixtures/db/dynamic_finders.yml
--- a/spec/fixtures/db/metadata.json
+++ b/spec/fixtures/db/metadata.json
@@ -0,0 +1,56 @@
 {
  "wordpress": {
    "4.0": {
      "release_date": "2014-09-04",
      "status": "latest"
    },
    "3.8.1": {
      "release_date": "2014-01-23",
      "status": "outdated"
    },
    "3.8": {
      "release_date": "2013-12-12",
      "status": "insecure"
    }
  },
  "plugins": {
    "no-vulns-popular": {
      "vulnerabilities": false,
      "popular": true,
      "latest_version": "2.0",
      "last_updated": "2015-05-16T00:00:00.000Z"
    },
    "vulnerable-not-popular": {
      "latest_version": null,
      "last_updated": null,
      "popular": false,
      "vulnerabilities": true
    }
  },
  "themes": {
    "no-vulns-popular": {
      "popular": true,
      "latest_version": "2.0",
      "last_updated": "2015-05-16T00:00:00.000Z",
      "vulnerabilities": false
    },
    "vulnerable-not-popular": {
      "latest_version": null,
      "last_updated": null,
      "popular": false,
      "vulnerabilities": true
    },
    "dignitas-themes": {
      "popular": true,
      "latest_version": null,
      "last_updated": null,
      "vulnerabilities" : true
    },
    "yaaburnee-themes": {
      "popular": false,
      "latest_version": null,
      "last_updated": null,
      "vulnerabilities" : true
    }
  }
 }
--- a/spec/fixtures/db/plugins.json
+++ b/spec/fixtures/db/plugins.json
@@ -1,25 +0,0 @@
 {
  "no-vulns-popular": {
    "vulnerabilities": [],
    "popular": true,
    "latest_version": "2.0",
    "last_updated": "2015-05-16T00:00:00.000Z"
  },
  "vulnerable-not-popular": {
    "latest_version": null,
    "last_updated": null,
    "popular": false,
    "vulnerabilities" : [
      {
        "title" : "First Vuln",
        "fixed_in" : "6.3.10",
        "id" : 1,
        "vuln_type": "LFI"
      },
      {
        "title": "No Fixed In",
        "id": 2
      }
    ]
  }
 }
--- a/spec/fixtures/db/sponsor.txt
+++ b/spec/fixtures/db/sponsor.txt
@@ -0,0 +1 @@
 Sponsored By Kittens
--- a/spec/fixtures/db/themes.json
+++ b/spec/fixtures/db/themes.json
@@ -1,48 +0,0 @@
 {
  "no-vulns-popular": {
    "popular": true,
    "latest_version": "2.0",
    "last_updated": "2015-05-16T00:00:00.000Z",
    "vulnerabilities": []
  },
  "dignitas-themes": {
    "popular": true,
    "latest_version": null,
    "last_updated": null,
    "vulnerabilities" : [
      {
        "created_at" : "2015-03-05T19:25:59.000Z",
        "updated_at" : "2015-03-05T19:37:47.000Z",
        "references": {
          "url" : [
            "http://research.evex.pw/?vuln=6",
            "http://packetstormsecurity.com/files/130652/"
          ]
          },
       "title" : "Dignitas 1.1.9 - Privilage Escalation",
       "id" : 7825,
       "vuln_type" : "AUTHBYPASS"
        }
     ]
  },
  "yaaburnee-themes": {
    "popular": false,
    "latest_version": null,
    "last_updated": null,
    "vulnerabilities" : [
      {
        "created_at" : "2015-03-05T19:25:44.000Z",
        "updated_at" : "2015-03-05T19:41:14.000Z",
        "references": {
          "url" : [
            "http://research.evex.pw/?vuln=6",
            "http://packetstormsecurity.com/files/130652/"
          ]
        },
        "title" : "Ya'aburnee 1.0.7 - Privilage Escalation",
        "id" : 7824,
        "vuln_type" : "AUTHBYPASS"
      }
    ]
  }
 }
--- a/spec/fixtures/db/vuln_api/plugins/no-vulns-popular.json
+++ b/spec/fixtures/db/vuln_api/plugins/no-vulns-popular.json
@@ -0,0 +1,6 @@
 {
  "vulnerabilities": [],
  "popular": true,
  "latest_version": "2.1",
  "last_updated": "2015-05-16T00:00:00.000Z-via-api"
 }
--- a/spec/fixtures/db/vuln_api/plugins/vulnerable-not-popular.json
+++ b/spec/fixtures/db/vuln_api/plugins/vulnerable-not-popular.json
@@ -0,0 +1,17 @@
 {
  "latest_version": null,
  "last_updated": null,
  "popular": false,
  "vulnerabilities" : [
    {
      "title" : "First Vuln \u003c= 6.3.10 - LFI",
      "fixed_in" : "6.3.10",
      "id" : 1,
      "vuln_type": "LFI"
    },
    {
      "title": "No Fixed In",
      "id": 2
    }
  ]
 }
--- a/spec/fixtures/db/vuln_api/themes/dignitas-themes.json
+++ b/spec/fixtures/db/vuln_api/themes/dignitas-themes.json
@@ -0,0 +1,22 @@
 {
  "popular": true,
  "latest_version": null,
  "last_updated": null,
  "vulnerabilities" : [
    {
      "created_at" : "2015-03-05T19:25:59.000Z",
      "updated_at" : "2015-03-05T19:37:47.000Z",
      "references": {
        "url" : [
          "http://research.evex.pw/?vuln=6"
        ],
        "packetstorm": [
          "130652"
        ]
      },
     "title" : "Dignitas 1.1.9 - Privilage Escalation",
     "id" : 7825,
     "vuln_type" : "AUTHBYPASS"
    }
  ]
 }
--- a/spec/fixtures/db/vuln_api/themes/no-vulns-popular.json
+++ b/spec/fixtures/db/vuln_api/themes/no-vulns-popular.json
@@ -0,0 +1,6 @@
 {
  "popular": true,
  "latest_version": "2.2",
  "last_updated": "2015-05-16T00:00:00.000Z-via-api",
  "vulnerabilities": []
 }
--- a/spec/fixtures/db/vuln_api/themes/vulnerable-not-popular.json
+++ b/spec/fixtures/db/vuln_api/themes/vulnerable-not-popular.json
@@ -0,0 +1,17 @@
 {
  "latest_version": null,
  "last_updated": null,
  "popular": false,
  "vulnerabilities" : [
    {
      "title" : "First Vuln",
      "fixed_in" : "6.3.10",
      "id" : 1,
      "vuln_type": "LFI"
    },
    {
      "title": "No Fixed In",
      "id": 2
    }
  ]
 }
--- a/spec/fixtures/db/vuln_api/themes/yaaburnee-themes.json
+++ b/spec/fixtures/db/vuln_api/themes/yaaburnee-themes.json
@@ -0,0 +1,22 @@
 {
  "popular": false,
  "latest_version": null,
  "last_updated": null,
  "vulnerabilities" : [
    {
      "created_at" : "2015-03-05T19:25:44.000Z",
      "updated_at" : "2015-03-05T19:41:14.000Z",
      "references": {
        "url" : [
          "http://research.evex.pw/?vuln=6",
        ],
        "packetstorm": [
          "130652"
        ]
      },
      "title" : "Ya'aburnee 1.0.7 - Privilage Escalation",
      "id" : 7824,
      "vuln_type" : "AUTHBYPASS"
    }
  ]
 }
--- a/spec/fixtures/db/vuln_api/wordpresses/38.json
+++ b/spec/fixtures/db/vuln_api/wordpresses/38.json
@@ -0,0 +1,17 @@
 {
  "release_date" : "2013-12-12",
  "status": "insecure",
  "vulnerabilities" : [
    {
      "references": {
        "url" : ["url-4"],
        "osvdb" : ["11"]
      },
      "created_at" : "2014-08-01T10:58:19.000Z",
      "updated_at" : "2014-09-16T15:45:26.000Z",
      "title" : "WP 3.8 - Vuln 1",
      "id" : 3,
      "vuln_type" : "AUTHBYPASS"
    }
  ]
 }
--- a/spec/fixtures/db/vuln_api/wordpresses/381.json
+++ b/spec/fixtures/db/vuln_api/wordpresses/381.json
@@ -0,0 +1,27 @@
 {
  "release_date" : "2014-01-23-via-api",
  "status": "outdated-via-api",
  "vulnerabilities" : [
    {
      "created_at" : "2014-08-01T10:58:19.000Z",
      "updated_at" : "2014-09-16T13:52:17.000Z",
      "title" : "WP 3.8.1 - Vuln 1",
      "id" : 1,
      "vuln_type" : "SQLI",
      "published_date" : null,
      "fixed_in" : null
     },
     {
      "references" : {
        "cve" : ["2014-0166"],
        "osvdb" : ["10"],
        "url" : ["url-2","url-3"]
      },
      "fixed_in" : "3.8.2",
      "created_at" : "2014-08-01T10:58:19.000Z",
      "updated_at" : "2014-09-16T13:53:11.000Z",
      "id" : 2,
      "title" : "WP 3.8.1 - Vuln 2"
    }
  ]
 }
--- a/spec/fixtures/db/vuln_api/wordpresses/40.json
+++ b/spec/fixtures/db/vuln_api/wordpresses/40.json
@@ -0,0 +1,4 @@
 {
  "release_date" : "2014-09-04",
  "status": "latest"
 }
--- a/spec/fixtures/db/wordpresses.json
+++ b/spec/fixtures/db/wordpresses.json
@@ -1,50 +0,0 @@
 {
  "4.0": {
    "release_date" : "2014-09-04",
    "status": "latest"
  },
  "3.8.1": {
    "release_date" : "2014-01-23",
    "status": "outdated",
    "vulnerabilities" : [
      {
        "created_at" : "2014-08-01T10:58:19.000Z",
        "updated_at" : "2014-09-16T13:52:17.000Z",
        "title" : "WP 3.8.1 - Vuln 1",
        "id" : 1,
        "vuln_type" : "SQLI",
        "published_date" : null,
        "fixed_in" : null
       },
       {
        "references" : {
          "cve" : ["2014-0166"],
          "osvdb" : ["10"],
          "url" : ["url-2","url-3"]
        },
        "fixed_in" : "3.8.2",
        "created_at" : "2014-08-01T10:58:19.000Z",
        "updated_at" : "2014-09-16T13:53:11.000Z",
        "id" : 2,
        "title" : "WP 3.8.1 - Vuln 2"
      }
    ]
   },
   "3.8": {
    "release_date" : "2013-12-12",
    "status": "insecure",
    "vulnerabilities" : [
      {
        "references": {
          "url" : ["url-4"],
          "osvdb" : ["11"]
        },
        "created_at" : "2014-08-01T10:58:19.000Z",
        "updated_at" : "2014-09-16T15:45:26.000Z",
        "title" : "WP 3.8 - Vuln 1",
        "id" : 3,
        "vuln_type" : "AUTHBYPASS"
      }
    ]
  }
 }
--- a/spec/fixtures/dynamic_finders/expected.yml
+++ b/spec/fixtures/dynamic_finders/expected.yml
--- a/spec/fixtures/dynamic_finders/plugin_version/acf-dropzone/translation_file/languages/acf-dropzone.pot
+++ b/spec/fixtures/dynamic_finders/plugin_version/acf-dropzone/translation_file/languages/acf-dropzone.pot
@@ -0,0 +1,63 @@
 # Copyright (C) 2019 Jörn Lund
 # This file is distributed under the same license as the ACF Dropzone plugin.
 msgid ""
 msgstr ""
 "Project-Id-Version: ACF Dropzone 1.0.0\n"
 "Report-Msgid-Bugs-To: https://wordpress.org/support/plugin/acf-dropzone\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "POT-Creation-Date: 2019-07-04T10:29:43+00:00\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "X-Generator: WP-CLI 2.1.0\n"
 "X-Domain: acf-dropzone\n"
 #. Plugin Name of the plugin
 msgid "ACF Dropzone"
 msgstr ""
 #. Plugin URI of the plugin
 msgid "https://github.com/mcguffin/acf-dropzone"
 msgstr ""
 #. Description of the plugin
 msgid "Drag and drop file upload for ACF-Fields."
 msgstr ""
 #. Author of the plugin
 msgid "Jörn Lund"
 msgstr ""
 #. Author URI of the plugin
 msgid "https://github.com/mcguffin"
 msgstr ""
 #: include/AcfDropzone/Compat/ACF.php:47
 #: tmp/svn/tags/1.0.0/include/AcfDropzone/Compat/ACF.php:47
 #: tmp/svn/trunk/include/AcfDropzone/Compat/ACF.php:47
 #: tmp/git/include/AcfDropzone/Compat/ACF.php:47
 msgid "Enable Dropzone"
 msgstr ""
 #: include/AcfDropzone/Compat/ACF.php:103
 #: tmp/svn/tags/1.0.0/include/AcfDropzone/Compat/ACF.php:103
 #: tmp/svn/trunk/include/AcfDropzone/Compat/ACF.php:103
 #: tmp/git/include/AcfDropzone/Compat/ACF.php:103
 msgid "Dismiss this notice."
 msgstr ""
 #: include/AcfDropzone/Compat/ACF.php:107
 #: tmp/svn/tags/1.0.0/include/AcfDropzone/Compat/ACF.php:107
 #: tmp/svn/trunk/include/AcfDropzone/Compat/ACF.php:107
 #: tmp/git/include/AcfDropzone/Compat/ACF.php:107
 msgid "Drop files here"
 msgstr ""
 #: include/AcfDropzone/Compat/ACF.php:108
 #: tmp/svn/tags/1.0.0/include/AcfDropzone/Compat/ACF.php:108
 #: tmp/svn/trunk/include/AcfDropzone/Compat/ACF.php:108
 #: tmp/git/include/AcfDropzone/Compat/ACF.php:108
 msgid "or"
 msgstr ""
--- a/spec/fixtures/dynamic_finders/plugin_version/acf-duplicate-repeater/translation_file/languages/acf-duplicate-repeater.pot
+++ b/spec/fixtures/dynamic_finders/plugin_version/acf-duplicate-repeater/translation_file/languages/acf-duplicate-repeater.pot
@@ -0,0 +1,58 @@
 # Copyright (C) 2019 Jörn Lund
 # This file is distributed under the same license as the ACF Duplicate Repeater plugin.
 msgid ""
 msgstr ""
 "Project-Id-Version: ACF Duplicate Repeater 2.0.0\n"
 "Report-Msgid-Bugs-To: https://wordpress.org/support/plugin/acf-duplicate-repeater\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "POT-Creation-Date: 2019-08-22T14:32:38+00:00\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "X-Generator: WP-CLI 2.2.0\n"
 "X-Domain: acf-duplicate-repeater\n"
 #. Plugin Name of the plugin
 msgid "ACF Duplicate Repeater"
 msgstr ""
 #. Plugin URI of the plugin
 msgid "https://github.com/mcguffin/acf-duplicate-repeater"
 msgstr ""
 #. Description of the plugin
 msgid "Duplicate Repeater and Layout Fields in ACF Pro"
 msgstr ""
 #. Author of the plugin
 msgid "Jörn Lund"
 msgstr ""
 #. Author URI of the plugin
 msgid "https://github.com/mcguffin"
 msgstr ""
 #. Translators: ACF-Pro URL
 #: include/ACFDuplicateRepeater/Core/Core.php:69
 msgid "The ACF Duplicate Repeater plugin only provides support for <a href=\"%s\">ACF Pro 5.7</a> and up."
 msgstr ""
 #. Translators: Plugins page URL
 #: include/ACFDuplicateRepeater/Core/Core.php:78
 msgid "Please upgrade ACF Pro to the latest Version on the <a href=\"%s\">plugins page</a>."
 msgstr ""
 #. Translators: Plugins page URL
 #: include/ACFDuplicateRepeater/Core/Core.php:87
 msgid "You can disable and uninstall the plugin on the <a href=\"%2$s\">plugins page</a>."
 msgstr ""
 #: include/ACFDuplicateRepeater/Core/Core.php:123
 msgid "Duplicate Entry"
 msgstr ""
 #: include/ACFDuplicateRepeater/Core/Core.php:127
 msgid "Duplicate Layout"
 msgstr ""
--- a/spec/fixtures/dynamic_finders/plugin_version/acf-flexible-content-extended/change_log/CHANGELOG.md
+++ b/spec/fixtures/dynamic_finders/plugin_version/acf-flexible-content-extended/change_log/CHANGELOG.md
@@ -0,0 +1,4 @@
 # Changelog ##
 ## 1.0.0 - 26 Aug 2019
 * Initial release
--- a/spec/fixtures/dynamic_finders/plugin_version/acf-flexible-content-preview/change_log/CHANGELOG.md
+++ b/spec/fixtures/dynamic_finders/plugin_version/acf-flexible-content-preview/change_log/CHANGELOG.md
@@ -0,0 +1,4 @@
 # Changelog ##
 ## 1.0.0 - 16 Aug 2019
 * Initial release
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
erwanlr	9da326967b	Bumps version	2019-10-11 15:07:50 +01:00
erwanlr	62600b3a66	Fixes #1411	2019-10-11 14:32:00 +01:00
erwanlr	b236138fb5	Adds additional specs related to previous commit	2019-10-10 22:57:26 +01:00
erwanlr	40c2e9a54b	Fixes non detection of plugins/themes from homepage in some cases	2019-10-10 22:33:19 +01:00
erwanlr	a9062db57f	Improves detection speed of plugins/themes from homepage	2019-10-10 21:15:59 +01:00
erwanlr	2621404c5f	Removes useless spec comment	2019-10-10 21:03:54 +01:00
erwanlr	c47211ca79	Fixes empty username returned in some cases	2019-10-10 20:34:39 +01:00
erwanlr	e39a192e8d	Checks default wp-content dir regardless of detection mode if not found passively	2019-10-10 19:59:09 +01:00
Erwan	d85035d5ef	Merge pull request #1407 from wpscanteam/dependabot/bundler/rspec-tw-3.9.0 Update rspec requirement from ~> 3.8.0 to ~> 3.9.0	2019-10-09 12:50:59 +02:00
dependabot-preview[bot]	de09a97343	Update rspec requirement from ~> 3.8.0 to ~> 3.9.0 Updates the requirements on [rspec](https://github.com/rspec/rspec) to permit the latest version. - [Release notes](https://github.com/rspec/rspec/releases) - [Commits](https://github.com/rspec/rspec/compare/v3.8.0...v3.9.0) Signed-off-by: dependabot-preview[bot] <support@dependabot.com>	2019-10-09 05:48:37 +00:00
erwanlr	a6855345d7	Fixes #1406	2019-10-07 07:03:06 +01:00
erwanlr	a53f88b626	Improves WP detection	2019-10-06 16:51:35 +01:00
erwanlr	7048c82124	Adds DFs	2019-10-06 10:46:12 +01:00
erwanlr	6aa7cda478	Fixes #1404	2019-10-05 20:25:35 +01:00
erwanlr	ff339b9a8c	Updates rubocop config	2019-10-03 13:09:14 +01:00
Erwan	8898cc20fe	Merge pull request #1403 from wpscanteam/dependabot/bundler/rubocop-performance-tw-1.5.0 Update rubocop-performance requirement from ~> 1.4.0 to ~> 1.5.0	2019-10-02 18:35:11 +02:00
dependabot-preview[bot]	770d1da280	Update rubocop-performance requirement from ~> 1.4.0 to ~> 1.5.0 Updates the requirements on [rubocop-performance](https://github.com/rubocop-hq/rubocop-performance) to permit the latest version. - [Release notes](https://github.com/rubocop-hq/rubocop-performance/releases) - [Changelog](https://github.com/rubocop-hq/rubocop-performance/blob/master/CHANGELOG.md) - [Commits](https://github.com/rubocop-hq/rubocop-performance/compare/v1.4.0...v1.5.0) Signed-off-by: dependabot-preview[bot] <support@dependabot.com>	2019-10-02 06:46:49 +00:00
Erwan	6ba4e8a29b	Merge pull request #1402 from wpscanteam/dependabot/bundler/rubocop-tw-0.75.0 Update rubocop requirement from ~> 0.74.0 to ~> 0.75.0	2019-10-02 08:45:36 +02:00
dependabot-preview[bot]	953ca68495	Update rubocop requirement from ~> 0.74.0 to ~> 0.75.0 Updates the requirements on [rubocop](https://github.com/rubocop-hq/rubocop) to permit the latest version. - [Release notes](https://github.com/rubocop-hq/rubocop/releases) - [Changelog](https://github.com/rubocop-hq/rubocop/blob/master/CHANGELOG.md) - [Commits](https://github.com/rubocop-hq/rubocop/compare/v0.74.0...v0.75.0) Signed-off-by: dependabot-preview[bot] <support@dependabot.com>	2019-10-01 06:21:21 +00:00
Erwan	4289dfb37d	Merge pull request #1401 from wpscanteam/dependabot/bundler/rake-tw-13.0 Update rake requirement from ~> 12.3 to ~> 13.0	2019-09-30 12:37:15 +02:00
dependabot-preview[bot]	4f6f2f436a	Update rake requirement from ~> 12.3 to ~> 13.0 Updates the requirements on [rake](https://github.com/ruby/rake) to permit the latest version. - [Release notes](https://github.com/ruby/rake/releases) - [Changelog](https://github.com/ruby/rake/blob/master/History.rdoc) - [Commits](https://github.com/ruby/rake/compare/v12.3.0...v13.0.0) Signed-off-by: dependabot-preview[bot] <support@dependabot.com>	2019-09-30 05:44:30 +00:00
erwanlr	237979a479	Adds DFs	2019-09-28 17:29:35 +01:00
erwanlr	2e48968fd3	Bumps version	2019-09-25 16:00:24 +01:00
erwanlr	9a0c4a5c8f	Fixes #1399	2019-09-25 10:02:15 +01:00
Erwan	9a011f0007	Merge pull request #1397 from noplanman/fix_registration_link Fix broken registration / signup link.	2019-09-25 10:52:06 +02:00
Armando Lüscher	3f907a706f	Fix broken registration / signup link.	2019-09-24 23:19:47 +02:00
erwanlr	9446141716	Adds DFs	2019-09-21 10:20:59 +01:00
erwanlr	1994826af8	Bumps version	2019-09-16 13:14:27 +01:00
erwanlr	ab950d6ffc	Do not cache login requests - Fixes #1395	2019-09-16 10:37:43 +01:00
erwanlr	b77e611a90	Adds DFs	2019-09-14 10:35:22 +01:00
erwanlr	86f0284894	Updates help to reflect enumeration of popular plugins and themes	2019-09-13 18:10:33 +01:00
erwanlr	9bbe014dfe	Merge branch 'master' of github.com:wpscanteam/wpscan	2019-09-13 17:23:19 +01:00
erwanlr	ad92c95500	Fixes crash when API returns HTML data rather than JSON in edge cases	2019-09-13 17:22:26 +01:00
Erwan	d360190382	Adds section for username enumeration in the Readme	2019-09-13 11:31:32 +02:00
ethicalhack3r	1737c8a7f6	Update readme	2019-09-13 11:02:12 +02:00
ethicalhack3r	cde262fd66	Add wpvulndb api info to readme	2019-09-13 10:49:05 +02:00
erwanlr	bd74689079	Bumps version	2019-09-13 08:34:19 +01:00
Erwan	248942bdea	Updates Readme (adds link, fixes typo)	2019-09-11 11:29:45 +02:00
erwanlr	d9f203300b	Updates deps	2019-09-11 10:19:48 +01:00
erwanlr	aceabc969f	Merge branch 'master' into 3.7.0	2019-09-11 10:18:28 +01:00
erwanlr	dedc24d3a7	Adds DFs	2019-09-07 11:55:53 +01:00
erwanlr	6e583e78e8	Gets Sponsor text from db file	2019-09-05 21:47:26 +01:00
erwanlr	c012e83355	Merge branch 'master' into 3.7.0-merged-master	2019-09-05 19:46:16 +01:00
erwanlr	264355d185	Ignores 404 with BodyPattern DF - Ref #1386	2019-09-05 19:41:24 +01:00
erwanlr	fdbfd1ec60	Ref #1386	2019-09-03 12:03:12 +01:00
erwanlr	7a8b27a255	Fixes #1386	2019-09-02 22:09:28 +01:00
erwanlr	ec4bfac98b	Adds DFs	2019-09-01 11:38:57 +01:00
erwanlr	c63ffe37c9	Updates deps and Readme	2019-08-30 18:22:25 +01:00
erwanlr	d2f3ce82c9	Fixes specs	2019-08-30 09:28:47 +01:00
erwanlr	3e24a0b0a4	Merge with master	2019-08-30 09:03:31 +01:00
Erwan	1a07e29ff4	Merge pull request #1383 from wpscanteam/dependabot/bundler/webmock-tw-3.7.0 Update webmock requirement from ~> 3.6.0 to ~> 3.7.0	2019-08-28 14:29:22 +02:00
dependabot-preview[bot]	1aa46a8928	Update webmock requirement from ~> 3.6.0 to ~> 3.7.0 Updates the requirements on [webmock](https://github.com/bblimke/webmock) to permit the latest version. - [Release notes](https://github.com/bblimke/webmock/releases) - [Changelog](https://github.com/bblimke/webmock/blob/master/CHANGELOG.md) - [Commits](https://github.com/bblimke/webmock/compare/v3.6.0...v3.7.0) Signed-off-by: dependabot-preview[bot] <support@dependabot.com>	2019-08-28 09:01:28 +00:00
erwanlr	d9083f8b5f	Fixes spec related to latest changes	2019-08-24 15:17:18 +01:00
erwanlr	23d558a6d7	Updates to CMSScanner 0.5.8	2019-08-24 14:49:56 +01:00
erwanlr	665a5b7b12	Adds DFs	2019-08-24 14:06:52 +01:00
erwanlr	1d73418969	Adds DFs	2019-08-17 10:36:18 +01:00
erwanlr	f67b5e4cc4	Updates deps again	2019-08-13 11:55:57 +01:00
erwanlr	ae2515444f	Updates deps	2019-08-13 11:03:34 +01:00
erwanlr	463e77f0a5	VulnAPI Implementation	2019-08-13 10:03:01 +01:00
erwanlr	d7b796b1a7	Adds DFs	2019-08-10 12:22:38 +01:00
erwanlr	9b07d53077	Bumps version	2019-08-06 16:10:21 +01:00
erwanlr	8ee9b2bc31	Fixes #1378	2019-08-06 13:01:22 +01:00
erwanlr	c5989477a4	Adds DFs	2019-08-03 10:56:22 +01:00
Erwan	96d8a4e4f8	Merge pull request #1377 from wpscanteam/dependabot/bundler/rubocop-tw-0.74.0 Update rubocop requirement from ~> 0.73.0 to ~> 0.74.0	2019-08-03 10:19:49 +02:00
dependabot-preview[bot]	e865e11731	Update rubocop requirement from ~> 0.73.0 to ~> 0.74.0 Updates the requirements on [rubocop](https://github.com/rubocop-hq/rubocop) to permit the latest version. - [Release notes](https://github.com/rubocop-hq/rubocop/releases) - [Changelog](https://github.com/rubocop-hq/rubocop/blob/master/CHANGELOG.md) - [Commits](https://github.com/rubocop-hq/rubocop/compare/v0.73.0...v0.74.0) Signed-off-by: dependabot-preview[bot] <support@dependabot.com>	2019-08-01 05:31:24 +00:00
erwanlr	f0997bfe0d	Bumps version	2019-07-31 15:46:59 +01:00
erwanlr	8b67dad456	Fixes regexp perf	2019-07-31 14:54:57 +01:00
erwanlr	53fdac1038	Fixes #1376	2019-07-31 14:53:11 +01:00
erwanlr	534a7602e6	Adds DFs	2019-07-27 18:36:53 +01:00
erwanlr	30f329fe43	Bumps version	2019-07-23 18:27:09 +01:00
erwanlr	4ce39951a9	Additional specs for #1374	2019-07-23 16:33:09 +01:00
ethicalhack3r	0e9eb34626	Remove Patreon link	2019-07-23 12:09:04 +02:00
erwanlr	0ff299c425	Updates UA used when updating the DB	2019-07-22 12:13:01 +01:00
erwanlr	6366258ce9	Merge branch 'df'	2019-07-20 19:11:06 +01:00
erwanlr	bca69a026e	Adds DFs	2019-07-20 19:10:47 +01:00
Christian Mehlmauer	adc26ea42a	ruby 2.6.3	2019-07-19 09:16:56 +02:00
erwanlr	84422b10c8	Changes db_data to metadata	2019-07-18 18:52:52 +01:00
erwanlr	d05ad0f8f4	Adds an Api Token controller	2019-07-18 17:40:27 +01:00
erwanlr	3f70ddaffa	Switching to dev	2019-07-18 17:31:02 +01:00
Erwan	b16e8d84d7	Merge pull request #1369 from wpscanteam/dependabot/bundler/rubocop-tw-0.73.0 Update rubocop requirement from ~> 0.72.0 to ~> 0.73.0	2019-07-17 11:38:45 +02:00
dependabot-preview[bot]	5ee405d5a0	Update rubocop requirement from ~> 0.72.0 to ~> 0.73.0 Updates the requirements on [rubocop](https://github.com/rubocop-hq/rubocop) to permit the latest version. - [Release notes](https://github.com/rubocop-hq/rubocop/releases) - [Changelog](https://github.com/rubocop-hq/rubocop/blob/master/CHANGELOG.md) - [Commits](https://github.com/rubocop-hq/rubocop/compare/v0.72.0...v0.73.0) Signed-off-by: dependabot-preview[bot] <support@dependabot.com>	2019-07-17 05:28:25 +00:00
erwanlr	a5b9470636	Adds DFs	2019-07-13 11:57:18 +01:00
erwanlr	16a3d54cb6	Bumps version	2019-07-11 17:50:46 +01:00
erwanlr	9677dcd978	Makes sure the sub_dir is only checked once	2019-07-10 18:35:46 +01:00
erwanlr	17ea42f918	Updates cms_scanner dep	2019-07-10 09:17:49 +01:00
erwanlr	bd8915918d	Switcing back to master	2019-07-09 15:07:42 +01:00
erwanlr	91db6773a0	Reduces --themes-threshold	2019-07-09 14:37:30 +01:00
erwanlr	f50680b61f	Adds a --plugins-threshold and --themes-threshold options	2019-07-08 19:47:46 +01:00
erwanlr	3fb5d33333	Switching to dev	2019-07-08 17:34:13 +01:00
erwanlr	f70bbb2660	Switching to master	2019-07-08 14:02:38 +01:00
erwanlr	589c1ac9bb	Only create Versions DF when needed	2019-07-08 13:02:29 +01:00
erwanlr	d458fa1b89	Switching to dev	2019-07-08 10:23:42 +01:00
erwanlr	dc2c99434f	Switching to master	2019-07-07 12:19:05 +01:00
erwanlr	bbf36562d0	Fixes specs	2019-07-07 09:57:54 +01:00
erwanlr	c458edf3e4	Adds a note about the Readme DF	2019-07-07 08:51:29 +01:00
erwanlr	99c2aaef7a	Changes some DF method names to avoid confusion with db ones	2019-07-07 08:35:41 +01:00
erwanlr	921096ca10	Adds DFs	2019-07-07 08:09:22 +01:00
erwanlr	b0fbd6fa36	Removes empty expected DF	2019-07-06 15:58:23 +01:00
erwanlr	21bd67c44f	Switching to minor release	2019-07-06 15:53:00 +01:00
erwanlr	4f142985a2	Fixes #1364	2019-07-06 15:32:42 +01:00
erwanlr	bfa89b44bc	Switching to dev	2019-07-06 13:04:38 +01:00
erwanlr	eba876e72b	Adds DFs	2019-07-06 11:05:22 +01:00
erwanlr	f1a7413e20	Adds Theme DFs	2019-07-05 09:34:13 +01:00