Bumps version

.github/workflows/build.yml

@@ -20,14 +20,6 @@ jobs:
       with:
         ruby-version: ${{ matrix.ruby }}
 
-    - name: Restore GEM cache
-      uses: actions/cache@v1
-      with:
-        path: vendor/bundle
-        key: ${{ runner.os }}-${{ matrix.ruby }}-gem-${{ hashFiles('**/wpscan.gemspec') }}
-        restore-keys: |
-          ${{ runner.os }}-${{ matrix.ruby }}-gem-
-
     - name: Install GEMs
       run: |
         gem install bundler

README.md

@@ -130,7 +130,7 @@ cli_options:
   api_token: YOUR_API_TOKEN
 ```
 
-## Load APi Token From ENV
+## Load API Token From ENV (since v3.7.10)
 
 The API Token will be automatically loaded from the ENV variable `WPSCAN_API_TOKEN` if present. If the `--api-token` CLI option is also provided, the value from the CLI will be used.
 

app/finders/passwords/xml_rpc.rb

@@ -16,7 +16,7 @@ module WPScan
         end
 
         def errored_response?(response)
-          response.code != 200 && response.body !~ /login_error/i
+          response.code != 200 && response.body !~ /Incorrect username or password/i
         end
       end
     end

app/finders/users/wp_json_api.rb

@@ -21,7 +21,7 @@ module WPScan
           loop do
             current_page += 1
 
-            res = Typhoeus.get(api_url, params: { per_page: MAX_PER_PAGE, page: current_page })
+            res = Browser.get(api_url, params: { per_page: MAX_PER_PAGE, page: current_page })
 
             total_pages ||= res.headers['X-WP-TotalPages'].to_i
 

app/models/interesting_finding.rb

@@ -20,7 +20,7 @@ module WPScan
     class DebugLog < InterestingFinding
       # @ return [ Hash ]
       def references
-        @references ||= { url: 'https://codex.wordpress.org/Debugging_in_WordPress' }
+        @references ||= { url: ['https://codex.wordpress.org/Debugging_in_WordPress'] }
       end
     end
 

lib/wpscan/version.rb

@@ -2,5 +2,5 @@
 
 # Version
 module WPScan
-  VERSION = '3.7.10'
+  VERSION = '3.7.11'
 end

spec/app/finders/passwords/xml_rpc_spec.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+describe WPScan::Finders::Passwords::XMLRPC do
+  subject(:finder) { described_class.new(target) }
+  let(:target)     { WPScan::Model::XMLRPC.new(url) }
+  let(:url)        { 'http://ex.lo/xmlrpc.php' }
+
+  RESPONSE_403_BODY = '<?xml version="1.0" encoding="UTF-8"?>
+    <methodResponse>
+      <fault>
+        <value>
+          <struct>
+            <member>
+              <name>faultCode</name>
+              <value><int>403</int></value>
+            </member>
+            <member>
+              <name>faultString</name>
+              <value><string>Incorrect username or password.</string></value>
+            </member>
+          </struct>
+        </value>
+      </fault>
+    </methodResponse>'
+
+  describe '#attack' do
+    context 'when no valid credentials' do
+      before do
+        stub_request(:post, url).to_return(status: status, body: RESPONSE_403_BODY)
+
+        finder.attack(users, %w[pwd])
+      end
+
+      let(:users) { %w[admin].map { |username| WPScan::Model::User.new(username) } }
+
+      context 'when status = 200' do
+        let(:status) { 200 }
+
+        its('progress_bar.log') { should be_empty }
+      end
+
+      context 'when status = 403' do
+        let(:status) { 403 }
+
+        its('progress_bar.log') { should be_empty }
+      end
+    end
+  end
+end

spec/fixtures/db/dynamic_finders.yml

@@ -70461,6 +70461,14 @@ plugins:
   woocommerce-advanced-free-shipping:
     Readme:
       path: readme.txt
+  woocommerce-aelia-paypal-standard-multiaccount:
+    Readme:
+      path: README.md
+    ChangeLog:
+      class: BodyPattern
+      path: CHANGELOG.md
+      pattern: !ruby/regexp /####(?<v>\d+\.[\.\d]+)/
+      version: true
   woocommerce-and-1centerprise-data-exchange:
     Readme:
       path: readme.txt
@@ -71009,6 +71017,14 @@ plugins:
   woocommerce-stock-manager:
     Readme:
       path: README.txt
+  woocommerce-subscriptions:
+    Readme:
+      path: readme.txt
+    ChangeLog:
+      class: BodyPattern
+      path: changelog.txt
+      pattern: !ruby/regexp /\- version (?<v>\d+\.[\.\d]+)/i
+      version: true
   woocommerce-template-hints:
     ChangeLog:
       class: BodyPattern

spec/fixtures/dynamic_finders/expected.yml

@@ -43026,6 +43026,13 @@ plugins:
       interesting_entries:
       - 'http://wp.lab/wp-content/plugins/woocommerce-admin/languages/woocommerce-admin.pot,
         Match: ''"Project-Id-Version: WooCommerce Admin 0.9.0'''
+  woocommerce-aelia-paypal-standard-multiaccount:
+    ChangeLog:
+      number: 1.3.3.180413
+      found_by: Change Log (Aggressive Detection)
+      interesting_entries:
+      - 'http://wp.lab/wp-content/plugins/woocommerce-aelia-paypal-standard-multiaccount/CHANGELOG.md,
+        Match: ''####1.3.3.180413'''
   woocommerce-bcash:
     TranslationFile:
       number: 1.13.1
@@ -43542,6 +43549,12 @@ plugins:
       interesting_entries:
       - 'http://wp.lab/wp-content/plugins/woocommerce-square/changelog.txt, Match:
         ''= 1.0.35'''
+  woocommerce-subscriptions:
+    ChangeLog:
+      number: 2.6.5
+      found_by: Change Log (Aggressive Detection)
+      interesting_entries:
+      - 'http://wp.lab/wp-content/plugins/woocommerce-subscriptions/changelog.txt, Match: ''- version 2.6.5'''
   woocommerce-template-hints:
     ChangeLog:
       number: 1.0.0

spec/fixtures/dynamic_finders/plugin_version/woocommerce-aelia-paypal-standard-multiaccount/change_log/CHANGELOG.md

@@ -0,0 +1,92 @@
+# Aelia PayPal Standard gateway with multi account support
+
+## Version 1.x
+####1.3.3.180413
+* Tweak - Improved logic to fetch the PayPal email address during IPN verification.
+
+####1.3.2.171220
+* Fix - Fixed refund logic in WooCommerce 3.2.6.
+
+####1.3.1.170308
+* Improved compatibility with WooCommerce 2.7:
+  * Replaced calls to `WC_Order::get_order_currency()` with `WC_Order::get_currency()`.
+* Updated requirements.
+* Updated requirement checking class.
+* Improved compatibility with WordPress 4.7 and later. Added new logic to process the global `$wp_filter` variable.
+
+####1.3.0.160106
+* Rewritten gateway for WooCommerce 2.4.x. WC 2.4 includes the improvements we submitted to make the PayPal gateway more extensible. The rewritten gateway takes advantage of such changes, simplifying the multi-account logic.
+
+####1.2.6.151208
+* Fixed bug in `woocommerce_subscriptions_paypal_change_status_data` handler. Removed call to `WC_Gateway_Paypal_MultiAccount::obsolete get_order_from_subscriber_id()` method.
+
+####1.2.5.151020
+* Added new filter `payment_status_completed_data`. This new filter will allow 3rd party to pre-process payment data before it's validated.
+
+####1.2.4.150903
+* Removed unneeded code that raised some minor warnings.
+
+####1.2.3.150731
+* Updated requirement checking class.
+
+####1.2.4.150630
+* Refactored logic to validate IPN. Added mechanism to remove all references to the base IPN Handler class.
+
+####1.2.3.150610
+* Fixed bug in IPN handling in WooCommerce 2.3.10. The bug was caused by incorrect references in base `WC_Gateway_Paypal_IPN_Handler` class, which caused the PayPal merchant email validation to fail. Ref. https://github.com/woothemes/woocommerce/pull/8348.
+
+####1.2.2.150519
+* Refactored `WC_Gateway_Paypal_MultiAccount::woocommerce_subscriptions_paypal_change_status_data()`. The method now uses the order object passed to it by the Subscription plugin.
+* Added `WC_Gateway_Paypal_MultiAccount::woocommerce_subscriptions_paypal_change_status_data()` method to PayPal gateway for WooCommerce 2.2 and earlier.
+
+####1.2.1.150515
+* Improved support for Subscriptions. The plugin can now alter the API keys used by the Subscriptions plugin depending on the currency used to buy the subscription.
+* Set requirements to WooCommerce 2.3.8. The plugin cannot work properly with WooCommerce 2.3.0 to 2.3.7 due to some issues in the core.
+* Imported logic to use a single logger for all PayPal Standard classes in WooCommerce 2.3. Ref. https://github.com/woothemes/woocommerce/commit/33d94aaea46137a0d8366e9033e6bebd218333cc.
+
+####1.2.0.150506
+* Added support for PayPal API settings in multiple currencies.
+* Added support for refunds.
+
+####1.1.2.150422
+* Rewritten PayPal Request, PDT and IPN classes to work with unpatched WooCommerce. This was necessary after the decision, from WooCommerce team, of not fixing the PayPal gateway in WC 2.3.x.
+
+####1.1.1.150420
+* Fixed bug in `WC_Gateway_Paypal_IPN_Handler` class. The bug caused IPN validation to fail.
+
+####1.1.0.150319
+* Added support for the complicated PayPal Standard gateway included with WC2.3:
+  * Added new `WC_Gateway_Paypal_MultiAccount` class.
+  * Added new `WC_Gateway_Paypal_Request` class.
+  * Added new `WC_Gateway_Paypal_IPN_Handler` class.
+  * Added new `WC_Gateway_Paypal_PDT_Handler` class.
+* Updated requirements. Plugin now required WooCommerce 2.1, 2.2 or 2.3.8 and later.
+
+####1.0.8.150310
+* Improved requirements checking. The new logic will prevent the plugin from crashing when the requirements are not met.
+
+####1.0.7.140903
+* Packaged plugin for public release.
+
+####1.0.6.140318
+* Added WC_Gateway_Paypal_MultiAccount::get_paypal_order() method.
+
+####1.0.5.140318
+* Improved debug code.
+
+####1.0.4.140228
+* Improved debug code.
+
+####1.0.3.140228
+* Corrected PayPal notification URL.
+
+####1.0.2.140228
+* Fixed bug in retrieving the default receiver email for a currency.
+* Improved logging.
+
+####1.0.1.140227
+* Improved debug mode.
+* Corrected plugin name.
+
+####1.0.0.140227
+* First release.

wpscan.gemspec

@@ -21,7 +21,7 @@ Gem::Specification.new do |s|
   s.executables           = ['wpscan']
   s.require_paths         = ['lib']
 
-  s.add_dependency 'cms_scanner', '~> 0.8.5'
+  s.add_dependency 'cms_scanner', '~> 0.8.6'
 
   s.add_development_dependency 'bundler',             '>= 1.6'
   s.add_development_dependency 'memory_profiler',     '~> 0.9.13'