garfield/wpscan
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Updated WPScan User Documentation (markdown)

Ryan Dewhurst
2021-01-22 15:57:31 +01:00
parent 8050165bf1
commit a2b36100df
1 changed files with 10 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
WPScan-User-Documentation.md

@@ -79,6 +79,16 @@ WPScan keeps a local database of metadata that is used to output useful informat
_Please note that this data does not include the vulnerability data. See [Vulnerability Database](https://github.com/wpscanteam/wpscan/wiki/WPScan-User-Documentation#vulnerability-database) for information on the vulnerability data._
## Vulnerability Database
WPScan uses the [WordPress Vulnerability Database](https://wpscan.com/api) API in real time to retrieve known vulnerabilities that affect WordPress core, plugins and themes.
For the vulnerability information to be shown within WPScan you will need to supply an API token with the `--api-token YOUR_TOKEN` option. Alternatively, you can supply the API token from a WPScan configuration file.
A free API token is available, as well as paid plans, depending on your usage needs.
If you do not supply an API token, WPScan will work as normal, with the exception that when a WordPress version, plugin or theme is detected, the associated known vulnerabilities will not be displayed.
## Enumeration Modes
When enumerating the WordPress version, installed plugins or installed themes, you can use three different "modes", which are:
@@ -159,16 +169,6 @@ docker run -it --rm -v /Users/__macuser__/:/__containerdirectory__ wpscanteam/wp
See: https://github.com/wpscanteam/wpscan/issues/1256#issuecomment-609055053
## Vulnerability Database
WPScan uses the [WordPress Vulnerability Database](https://wpscan.com/api) API in real time to retrieve known vulnerabilities that affect WordPress core, plugins and themes.
For the vulnerability information to be shown within WPScan you will need to supply an API token with the `--api-token YOUR_TOKEN` option. Alternatively, you can supply the API token from a WPScan configuration file.
A free API token is available, as well as paid plans, depending on your usage needs.
If you do not supply an API token, WPScan will work as normal, with the exception that when a WordPress version, plugin or theme is detected, the associated known vulnerabilities will not be displayed.
## Bypassing Simple WAFs
To bypass some simple WAFs you can try the `--random-user-agent` option.