diff --git a/WPScan-User-Documentation.md b/WPScan-User-Documentation.md index 99454dd..d076209 100644 --- a/WPScan-User-Documentation.md +++ b/WPScan-User-Documentation.md @@ -79,6 +79,16 @@ WPScan keeps a local database of metadata that is used to output useful informat _Please note that this data does not include the vulnerability data. See [Vulnerability Database](https://github.com/wpscanteam/wpscan/wiki/WPScan-User-Documentation#vulnerability-database) for information on the vulnerability data._ +## Vulnerability Database + +WPScan uses the [WordPress Vulnerability Database](https://wpscan.com/api) API in real time to retrieve known vulnerabilities that affect WordPress core, plugins and themes. + +For the vulnerability information to be shown within WPScan you will need to supply an API token with the `--api-token YOUR_TOKEN` option. Alternatively, you can supply the API token from a WPScan configuration file. + +A free API token is available, as well as paid plans, depending on your usage needs. + +If you do not supply an API token, WPScan will work as normal, with the exception that when a WordPress version, plugin or theme is detected, the associated known vulnerabilities will not be displayed. + ## Enumeration Modes When enumerating the WordPress version, installed plugins or installed themes, you can use three different "modes", which are: 
@@ -159,16 +169,6 @@ docker run -it --rm -v /Users/__macuser__/:/__containerdirectory__ wpscanteam/wp See: https://github.com/wpscanteam/wpscan/issues/1256#issuecomment-609055053 -## Vulnerability Database - -WPScan uses the [WordPress Vulnerability Database](https://wpscan.com/api) API in real time to retrieve known vulnerabilities that affect WordPress core, plugins and themes. - -For the vulnerability information to be shown within WPScan you will need to supply an API token with the `--api-token YOUR_TOKEN` option. Alternatively, you can supply the API token from a WPScan configuration file. - -A free API token is available, as well as paid plans, depending on your usage needs. - -If you do not supply an API token, WPScan will work as normal, with the exception that when a WordPress version, plugin or theme is detected, the associated known vulnerabilities will not be displayed. - ## Bypassing Simple WAFs To bypass some simple WAFs you can try the `--random-user-agent` option.
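Review bot: In the first hunk (the added `## Vulnerability Database` section), the sentence "Alternatively, you can supply the API token from a WPScan configuration file." names the alternative without saying where that file lives or which key holds the token, so a reader cannot act on it; suggest adding the config file path and key, or a link to the section of this document that describes the configuration file. While touching that paragraph, it is worth recommending the configuration file over `--api-token YOUR_TOKEN` on the command line, since a token passed as an argument ends up in shell history and is visible to other local users in process listings. The new placement directly under the "_Please note that this data does not include the vulnerability data. See [Vulnerability Database](...)_" sentence is an improvement, and the link still resolves because the heading text is unchanged.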
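Review bot: The second hunk removes the `## Vulnerability Database` section after the Docker "See: https://github.com/wpscanteam/wpscan/issues/1256#issuecomment-609055053" line; comparing the `-` lines here with the `+` lines in the first hunk, the moved text is identical, so this is a pure relocation and the header offset (`-159,16 +169,6`, shifted by the 10 lines added earlier) is consistent. Since this is a move rather than an edit, suggest the commit message say so explicitly, and check that the page's table of contents (if any) does not list the section in its old position between the Docker section and `## Bypassing Simple WAFs`.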