wpscan

Command: --url - The URL of the blog to scan. Allowed Protocols: http, https. Default Protocol if none provided: http. This option is mandatory.

Command: --force - Do not check if the target is running WordPress or returns a 403

Command: --proxy - Format: protocol://IP:port

Command: --scope - 'Comma separated (sub-)domains to consider in scope. Wildcard(s) allowed in the trd of valid domains, e.g: *.target.tld. Separator to use between the values: ','

Command: --vhost - The virtual host (Host header) to use in requests

Command: --format - Output results in the format supplied. Available choices: cli, json, cli-no-colour, cli-no-color

Command: --server - Force the supplied server module to be loaded. Available choices: apache, iis, nginx

Command: --headers - Additional headers to append in requests

Command: --verbose - Verbose mode

Command: --stealthy - Alias for --random-user-agent --detection-mode passive --plugins-version-detection passive

Command: --throttle - Milliseconds to wait before doing another web request. If used, the max threads will be set to 1.

Command: --api-token - The WPScan API Token to display vulnerability data, available at https://wpscan.com/profile

Command: --cache-dir - Default: /tmp/wpscan/cache

Command: --enumerate - Enumeration Process. Available Choices: vp (Vulnerable plugins), ap (All plugins), p (Popular plugins), vt (Vulnerable themes), at (All themes), t (Popular themes), tt (Timthumbs), cb (Config backups), dbe (Db exports), u (User IDs range. e.g: u1-5. Range separator to use: '-'. Value if no argument supplied: 1-10), m (Media IDs range. e.g m1-15. Note: Permalink setting must be set to 'Plain' for those to be detected. Range separator to use: '-'. Value if no argument supplied: 1-100). Separator to use between the values: ','. Default: All Plugins, Config Backups. Value if no argument supplied: vp,vt,tt,cb,dbe,u,m.

Command: --http-auth - Format: login:password

Command: --login-uri - The URI of the login page if different from /wp-login.php

Command: --no-banner - Don't display the banner

Command: --no-update - Do not update the Database.

Command: --passwords - List of passwords to use during the password attack. If no --username/s option supplied, user enumeration will be run.

Command: --proxy-auth - Format: login:password

Command: --user-agent - User agent

Command: --clear-cache - Clear the cache before the scan

Command: --max-threads - The max threads to use. Default: 5

Command: --cookie-string - Cookie string to use in requests, format: cookie1=value1[; cookie2=value2

Command: --detection-mode - Default: mixed. Available choices: mixed, passive, aggressive

Command: --timthumbs-list - List of timthumbs' location to use

Command: --usernames - List of usernames to use during the password attack.

Command: --wp-content-dir - The wp-content directory if custom or not detected, such as wp-content

Command: --wp-plugins-dir - The plugins directory if custom or not detected, such as wp-content/plugins

Command: --wp-version-all - Check all the version locations

Command: --db-exports-list - List of DB exports' paths to use

Command: --password-attack - Force the supplied attack to be used rather than automatically determining one. Multicall will only work against WP < 4.4. Available choices: wp-login, xmlrpc, xmlrpc-multicall

Command: --request-timeout - The request timeout in seconds. Default: 60

Command: --users-detection - Use the supplied mode to enumerate Users, instead of the global (--detection-mode) mode. Available choices: mixed, passive, aggressive

Command: --users-list - List of users to check during the users enumeration from the Login Error Messages

Command: --medias-detection - Use the supplied mode to enumerate Medias, instead of the global (--detection-mode) mode. Available choices: mixed, passive, aggressive

Command: --themes-detection - Use the supplied mode to enumerate Themes, instead of the global (--detection-mode) mode. Available choices: mixed, passive, aggressive

Command: --themes-list - List of themes to enumerate.

Command: --themes-threshold - Raise an error when the number of detected themes via known locations reaches the threshold. Set to 0 to ignore the threshold. Default: 20

Command: --user-agents-list - List of agents to use with --random-user-agent

Command: --usernames - List of usernames to use during the password attack. Examples: 'a1', 'a1,a2,a3'

Command: --exclude-usernames - Exclude usernames matching the Regexp/string (case insensitive). Regexp delimiters are not required.

Command: --max-scan-duration - Abort the scan if it exceeds the time provided in seconds

Command: --plugins-detection - Use the supplied mode to enumerate Plugins. Default: passive. Available choices: mixed, passive, aggressive

Command: --plugins-list - List of plugins to enumerate.

Command: --plugins-threshold - Raise an error when the number of detected plugins via known locations reaches the threshold. Set to 0 to ignore the threshold. Default: 100

Command: --random-user-agent - Additional headers to append in requests. Separator to use between the headers: '; '. Examples: 'X-Forwarded-For: 127.0.0.1', 'X-Forwarded-For: 127.0.0.1; Another: aaa'

Command: --users-list - List of users to check during the users enumeration from the Login Error Messages. Examples: 'a1', 'a1,a2,a3'

Command: --cache-ttl - The cache time to live in seconds. Default: 600

Command: --connect-timeout - The connection timeout in seconds. Default: 30

Command: --disable-tls-checks - Disables SSL/TLS certificate verification, and downgrade to TLS1.0+ (requires cURL 7.66 for the latter)

Command: --themes-list - List of themes to enumerate. Examples: 'a1', 'a1,a2,a3'

Command: --themes-version-all - Check all the themes version locations according to the choosen mode (--detection-mode, --themes-detection and --themes-version-detection)

Command: --config-backups-list - List of config backups' filenames to use'

Command: --plugins-list - List of plugins to enumerate. Examples: 'a1', 'a1,a2,a3'

Command: --plugins-version-all - Check all the plugins version locations according to the choosen mode (--detection-mode, --plugins-detection and --plugins-version-detection)

Command: --timthumbs-detection - Use the supplied mode to enumerate Timthumbs, instead of the global (--detection-mode) mode. Available choices: mixed, passive, aggressive

Command: --db-exports-detection - Use the supplied mode to enumerate DB Exports, instead of the global (--detection-mode) mode. Available choices: mixed, passive, aggressive

Command: --ignore-main-redirect - Ignore the main redirect (if any) and scan the target url

Command: --main-theme-detection - Use the supplied mode for the Main theme detection, instead of the global (--detection-mode) mode. Available choices: mixed, passive, aggressive

Command: --wp-version-detection - Use the supplied mode for the WordPress version detection, instead of the global (--detection-mode) mode. Available choices: mixed, passive, aggressive

Command: --exclude-content-based - Exclude all responses matching the Regexp (case insensitive) during parts of the enumeration. Both the headers and body are checked. Regexp delimiters are not required.

Command: --multicall-max-passwords - Maximum number of passwords to send by request with XMLRPC multicall. Default: 500

Command: --config-backups-detection - Use the supplied mode to enumerate Config Backups, instead of the global (--detection-mode) mode. Available choices: mixed, passive, aggressive

Command: --themes-version-detection - Use the supplied mode to check themes versions instead of the --detection-mode or --themes-detection modes. Available choices: mixed, passive, aggressive

Command: --cookie-jar - File to read and write cookies

Command: --plugins-version-detection - Use the supplied mode to check plugins versions. Default: mixed. Available choices: mixed, passive, aggressive

Command: --interesting-findings-detection - Use the supplied mode for the interesting findings detection. Available choices: mixed, passive, aggressive