loading
loading
Scanners
WordPress security scanner run across a list of sites.
overview
wpscan-loop is wpscan wrapped to run over a list of URLs instead of one. You hand it a file of WordPress blog URLs and it scans each in turn, fingerprinting core versions, enumerating plugins and themes, and matching findings against the vulnerability database. When you are responsible for a fleet of WordPress sites, or sweeping every WordPress host a recon stage discovered, this is the node that covers all of them in one run.
Everything that makes wpscan useful carries over: configurable enumeration via --enumerate, passive, mixed, or aggressive detection modes, a WPScan API token for vulnerability data, stealthy mode with throttling, and password attacks against discovered users. The difference is the input. A targets file replaces the single --url, so the scanner iterates the whole list and writes a combined result set.
In a Trickest workflow, feed wpscan-loop a file of URLs and collect the folder it writes. Pass in the WordPress hosts a discovery or fingerprinting stage flagged, set JSON output, and route the findings into triage or alerting across the entire set at once.
source github.com/wpscanteam/wpscan
use cases
Scan every WordPress URL in one file so a whole estate of blogs gets the same plugin, theme, and vulnerability coverage in a single run.
Take the URLs a fingerprinting or discovery node flagged as WordPress and push the entire list through the scanner without scanning them one at a time.
Apply one --enumerate and detection-mode policy to every site in the list so results are directly comparable across the fleet.
Use stealthy mode and a throttle so iterating many sites does not overwhelm any single target or trip rate limits.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| urls | FILE | · | The URLs of the blogs to scan. Allowed Protocols: http, https. Default Protocol if none provided: http. This option is mandatory. |
| enumerate | STRING | --enumerate | Enumeration Process. Available Choices: vp, ap, p, vt, at, t, tt, cb, dbe, u, m. |
| format | STRING | --format | Output results in the format supplied. Available choices: cli, json, cli-no-colour, cli-no-color |
| api-token | STRING | --api-token | The WPScan API Token to display vulnerability data, available at https://wpscan.com/profile |
| detection-mode | STRING | --detection-mode | Default: mixed. Available choices: mixed, passive, aggressive |
| stealthy | BOOLEAN | --stealthy | Alias for --random-user-agent --detection-mode passive --plugins-version-detection passive |
| throttle | STRING | --throttle | Milliseconds to wait before doing another web request. If used, the max threads will be set to 1. |
| force | BOOLEAN | --force | Do not check if the target is running WordPress or returns a 403 |
Showing key inputs. wpscan-loop exposes 69 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| urls | FILE | · | The URLs of the blogs to scan. Allowed Protocols: http, https. Default Protocol if none provided: http. This option is mandatory. |
| force | BOOLEAN | --force | Do not check if the target is running WordPress or returns a 403 |
| proxy | STRING | --proxy | Format: protocol://IP:port |
| scope | STRING | --scope | 'Comma separated (sub-)domains to consider in scope. Wildcard(s) allowed in the trd of valid domains, e.g: *.target.tld. Separator to use between the values: ',' |
| vhost | STRING | --vhost | The virtual host (Host header) to use in requests |
| format | STRING | --format | Output results in the format supplied. Available choices: cli, json, cli-no-colour, cli-no-color |
| server | STRING | --server | Force the supplied server module to be loaded. Available choices: apache, iis, nginx |
| headers | STRING | --headers | Additional headers to append in requests |
| verbose | BOOLEAN | --verbose | Verbose mode |
| stealthy | BOOLEAN | --stealthy | Alias for --random-user-agent --detection-mode passive --plugins-version-detection passive |
| throttle | STRING | --throttle | Milliseconds to wait before doing another web request. If used, the max threads will be set to 1. |
| api-token | STRING | --api-token | The WPScan API Token to display vulnerability data, available at https://wpscan.com/profile |
| cache-dir | STRING | --cache-dir | Default: /tmp/wpscan/cache |
| enumerate | STRING | --enumerate | Enumeration Process. Available Choices: vp (Vulnerable plugins), ap (All plugins), p (Popular plugins), vt (Vulnerable themes), at (All themes), t (Popular themes), tt (Timthumbs), cb (Config backups), dbe (Db exports), u (User IDs range. e.g: u1-5. Range separator to use: '-'. Value if no argument supplied: 1-10), m (Media IDs range. e.g m1-15. Note: Permalink setting must be set to 'Plain' for those to be detected. Range separator to use: '-'. Value if no argument supplied: 1-100). Separator to use between the values: ','. Default: All Plugins, Config Backups. Value if no argument supplied: vp,vt,tt,cb,dbe,u,m. |
| http-auth | STRING | --http-auth | Format: login:password |
| login-uri | STRING | --login-uri | The URI of the login page if different from /wp-login.php |
| no-banner | BOOLEAN | --no-banner | Don't display the banner |
| no-update | BOOLEAN | --no-update | Do not update the Database. |
| passwords | FILE | --passwords | List of passwords to use during the password attack. If no --username/s option supplied, user enumeration will be run. |
| proxy-auth | STRING | --proxy-auth | Format: login:password |
| user-agent | STRING | --user-agent | User agent |
| clear-cache | BOOLEAN | --clear-cache | Clear the cache before the scan |
| header-file | FILE | --header-file | Additional headers to append in requests (one per line) |
| max-threads | STRING | --max-threads | The max threads to use. Default: 5 |
| cookie-string | STRING | --cookie-string | Cookie string to use in requests, format: cookie1=value1[; cookie2=value2 |
| detection-mode | STRING | --detection-mode | Default: mixed. Available choices: mixed, passive, aggressive |
| timthumbs-list | FILE | --timthumbs-list | List of timthumbs' location to use |
| usernames-file | FILE | --usernames | List of usernames to use during the password attack. |
| wp-content-dir | STRING | --wp-content-dir | The wp-content directory if custom or not detected, such as "wp-content" |
| wp-plugins-dir | STRING | --wp-plugins-dir | The plugins directory if custom or not detected, such as "wp-content/plugins" |
| wp-version-all | BOOLEAN | --wp-version-all | Check all the version locations |
| db-exports-list | FILE | --db-exports-list | List of DB exports' paths to use |
| password-attack | STRING | --password-attack | Force the supplied attack to be used rather than automatically determining one. Multicall will only work against WP < 4.4. Available choices: wp-login, xmlrpc, xmlrpc-multicall |
| request-timeout | STRING | --request-timeout | The request timeout in seconds. Default: 60 |
| users-detection | STRING | --users-detection | Use the supplied mode to enumerate Users, instead of the global (--detection-mode) mode. Available choices: mixed, passive, aggressive |
| users-list-file | FILE | --users-list | List of users to check during the users enumeration from the Login Error Messages |
| medias-detection | STRING | --medias-detection | Use the supplied mode to enumerate Medias, instead of the global (--detection-mode) mode. Available choices: mixed, passive, aggressive |
| themes-detection | STRING | --themes-detection | Use the supplied mode to enumerate Themes, instead of the global (--detection-mode) mode. Available choices: mixed, passive, aggressive |
| themes-list-file | FILE | --themes-list | List of themes to enumerate. |
| themes-threshold | STRING | --themes-threshold | Raise an error when the number of detected themes via known locations reaches the threshold. Set to 0 to ignore the threshold. Default: 20 |
| user-agents-list | FILE | --user-agents-list | List of agents to use with --random-user-agent |
| usernames-string | STRING | --usernames | List of usernames to use during the password attack. Examples: 'a1', 'a1,a2,a3' |
| exclude-usernames | STRING | --exclude-usernames | Exclude usernames matching the Regexp/string (case insensitive). Regexp delimiters are not required. |
| max-scan-duration | STRING | --max-scan-duration | Abort the scan if it exceeds the time provided in seconds |
| plugins-detection | STRING | --plugins-detection | Use the supplied mode to enumerate Plugins. Default: passive. Available choices: mixed, passive, aggressive |
| plugins-list-file | FILE | --plugins-list | List of plugins to enumerate. |
| plugins-threshold | STRING | --plugins-threshold | Raise an error when the number of detected plugins via known locations reaches the threshold. Set to 0 to ignore the threshold. Default: 100 |
| random-user-agent | BOOLEAN | --random-user-agent | Additional headers to append in requests. Separator to use between the headers: '; '. Examples: 'X-Forwarded-For: 127.0.0.1', 'X-Forwarded-For: 127.0.0.1; Another: aaa' |
| users-list-string | STRING | --users-list | List of users to check during the users enumeration from the Login Error Messages. Examples: 'a1', 'a1,a2,a3' |
| cache-time-to-live | STRING | --cache-ttl | The cache time to live in seconds. Default: 600 |
| connection-timeout | STRING | --connect-timeout | The connection timeout in seconds. Default: 30 |
| disable-tls-checsk | BOOLEAN | --disable-tls-checks | Disables SSL/TLS certificate verification, and downgrade to TLS1.0+ (requires cURL 7.66 for the latter) |
| themes-list-string | STRING | --themes-list | List of themes to enumerate. Examples: 'a1', 'a1,a2,a3' |
| themes-version-all | BOOLEAN | --themes-version-all | Check all the themes version locations according to the choosen mode (--detection-mode, --themes-detection and --themes-version-detection) |
| config-backups-list | FILE | --config-backups-list | List of config backups' filenames to use' |
| plugins-list-string | STRING | --plugins-list | List of plugins to enumerate. Examples: 'a1', 'a1,a2,a3' |
| plugins-version-all | STRING | --plugins-version-all | Check all the plugins version locations according to the choosen mode (--detection-mode, --plugins-detection and --plugins-version-detection) |
| timthumbs-detection | STRING | --timthumbs-detection | Use the supplied mode to enumerate Timthumbs, instead of the global (--detection-mode) mode. Available choices: mixed, passive, aggressive |
| db-exports-detection | STRING | --db-exports-detection | Use the supplied mode to enumerate DB Exports, instead of the global (--detection-mode) mode. Available choices: mixed, passive, aggressive |
| ignore-main-redirect | BOOLEAN | --ignore-main-redirect | Ignore the main redirect (if any) and scan the target url |
| main-theme-detection | STRING | --main-theme-detection | Use the supplied mode for the Main theme detection, instead of the global (--detection-mode) mode. Available choices: mixed, passive, aggressive |
| wp-version-detection | STRING | --wp-version-detection | Use the supplied mode for the WordPress version detection, instead of the global (--detection-mode) mode. Available choices: mixed, passive, aggressive |
| exclude-content-based | STRING | --exclude-content-based | Exclude all responses matching the Regexp (case insensitive) during parts of the enumeration. Both the headers and body are checked. Regexp delimiters are not required. |
| multicall-max-passwords | STRING | --multicall-max-passwords | Maximum number of passwords to send by request with XMLRPC multicall. Default: 500 |
| config-backups-detection | STRING | --config-backups-detection | Use the supplied mode to enumerate Config Backups, instead of the global (--detection-mode) mode. Available choices: mixed, passive, aggressive |
| themes-version-detection | STRING | --themes-version-detection | Use the supplied mode to check themes versions instead of the --detection-mode or --themes-detection modes. Available choices: mixed, passive, aggressive |
| file-to-read-write-cokies | FILE | --cookie-jar | File to read and write cookies |
| plugins-version-detection | STRING | --plugins-version-detection | Use the supplied mode to check plugins versions. Default: mixed. Available choices: mixed, passive, aggressive |
| interesting-findings-detection | STRING | --interesting-findings-detection | Use the supplied mode for the interesting findings detection. Available choices: mixed, passive, aggressive |
example
# wpscan-loop: enumerate vulnerable plugins/themes as JSON across a URL list# urls.txt contains https://blog.example.com and https://www.example.orgwpscan-loop --enumerate vp,vt,u --format json --detection-mode passive --stealthyblog.example.comwww.example.comshop.example.comnews.example.orgwp.example.netstaging.example.comdev.example.comcdn.example.comguidance
Use wpscan-loop when you have many WordPress URLs to scan in one node. For a single site, use wpscan. For non-WordPress targets, use a general scanner such as nuclei.
Same scanner for one --url. Use it for a single site; the loop variant iterates a file of URLs.
Template scanner across any stack. Run it alongside for non-WordPress checks on the same hosts.
faq
related
Find reflected XSS during recon by checking payload reflection.
Fast and customizable subdomain wordlist generator using patterns.
Scans software bills of materials for security vulnerabilities.
Find broken links, missing images, and other dead references within your HTML.
A command-line scanner that finds exposed services, files, and folders through the web root.
A CMS detection and exploitation suite.
A file of WordPress URLs feeds wpscan-loop, which scans each site for plugins, themes, and known vulnerabilities and writes the combined findings as an output.
Facts on this page come from the live Trickest tool library.