The scan uses techniques that include brute forcing the plugins directory of a wordpress installation to find installed plugins. This is an accurate way to find plugins and can even pinpoint plugins that are disabled within the site but still installed in the wp-content/plugins directory and possibly a security risk.
Features of the active WPScan component include:
- Username discovery; with usernames an attacker can then start brute forcing account passwords
- Enhanced version enumeration, from both the meta generator tag and client side files
- Vulnerability identification, comparing current version with known vulnerabilities
- Timbthumb file discovery - this is a vulnerability affecting hundreds of thousands of WordPress sites
- Plugin enumeration (over 2000 plugins tested)
- Plugin vulnerability identification (from plugin name)
- Test for directory indexing on any discovered plugins
Due to the aggressive nature of the plugin and username discovery techniques we have decided to make the WPScan component of our online scanner available only to members.
If you would like to run WPScan from your own installation there are excellent getting started guides on the google-code site and in the README file. Getting it installed and running on Ubuntu or Back-track does not take much effort; so fire up your Linux distro and start testing.
Did you known that wordpress runs more than 11% of the worlds top web sites.