How to Use WPScan to Test for Vulnerable Plugins and Themes in WordPress



WPScan stands for wordpress security scanner. It is written in ruby language and it is a free software used to locate any vulnerable plugins and themes in your wordpress site that makes it vulnerable to attacks. Recently, there has been a tremendous increase in the security issues found among plugins and themes for wordpress sites. With the help of WPScan, the administrators will be able to test wordpress sites using blackbox techniques.

This tutorial will guide you with the installation of WPScan and using it for detecting vulnerable plugins.

Installation of WPScan


WPScan works only with Linux and OSX systems and does not work on Windows. If you want to use in on Windows, you will have to download VirtualBox and install any Linux distribution to use as a virtual machine.

Before we get down to install WPScan, we will need to install git packages since WPScan is hosted on Github. Run the following command to install git packages:

sudo apt-get install git


After installing git packages, we have to install wpscan dependencies:

sudo apt-get install libcurl4-gnutls-dev libopenssl-ruby libxml2 libxml2-dev libxslt1-dev ruby-dev ruby1.9.3


Next, we will clone the wpscan package from github:

git clone


Create a new directory for wpscan and install the ruby gems through bundle install from the new directory:

cd wpscan
sudo gem install bundler && bundle install --without test development


Enumerating Plugins


Now that we have already installed wpscan, let’s have a look at the tools for detecting vulnerable files on wordpress. WPScan has the ability to enumerate plugins, themes, users and timthumb installations. It also performs bruteforce attack against WordPress.

Let’s go ahead and see how to enumerate plugins. Launch wpscan using the following command:

ruby wpscan.rb --url http(s):// --enumerate p



ruby wpscan.rb --url http(s):// --enumerate vp


to display vulnerable plugins.

You may get an output similar to this:

| Name: akismet| Location: http://********.com/wp-content/plugins/akismet/ 
| Name: audio-player
| Location: http://********.com/wp-content/plugins/audio-player/
| * Title: Audio Player - player.swf playerID Parameter XSS
| * Reference:
| * Reference:
| * Reference:
| * Fixed in: 
| Name: bbpress - v2.3.2
| Location: http://********.com/wp-content/plugins/bbpress/
| Readme: http://********.com/wp-content/plugins/bbpress/readme.txt
| * Title: BBPress - Multiple Script Malformed Input Path Disclosure
| * Reference:
| * Reference:
| * Reference:
| * Reference:
| * Title: BBPress - forum.php page Parameter SQL Injection
| * Reference:
| * Reference:
| * Reference:
| * Reference: 
| Name: contact
| Location: http://********.com/wp-content/plugins/contact/


In the above example, we can see that the audio-player plugin is vulnerable to XSS attacks through playerid parameter. Similarly, bbpress installation is vulnerable to path disclosure and SQL injection. As a matter of fact, it is better to verify these reported vulnerabilities manually as scanners may sometimes report false alerts. In case if you find any potential threats, check for any patch updates available with the plugin developers. If yes, then patches have to be installed.


Enumerating Themes


As with enumerating plugins, themes also works on the same way. Run the following command to display the vulnerable themes:

ruby wpscan.rb --url http(s):// --enumerate t


ruby wpscan.rb --url http(s):// --enumerate vt


The screen will show output similar to this:

| Name: path
| Location: http://********.com/wp-content/themes/path/
| Style URL: http://********.com/wp-content/themes/path/style.css
| Description:  
| Name: pub
| Location: http://********.com/wp-content/themes/pub/
| Style URL: http://********.com/wp-content/themes/pub/style.css
| Description: 
| Name: rockstar
| Location: http://********.com/wp-content/themes/rockstar/
| Style URL: http://********.com/wp-content/themes/rockstar/style.css
| Description: 
| * Title: WooThemes WooFramework Remote Unauthenticated Shortcode Execution
| * Reference: 
| Name: twentyten
| Location: http://********.com/wp-content/themes/twentyten/
| Style URL: http://********.com/wp-content/themes/twentyten/style.css
| Description:


Here, in this example you can see that rockstar theme is vulnerable to remote unauthenticated shortcode execution.

Enumerating Users and Timthumb Installations


WPScan is used to enumerate users too. The attackers may use this to get the list of valid users on a wordpress site for a bruteforce attack.

ruby wpscan.rb --url http(s):// --enumerate u


For enumerating timthumb installations, wpscan can be used to find the vulnerable files:

ruby wpscan.rb --url http(s):// --enumerate tt


WPScan can be updated using the command:

ruby wpscan.rb --update


support2 has written 111 articles

Leave a Reply