RubyGems - wpscan - Versions diffs - 3.8.28 → 4.0.0 - Mend

wpscan 3.8.28 → 4.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (252) hide show

checksums.yaml +4 -4
data/README.md +104 -30
data/app/app.rb +26 -0
data/app/controllers/aliases.rb +2 -2
data/app/controllers/authenticated_inventory.rb +43 -0
data/app/controllers/core/cli_options.rb +151 -0
data/app/controllers/core.rb +200 -25
data/app/controllers/custom_directories.rb +1 -1
data/app/controllers/enumeration/cli_options.rb +21 -31
data/app/controllers/enumeration/enum_methods.rb +145 -38
data/app/controllers/enumeration.rb +26 -3
data/app/controllers/interesting_findings.rb +25 -0
data/app/controllers/main_theme.rb +1 -1
data/app/controllers/password_attack.rb +14 -6
data/app/controllers/vuln_api.rb +9 -3
data/app/controllers/wp_version.rb +1 -1
data/app/controllers.rb +1 -0
data/app/finders/backup_folders/known_locations.rb +66 -0
data/app/finders/backup_folders.rb +19 -0
data/app/finders/config_backups/known_filenames.rb +6 -4
data/app/finders/config_backups.rb +1 -1
data/app/finders/db_exports/known_locations.rb +16 -14
data/app/finders/db_exports.rb +1 -1
data/app/finders/interesting_findings/backup_db.rb +1 -1
data/app/finders/interesting_findings/debug_log.rb +1 -1
data/app/finders/interesting_findings/duplicator_installer_log.rb +1 -1
data/app/finders/interesting_findings/emergency_pwd_reset_script.rb +1 -1
data/app/finders/interesting_findings/fantastico_fileslist.rb +21 -0
data/app/finders/interesting_findings/full_path_disclosure.rb +1 -1
data/app/finders/interesting_findings/headers.rb +17 -0
data/app/finders/interesting_findings/mu_plugins.rb +1 -1
data/app/finders/interesting_findings/multisite.rb +1 -1
data/app/finders/interesting_findings/php_disabled.rb +2 -2
data/app/finders/interesting_findings/readme.rb +1 -1
data/app/finders/interesting_findings/registration.rb +1 -1
data/app/finders/interesting_findings/robots_txt.rb +20 -0
data/app/finders/interesting_findings/search_replace_db_2.rb +19 -0
data/app/finders/interesting_findings/tmm_db_migrate.rb +1 -1
data/app/finders/interesting_findings/upload_directory_listing.rb +1 -1
data/app/finders/interesting_findings/upload_sql_dump.rb +2 -2
data/app/finders/interesting_findings/wp_cron.rb +1 -1
data/app/finders/interesting_findings/xml_rpc.rb +61 -0
data/app/finders/interesting_findings.rb +13 -4
data/app/finders/main_theme/css_style_in_homepage.rb +1 -1
data/app/finders/main_theme/urls_in_homepage.rb +3 -7
data/app/finders/main_theme/woo_framework_meta_generator.rb +4 -4
data/app/finders/main_theme.rb +1 -1
data/app/finders/medias/attachment_brute_forcing.rb +2 -2
data/app/finders/medias.rb +1 -1
data/app/finders/passwords/wp_login.rb +2 -2
data/app/finders/passwords/xml_rpc.rb +2 -2
data/app/finders/passwords/xml_rpc_multicall.rb +1 -1
data/app/finders/plugin_version/readme.rb +1 -1
data/app/finders/plugin_version.rb +1 -1
data/app/finders/plugins/known_locations.rb +17 -7
data/app/finders/plugins/urls_in_homepage.rb +3 -7
data/app/finders/plugins/wp_json_api.rb +85 -0
data/app/finders/plugins.rb +2 -1
data/app/finders/theme_version/style.rb +1 -1
data/app/finders/theme_version/woo_framework_meta_generator.rb +1 -1
data/app/finders/theme_version.rb +1 -1
data/app/finders/themes/known_locations.rb +12 -6
data/app/finders/themes/urls_in_homepage.rb +3 -7
data/app/finders/themes/wp_json_api.rb +74 -0
data/app/finders/themes.rb +2 -1
data/app/finders/timthumb_version/bad_request.rb +1 -1
data/app/finders/timthumb_version.rb +1 -1
data/app/finders/timthumbs/known_locations.rb +6 -4
data/app/finders/timthumbs.rb +1 -1
data/app/finders/users/author_id_brute_forcing.rb +11 -7
data/app/finders/users/author_posts.rb +1 -1
data/app/finders/users/author_sitemap.rb +1 -1
data/app/finders/users/login_error_messages.rb +1 -1
data/app/finders/users/oembed_api.rb +3 -1
data/app/finders/users/wp_json_api.rb +11 -7
data/app/finders/users.rb +1 -1
data/app/finders/wp_version/atom_generator.rb +1 -1
data/app/finders/wp_version/rdf_generator.rb +1 -1
data/app/finders/wp_version/readme.rb +1 -1
data/app/finders/wp_version/rss_generator.rb +1 -1
data/app/finders/wp_version/unique_fingerprinting.rb +2 -2
data/app/finders/wp_version.rb +1 -1
data/app/finders.rb +1 -0
data/app/formatters/cli.rb +79 -0
data/app/formatters/cli_no_color.rb +9 -0
data/app/formatters/cli_no_colour.rb +17 -0
data/app/formatters/json.rb +14 -0
data/app/formatters/jsonl.rb +29 -0
data/app/formatters/sarif.rb +311 -0
data/app/models/backup_folder.rb +39 -0
data/app/models/fantastico_fileslist.rb +34 -0
data/app/models/headers.rb +44 -0
data/app/models/interesting_finding.rb +41 -2
data/app/models/plugin.rb +8 -2
data/app/models/robots_txt.rb +31 -0
data/app/models/search_replace_db_2.rb +17 -0
data/app/models/theme.rb +9 -2
data/app/models/timthumb.rb +2 -2
data/app/models/user.rb +35 -0
data/app/models/version.rb +49 -0
data/app/models/wp_item/wordpress_org_data.rb +55 -0
data/app/models/wp_item.rb +109 -9
data/app/models/wp_version.rb +2 -2
data/app/models/xml_rpc.rb +73 -3
data/app/models.rb +2 -1
data/app/user_agents.txt +46 -0
data/app/views/cli/core/banner.erb +3 -3
data/app/views/cli/core/finished.erb +15 -0
data/app/views/cli/core/help.erb +4 -0
data/app/views/cli/core/started.erb +11 -0
data/app/views/cli/enumeration/backup_folders.erb +11 -0
data/app/views/cli/enumeration/plugin.erb +13 -0
data/app/views/cli/enumeration/plugins.erb +1 -12
data/app/views/cli/enumeration/theme.erb +4 -0
data/app/views/cli/enumeration/themes.erb +1 -3
data/app/views/cli/enumeration/user.erb +4 -0
data/app/views/cli/enumeration/users.erb +1 -3
data/app/views/cli/finding.erb +1 -1
data/app/views/cli/interesting_findings/_array.erb +10 -0
data/app/views/cli/interesting_findings/findings.erb +23 -0
data/app/views/cli/scan_aborted.erb +5 -0
data/app/views/cli/update_aborted.erb +5 -0
data/app/views/cli/vuln_api/status.erb +2 -0
data/app/views/cli/vulnerability.erb +6 -0
data/app/views/cli/wp_item.erb +4 -1
data/app/views/json/core/banner.erb +2 -8
data/app/views/json/core/finished.erb +13 -0
data/app/views/json/core/help.erb +4 -0
data/app/views/json/core/started.erb +10 -0
data/app/views/json/enumeration/backup_folders.erb +11 -0
data/app/views/json/enumeration/plugin.erb +15 -0
data/app/views/json/enumeration/theme.erb +5 -0
data/app/views/json/enumeration/user.erb +6 -0
data/app/views/json/finding.erb +8 -2
data/app/views/json/interesting_findings/findings.erb +24 -0
data/app/views/json/notice.erb +1 -0
data/app/views/json/scan_aborted.erb +5 -0
data/app/views/json/update_aborted.erb +5 -0
data/app/views/json/vuln_api/status.erb +2 -0
data/app/views/json/wp_item.erb +4 -1
data/bin/wpscan +1 -0
data/lib/opt_parse_validator/config_files_loader_merger/base.rb +26 -0
data/lib/opt_parse_validator/config_files_loader_merger/json.rb +17 -0
data/lib/opt_parse_validator/config_files_loader_merger/yml.rb +17 -0
data/lib/opt_parse_validator/config_files_loader_merger.rb +62 -0
data/lib/opt_parse_validator/errors.rb +9 -0
data/lib/opt_parse_validator/hacks.rb +19 -0
data/lib/opt_parse_validator/opts/alias.rb +28 -0
data/lib/opt_parse_validator/opts/array.rb +34 -0
data/lib/opt_parse_validator/opts/base.rb +142 -0
data/lib/opt_parse_validator/opts/boolean.rb +19 -0
data/lib/opt_parse_validator/opts/choice.rb +43 -0
data/lib/opt_parse_validator/opts/credentials.rb +15 -0
data/lib/opt_parse_validator/opts/directory_path.rb +17 -0
data/lib/opt_parse_validator/opts/file_path.rb +34 -0
data/lib/opt_parse_validator/opts/headers.rb +33 -0
data/lib/opt_parse_validator/opts/integer.rb +15 -0
data/lib/opt_parse_validator/opts/integer_range.rb +37 -0
data/lib/opt_parse_validator/opts/multi_choices.rb +135 -0
data/lib/opt_parse_validator/opts/path.rb +78 -0
data/lib/opt_parse_validator/opts/positive_integer.rb +16 -0
data/lib/opt_parse_validator/opts/proxy.rb +7 -0
data/lib/opt_parse_validator/opts/regexp.rb +14 -0
data/lib/opt_parse_validator/opts/smart_list.rb +30 -0
data/lib/opt_parse_validator/opts/string.rb +8 -0
data/lib/opt_parse_validator/opts/uri.rb +41 -0
data/lib/opt_parse_validator/opts/url.rb +11 -0
data/lib/opt_parse_validator/opts.rb +9 -0
data/lib/opt_parse_validator/version.rb +6 -0
data/lib/opt_parse_validator.rb +161 -0
data/lib/wpscan/browser/actions.rb +48 -0
data/lib/wpscan/browser/options.rb +92 -0
data/lib/wpscan/browser.rb +87 -2
data/lib/wpscan/browser_authenticator.rb +64 -0
data/lib/wpscan/cache/file_store.rb +77 -0
data/lib/wpscan/cache/typhoeus.rb +25 -0
data/lib/wpscan/controller.rb +100 -4
data/lib/wpscan/controllers.rb +78 -3
data/lib/wpscan/db/dynamic_finders/base.rb +3 -7
data/lib/wpscan/db/dynamic_finders/plugin.rb +2 -2
data/lib/wpscan/db/dynamic_finders/wordpress.rb +1 -1
data/lib/wpscan/db/fingerprints.rb +2 -2
data/lib/wpscan/db/updater.rb +23 -13
data/lib/wpscan/db/vuln_api.rb +19 -7
data/lib/wpscan/db/wp_item.rb +2 -2
data/lib/wpscan/errors/enumeration.rb +4 -4
data/lib/wpscan/errors/http.rb +82 -3
data/lib/wpscan/errors/saml.rb +28 -0
data/lib/wpscan/errors/scan.rb +14 -0
data/lib/wpscan/errors/update.rb +11 -3
data/lib/wpscan/errors/vuln_api.rb +24 -0
data/lib/wpscan/errors/wordpress.rb +2 -2
data/lib/wpscan/errors/wp_auth.rb +37 -0
data/lib/wpscan/errors.rb +4 -3
data/lib/wpscan/exit_code.rb +25 -0
data/lib/wpscan/finders/base_finders.rb +45 -0
data/lib/wpscan/finders/dynamic_finder/finder.rb +1 -1
data/lib/wpscan/finders/dynamic_finder/version/body_pattern.rb +1 -1
data/lib/wpscan/finders/dynamic_finder/version/comment.rb +1 -1
data/lib/wpscan/finders/dynamic_finder/version/header_pattern.rb +1 -1
data/lib/wpscan/finders/dynamic_finder/version/javascript_var.rb +1 -1
data/lib/wpscan/finders/dynamic_finder/version/query_parameter.rb +3 -5
data/lib/wpscan/finders/dynamic_finder/version/xpath.rb +1 -1
data/lib/wpscan/finders/dynamic_finder/wp_items/finder.rb +3 -3
data/lib/wpscan/finders/dynamic_finder/wp_version.rb +1 -1
data/lib/wpscan/finders/finder/breadth_first_dictionary_attack.rb +257 -0
data/lib/wpscan/finders/finder/enumerator.rb +77 -0
data/lib/wpscan/finders/finder/fingerprinter.rb +48 -0
data/lib/wpscan/finders/finder/smart_url_checker/findings.rb +33 -0
data/lib/wpscan/finders/finder/smart_url_checker.rb +60 -0
data/lib/wpscan/finders/finder/wp_version/smart_url_checker.rb +1 -1
data/lib/wpscan/finders/finder.rb +78 -0
data/lib/wpscan/finders/finding.rb +54 -0
data/lib/wpscan/finders/findings.rb +33 -0
data/lib/wpscan/finders/independent_finder.rb +33 -0
data/lib/wpscan/finders/independent_finders.rb +26 -0
data/lib/wpscan/finders/same_type_finder.rb +19 -0
data/lib/wpscan/finders/same_type_finders.rb +28 -0
data/lib/wpscan/finders/unique_finder.rb +19 -0
data/lib/wpscan/finders/unique_finders.rb +47 -0
data/lib/wpscan/finders.rb +11 -12
data/lib/wpscan/formatter/buffer.rb +17 -0
data/lib/wpscan/formatter.rb +152 -0
data/lib/wpscan/helper.rb +7 -1
data/lib/wpscan/http_status_tracking.rb +128 -0
data/lib/wpscan/numeric.rb +13 -0
data/lib/wpscan/parsed_cli.rb +31 -2
data/lib/wpscan/progressbar_null_output.rb +23 -0
data/lib/wpscan/public_suffix/domain.rb +44 -0
data/lib/wpscan/references.rb +118 -4
data/lib/wpscan/scan.rb +127 -0
data/lib/wpscan/target/hashes.rb +45 -0
data/lib/wpscan/target/platform/php.rb +124 -0
data/lib/wpscan/target/platform/wordpress/custom_directories.rb +3 -3
data/lib/wpscan/target/platform/wordpress.rb +7 -8
data/lib/wpscan/target/platform.rb +3 -0
data/lib/wpscan/target/scope.rb +103 -0
data/lib/wpscan/target/server/apache.rb +27 -0
data/lib/wpscan/target/server/generic.rb +72 -0
data/lib/wpscan/target/server/iis.rb +29 -0
data/lib/wpscan/target/server/nginx.rb +27 -0
data/lib/wpscan/target/server.rb +6 -0
data/lib/wpscan/target.rb +129 -9
data/lib/wpscan/typhoeus/hydra.rb +12 -0
data/lib/wpscan/typhoeus/response.rb +24 -1
data/lib/wpscan/version.rb +1 -1
data/lib/wpscan/vulnerability.rb +49 -3
data/lib/wpscan/vulnerability_filter.rb +68 -0
data/lib/wpscan/vulnerable.rb +13 -1
data/lib/wpscan/web_site.rb +152 -0
data/lib/wpscan.rb +126 -29
metadata +362 -20

data/lib/wpscan/finders/independent_finders.rb ADDED Viewed

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+module WPScan
+  module Finders
+    # This class is designed to handle independent results
+    # which are not related with each others
+    # e.g: interesting files
+    class IndependentFinders < BaseFinders
+      # @param [ Hash ] opts
+      # @option opts [ Symbol ] mode :mixed, :passive or :aggressive
+      #
+      # @return [ Findings ]
+      def run(opts = {})
+        methods = symbols_from_mode(opts[:mode])
+        each do |finder|
+          methods.each do |symbol|
+            run_finder(finder, symbol, opts)
+          end
+        end
+        filter_findings
+      end
+    end
+  end
+end

data/lib/wpscan/finders/same_type_finder.rb ADDED Viewed

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+module WPScan
+  module Finders
+    # Same Type Finder
+    module SameTypeFinder
+      def self.included(klass)
+        klass.class_eval do
+          include IndependentFinder
+          # @return [ Array ]
+          def finders
+            @finders ||= WPScan::Finders::SameTypeFinders.new
+          end
+        end
+      end
+    end
+  end
+end

data/lib/wpscan/finders/same_type_finders.rb ADDED Viewed

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+module WPScan
+  module Finders
+    # This class is designed to handle same type results, such as enumeration of plugins,
+    # themes etc.
+    class SameTypeFinders < BaseFinders
+      # @param [ Hash ] opts
+      # @option opts [ Symbol ] :mode :mixed, :passive or :aggressive
+      # @option opts [ Boolean ] :sort Wether or not to sort the findings
+      #
+      # @return [ Findings ]
+      def run(opts = {}, &block)
+        findings.on_append = block if block
+        symbols_from_mode(opts[:mode]).each do |symbol|
+          each do |finder|
+            run_finder(finder, symbol, opts)
+          end
+        end
+        findings.sort! if opts[:sort]
+        filter_findings
+      end
+    end
+  end
+end

data/lib/wpscan/finders/unique_finder.rb ADDED Viewed

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+module WPScan
+  module Finders
+    # Unique Finder
+    module UniqueFinder
+      def self.included(klass)
+        klass.class_eval do
+          include IndependentFinder
+          # @return [ Array ]
+          def finders
+            @finders ||= WPScan::Finders::UniqueFinders.new
+          end
+        end
+      end
+    end
+  end
+end

data/lib/wpscan/finders/unique_finders.rb ADDED Viewed

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+module WPScan
+  module Finders
+    # This class is designed to return a unique result such as a version
+    # Note: Finders contained can return multiple results but the #run will only
+    # returned the best finding
+    class UniqueFinders < BaseFinders
+      # @param [ Hash ] opts
+      # @option opts [ Symbol ] :mode :mixed, :passive or :aggressive
+      # @option opts [ Int ] :confidence_threshold  If a finding's confidence reaches this value,
+      #                                             it will be returned as the best finding.
+      #                                             Default is 100.
+      #                                             If <= 0, all finders will be ran.
+      #
+      # @return [ Object, false ] The best finding or false if none
+      def run(opts = {})
+        opts[:confidence_threshold] ||= 100
+        symbols_from_mode(opts[:mode]).each do |symbol|
+          each do |finder|
+            run_finder(finder, symbol, opts)
+            next if opts[:confidence_threshold] <= 0
+            findings.each { |f| return f if f.confidence >= opts[:confidence_threshold] }
+          end
+        end
+        filter_findings
+      end
+      protected
+      # @return [ Object, false ] The best finding or false if none
+      def filter_findings
+        # results are sorted by confidence ASC
+        findings.sort_by!(&:confidence)
+        # If all findings have the same confidence, false is returned
+        return false if findings.size > 1 && findings.first.confidence == findings.last.confidence
+        findings.last || false
+      end
+    end
+  end
+end

data/lib/wpscan/finders.rb CHANGED Viewed

@@ -1,5 +1,16 @@
 # frozen_string_literal: true
+require 'wpscan/finders/finder'
+require 'wpscan/finders/finding'
+require 'wpscan/finders/findings'
+require 'wpscan/finders/base_finders'
+require 'wpscan/finders/independent_finders'
+require 'wpscan/finders/independent_finder'
+require 'wpscan/finders/unique_finders'
+require 'wpscan/finders/unique_finder'
+require 'wpscan/finders/same_type_finders'
+require 'wpscan/finders/same_type_finder'
 require 'wpscan/finders/finder/wp_version/smart_url_checker'
 require 'wpscan/finders/dynamic_finder/finder'
@@ -14,15 +25,3 @@ require 'wpscan/finders/dynamic_finder/version/query_parameter'
 require 'wpscan/finders/dynamic_finder/version/config_parser'
 require 'wpscan/finders/dynamic_finder/wp_item_version'
 require 'wpscan/finders/dynamic_finder/wp_version'
-module WPScan
-  # Custom Finders
-  module Finders
-    include CMSScanner::Finders
-    # Custom InterestingFindings
-    module InterestingFindings
-      include CMSScanner::Finders::InterestingFindings
-    end
-  end
-end

data/lib/wpscan/formatter/buffer.rb ADDED Viewed

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+module WPScan
+  module Formatter
+    # Module used to output the rendered views into a buffer
+    # and beautify it a the end of the scan
+    module Buffer
+      def output(tpl, vars = {}, controller_name = nil)
+        buffer << render(tpl, vars, controller_name).encode('UTF-8', invalid: :replace, undef: :replace)
+      end
+      def buffer
+        @buffer ||= +''
+      end
+    end
+  end
+end

data/lib/wpscan/formatter.rb ADDED Viewed

@@ -0,0 +1,152 @@
+# frozen_string_literal: true
+require 'wpscan/formatter/buffer'
+module WPScan
+  # Formatter
+  module Formatter
+    # Module to be able to do Formatter.load() & Formatter.availables
+    # and do that as well when the Formatter is included in another module
+    module ClassMethods
+      # @param [ String ] format
+      # @param [ Array<String> ] custom_views
+      #
+      # @return [ Formatter::Base ]
+      def load(format = nil, custom_views = nil)
+        format ||= 'cli'
+        custom_views ||= []
+        f = const_get(format.tr('-', '_').camelize).new
+        custom_views.each { |v| f.views_directories << v }
+        f
+      end
+      # @return [ Array<String> ] The list of the available formatters (except the Base one)
+      # @note: the #load method above should then be used to create the associated formatter
+      def availables
+        formatters = WPScan::Formatter.constants.select do |const|
+          name = WPScan::Formatter.const_get(const)
+          name.is_a?(Class) && name != WPScan::Formatter::Base
+        end
+        formatters.map { |sym| sym.to_s.underscore.dasherize }
+      end
+    end
+    extend ClassMethods
+    def self.included(base)
+      base.extend(ClassMethods)
+    end
+    # This module should be implemented in the code which uses this Framework to
+    # be able to override/implements instance methods for all the Formatters
+    # w/o having to include/write the methods in each formatters.
+    #
+    # Example: to override the #views_directories (see the wpscan-v3/lib/wpscan/formatter.rb)
+    module InstanceMethods
+    end
+    # Base Formatter
+    class Base
+      attr_reader :controller_name
+      def initialize
+        # Can't put this at the top level of the class, due to the WPScan::
+        extend WPScan::Formatter::InstanceMethods
+      end
+      # @return [ String ] The underscored name of the class
+      def format
+        self.class.name.demodulize.underscore
+      end
+      # @return [ Boolean ]
+      def user_interaction?
+        format == 'cli'
+      end
+      # @return [ Boolean ]
+      # Whether this formatter can render findings incrementally as they
+      # arrive (cli, jsonl), or needs to receive the full result set first
+      # (json, sarif — they emit a single well-formed document at end-of-scan).
+      def streams?
+        false
+      end
+      # @return [ String ] The underscored format to use as a base
+      def base_format; end
+      # @return [ Array<String> ]
+      def formats
+        [format, base_format].compact
+      end
+      # This is called after the scan
+      # and used in some formatters (e.g JSON)
+      # to indent results
+      def beautify; end
+      # @see #render
+      def output(tpl, vars = {}, controller_name = nil)
+        puts render(tpl, vars, controller_name)
+      end
+      ERB_SUPPORTS_KVARGS = ::ERB.instance_method(:initialize).parameters.assoc(:key) # Ruby 2.6+
+      # @param [ String ] tpl
+      # @param [ Hash ] vars
+      # @param [ String ] controller_name
+      def render(tpl, vars = {}, controller_name = nil)
+        template_vars(vars)
+        @controller_name = controller_name if controller_name
+        # '-' disables new lines when -%> is used.
+        # See http://www.ruby-doc.org/stdlib/libdoc/erb/rdoc/ERB.html
+        ERB.new(File.read(view_path(tpl)), trim_mode: '-').result(binding)
+      end
+      # @param [ Hash ] vars
+      #
+      # @return [ Void ]
+      def template_vars(vars)
+        vars.each do |key, value|
+          instance_variable_set("@#{key}", value) unless key == :views_directories
+        end
+      end
+      # @param [ String ] tpl
+      #
+      # @return [ String ] The path of the view
+      def view_path(tpl)
+        if tpl[0, 1] == '@' # Global Template
+          tpl = tpl.delete('@')
+        else
+          raise 'The controller_name can not be nil' unless controller_name
+          tpl = "#{controller_name}/#{tpl}"
+        end
+        raise "Wrong tpl format: '#{tpl}'" unless %r{\A[\w/_]+\z}.match?(tpl)
+        views_directories.reverse_each do |dir|
+          formats.each do |format|
+            potential_file = File.join(dir, format, "#{tpl}.erb")
+            return potential_file if File.exist?(potential_file)
+          end
+        end
+        raise "View not found for #{format}/#{tpl}"
+      end
+      # @return [ Array<String> ] The directories to look into for views
+      def views_directories
+        @views_directories ||= [
+          APP_DIR, WPScan::APP_DIR,
+          File.join(Dir.home, ".#{WPScan.app_name}"), File.join(Dir.pwd, ".#{WPScan.app_name}")
+        ].uniq.reduce([]) { |acc, elem| acc << Pathname.new(elem).join('views').to_s }
+      end
+    end
+  end
+end

data/lib/wpscan/helper.rb CHANGED Viewed

@@ -1,5 +1,11 @@
 # frozen_string_literal: true
+# @param [ String ] file The file path
+def redirect_output_to_file(file)
+  $stdout.reopen(file, 'w')
+  $stdout.sync = true
+end
 def read_json_file(file)
   JSON.parse(File.read(file))
 rescue StandardError => e
@@ -13,7 +19,7 @@ end
 #
 # @return [ Symbol ]
 def classify_slug(slug)
-  classified = slug.to_s.gsub(/[^a-z\d\-]/i, '-').gsub(/-{1,}/, '_').camelize.to_s
+  classified = slug.to_s.gsub(/[^a-z\d-]/i, '-').gsub(/-{1,}/, '_').camelize.to_s
   classified = "D_#{classified}" if /\d/.match?(classified[0])
   # Special case for slugs with all non-latin characters.

data/lib/wpscan/http_status_tracking.rb ADDED Viewed

@@ -0,0 +1,128 @@
+# frozen_string_literal: true
+module WPScan
+  # Module for HTTP status code tracking and error detection
+  module HttpStatusTracking
+    # Tracking for HTTP status codes
+    def status_codes
+      @@status_codes_mutex ||= Mutex.new
+      @@status_codes ||= Hash.new(0)
+    end
+    # Reset status codes (mainly for testing)
+    def reset_status_codes
+      @@status_codes_mutex ||= Mutex.new
+      @@status_codes_mutex.synchronize do
+        @@status_codes = Hash.new(0)
+      end
+    end
+    # Thread-safe increment of status code count
+    def increment_status_code(code)
+      @@status_codes_mutex ||= Mutex.new
+      @@status_codes_mutex.synchronize do
+        status_codes[code] += 1
+      end
+    end
+    # Thread-safe set of status code count (mainly for testing)
+    def set_status_code(code, count)
+      @@status_codes_mutex ||= Mutex.new
+      @@status_codes_mutex.synchronize do
+        status_codes[code] = count
+      end
+    end
+    # Get top N status codes by frequency
+    def top_status_codes(limit = 5)
+      @@status_codes_mutex ||= Mutex.new
+      @@status_codes_mutex.synchronize do
+        return {} if status_codes.empty?
+        status_codes.sort_by { |_code, count| -count }.first(limit).to_h
+      end
+    end
+    # Helper to count specific error types
+    def error_counts
+      @@status_codes_mutex ||= Mutex.new
+      @@status_codes_mutex.synchronize do
+        {
+          failed: status_codes[0] || 0,
+          rate_limit: status_codes[429] || 0,
+          server_errors: status_codes.select { |code, _| code >= 500 }.values.sum,
+          client_errors: status_codes.select { |code, _count| code >= 400 && code < 500 && code != 404 }.values.sum
+        }
+      end
+    end
+    # Format status codes for display (converts code 0 to "failed")
+    def format_status_codes(codes_hash)
+      codes_hash.to_h do |code, count|
+        label = code.zero? ? 'failed' : code.to_s
+        [label, count]
+      end
+    end
+    # Get all applicable warning messages based on error types
+    def error_warning_messages
+      return [] if total_requests.zero?
+      messages = []
+      counts = error_counts
+      check_specific_error_conditions(messages, counts)
+      check_generic_error_rate(messages, counts)
+      messages
+    end
+    # Determine if warning should be shown for concerning error codes
+    def concerning_error_codes?
+      return false if total_requests.zero?
+      counts = error_counts
+      # Total errors excluding 404s but including failed requests (code 0)
+      total_errors = counts[:client_errors] + counts[:server_errors] + counts[:failed]
+      error_percentage = total_errors.to_f / total_requests
+      # Warning conditions
+      error_percentage > 0.2 ||
+        counts[:rate_limit] > 10 ||
+        counts[:server_errors] > 10 ||
+        counts[:failed] > 10
+    end
+    private
+    def check_specific_error_conditions(messages, counts)
+      if counts[:failed] > 10
+        messages << 'Too many failed requests (no response) could indicate network issues, ' \
+                    'WAF/IPS blocking, or an unavailable target'
+      end
+      if counts[:rate_limit] > 10
+        messages << 'Rate limiting detected (429 responses). Consider using --throttle or reducing --max-threads'
+      end
+      if counts[:server_errors] > 10
+        messages << 'Too many server errors (5xx). The target may be experiencing issues or blocking requests'
+      end
+      # Check for other 4xx client errors (excluding 404 and 429 which are handled separately)
+      other_client_errors = counts[:client_errors] - counts[:rate_limit]
+      return unless other_client_errors > 10
+      messages << 'Too many client errors (4xx). This could indicate access restrictions, ' \
+                  'authentication issues, or WAF blocking'
+    end
+    def check_generic_error_rate(messages, counts)
+      error_percentage = (counts[:client_errors] + counts[:server_errors] + counts[:failed]).to_f / total_requests
+      return unless error_percentage > 0.2 && messages.empty?
+      messages << 'Too many errors detected. This could indicate network issues, rate limiting, ' \
+                  'or security protection (e.g. WAF)'
+    end
+  end
+end

data/lib/wpscan/numeric.rb ADDED Viewed

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+# Hack of the Numeric class
+class Numeric
+  # @return [ String ] A human readable string of the value
+  def bytes_to_human
+    units = %w[B KB MB GB TB]
+    e     = abs.zero? ? abs : (Math.log(abs) / Math.log(1024)).floor
+    s     = format('%<s>.3f', s: (abs.to_f / (1024**e)))
+    s.sub(/\.?0*$/, " #{units[e]}")
+  end
+end

data/lib/wpscan/parsed_cli.rb CHANGED Viewed

@@ -1,7 +1,36 @@
 # frozen_string_literal: true
 module WPScan
-  # To be able to use ParsedCli directly, rather than having to access it via WPscan::ParsedCli
-  class ParsedCli < CMSScanner::ParsedCli
+  # Holds the parsed CLI options and exposes them via class methods (e.g. #verbose?)
+  # rather than from the raw hash. Similar to an OpenStruct but class-wise, with extra
+  # logic to push browser-relevant options into the Browser singleton.
+  class ParsedCli
+    # @return [ Hash ]
+    def self.options
+      @options ||= {}
+    end
+    # Sets the CLI options and propagates them to the Browser.
+    # @param [ Hash ] options
+    def self.options=(options)
+      @options = options.dup || {}
+      WPScan::Browser.reset
+      WPScan::Browser.instance(@options)
+    end
+    # @return [ Boolean ]
+    def self.verbose?
+      options[:verbose] ? true : false
+    end
+    # Unknown methods return nil — expected behaviour for option lookups.
+    # rubocop:disable Style/MissingRespondToMissing
+    def self.method_missing(method_name, *_args, &)
+      super if method_name == :new
+      options[method_name.to_sym]
+    end
+    # rubocop:enable Style/MissingRespondToMissing
   end
 end

data/lib/wpscan/progressbar_null_output.rb ADDED Viewed

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+require 'ruby-progressbar/outputs/null'
+module WPScan
+  # Adds the feature to log message sent to #log
+  # So they can be retrieved at some point, like after a password attack with a JSON output
+  # which won't display the progressbar but still call #log for errors etc
+  class ProgressBarNullOutput < ::ProgressBar::Outputs::Null
+    # @retutn [ Array<String> ]
+    def logs
+      @logs ||= []
+    end
+    # Override of parent method
+    # @return [ Array<String> ] return the logs when no string provided
+    def log(string = nil)
+      return logs if string.nil?
+      logs << string unless logs.include?(string)
+    end
+  end
+end

data/lib/wpscan/public_suffix/domain.rb ADDED Viewed

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+module PublicSuffix
+  # Monkey Patch to include the match logic
+  class Domain
+    # For Sanity
+    def ==(other)
+      name == other.name
+    end
+    # @return [ Boolean ]
+    #
+    # rubocop:disable Naming/PredicateMethod
+    def match(pattern)
+      pattern = PublicSuffix.parse(pattern) unless pattern.is_a?(PublicSuffix::Domain)
+      return name == pattern.name unless pattern.trd
+      return false unless tld == pattern.tld && sld == pattern.sld
+      matching_pattern?(pattern)
+    end
+    # rubocop:enable Naming/PredicateMethod
+    protected
+    # @rturn [ Boolean ]
+    def matching_pattern?(pattern)
+      pattern_trds = pattern.trd.split('.')
+      domain_trds  = trd.split('.')
+      case pattern_trds.first
+      when '*'
+        pattern_trds[1..] == domain_trds[1..]
+      when '**'
+        pa = pattern_trds[1..]
+        pa_size = pa.size
+        domain_trds[domain_trds.size - pa_size, pa_size] == pa
+      else
+        name == pattern.name
+      end
+    end
+  end
+end