wpscan 3.8.10 → 3.8.11

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 80bb171dc3d30fab68355160acacb8359681a85fb7f43ca11dc17968cb8b354f
-  data.tar.gz: ae033388eb73cbe1bc736edf32b54170cf12f0fb085ee76799fa207ca885a5d7
+  metadata.gz: 299c8c4ad7fc7a8e9329a891e57a6d13a2872ca0a977f49fe2070e71033e48a1
+  data.tar.gz: dcf67f4cc1770e7f97a201cc0216c7aa7fcf0d3d239834f597a822bdb30e373b
 SHA512:
-  metadata.gz: d0023c87de0d517a6eaf08ea8faf7a1a4681cad7a217bb8ee0201aa52f2ef209f64954cde27ea7d9ea2926e24800e377c43d2a4885ed15b3439468292006fb44
-  data.tar.gz: c01434b18a3682a190cf101e3a94622742dded2b5320c03bbb15eb515056531845feea68cc119351f428a73dbd966e6c1cffeb201844daca9734289f925e7e36
+  metadata.gz: 57c0d2f83d1e6a9a33a79aae80bc0a6ee96ce938eb562db811ca55920607fbba71859f6f3aba8de97a9b900b853edb9bcd02672a14a4948301f0a083b835a13e
+  data.tar.gz: 433b89aab18df530527092bb3bb499fdf8bfcbf3043a9369744ea85aa59bb8709bc0d624ed20451103138b0e2bd86c78f8c18476378899172f450be1c2968b6d

data/README.md

@@ -1,5 +1,5 @@
 <p align="center">
-  <a href="https://wpscan.org/">
+  <a href="https://wpscan.com/">
     <img src="https://raw.githubusercontent.com/wpscanteam/wpscan/gh-pages/images/wpscan_logo.png" alt="WPScan logo">
   </a>
 </p>
@@ -176,7 +176,7 @@ Example cases which do not require a commercial license, and thus fall under the
 - Using WPScan to test your own systems.
 - Any non-commercial use of WPScan.
 
-If you need to purchase a commercial license or are unsure whether you need to purchase a commercial license contact us - team@wpscan.org.
+If you need to purchase a commercial license or are unsure whether you need to purchase a commercial license contact us - contact@wpscan.com.
 
 Free-use Terms and Conditions;
 

data/app/controllers/vuln_api.rb

@@ -8,7 +8,10 @@ module WPScan
 
       def cli_options
         [
-          OptString.new(['--api-token TOKEN', 'The WPVulnDB API Token to display vulnerability data'])
+          OptString.new(
+            ['--api-token TOKEN',
+             'The WPScan API Token to display vulnerability data, available at https://wpscan.com/profile']
+          )
         ]
       end
 
@@ -19,7 +22,7 @@ module WPScan
 
         api_status = DB::VulnApi.status
 
-        raise Error::InvalidApiToken if api_status['error']
+        raise Error::InvalidApiToken if api_status['status'] == 'forbidden'
         raise Error::ApiLimitReached if api_status['requests_remaining'] == 0
         raise api_status['http_error'] if api_status['http_error']
       end

data/app/views/cli/vuln_api/status.erb

@@ -1,13 +1,13 @@
 <% unless @status.empty? -%>
 <% if @status['http_error'] -%>
-<%= critical_icon %> WPVulnDB API, <%= @status['http_error'].to_s %>
+<%= critical_icon %> WPScan DB API, <%= @status['http_error'].to_s %>
 <% else -%>
-<%= info_icon %> WPVulnDB API OK
+<%= info_icon %> WPScan DB API OK
  | Plan: <%= @status['plan'] %>
  | Requests Done (during the scan): <%= @api_requests %>
  | Requests Remaining: <%= @status['requests_remaining'] %>
 <% end -%>
 <% else -%>
-<%= warning_icon %> No WPVulnDB API Token given, as a result vulnerability data has not been output.
+<%= warning_icon %> No WPScan API Token given, as a result vulnerability data has not been output.
 <%= warning_icon %> You can get a free API token with 50 daily requests by registering at https://wpscan.com/register
 <% end -%>

data/app/views/json/vuln_api/status.erb

@@ -8,6 +8,6 @@
 "requests_remaining": <%= @status['requests_remaining'].to_json %>
 <% end -%>
 <% else -%>
-"error": "No WPVulnDB API Token given, as a result vulnerability data has not been output.\nYou can get a free API token with 50 daily requests by registering at https://wpscan.com/register"
+"error": "No WPScan API Token given, as a result vulnerability data has not been output.\nYou can get a free API token with 50 daily requests by registering at https://wpscan.com/register"
 <% end -%>
 },

data/lib/wpscan/browser.rb

@@ -7,7 +7,7 @@ module WPScan
 
     # @return [ String ]
     def default_user_agent
-      @default_user_agent ||= "WPScan v#{VERSION} (https://wpscan.org/)"
+      @default_user_agent ||= "WPScan v#{VERSION} (https://wpscan.com/wordpress-security-scanner)"
     end
   end
 end

data/lib/wpscan/db/vuln_api.rb

@@ -4,7 +4,7 @@ module WPScan
   module DB
     # WPVulnDB API
     class VulnApi
-      NON_ERROR_CODES = [200, 401].freeze
+      NON_ERROR_CODES = [200, 403].freeze
 
       class << self
         attr_accessor :token
@@ -26,7 +26,7 @@ module WPScan
         # Typhoeus.get is used rather than Browser.get to avoid merging irrelevant params from the CLI
         res = Typhoeus.get(uri.join(path), default_request_params.merge(params))
 
-        return {} if res.code == 404 # This is for API inconsistencies when dots in path
+        return {} if res.code == 404 || res.code == 429
         return JSON.parse(res.body) if NON_ERROR_CODES.include?(res.code)
 
         raise Error::HTTP, res
@@ -34,6 +34,8 @@ module WPScan
         retries ||= 0
 
         if (retries += 1) <= 3
+          @default_request_params[:headers]['X-Retry'] = retries
+
           sleep(1)
           retry
         end
@@ -68,7 +70,7 @@ module WPScan
       # @return [ Hash ]
       # @note Those params can not be overriden by CLI options
       def self.default_request_params
-        Browser.instance.default_connect_request_params.merge(
+        @default_request_params ||= Browser.instance.default_connect_request_params.merge(
           headers: {
             'User-Agent' => Browser.instance.default_user_agent,
             'Authorization' => "Token token=#{token}"

data/lib/wpscan/target/platform/wordpress.rb

@@ -11,9 +11,10 @@ module WPScan
       module WordPress
         include CMSScanner::Target::Platform::PHP
 
-        WORDPRESS_PATTERN      = %r{/(?:(?:wp-content/(?:themes|(?:mu-)?plugins|uploads))|wp-includes)/}i.freeze
-        WP_JSON_OEMBED_PATTERN = %r{/wp-json/oembed/}i.freeze
-        WP_ADMIN_AJAX_PATTERN  = %r{\\?/wp-admin\\?/admin-ajax\.php}i.freeze
+        WORDPRESS_PATTERN        = %r{/(?:(?:wp-content/(?:themes|(?:mu-)?plugins|uploads))|wp-includes)/}i.freeze
+        WORDPRESS_HOSTED_PATTERN = %r{https?://s\d\.wp\.com#{WORDPRESS_PATTERN}}i.freeze
+        WP_JSON_OEMBED_PATTERN   = %r{/wp-json/oembed/}i.freeze
+        WP_ADMIN_AJAX_PATTERN    = %r{\\?/wp-admin\\?/admin-ajax\.php}i.freeze
 
         # These methods are used in the associated interesting_findings finders
         # to keep the boolean state of the finding rather than re-check the whole thing again
@@ -103,11 +104,8 @@ module WPScan
           return true if /\.wordpress\.com$/i.match?(uri.host)
 
           unless content_dir
-            pattern = %r{https?://s\d\.wp\.com#{WORDPRESS_PATTERN}}i.freeze
-            xpath   = '(//@href|//@src)[contains(., "wp.com")]'
-
-            uris_from_page(homepage_res, xpath) do |uri|
-              return true if uri.to_s.match?(pattern)
+            uris_from_page(homepage_res, '(//@href|//@src)[contains(., "wp.com")]') do |uri|
+              return true if uri.to_s.match?(WORDPRESS_HOSTED_PATTERN)
             end
           end
 

data/lib/wpscan/typhoeus/response.rb

@@ -7,7 +7,8 @@ module Typhoeus
     #
     # @return [ Boolean ]
     def from_vuln_api?
-      effective_url.start_with?(WPScan::DB::VulnApi.uri.to_s) && !effective_url.include?('/status')
+      effective_url.start_with?(WPScan::DB::VulnApi.uri.to_s) &&
+        !effective_url.start_with?(WPScan::DB::VulnApi.uri.join('status').to_s)
     end
   end
 end

data/lib/wpscan/version.rb

@@ -2,5 +2,5 @@
 
 # Version
 module WPScan
-  VERSION = '3.8.10'
+  VERSION = '3.8.11'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: wpscan
 version: !ruby/object:Gem::Version
-  version: 3.8.10
+  version: 3.8.11
 platform: ruby
 authors:
 - WPScanTeam
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-10-28 00:00:00.000000000 Z
+date: 2020-12-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: cms_scanner
@@ -44,14 +44,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.9.13
+        version: 1.0.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.9.13
+        version: 1.0.0
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -72,14 +72,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.9.0
+        version: 3.10.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.9.0
+        version: 3.10.0
 - !ruby/object:Gem::Dependency
   name: rspec-its
   requirement: !ruby/object:Gem::Requirement
@@ -100,42 +100,42 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.0.0
+        version: 1.6.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.0.0
+        version: 1.6.0
 - !ruby/object:Gem::Dependency
   name: rubocop-performance
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.8.0
+        version: 1.9.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.8.0
+        version: 1.9.0
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.19.0
+        version: 0.20.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.19.0
+        version: 0.20.0
 - !ruby/object:Gem::Dependency
   name: simplecov-lcov
   requirement: !ruby/object:Gem::Requirement
@@ -170,17 +170,17 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.9.0
+        version: 3.10.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.9.0
+        version: 3.10.0
 description: WPScan is a black box WordPress vulnerability scanner.
 email:
-- team@wpscan.org
+- contact@wpscan.com
 executables:
 - wpscan
 extensions: []
@@ -377,7 +377,7 @@ files:
 - lib/wpscan/version.rb
 - lib/wpscan/vulnerability.rb
 - lib/wpscan/vulnerable.rb
-homepage: https://wpscan.org/
+homepage: https://wpscan.com/wordpress-security-scanner
 licenses:
 - Dual
 metadata: {}