RubyGems - wpscan - Versions diffs - 3.8.10 → 3.8.11 - Mend

wpscan 3.8.10 → 3.8.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

checksums.yaml +4 -4
data/README.md +2 -2
data/app/controllers/vuln_api.rb +5 -2
data/app/views/cli/vuln_api/status.erb +3 -3
data/app/views/json/vuln_api/status.erb +1 -1
data/lib/wpscan/browser.rb +1 -1
data/lib/wpscan/db/vuln_api.rb +5 -3
data/lib/wpscan/target/platform/wordpress.rb +6 -8
data/lib/wpscan/typhoeus/response.rb +2 -1
data/lib/wpscan/version.rb +1 -1
metadata +16 -16

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 80bb171dc3d30fab68355160acacb8359681a85fb7f43ca11dc17968cb8b354f
-  data.tar.gz: ae033388eb73cbe1bc736edf32b54170cf12f0fb085ee76799fa207ca885a5d7
+  metadata.gz: 299c8c4ad7fc7a8e9329a891e57a6d13a2872ca0a977f49fe2070e71033e48a1
+  data.tar.gz: dcf67f4cc1770e7f97a201cc0216c7aa7fcf0d3d239834f597a822bdb30e373b
 SHA512:
-  metadata.gz: d0023c87de0d517a6eaf08ea8faf7a1a4681cad7a217bb8ee0201aa52f2ef209f64954cde27ea7d9ea2926e24800e377c43d2a4885ed15b3439468292006fb44
-  data.tar.gz: c01434b18a3682a190cf101e3a94622742dded2b5320c03bbb15eb515056531845feea68cc119351f428a73dbd966e6c1cffeb201844daca9734289f925e7e36
+  metadata.gz: 57c0d2f83d1e6a9a33a79aae80bc0a6ee96ce938eb562db811ca55920607fbba71859f6f3aba8de97a9b900b853edb9bcd02672a14a4948301f0a083b835a13e
+  data.tar.gz: 433b89aab18df530527092bb3bb499fdf8bfcbf3043a9369744ea85aa59bb8709bc0d624ed20451103138b0e2bd86c78f8c18476378899172f450be1c2968b6d

data/README.md CHANGED

@@ -1,5 +1,5 @@
 <p align="center">
-  <a href="https://wpscan.org/">
+  <a href="https://wpscan.com/">
     <img src="https://raw.githubusercontent.com/wpscanteam/wpscan/gh-pages/images/wpscan_logo.png" alt="WPScan logo">
   </a>
 </p>
@@ -176,7 +176,7 @@ Example cases which do not require a commercial license, and thus fall under the
 - Using WPScan to test your own systems.
 - Any non-commercial use of WPScan.
-If you need to purchase a commercial license or are unsure whether you need to purchase a commercial license contact us - team@wpscan.org.
+If you need to purchase a commercial license or are unsure whether you need to purchase a commercial license contact us - contact@wpscan.com.
 Free-use Terms and Conditions;

data/app/controllers/vuln_api.rb CHANGED

@@ -8,7 +8,10 @@ module WPScan
       def cli_options
         [
-          OptString.new(['--api-token TOKEN', 'The WPVulnDB API Token to display vulnerability data'])
+          OptString.new(
+            ['--api-token TOKEN',
+             'The WPScan API Token to display vulnerability data, available at https://wpscan.com/profile']
+          )
         ]
       end
@@ -19,7 +22,7 @@ module WPScan
         api_status = DB::VulnApi.status
-        raise Error::InvalidApiToken if api_status['error']
+        raise Error::InvalidApiToken if api_status['status'] == 'forbidden'
         raise Error::ApiLimitReached if api_status['requests_remaining'] == 0
         raise api_status['http_error'] if api_status['http_error']
       end

data/app/views/cli/vuln_api/status.erb CHANGED

@@ -1,13 +1,13 @@
 <% unless @status.empty? -%>
 <% if @status['http_error'] -%>
-<%= critical_icon %> WPVulnDB API, <%= @status['http_error'].to_s %>
+<%= critical_icon %> WPScan DB API, <%= @status['http_error'].to_s %>
 <% else -%>
-<%= info_icon %> WPVulnDB API OK
+<%= info_icon %> WPScan DB API OK
  | Plan: <%= @status['plan'] %>
  | Requests Done (during the scan): <%= @api_requests %>
  | Requests Remaining: <%= @status['requests_remaining'] %>
 <% end -%>
 <% else -%>
-<%= warning_icon %> No WPVulnDB API Token given, as a result vulnerability data has not been output.
+<%= warning_icon %> No WPScan API Token given, as a result vulnerability data has not been output.
 <%= warning_icon %> You can get a free API token with 50 daily requests by registering at https://wpscan.com/register
 <% end -%>

data/app/views/json/vuln_api/status.erb CHANGED

@@ -8,6 +8,6 @@
 "requests_remaining": <%= @status['requests_remaining'].to_json %>
 <% end -%>
 <% else -%>
-"error": "No WPVulnDB API Token given, as a result vulnerability data has not been output.\nYou can get a free API token with 50 daily requests by registering at https://wpscan.com/register"
+"error": "No WPScan API Token given, as a result vulnerability data has not been output.\nYou can get a free API token with 50 daily requests by registering at https://wpscan.com/register"
 <% end -%>
 },

data/lib/wpscan/browser.rb CHANGED

@@ -7,7 +7,7 @@ module WPScan
     # @return [ String ]
     def default_user_agent
-      @default_user_agent ||= "WPScan v#{VERSION} (https://wpscan.org/)"
+      @default_user_agent ||= "WPScan v#{VERSION} (https://wpscan.com/wordpress-security-scanner)"
     end
   end
 end

data/lib/wpscan/db/vuln_api.rb CHANGED

@@ -4,7 +4,7 @@ module WPScan
   module DB
     # WPVulnDB API
     class VulnApi
-      NON_ERROR_CODES = [200, 401].freeze
+      NON_ERROR_CODES = [200, 403].freeze
       class << self
         attr_accessor :token
@@ -26,7 +26,7 @@ module WPScan
         # Typhoeus.get is used rather than Browser.get to avoid merging irrelevant params from the CLI
         res = Typhoeus.get(uri.join(path), default_request_params.merge(params))
-        return {} if res.code == 404 # This is for API inconsistencies when dots in path
+        return {} if res.code == 404 || res.code == 429
         return JSON.parse(res.body) if NON_ERROR_CODES.include?(res.code)
         raise Error::HTTP, res
@@ -34,6 +34,8 @@ module WPScan
         retries ||= 0
         if (retries += 1) <= 3
+          @default_request_params[:headers]['X-Retry'] = retries
           sleep(1)
           retry
         end
@@ -68,7 +70,7 @@ module WPScan
       # @return [ Hash ]
       # @note Those params can not be overriden by CLI options
       def self.default_request_params
-        Browser.instance.default_connect_request_params.merge(
+        @default_request_params ||= Browser.instance.default_connect_request_params.merge(
           headers: {
             'User-Agent' => Browser.instance.default_user_agent,
             'Authorization' => "Token token=#{token}"

data/lib/wpscan/target/platform/wordpress.rb CHANGED

@@ -11,9 +11,10 @@ module WPScan
       module WordPress
         include CMSScanner::Target::Platform::PHP
-        WORDPRESS_PATTERN      = %r{/(?:(?:wp-content/(?:themes|(?:mu-)?plugins|uploads))|wp-includes)/}i.freeze
-        WP_JSON_OEMBED_PATTERN = %r{/wp-json/oembed/}i.freeze
-        WP_ADMIN_AJAX_PATTERN  = %r{\\?/wp-admin\\?/admin-ajax\.php}i.freeze
+        WORDPRESS_PATTERN        = %r{/(?:(?:wp-content/(?:themes|(?:mu-)?plugins|uploads))|wp-includes)/}i.freeze
+        WORDPRESS_HOSTED_PATTERN = %r{https?://s\d\.wp\.com#{WORDPRESS_PATTERN}}i.freeze
+        WP_JSON_OEMBED_PATTERN   = %r{/wp-json/oembed/}i.freeze
+        WP_ADMIN_AJAX_PATTERN    = %r{\\?/wp-admin\\?/admin-ajax\.php}i.freeze
         # These methods are used in the associated interesting_findings finders
         # to keep the boolean state of the finding rather than re-check the whole thing again
@@ -103,11 +104,8 @@ module WPScan
           return true if /\.wordpress\.com$/i.match?(uri.host)
           unless content_dir
-            pattern = %r{https?://s\d\.wp\.com#{WORDPRESS_PATTERN}}i.freeze
-            xpath   = '(//@href|//@src)[contains(., "wp.com")]'
-            uris_from_page(homepage_res, xpath) do |uri|
-              return true if uri.to_s.match?(pattern)
+            uris_from_page(homepage_res, '(//@href|//@src)[contains(., "wp.com")]') do |uri|
+              return true if uri.to_s.match?(WORDPRESS_HOSTED_PATTERN)
             end
           end

data/lib/wpscan/typhoeus/response.rb CHANGED

@@ -7,7 +7,8 @@ module Typhoeus
     #
     # @return [ Boolean ]
     def from_vuln_api?
-      effective_url.start_with?(WPScan::DB::VulnApi.uri.to_s) && !effective_url.include?('/status')
+      effective_url.start_with?(WPScan::DB::VulnApi.uri.to_s) &&
+        !effective_url.start_with?(WPScan::DB::VulnApi.uri.join('status').to_s)
     end
   end
 end

data/lib/wpscan/version.rb CHANGED

@@ -2,5 +2,5 @@
 # Version
 module WPScan
-  VERSION = '3.8.10'
+  VERSION = '3.8.11'
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: wpscan
 version: !ruby/object:Gem::Version
-  version: 3.8.10
+  version: 3.8.11
 platform: ruby
 authors:
 - WPScanTeam
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-10-28 00:00:00.000000000 Z
+date: 2020-12-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: cms_scanner
@@ -44,14 +44,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.9.13
+        version: 1.0.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.9.13
+        version: 1.0.0
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -72,14 +72,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.9.0
+        version: 3.10.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.9.0
+        version: 3.10.0
 - !ruby/object:Gem::Dependency
   name: rspec-its
   requirement: !ruby/object:Gem::Requirement
@@ -100,42 +100,42 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.0.0
+        version: 1.6.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.0.0
+        version: 1.6.0
 - !ruby/object:Gem::Dependency
   name: rubocop-performance
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.8.0
+        version: 1.9.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.8.0
+        version: 1.9.0
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.19.0
+        version: 0.20.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.19.0
+        version: 0.20.0
 - !ruby/object:Gem::Dependency
   name: simplecov-lcov
   requirement: !ruby/object:Gem::Requirement
@@ -170,17 +170,17 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.9.0
+        version: 3.10.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.9.0
+        version: 3.10.0
 description: WPScan is a black box WordPress vulnerability scanner.
 email:
-- team@wpscan.org
+- contact@wpscan.com
 executables:
 - wpscan
 extensions: []
@@ -377,7 +377,7 @@ files:
 - lib/wpscan/version.rb
 - lib/wpscan/vulnerability.rb
 - lib/wpscan/vulnerable.rb
-homepage: https://wpscan.org/
+homepage: https://wpscan.com/wordpress-security-scanner
 licenses:
 - Dual
 metadata: {}