How to (Ethically) Scan a WordPress Site for Vulnerabilities

Last updated: 15 September 2019

If you need to scan a WordPress website for vulnerabilities, there is a free tool that you can use right now on your computer.

That tool is WPScan (WPScan.org).

It’s quite simple to use if you’re familiar with the terminal, but even if you’re not, Docker helps you streamline most of the process.

Installation of WPScan

First of all, download and install Docker Desktop on your computer.

After Docker is installed, head over to your terminal and run the following command:

docker pull wpscanteam/wpscan

WPScan is now installed!

API Registration

From version 3.7.0 of the WPScan CLI tool, if you want to display vulnerability data in your scans, you need to get an API token from WPVulnDB.

An API token will give you 50 free requests per day. To retrieve it, you just need to register an account on WPVulnDB.

After registration, confirm your email address and log in to your WPVulnDB account. From there, select “Free Usage” and copy the API token from your profile page.

Screenshot of the API selection on WPVulnDB

Paste the API token over to your notes so that you can easily copy it when you perform scans.

Vulnerability Scanning

It’s time to find those vulnerabilities. Open your terminal and type the following:

docker run -it --rm wpscanteam/wpscan --url https://yourwebsite.tld/ --api-token XXXXXXXXXXXXXXXXXXXX

Replace https://yourwebsite.tld/ with your website’s URL and XXXXXXXXXXXXXXXXXXXX with your API token.

That’s it!

You should see the report in the terminal. For example, if the scanned site was on WP 5.2.2, the report would have included:

[+] WordPress version 5.2.2 identified (Insecure, released on 2019-06-18).
 | Detected By: Most Common Wp Includes Query Parameter In Homepage (Passive Detection)
 |  - https://yourwebsite.tld/wp-includes/css/dashicons.min.css?ver=5.2.2
 | Confirmed By:
 |  Common Wp Includes Query Parameter In Homepage (Passive Detection)
 |   - https://yourwebsite.tld/wp-includes/js/mediaelement/wp-mediaelement.min.css?ver=5.2.2
 |   - https://yourwebsite.tld/wp-includes/js/wp-util.min.js?ver=5.2.2
 |  Query Parameter In Upgrade Page (Aggressive Detection)
 |   - https://yourwebsite.tld/wp-includes/css/buttons.min.css?ver=5.2.2
 |   - https://yourwebsite.tld/wp-admin/css/install.min.css?ver=5.2.2
 |
 | [!] 6 vulnerabilities identified:
 |
 | [!] Title: WordPress 5.2.2 - Cross-Site Scripting (XSS) in Stored Comments
 |     Fixed in: 5.2.3
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9861
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16218
 |      - https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
 |
 | [!] Title: WordPress 5.2.2 - Authenticated Cross-Site Scripting (XSS) in Post Previews
 |     Fixed in: 5.2.3
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9862
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16223
 |      - https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
 |
 | [!] Title: WordPress 5.2.2 - Potential Open Redirect
 |     Fixed in: 5.2.3
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9863
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16220
 |      - https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/c86ee39ff4c1a79b93c967eb88522f5c09614a28
 |
 | [!] Title: WordPress 5.0-5.2.2 - Authenticated Stored XSS in Shortcode Previews
 |     Fixed in: 5.2.3
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9864
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16219
 |      - https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
 |      - https://fortiguard.com/zeroday/FG-VD-18-165
 |      - https://www.fortinet.com/blog/threat-research/wordpress-core-stored-xss-vulnerability.html
 |
 | [!] Title: WordPress 5.2.2 - Cross-Site Scripting (XSS) in Dashboard
 |     Fixed in: 5.2.3
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9865
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16221
 |      - https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
 |
 | [!] Title: WordPress <= 5.2.2 - Cross-Site Scripting (XSS) in URL Sanitisation
 |     Fixed in: 5.2.3
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9867
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16222
 |      - https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/30ac67579559fe42251b5a9f887211bf61a8ed68

Ouch, that’s a lot of holes! And that’s just for WP core being one version behind.

You might get some false positives, but in most of those cases the report will contain the message “The version could not be determined.” When the scan is not confident that it detected the right version of a component, a plugin for example, it tells you so.
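To turn a report like the one above into concrete update actions, here is an added Python example (not part of the original post, and not WPScan's own code) that parses WPScan's text output: it extracts the detected core version, each finding's title, “Fixed in” version and CVE ids, and flags components where the scan printed “The version could not be determined” so they can be reviewed as possible false positives. The report excerpt and the plugin name example-plugin are constructed for the example.

```python
import re

# Constructed excerpt in the format of the WPScan report above (not a real scan);
# the trailing plugin block mimics a component whose version WPScan could not detect.
SAMPLE_REPORT = """\
[+] WordPress version 5.2.2 identified (Insecure, released on 2019-06-18).
 |
 | [!] 1 vulnerability identified:
 |
 | [!] Title: WordPress 5.2.2 - Cross-Site Scripting (XSS) in Stored Comments
 |     Fixed in: 5.2.3
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9861
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16218

[+] example-plugin
 | Location: https://yourwebsite.tld/wp-content/plugins/example-plugin/
 | The version could not be determined.
"""

def parse_wpscan_report(text):
    """Return (core_version, findings, unversioned); unversioned lists components
    where WPScan could not determine the version, i.e. results to double-check."""
    core_version, findings, unversioned, component, vuln = None, [], [], None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("|").strip()          # drop the " | " tree prefix
        if m := re.match(r"\[\+\] WordPress version (\S+) identified", line):
            core_version, component = m.group(1), "WordPress core"
        elif m := re.match(r"\[\+\] (\S+)$", line):      # plugin/theme block header
            component = m.group(1)
        elif m := re.match(r"\[!\] Title: (.+)", line):
            vuln = {"component": component, "title": m.group(1), "fixed_in": None, "cves": []}
            findings.append(vuln)
        elif (m := re.match(r"Fixed in: (\S+)", line)) and vuln:
            vuln["fixed_in"] = m.group(1)
        elif (m := re.search(r"CVE-\d{4}-\d+", line)) and vuln:
            vuln["cves"].append(m.group(0))
        elif line.startswith("The version could not be determined"):
            unversioned.append(component)
    return core_version, findings, unversioned

def required_upgrades(findings):
    """Map each component to the highest 'Fixed in' version its findings require."""
    ver = lambda v: tuple(int(p) for p in v.split(".") if p.isdigit())
    target = {}
    for f in findings:
        if f["fixed_in"] and (f["component"] not in target
                              or ver(f["fixed_in"]) > ver(target[f["component"]])):
            target[f["component"]] = f["fixed_in"]
    return target
```

Feed it the full text of a real scan (for example, the terminal output saved to a file) and the resulting dictionary tells you which version each component must be updated to.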

Now don’t go hacking your competitors, folks. Be ethical and responsible with your scans.