WPScan
The de facto WordPress security scanner, enumerating plugins, themes, and core versions against a curated database of 71,900+ known WordPress vulnerabilities.
Developer
WPScan Team / Automattic
Technical Dossier
WPScan is a black-box WordPress security scanner that approaches a target site the way an attacker would — from the outside, without access to source code or the database. It fingerprints the WordPress installation by inspecting HTTP responses, HTML metadata, JavaScript file paths, and known endpoint patterns to determine the WordPress core version, enumerate installed plugins and themes with their versions, and identify exposed user accounts. Each discovered component is then cross-referenced against the WPScan Vulnerability Database API, which returns structured CVE-style records for any known vulnerabilities affecting that exact version.
The scanner operates in three enumeration modes: passive (low-noise, metadata and headers only), aggressive (active probing of predictable file paths and endpoints), and mixed (the default, balancing coverage and stealth). Beyond version-based vulnerability matching, WPScan can perform dictionary-based password audits against the wp-login.php and XML-RPC endpoints, discover accessible backup files and configuration remnants, and identify security misconfigurations such as directory listing being enabled. Results can be output as JSON, CLI text, or fed into external tooling via the API.
What makes WPScan particularly notable is the quality and longevity of its vulnerability database, maintained since 2012 and processing hundreds of new vulnerability reports monthly. Following its 2021 acquisition by Automattic, the database now powers Jetpack Protect, giving it reach across millions of WordPress sites. Pre-installed in Kali Linux and cited in countless penetration testing engagements, WPScan remains the dominant reference tool for WordPress vulnerability intelligence.
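The passive fingerprinting described above (meta generator tag, `?ver=` query strings on plugin and theme asset paths) can be reproduced offline to check what a site discloses before a scanner reads it. This is an added example written for this page, not WPScan's own code; the HTML is a constructed sample and the function names are my own:

```python
import re

# Constructed sample: the kind of HTML a WordPress front page returns.
SAMPLE_HTML = """<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 6.4.2" />
<link rel="stylesheet" href="/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.8.4" />
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
<link rel="stylesheet" href="/wp-content/themes/twentytwentyfour/style.css?ver=1.0" />
</head><body></body></html>"""

# Core version as printed by the default generator tag.
GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"', re.I)
# Plugin/theme slug plus the version WordPress appends to enqueued assets.
PLUGIN_RE = re.compile(r'/wp-content/plugins/([^/"\']+)/[^"\']*?\?ver=([\d.]+)', re.I)
THEME_RE = re.compile(r'/wp-content/themes/([^/"\']+)/[^"\']*?\?ver=([\d.]+)', re.I)


def fingerprint(html: str) -> dict:
    """Return the version disclosures readable from a single page body."""
    core = GENERATOR_RE.search(html)
    return {
        "core_version": core.group(1) if core else None,
        "plugins": dict(PLUGIN_RE.findall(html)),
        "themes": dict(THEME_RE.findall(html)),
    }


def disclosure_report(html: str) -> list[str]:
    """One line per leaked component, for a site owner reviewing exposure."""
    fp = fingerprint(html)
    findings = []
    if fp["core_version"]:
        findings.append(f"core {fp['core_version']} disclosed via meta generator tag")
    for slug, ver in fp["plugins"].items():
        findings.append(f"plugin {slug} {ver} disclosed via asset ?ver= query string")
    for slug, ver in fp["themes"].items():
        findings.append(f"theme {slug} {ver} disclosed via asset ?ver= query string")
    return findings


if __name__ == "__main__":
    for line in disclosure_report(SAMPLE_HTML):
        print(line)
```

Each finding corresponds to a component a version-matching scanner would look up in a vulnerability database, so an empty report means the passive mode has nothing to match on.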
WordPress Vulnerability Database
Curated database of 71,900+ vulnerabilities across WordPress core, plugins, and themes, updated continuously by a dedicated security research team.
Deep Enumeration Engine
Enumerates installed plugins, themes, WordPress version, user accounts, exposed backup files, and wp-config.php remnants using passive, aggressive, or mixed detection.
Password Audit
Performs dictionary-based brute-force attacks against WordPress login and XML-RPC endpoints to surface weak credentials with configurable concurrency.
API & Integration
REST API for embedding vulnerability intelligence into CI/CD pipelines and security dashboards, with webhook support on enterprise tiers.
Distribution Model
Open Source
Free community edition available.
Enterprise support on request.

Vulnerabilities
71,900+
Language
RUBY
Detection
PASSIVE & AGGRESSIVE
License
PSL / COMMERCIAL