Changes/Improvements:
- All enumeration processes, and most other checks, now use HEAD requests and then perform a GET when suitable (related to the long-wanted #211). This reduces the data received, especially when custom 404 pages return a lot of data
- Make sure files which can return a lot of data, such as SQL dumps, are checked with a Range header - #1322
- Running stats (requests done, memory used and so on) are now always displayed at the end of the scan when the scan is valid, i.e. no CLI errors, no WordPress error, etc. (so once the URL and started time are displayed, stats will be output at the end no matter what)
- More accurate memory usage, by getting the starting memory when a scan is initialised
- Additional detection of the WP-JSON API via the source of the homepage - #1319
- Detection of wp-content dir from raw JavaScript
- Password attack against wp-login.php improved to avoid false positives
- Minified version of static files also checked when trying to determine WP version - #1311
- Check for 500 errors as well as custom 401/403 responses during plugin/theme enumeration - #1090
Removals:
- WPScan no longer checks for the changelog URLs when displaying plugins and themes. Version detection from changelogs is still performed
Fixes:
- Regression of the wp-content detection when a sub-dir was present - #1318 (was due to ab5f46e#diff-20e4355dc81ed51bf07e7536399f448d)
- Empty usernames being detected from RSS feed - #1317
- Backtrace error always displayed when wp-content dir not detected - #1313
Dev Stuff: