wpscanteam/wpscan v4.0.0

What's Changed

⚠️ Breaking Changes: This is a major version release (4.0.0) and contains breaking changes. It is not 100% backwards compatible with version 3.x. Please review the changes below.

TL;DR for upgrading from 3.x

  • Ruby 3.3+ required (Ruby 4.0 supported)
  • WPScan no longer auto-scans plugins by default—use -e ap to scan plugins
  • New --wp-auth option for accurate WordPress authentication-based enumeration
  • New --expect-saml flag for SAML authentication support
  • New --format jsonl (streaming) and --format sarif output formats
  • New installations use XDG directories (~/.cache/wpscan/db, ~/.config/wpscan/)

Added

  • --wp-auth option for WordPress Application Password authentication providing authoritative plugin/theme inventory by @ArSn in #2021
  • --format jsonl streaming output format for real-time results by @ArSn in #2012
  • --format sarif output format for CI/CD integration by @ArSn in #2000
  • --max-retries N option for automatic brute force request retry by @Initsogar in #2028
  • --wordlist-skip N option to resume interrupted brute force attacks by @Initsogar in #2025
  • --follow-redirect option to automatically follow HTTP redirects by @Initsogar in #1995
  • --proxy-target-only option for selective proxy usage by @ArSn in #1975
  • --expect-saml flag for SAML authentication support by @Initsogar in #2035
  • --exclude-vulns option for UUID-based vulnerability exclusion by @Initsogar in #2017
  • Backup folder enumeration via -e backup-folders or -e bf by @Initsogar in #2024
  • Ruby 4.0 support by @Usiel in #1953
  • XDG Base Directory support for new installations: ~/.cache/wpscan/db and ~/.config/wpscan/ (existing installations continue using ~/.wpscan/) by @alichtman in #1815 and @noraj in #2029
  • HTTP status code tracking with warnings for excessive errors by @Initsogar in #2009
  • Proof-of-Concept information in vulnerability output by @Initsogar in #2005
  • Last updated date for plugins and themes from WordPress.org API by @ArSn in #2015
  • Active install count for detected plugins and themes by @ArSn in #2013
  • Audit information (command line and hostname) in scan output by @Initsogar in #2006
  • Comprehensive test coverage: E2E integration tests, acceptance tests, and implemented skipped tests by @Initsogar and @ArSn in #1978, #1989, #2023, #2037
  • Dynamic finder for SearchWP premium plugin by @ArSn in #1993
  • AGENTS.md file for AI coding assistant guidance by @Initsogar in #1966

Changed

  • Plugin, theme, and user results now stream to output in real-time by @ArSn in #2027
  • Improved color handling: file output defaults to no color, respects NO_COLOR environment variable and TTY detection by @ArSn in #2031
  • --plugins-list and --themes-list now override -e options by @ArSn in #2011
  • Merged cms_scanner gem into wpscan codebase including 8.5k+ lines of tests by @ArSn in #1977, #1979
  • Integrated opt_parse_validator gem into repository by @ArSn in #1980
  • Temporary directory now respects $TMPDIR environment variable by @ArSn in #1994
  • Limited maximum redirects to prevent infinite loops by @ArSn in #2022
  • Maximum PHP log file size limit (20 MiB default) to prevent memory exhaustion by @ArSn in #1992
  • Standardized on Pathname objects for path handling across codebase by @Initsogar in #2034, #2038
  • Improved error messages across the board (database updates, API errors, permissions, thresholds) by @Initsogar and @ArSn in #1997, #1998, #2002, #2020, #2026, #2032
  • Improved CI/CD workflow with optimizations and better coverage reporting by @Initsogar and @ArSn in #1963, #1965, #1976, #2007

Removed

  • Default plugin and config backup enumeration - must use explicit -e flag by @Initsogar in #2008
  • --timthumbs-detection, --config-backups-detection, --db-exports-detection, and --medias-detection options by @Initsogar in #2033
  • Support for Ruby 3.0, 3.1, and 3.2 - minimum version is now 3.3 by @ArSn in #1973

Fixed

  • Errno::ENAMETOOLONG error when using long comma-separated lists by @Initsogar in #1996
  • Non-JSON responses from WPScan API now handled gracefully by @Initsogar in #2001
  • Invalid WordPress JSON response handling by @alexsanford in #1818

Security

  • Improved security and code quality tooling: Qlty CI integration, GitHub Actions pinning, template injection fix, replaced CodeClimate by @ArSn in #2039, #2040, #2042, #2043

New Contributors

Thank you to everyone who contributed to this release!

Full Changelog: v3.8.28...v4.0.0