WPscan false positives

Wednesday, April 27th, 2016

WPScan is a popular command line tool for scanning WordPress installations to find vulnerabilities. It is a frontline tool used to find access points for your site, and if it's good enough for the hackers, you should be using it too! I recommend downloading it immediately to test your sites.

However, I just wasted a bunch of time running scans and looking for plugins/themes that weren't actually installed…

False positives

Running ‘wpscan --enumerate’ allows you to scan for installed plugins and themes. Unfortunately, it was telling me that I had literally hundreds of vulnerable plugins and themes installed.

The problem is that it enumerates by requesting a list of known plugin and theme folder names under wp-content/ and treats any response other than a 404 as evidence that the plugin or theme is installed. Since we had the Redirection plugin installed, many of these requests were redirected instead of returning a 404, so every name on the list looked like a hit. Before trusting the enumeration results on any site, request an obviously fake plugin folder yourself and check the status code: if you get a 30x or a 200 instead of a 404, the folder-name scan cannot tell real plugins from missing ones on that host.
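To make the failure mode concrete, here is an added example (not WPScan's code, and not from the original post) of folder-name enumeration in Python. The target site is simulated so the script runs offline; the assumption is that only two plugin folders really exist and that a catch-all redirect answers every other path with a 301 to the home page. The naive scan uses the rule described above (anything that is not a 404 is "installed"), and the calibrated scan first requests a folder name that cannot exist, records what "not found" looks like on that host, and discards every candidate that gets the same answer.

```python
"""Folder-name plugin enumeration, and why a catch-all redirect makes it
report every name on the wordlist as installed.

Added example, not WPScan's code. The target site is simulated so the
script runs offline; swap simulated_fetch for a real HTTP client such as
requests.get(url, allow_redirects=False) to run it against a site you own.
"""
import secrets
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

PLUGIN_DIR = "wp-content/plugins/"  # where WordPress keeps plugin folders


@dataclass
class Response:
    status: int
    location: Optional[str] = None  # Location header, if the server redirected


# Constructed stand-in for a site with a catch-all redirect (assumption:
# only these two plugin folders exist; every other request is answered
# with a 301 to the home page instead of a 404).
HOME = "https://example.com/"
REAL_PLUGINS = {"akismet", "redirection"}


def simulated_fetch(url: str) -> Response:
    prefix = HOME + PLUGIN_DIR
    if url.startswith(prefix) and url[len(prefix):].strip("/") in REAL_PLUGINS:
        return Response(200)
    return Response(301, location=HOME)


Fetch = Callable[[str], Response]


def naive_enumerate(fetch: Fetch, base: str, wordlist: List[str]) -> List[str]:
    """The rule the post describes: anything that is not a 404 is 'installed'."""
    return [slug for slug in wordlist
            if fetch(f"{base}{PLUGIN_DIR}{slug}/").status != 404]


def fingerprint(resp: Response, slug: str) -> Tuple[int, Optional[str]]:
    """Status plus redirect target, with the requested name masked so that a
    redirect that echoes the path back still matches the not-found baseline."""
    loc = resp.location.replace(slug, "{slug}") if resp.location else None
    return (resp.status, loc)


def calibrated_enumerate(fetch: Fetch, base: str, wordlist: List[str]):
    """Same scan, but first learn what 'not found' looks like on this host by
    requesting a folder that cannot exist, then drop every candidate whose
    response matches that baseline. Returns (found, baseline)."""
    canary = "nonexistent-" + secrets.token_hex(8)
    baseline = fingerprint(fetch(f"{base}{PLUGIN_DIR}{canary}/"), canary)
    found = []
    for slug in wordlist:
        resp = fetch(f"{base}{PLUGIN_DIR}{slug}/")
        if resp.status == 404 or fingerprint(resp, slug) == baseline:
            continue  # genuine 404, or the same redirect the canary got
        found.append(slug)
    return found, baseline


if __name__ == "__main__":
    wordlist = ["akismet", "jetpack", "redirection", "revslider", "wordfence"]
    print("naive:     ", naive_enumerate(simulated_fetch, HOME, wordlist))
    found, baseline = calibrated_enumerate(simulated_fetch, HOME, wordlist)
    print("baseline for a missing folder:", baseline)
    print("calibrated:", found)
```

Against the simulated site the naive scan reports all five names, while the calibrated scan reports only akismet and redirection. The baseline comparison covers redirects; a site that answers missing paths with a 200 and a "page not found" body (a soft 404) needs the response body, or at least its length, added to the fingerprint as well.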

Just thought this might help other wpscan users.
