
WPScan

WordPress Security Scanner

"WordPress-specific vulnerability scanner — plugins, themes, users, and core vulnerabilities."

What it does

WordPress powers 43% of all websites. It's also one of the most targeted CMSes because of its plugin ecosystem — thousands of third-party plugins with varying security quality. WPScan is the industry-standard WordPress vulnerability scanner, maintained by the WPScan team with a continuously updated vulnerability database.

PTK runs wpscan against each WordPress installation to enumerate plugins, themes, users, and configuration issues, and compares the detected versions against the WPScan vulnerability database of known CVEs. Version detection relies on fingerprints (plugin readme.txt "Stable tag" lines, ?ver= query strings on assets, changelogs), so a plugin whose version string has been stripped is reported with lower confidence or with no version at all, and its CVEs cannot be matched. Three scan modes balance speed against coverage.

Scan options
| Option | Description | Est. time |
|---|---|---|
| light | Fast check: plugin list, obvious issues | ~4 min/host |
| standard (default) | Plugin and theme CVEs, user enumeration | ~5 min/host |
| full | Aggressive plugin detection, all checks | ~8 min/host |

The full mode's aggressive detection requests each known plugin and theme path directly rather than inferring them from page content, which is noisy and is the mode most likely to be rate-limited or blocked by a WAF.
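As an added example (not PTK's or WPScan's own code), the following shows one way to express the three modes as wpscan command lines and to triage the JSON report that wpscan writes with --format json into the severity-tagged findings shown on this page. The mode-to-flag mapping is an assumption about how such modes could be built from wpscan's documented flags, not PTK's actual mapping; the JSON field names follow wpscan's JSON output as I know it and should be checked against the wpscan version you run. The embedded report is constructed sample data shaped like the example findings below.

```python
"""Build wpscan argv per scan mode and triage a wpscan JSON report.

Added example, not PTK's or WPScan's code. Mode flags and JSON field names are
assumptions to verify against your wpscan version.
"""
import json

# Assumed mode -> wpscan flags. vp/vt = vulnerable plugins/themes only,
# ap/at = all known plugins/themes, u = users, cb = config backups, dbe = DB exports.
MODE_FLAGS = {
    "light":    ["--enumerate", "vp", "--plugins-detection", "passive"],
    "standard": ["--enumerate", "vp,vt,u1-10", "--plugins-detection", "mixed"],
    "full":     ["--enumerate", "ap,at,u,cb,dbe", "--plugins-detection", "aggressive"],
}


def wpscan_argv(url, mode="standard", api_token=None, output="wpscan.json"):
    """argv for subprocess.run(). Vulnerability data comes from the WPScan API:
    without --api-token wpscan still enumerates but reports no vulnerabilities."""
    if mode not in MODE_FLAGS:
        raise ValueError(f"unknown mode {mode!r}")
    argv = ["wpscan", "--url", url, "--format", "json", "--output", output,
            "--random-user-agent", *MODE_FLAGS[mode]]
    if api_token:
        argv += ["--api-token", api_token]
    return argv


SEV_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

# Assumed "type" values of interesting_findings entries (snake_case finder names).
INTERESTING_SEVERITY = {
    "xmlrpc": ("HIGH", "XML-RPC enabled (system.multicall brute-force amplification)"),
    "readme": ("MEDIUM", "readme.html exposed (WordPress version disclosed)"),
    "upload_directory_listing": ("MEDIUM", "wp-content/uploads directory listing enabled"),
}


def cvss_to_severity(score):
    """CVSS v3 buckets; a known vulnerability with no score is treated as HIGH (assumption)."""
    if score is None:
        return "HIGH"
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    return "MEDIUM" if score >= 4.0 else "LOW"


def _vtuple(v):
    return tuple(int(x) if x.isdigit() else 0 for x in v.split("."))


def triage(report_json):
    """Return [(severity, message)] sorted CRITICAL..LOW from a wpscan JSON report."""
    r = json.loads(report_json)
    findings = []
    core = r.get("version") or {}
    core_vulns = core.get("vulnerabilities", [])
    if core_vulns:
        fixed = [v["fixed_in"] for v in core_vulns if v.get("fixed_in")]
        msg = f"WordPress {core.get('number', '?')} - {len(core_vulns)} known vulnerabilities"
        if fixed:
            msg += f" (update to {max(fixed, key=_vtuple)})"
        findings.append(("HIGH", msg))
    for kind in ("plugins", "themes"):
        for slug, comp in (r.get(kind) or {}).items():
            ver = (comp.get("version") or {}).get("number", "unknown")
            for v in comp.get("vulnerabilities", []):
                # wpscan lists CVE references as bare "YYYY-NNNN" strings; normalise.
                cves = ["CVE-" + c if not c.startswith("CVE-") else c
                        for c in (v.get("references") or {}).get("cve", [])]
                msg = f"{kind[:-1]} {slug} {ver} - {v.get('title', 'untitled')}"
                if cves:
                    msg += " [" + ", ".join(cves) + "]"
                findings.append((cvss_to_severity((v.get("cvss") or {}).get("score")), msg))
    for item in r.get("interesting_findings", []):
        if item.get("type") in INTERESTING_SEVERITY:
            findings.append(INTERESTING_SEVERITY[item["type"]])
    users = r.get("users") or {}          # keyed by username
    if "admin" in users:
        findings.append(("MEDIUM", "default 'admin' username in use"))
    if users:
        findings.append(("LOW", f"{len(users)} usernames enumerated: {', '.join(sorted(users))}"))
    findings.sort(key=lambda f: SEV_ORDER[f[0]])   # stable: keeps insertion order per level
    return findings


# Constructed sample report (abbreviated, illustrative values; CVSS score is made up).
SAMPLE_REPORT = json.dumps({
    "version": {"number": "6.1", "status": "insecure", "vulnerabilities": [
        {"title": "Illustrative core issue 1", "fixed_in": "6.4.2", "references": {}},
        {"title": "Illustrative core issue 2", "fixed_in": "6.4.3", "references": {}},
        {"title": "Illustrative core issue 3", "fixed_in": "6.4.3", "references": {}}]},
    "plugins": {"contact-form-7": {"version": {"number": "5.3.1"}, "vulnerabilities": [
        {"title": "Contact Form 7 5.3.1 - SQL Injection", "cvss": {"score": 9.8},
         "references": {"cve": ["2021-39659"]}}]}},
    "interesting_findings": [{"type": "headers", "to_s": "Headers"},
                             {"type": "xmlrpc", "url": "https://example.com/xmlrpc.php"},
                             {"type": "readme", "url": "https://example.com/readme.html"}],
    "users": {"admin": {"id": 1}, "editor": {"id": 2}},
})

if __name__ == "__main__":
    print(" ".join(wpscan_argv("https://example.com", "full")))
    for sev, msg in triage(SAMPLE_REPORT):
        print(f"{sev:8} {msg}")
```

The severity bucketing is the example's own choice: wpscan itself reports vulnerabilities without grading them, so the CRITICAL/HIGH split depends on CVSS data being present in the report or being looked up separately.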
Example findings
  • CRITICAL  Contact Form 7 5.3.1 — CVE-2021-39659 SQL Injection  (wpscan)
  • HIGH      XML-RPC Enabled — Brute Force Amplification Risk  (wpscan)
  • HIGH      WordPress 6.1.0 — 3 Known Vulnerabilities (update to 6.4.3)  (wpscan)
  • MEDIUM    readme.html Exposed — WordPress Version Disclosed  (wpscan)
What it finds
  • Vulnerable WordPress plugins (CVEs with CVSS scores)
  • Vulnerable WordPress themes
  • Outdated WordPress core version
  • User enumeration via author pages (/?author=N redirects to /author/<login>/, leaking valid usernames)
  • XML-RPC endpoint exposed (system.multicall lets one request carry hundreds of login attempts, defeating per-request rate limits)
  • WordPress readme.html exposed (discloses the installed WordPress version)
  • Upload directory listing enabled (wp-content/uploads/ browsable)
  • Default admin username in use (halves the brute-force search space to the password alone)
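To make the configuration checks in this list concrete, here is an added example (not PTK's or WPScan's code) that performs the author-page, XML-RPC, readme.html and upload-listing checks against a site and classifies the responses. The response-classification functions are separated from the HTTP fetching so they can be exercised offline; the sample responses at the bottom are constructed, and the exact response strings it matches (the 405 text from xmlrpc.php, the "Version" line in readme.html, an autoindex "Index of" title) are what current WordPress and common web servers return, not PTK's detection logic.

```python
"""Manual versions of four WordPress misconfiguration checks.

Added example, not PTK's or WPScan's code. Run: python wpchecks.py https://target/
"""
import re
import sys
import urllib.error
import urllib.request


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx as HTTPError so the Location header can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_opener = urllib.request.build_opener(NoRedirect)


def fetch(url, timeout=10):
    """Return (status, lower-cased headers, body) without following redirects."""
    req = urllib.request.Request(url, headers={"User-Agent": "wp-checks-example/0.1"})
    try:
        with _opener.open(req, timeout=timeout) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, \
                resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, {k.lower(): v for k, v in e.headers.items()}, \
            e.read(65536).decode("utf-8", "replace")


AUTHOR_RE = re.compile(r"/author/([^/?#]+)/?")


def username_from_author_redirect(status, headers):
    """?author=N on a default install redirects to /author/<slug>/; the slug is
    usually the login name, which is what a brute-forcer needs."""
    if status not in (301, 302, 307, 308):
        return None
    m = AUTHOR_RE.search(headers.get("location", ""))
    return m.group(1) if m else None


def xmlrpc_enabled(status, body):
    """A GET to a live xmlrpc.php answers 405 with this fixed sentence; a 403/404
    means it is blocked or removed. system.multicall abuse needs it to be live."""
    return status == 405 and "XML-RPC server accepts POST requests only" in body


README_RE = re.compile(r"Version\s+(\d+(?:\.\d+)+)")


def readme_version(status, body):
    """readme.html carries a '<br /> Version X.Y' line in its header."""
    if status != 200:
        return None
    m = README_RE.search(body)
    return m.group(1) if m else None


def uploads_listing_enabled(status, body):
    """Apache and nginx autoindex pages both title themselves 'Index of /path'."""
    return status == 200 and re.search(r"<title>\s*Index of", body, re.I) is not None


def check_site(base):
    base = base.rstrip("/") + "/"
    st, h, _ = fetch(base + "?author=1")
    author = username_from_author_redirect(st, h)
    st, _, b = fetch(base + "xmlrpc.php")
    xmlrpc = xmlrpc_enabled(st, b)
    st, _, b = fetch(base + "readme.html")
    version = readme_version(st, b)
    st, _, b = fetch(base + "wp-content/uploads/")
    listing = uploads_listing_enabled(st, b)
    return {"author_1": author, "xmlrpc": xmlrpc,
            "readme_version": version, "uploads_listing": listing}


# Constructed sample responses (what a default, unhardened install returns).
SAMPLES = {
    "author": (301, {"location": "https://example.com/author/admin/"}),
    "xmlrpc": (405, "XML-RPC server accepts POST requests only."),
    "readme": (200, '<h1 id="logo"><img alt="WordPress" /><br /> Version 6.4</h1>'),
    "uploads": (200, "<html><head><title>Index of /wp-content/uploads</title></head>"),
}


def classify_samples():
    return {
        "author_1": username_from_author_redirect(*SAMPLES["author"]),
        "xmlrpc": xmlrpc_enabled(*SAMPLES["xmlrpc"]),
        "readme_version": readme_version(*SAMPLES["readme"]),
        "uploads_listing": uploads_listing_enabled(*SAMPLES["uploads"]),
    }


if __name__ == "__main__":
    print(check_site(sys.argv[1]) if len(sys.argv) > 1 else classify_samples())
```

Each check is a single unauthenticated request, so they are safe to run in a light scan; the author redirect is worth iterating over a small range of IDs, since ID 1 is often the installing admin but not always the only privileged account.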