wordpress-vulnerable-scanner

Crates.io: wordpress-vulnerable-scanner
lib.rs: wordpress-vulnerable-scanner
version: 1.0.0
created_at: 2025-11-25 19:11:11.119198+00
updated_at: 2025-11-25 19:11:11.119198+00
description: WordPress vulnerability scanner - detects known CVEs in core, plugins, and themes
homepage:
repository: https://github.com/robdotec/wordpress-vulnerable-scanner
max_upload_size:
id: 1950308
size: 123,191
owner: rob.ec (robdotec)

documentation: https://docs.rs/wordpress-vulnerable-scanner

README

wordpress-vulnerable-scanner

A fast, safe Rust CLI tool for detecting known CVE vulnerabilities in WordPress core, plugins, and themes using the WPVulnerability.net API.


Features

  • Multiple input modes - scan live sites, JSON manifests, or specify components directly
  • Parallel API requests - fast vulnerability lookups using concurrent requests
  • Version-aware filtering - only reports vulnerabilities affecting installed versions
  • CVSS scoring - severity levels (Critical/High/Medium/Low) from CVSS scores
  • Multiple output formats - human-readable tables or JSON for automation
  • Exit codes - integrate with CI/CD pipelines
  • Security hardened - URL encoding, file size limits, safe HTTP defaults

Installation

Pre-built binaries

Download from GitHub Releases:

Platform Architecture File
Linux x86_64 wordpress-vulnerable-scanner-linux-x86_64.tar.gz
Linux x86_64 (static) wordpress-vulnerable-scanner-linux-x86_64-musl.tar.gz
Linux ARM64 wordpress-vulnerable-scanner-linux-aarch64.tar.gz
macOS Intel wordpress-vulnerable-scanner-macos-x86_64.tar.gz
macOS Apple Silicon wordpress-vulnerable-scanner-macos-aarch64.tar.gz
Windows x86_64 wordpress-vulnerable-scanner-windows-x86_64.zip

Cargo

cargo install wordpress-vulnerable-scanner

Build from source

git clone https://github.com/robdotec/wordpress-vulnerable-scanner
cd wordpress-vulnerable-scanner
cargo build --release

Quick Start

Scan a live WordPress site

wordpress-vulnerable-scanner https://example.com

Scan with auto-detected scheme

wordpress-vulnerable-scanner example.com

Check specific components

# Check WordPress core version
wordpress-vulnerable-scanner -c 6.4.1

# Check plugins (slug:version format)
wordpress-vulnerable-scanner -p "elementor:3.18.0,contact-form-7:5.8"

# Check themes
wordpress-vulnerable-scanner -t "flavor:1.3.4,flavor-developer:1.3.4"

# Combined check
wordpress-vulnerable-scanner -c 6.4.1 -p "elementor:3.18.0" -t "flavor:1.3.4"

Use JSON manifest from wordpress-audit

# First, audit a WordPress installation
wordpress-audit https://example.com -o json > manifest.json

# Then scan for vulnerabilities
wordpress-vulnerable-scanner -m manifest.json

Filter by severity

# Only show high and critical vulnerabilities
wordpress-vulnerable-scanner example.com --severity high

JSON output for automation

wordpress-vulnerable-scanner example.com -o json | jq '.summary'

Input Modes

Mode Flag Description
URL scan (positional) Scan a live WordPress site
Core version -c, --core Check specific WordPress version
Plugins -p, --plugins Check plugins (slug:version,...)
Themes -t, --themes Check themes (slug:version,...)
Manifest -m, --manifest JSON file from wordpress-audit

Output Formats

Format Flag Description
Human -o human Colored table (default)
JSON -o json Machine-readable JSON
None -o none Silent (exit code only)

Exit Codes

Code Meaning
0 No vulnerabilities found
1 Vulnerabilities found (non-critical)
2 Critical vulnerabilities found
10 Error (network, parsing, etc.)

Severity Levels

Based on CVSS v3 scores:

Level CVSS Range Color
Critical 9.0 - 10.0 Red
High 7.0 - 8.9 Orange
Medium 4.0 - 6.9 Yellow
Low 0.1 - 3.9 Green
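The two tables above (Exit Codes and Severity Levels) describe how a score turns into a severity, how `--severity` narrows what is reported, and how the result becomes a process exit status. The following is an added example written for this page, not the crate's own code: it implements those rules over constructed sample findings. Two points are assumptions rather than documented behaviour: how an unscored finding or a CVSS 0.0 is bucketed (the table starts at 0.1; the example keeps them as Low), and that the exit code is derived from the findings that survive the `--severity` filter rather than from all findings.

```rust
// Added example, not the crate's own code: bucket CVSS v3 base scores into the
// README's severity levels, apply a --severity threshold, and derive the
// documented exit code from what survives the filter. Treatment of unscored and
// filtered-out findings is an assumption of this example.

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Severity {
    Low,
    Medium,
    High,
    Critical,
}

impl Severity {
    /// README table: Critical 9.0-10.0, High 7.0-8.9, Medium 4.0-6.9, Low 0.1-3.9.
    /// A score of 0.0 (CVSS "None") and a missing score are not in that table;
    /// this example keeps them as Low so the finding is still shown (assumption).
    /// Anything outside 0.0..=10.0, including NaN, is rejected as bad input.
    pub fn from_cvss(score: Option<f64>) -> Result<Severity, String> {
        match score {
            None => Ok(Severity::Low),
            Some(s) if !(0.0..=10.0).contains(&s) => Err(format!("invalid CVSS score {}", s)),
            Some(s) if s >= 9.0 => Ok(Severity::Critical),
            Some(s) if s >= 7.0 => Ok(Severity::High),
            Some(s) if s >= 4.0 => Ok(Severity::Medium),
            Some(_) => Ok(Severity::Low),
        }
    }
}

/// Exit codes documented in the README.
pub const EXIT_CLEAN: i32 = 0;
pub const EXIT_VULNERABLE: i32 = 1;
pub const EXIT_CRITICAL: i32 = 2;
pub const EXIT_ERROR: i32 = 10;

#[derive(Debug, Clone)]
pub struct Finding {
    pub id: String,
    pub component: String,
    pub severity: Severity,
}

/// Keep only findings at or above the --severity threshold (High keeps High
/// and Critical, matching "--severity high" in the Quick Start).
pub fn filter_by_severity<'a>(findings: &'a [Finding], min: Severity) -> Vec<&'a Finding> {
    findings.iter().filter(|f| f.severity >= min).collect()
}

/// Map a scan outcome to the documented exit code. The code is taken from the
/// most severe finding that was actually reported, so a CI job that runs with
/// "--severity critical" exits 0 for a High-only result; gate on the
/// threshold you actually want to block on.
pub fn exit_code(outcome: Result<&[&Finding], &str>) -> i32 {
    match outcome {
        Err(_) => EXIT_ERROR,
        Ok(reported) => match reported.iter().map(|f| f.severity).max() {
            None => EXIT_CLEAN,
            Some(Severity::Critical) => EXIT_CRITICAL,
            Some(_) => EXIT_VULNERABLE,
        },
    }
}

/// Constructed sample findings for this example; the ids are placeholders,
/// not real advisories.
pub fn sample_findings() -> Result<Vec<Finding>, String> {
    let raw: [(&str, &str, Option<f64>); 3] = [
        ("EXAMPLE-0001", "core 6.4.1", Some(9.8)),
        ("EXAMPLE-0002", "elementor 3.18.0", Some(6.1)),
        ("EXAMPLE-0003", "flavor 1.3.4", None),
    ];
    raw.iter()
        .map(|(id, component, score)| -> Result<Finding, String> {
            Ok(Finding {
                id: id.to_string(),
                component: component.to_string(),
                severity: Severity::from_cvss(*score)?,
            })
        })
        .collect()
}

fn main() {
    let findings = sample_findings().expect("sample data is valid");
    for min in [Severity::Low, Severity::High, Severity::Critical] {
        let reported = filter_by_severity(&findings, min);
        let code = exit_code(Ok(reported.as_slice()));
        println!("--severity {:?}: {} reported, exit {}", min, reported.len(), code);
    }
    println!("scan error -> exit {}", exit_code(Err("network timeout")));
}
```

The practical consequence for pipelines: a scan error (code 10) is not "no findings", so a CI step should treat 10 as a failure of the check itself rather than a pass, and the severity used for `--severity` should be the same one the pipeline is willing to block on.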

Security

Input Validation

  • URL encoding - Component slugs are percent-encoded before they are placed in API request URLs, so a crafted slug cannot alter the request path or add query parameters
  • File size limits - Manifest files limited to 10 MB to prevent memory exhaustion
  • Safe HTTP defaults - TLS verification enabled, reasonable timeouts
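The Input Modes table and the Input Validation list above describe three things the scanner does with user-supplied component data: parse the `slug:version,...` spec, URL-encode slugs before they reach the API, and (per the Features list) only report vulnerabilities that affect the installed version. The following is an added example written for this page, not the crate's own code, showing one way to implement all three. The `/plugin/<slug>` path layout, the base URL, and the shape of an affected range (inclusive lower bound, exclusive "fixed in" bound) are assumptions made for the example, not a description of the WPVulnerability.net API.

```rust
// Added example, not the crate's own code: parse the CLI's "slug:version,..."
// component spec, percent-encode slugs before they become a URL path segment,
// and filter findings by whether the installed version is inside the affected
// range. The API path layout and range shape below are assumptions.
use std::cmp::Ordering;

/// One installed component as given on the command line, e.g. "elementor:3.18.0".
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Component {
    pub slug: String,
    pub version: String,
}

/// Parse "slug:version,slug:version". Whitespace around entries is ignored,
/// empty entries are skipped, and a missing slug or version is an error rather
/// than a wildcard, so a typo cannot silently widen or narrow the scan.
pub fn parse_components(spec: &str) -> Result<Vec<Component>, String> {
    spec.split(',')
        .map(str::trim)
        .filter(|s| !s.is_empty())
        .map(|entry| -> Result<Component, String> {
            let (slug, version) = entry
                .split_once(':')
                .ok_or_else(|| format!("missing ':' in component spec {:?}", entry))?;
            if slug.is_empty() || version.is_empty() {
                return Err(format!("empty slug or version in {:?}", entry));
            }
            Ok(Component { slug: slug.to_string(), version: version.to_string() })
        })
        .collect()
}

/// Percent-encode a value for use as a single URL path segment: RFC 3986
/// unreserved bytes pass through, everything else (including '/', '?', '#'
/// and '%') is encoded, so a hostile slug cannot escape the intended path or
/// smuggle a query string into the API request.
pub fn encode_path_segment(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for b in s.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_' | b'~' => {
                out.push(b as char)
            }
            _ => out.push_str(&format!("%{:02X}", b)),
        }
    }
    out
}

/// Build a plugin lookup URL. "/plugin/<slug>" is an assumed layout for this
/// example, not a statement about the real WPVulnerability.net API.
pub fn plugin_lookup_url(base: &str, slug: &str) -> String {
    format!("{}/plugin/{}", base.trim_end_matches('/'), encode_path_segment(slug))
}

/// Compare dotted versions numerically ("6.4.1" > "6.4", "6.4" == "6.4.0").
/// Only the leading digits of each part count, so "5.8-beta" orders as 5.8;
/// pre-release precedence is deliberately not modelled here.
pub fn cmp_versions(a: &str, b: &str) -> Ordering {
    fn parts(v: &str) -> Vec<u64> {
        v.split('.')
            .map(|p| p.chars().take_while(|c| c.is_ascii_digit()).collect::<String>())
            .map(|d| d.parse::<u64>().unwrap_or(0))
            .collect()
    }
    let (a, b) = (parts(a), parts(b));
    for i in 0..a.len().max(b.len()) {
        let x = a.get(i).copied().unwrap_or(0);
        let y = b.get(i).copied().unwrap_or(0);
        if x != y {
            return x.cmp(&y);
        }
    }
    Ordering::Equal
}

/// Assumed affected-range shape: inclusive lower bound, exclusive "fixed in"
/// upper bound, either of which may be absent.
#[derive(Debug, Clone, Copy)]
pub struct AffectedRange<'a> {
    pub from: Option<&'a str>,
    pub fixed_in: Option<&'a str>,
}

/// Version-aware filtering: report a vulnerability only when the installed
/// version falls inside the affected range.
pub fn is_affected(installed: &str, range: AffectedRange) -> bool {
    let above_from = range.from.map_or(true, |f| cmp_versions(installed, f) != Ordering::Less);
    let below_fix = range.fixed_in.map_or(true, |f| cmp_versions(installed, f) == Ordering::Less);
    above_from && below_fix
}

fn main() {
    let base = "https://www.wpvulnerability.net"; // assumed base URL for the example
    let comps = parse_components("elementor:3.18.0, contact-form-7:5.8").expect("valid spec");
    for c in &comps {
        println!("{} {} -> {}", c.slug, c.version, plugin_lookup_url(base, &c.slug));
    }
    // A slug that tries to walk out of the path and add a query string stays inert.
    println!("{}", plugin_lookup_url(base, "../../admin?x=1"));
    let range = AffectedRange { from: None, fixed_in: Some("3.18.1") };
    println!("elementor 3.18.0 affected: {}", is_affected("3.18.0", range));
}
```

The encoding step is the one that matters for safety: a slug read from a manifest or the command line is untrusted, and encoding it as a path segment (rather than rejecting only a blocklist of characters) means `/`, `?` and `#` can never change which endpoint is queried. The version comparison is numeric by component, which is what makes "6.4" and "6.4.0" compare equal instead of "6.4" sorting after "6.4.1" as a string would.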

Data Source

Vulnerability data is fetched from WPVulnerability.net, a free CVE database for WordPress.

API Reference

The scanner can also be used as a library:

use wordpress_vulnerable_scanner::{Analyzer, Scanner, Severity};
use wordpress_vulnerable_scanner::output::{OutputConfig, OutputFormat, output_analysis};

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Scan a site
    let scanner = Scanner::new("https://example.com")?;
    let scan_result = scanner.scan().await?;

    // Analyze for vulnerabilities
    let analyzer = Analyzer::new()?;
    let analysis = analyzer.analyze(&scan_result).await;

    // Output results
    let config = OutputConfig::new(OutputFormat::Human, Severity::Low);
    let mut stdout = std::io::stdout();
    output_analysis(&analysis, &config, &mut stdout)?;

    Ok(())
}

License

MIT License - see LICENSE for details.
