"Because why scan blind when WordPress exposes itself?"
WPProbe is a fast and efficient WordPress plugin scanner that leverages REST API enumeration (?rest_route) to detect installed plugins without brute-force.
Unlike traditional scanners that hammer websites with requests, WPProbe takes a smarter approach by querying the exposed REST API. This technique allows us to identify plugins stealthily, reducing detection risks and speeding up the scan process.
π Currently, over 3030 plugins can be identified using the stealthy method, and thousands more with the brute-force capabilities!
1οΈβ£ Fetch a list of known WordPress plugins from a precompiled database (Wordfence).
2οΈβ£ Scan the target site for exposed REST API routes (?rest_route=/).
3οΈβ£ Match the discovered endpoints with known plugin signatures.
4οΈβ£ Retrieve the installed version (when possible) by extracting metadata from files like readme.txt.
5οΈβ£ Correlate detected plugins with publicly known vulnerabilities (CVE mapping).
6οΈβ£ Output the results in a structured format (CSV or JSON) for easy analysis.
π₯ This means fewer requests, faster scans, and a lower chance of getting blocked by WAFs or security plugins!
1οΈβ£ Load a comprehensive list of WordPress plugins (10k+ common plugins by default).
2οΈβ£ Check for the existence of each plugin by directly requesting its directory.
3οΈβ£ Detect plugins based on HTTP response codes (non-404 responses indicate plugin exists).
4οΈβ£ Retrieve versions and check for vulnerabilities as in stealthy mode.
5οΈβ£ Output the results in your preferred format.
1οΈβ£ Start with a stealthy scan using REST API endpoints.
2οΈβ£ Record all plugins found via the stealthy method.
3οΈβ£ Continue with a brute-force scan, skipping plugins already detected.
4οΈβ£ Combine results from both methods for maximum detection coverage.
5οΈβ£ Process vulnerability information and output results.
π Hybrid mode gives you the best of both worlds: the stealth of REST API scanning with the thoroughness of brute-force!
- β
Multiple scanning modes:
- Stealthy mode β Uses REST API to detect plugins with minimal footprint
- Brute-force mode β Comprehensive plugin detection using direct requests
- Hybrid mode β Starts with stealthy scanning then uses brute-force only for remaining plugins
- β High-speed scanning β Multithreaded scanning with a sleek progress bar.
- β Vulnerability mapping β Automatically associates detected plugins with known CVEs.
- β Multiple output formats β Save results in CSV or JSON.
- β Resilient scanning β Handles sites with missing version info gracefully.
- β Optimized detection β Intelligently combines methods to maximize plugin discovery.
πΉ Some plugins don't expose REST API endpoints, making them undetectable via this method.
πΉ If a plugin is outdated, disabled, or hidden by security plugins, it may not be detected.
πΉ The technique relies on a predefined plugin-to-endpoint mapping, which is regularly updated.
πΉ Generates more HTTP requests, which may trigger security mechanisms or rate limits.
πΉ Less stealthy than REST API scanning as it directly probes for plugin directories.
πΉ Limited by the plugin list's comprehensiveness.
πΉ Still generates a significant number of requests after the stealthy phase.
πΉ May take longer to complete than pure stealthy mode.
go install github.com/Chocapikk/wpprobe@latest- Requires Go 1.22+
- Ensure
$(go env GOPATH)/binis in your$PATH
- Clone the repository
git clone https://github.com/Chocapikk/wpprobe cd wpprobe - Install dependencies
go mod tidy
- Build the binary
Move or copy
go build -o wpprobe
wpprobeinto a directory listed in your$PATH.
- Build Image
docker build -t wpprobe . - Run
docker run -it --rm wpprobe
Update WPProbe to the latest version:
./wpprobe updateUpdate the local Wordfence vulnerability database:
./wpprobe update-dbScan a single WordPress site using the default stealthy mode:
./wpprobe scan -u https://example.comScan a WordPress site using brute-force detection:
./wpprobe scan -u https://example.com --mode bruteforceScan a WordPress site using hybrid mode (stealthy first, then brute-force for remaining plugins):
./wpprobe scan -u https://example.com --mode hybridUse a custom list of plugins for brute-force or hybrid scanning:
./wpprobe scan -u https://example.com --mode bruteforce --plugin-list my-plugins.txtScan multiple sites from a targets.txt file using 20 threads:
./wpprobe scan -f targets.txt -t 20Save scan results to a CSV file:
./wpprobe scan -f targets.txt -t 20 -o results.csvSave scan results to a JSON file:
./wpprobe scan -f targets.txt -t 20 -o results.jsonURL,Plugin,Version,Severity,AuthType,CVEs,CVE Links,CVSS Score,CVSS Vector,Title
http://localhost:5555,give,2.20.1,critical,Unauth,CVE-2025-22777,https://www.cve.org/CVERecord?id=CVE-2025-22777,9.8,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,GiveWP <= 3.19.3 - Unauthenticated PHP Object Injection
http://localhost:5555,give,2.20.1,high,Privileged,CVE-2024-9130,https://www.cve.org/CVERecord?id=CVE-2024-9130,7.2,CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H,GiveWP <= 3.16.1 - Authenticated SQL Injection
http://localhost:5555,give,2.20.1,medium,Auth,CVE-2024-1957,https://www.cve.org/CVERecord?id=CVE-2024-1957,6.4,CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N,GiveWP <= 3.6.1 - Stored XSS via Shortcode
http://localhost:5555,give,2.20.1,medium,Unauth,CVE-2024-47315,https://www.cve.org/CVERecord?id=CVE-2024-47315,4.3,CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N,GiveWP <= 3.15.1 - Cross-Site Request Forgery
http://localhost:5555,give,2.20.1,medium,Privileged,CVE-2022-28700,https://www.cve.org/CVERecord?id=CVE-2022-28700,5.5,CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N,GiveWP <= 2.20.2 - Authenticated Arbitrary File Creation
http://localhost:5555,jetpack,14.3,,,,,,,No vulnerabilities found
http://localhost:5555,woocommerce,9.6.0,,,,,,,No vulnerabilities found
{
"url": "http://localhost:5555",
"plugins": {
"give": [
{
"version": "2.20.1",
"severities": {
"critical": [
{
"auth_type": "Unauth",
"vulnerabilities": [
{
"cve": "CVE-2025-22777",
"cve_link": "https://www.cve.org/CVERecord?id=CVE-2025-22777",
"cvss_score": 9.8,
"cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"title": "GiveWP <= 3.19.3 - Unauthenticated PHP Object Injection"
}
]
}
],
"high": [
{
"auth_type": "Privileged",
"vulnerabilities": [
{
"cve": "CVE-2024-9130",
"cve_link": "https://www.cve.org/CVERecord?id=CVE-2024-9130",
"cvss_score": 7.2,
"cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"title": "GiveWP <= 3.16.1 - Authenticated SQL Injection"
}
]
}
],
"medium": [
{
"auth_type": "Auth",
"vulnerabilities": [
{
"cve": "CVE-2024-1957",
"cve_link": "https://www.cve.org/CVERecord?id=CVE-2024-1957",
"cvss_score": 6.4,
"cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"title": "GiveWP <= 3.6.1 - Stored XSS via Shortcode"
}
]
}
]
}
}
],
"woocommerce": [
{
"version": "9.6.0",
"severities": {}
}
]
}
}π‘ The idea behind WPProbe comes from the realization that WordPress exposes plugin data through its REST API (?rest_route). Instead of wasting time brute-forcing plugin paths, this tool matches REST endpoints with known plugin signatures, allowing for faster and more stealthy scans.
Over 3030 plugins are currently detectable using this method, making WPProbe one of the most effective tools for WordPress reconnaissance.
π οΈ Expanding the plugin database β More plugins, better detection.
β‘ Adding more fingerprinting techniques β Beyond REST API, integrating alternative detection methods.
π Enhanced reporting β JSON output and integration with security dashboards.
Developed by @Chocapikk π«, inspired by modern recon methodologies and the REST API enumeration trick.
π Stay stealthy, scan smart! π