Chocapikk/wpprobe

WPProbe

"Because why scan blind when WordPress exposes itself?"

A fast WordPress plugin and theme scanner that detects installed plugins via REST API enumeration and themes from HTML discovery, then maps them to known vulnerabilities. Over 5000 plugins detectable without brute-force, thousands more with it.

Important: Wordfence API Change

Wordfence deprecated its v2 API on March 9, 2026. The update-db command is broken in every WPProbe version prior to v0.10.16, so update WPProbe before refreshing the database.

By default, wpprobe update-db fetches a pre-built database from this repo (updated every 2h via CI), so no API key is needed. If you want to fetch directly from Wordfence yourself, you can optionally set up a free API key:

  1. Create an account at wordfence.com
  2. Go to Account > Integrations and generate an API key
  3. Set it via environment variable or --api-key flag

Quick Start

go install github.com/Chocapikk/wpprobe@latest
wpprobe update-db
wpprobe scan -u https://example.com

Scanning Modes

Mode                Method                                             Stealth  Coverage
stealthy (default)  REST API endpoint matching + HTML theme discovery  High     5000+ plugins + themes
bruteforce          Direct directory checks                            Low      10k+ plugins
hybrid              Stealthy first, then brute-force                   Medium   Maximum

wpprobe scan -u https://example.com --mode stealthy
wpprobe scan -u https://example.com --mode bruteforce
wpprobe scan -u https://example.com --mode hybrid

Installation

# Kali Linux (included in kali-rolling)
sudo apt install wpprobe

# Go (requires 1.22+)
go install github.com/Chocapikk/wpprobe@latest

# Nix
nix-shell -p wpprobe

# Docker
docker run -it --rm wpprobe scan -u https://example.com

# From source
git clone https://github.com/Chocapikk/wpprobe && cd wpprobe && go build -o wpprobe

Docker with file mounting

# Mount current directory for input/output files
docker run -it --rm -v $(pwd):/data wpprobe scan -f /data/targets.txt -o /data/results.csv

# Persist vulnerability databases
docker run -it --rm \
  -v $(pwd):/data \
  -v wpprobe-config:/config \
  wpprobe scan -f /data/targets.txt -o /data/results.json

# Update databases
docker run -it --rm \
  -v wpprobe-config:/config \
  -e WORDFENCE_API_KEY=your_key \
  -e WPSCAN_API_TOKEN=your_token \
  wpprobe update-db

Usage

Scanning

# Single target
wpprobe scan -u https://example.com

# Multiple targets with threading
wpprobe scan -f targets.txt -t 20

# Custom options
wpprobe scan -u https://example.com \
  --header "User-Agent: CustomAgent" \
  --proxy http://proxy:8080 \
  --rate-limit 10 \
  --no-check-version

# Output formats
wpprobe scan -u https://example.com -o results.csv
wpprobe scan -u https://example.com -o results.json

Vulnerability Database

# Update databases. By default this pulls the pre-built database from the repo and needs no key;
# a free Wordfence API key is only needed to fetch from Wordfence directly, and a WPScan
# Enterprise API token to pull the WPScan database.
wpprobe update-db --api-key your_wordfence_key
# Or use env var
export WORDFENCE_API_KEY=your_key_here
wpprobe update-db

# Search vulnerabilities
wpprobe search --cve CVE-2024-1234
wpprobe search --plugin woocommerce
wpprobe search --severity critical
wpprobe search --auth Unauth
wpprobe search --title "SQL Injection" --details

# Database statistics
wpprobe list

WORDFENCE_API_KEY (free) is optional: set it to fetch the Wordfence database directly instead of the pre-built copy from this repo. Set WPSCAN_API_TOKEN to also pull the WPScan database (Enterprise plan only).

Self-Update

wpprobe update

How It Works

Stealthy mode queries the exposed REST API index (?rest_route=/) and matches the discovered endpoints against a precompiled database of known plugin signatures. It also discovers active themes by parsing wp-content/themes/ references out of the page HTML and reads each theme's version from its style.css header. This takes only a handful of requests to endpoints a normal browser also hits, which keeps the scan quiet and makes it far less likely to trip a WAF than directory brute-forcing.
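
The two stealthy-mode lookups above, as an added Go example that is not WPProbe's own code: it parses a constructed REST index, matches namespaces (taken both from the "namespaces" list and from the leading two segments of each route) against a small signature table, pulls theme slugs out of constructed page HTML and reads the Version header from a constructed style.css. The signature entries, sample responses and slugs are all constructed for the demo and are assumptions, not WPProbe's database.

```go
// Added example, not WPProbe's own code: the two stealthy-mode lookups
// (REST namespace -> plugin slug; HTML -> theme slug -> style.css version).
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed signature table (REST namespace -> plugin slug). WPProbe uses
// a precompiled database; these entries are an assumption for the demo.
var sampleSignatures = map[string]string{
	"contact-form-7/v1": "contact-form-7",
	"wc/v3":             "woocommerce",
	"yoast/v1":          "wordpress-seo",
}

// Constructed GET /?rest_route=/ response. wc/v3 is missing from the
// "namespaces" list but a wc/v3 route is registered; the route pass catches it.
const sampleRESTIndex = `{
  "namespaces": ["oembed/1.0", "wp/v2", "contact-form-7/v1"],
  "routes": {"/": {}, "/wp/v2": {}, "/wp/v2/posts": {},
             "/contact-form-7/v1": {}, "/contact-form-7/v1/contact-forms": {},
             "/wc/v3/products": {}}
}`

// Constructed page HTML (parent theme assets plus a child theme stylesheet).
const sampleHTML = `<link rel="stylesheet" href="https://example.com/wp-content/themes/twentytwentyfour/style.css?ver=1.2">
<script src="https://example.com/wp-content/themes/twentytwentyfour/assets/js/app.js"></script>
<link rel="stylesheet" href="https://example.com/wp-content/themes/my-child-theme/style.css">`

// Constructed style.css header in the layout WordPress themes use.
const sampleStyleCSS = "/*\nTheme Name: Twenty Twenty-Four\nVersion: 1.2\nTemplate:\n*/"

type restIndex struct {
	Namespaces []string                   `json:"namespaces"`
	Routes     map[string]json.RawMessage `json:"routes"`
}

// matchPlugins returns the slugs whose signature namespace appears in the
// index, either in "namespaces" or as the first two segments of a route
// ("/wc/v3/products" -> "wc/v3"). Sorted so output is stable.
func matchPlugins(indexJSON []byte, sigs map[string]string) ([]string, error) {
	var idx restIndex
	if err := json.Unmarshal(indexJSON, &idx); err != nil {
		return nil, err
	}
	seen := map[string]bool{}
	for _, ns := range idx.Namespaces {
		if slug, ok := sigs[ns]; ok {
			seen[slug] = true
		}
	}
	for route := range idx.Routes {
		if p := strings.SplitN(strings.TrimPrefix(route, "/"), "/", 3); len(p) >= 2 {
			if slug, ok := sigs[p[0]+"/"+p[1]]; ok {
				seen[slug] = true
			}
		}
	}
	return sortedKeys(seen), nil
}

var themeRef = regexp.MustCompile(`wp-content/themes/([A-Za-z0-9_.-]+)/`)

// discoverThemes pulls every theme slug referenced by an asset URL in the HTML.
func discoverThemes(html string) []string {
	seen := map[string]bool{}
	for _, m := range themeRef.FindAllStringSubmatch(html, -1) {
		seen[m[1]] = true
	}
	return sortedKeys(seen)
}

var versionHeader = regexp.MustCompile(`(?m)^\s*\*?\s*Version:\s*(\S+)`)

// themeVersion reads the Version: header from style.css, or "" if absent.
func themeVersion(styleCSS string) string {
	if m := versionHeader.FindStringSubmatch(styleCSS); m != nil {
		return m[1]
	}
	return ""
}

func sortedKeys(m map[string]bool) []string {
	out := make([]string, 0, len(m))
	for k := range m {
		out = append(out, k)
	}
	sort.Strings(out)
	return out
}

func main() {
	plugins, _ := matchPlugins([]byte(sampleRESTIndex), sampleSignatures)
	fmt.Println(plugins, discoverThemes(sampleHTML), themeVersion(sampleStyleCSS))
	// [contact-form-7 woocommerce] [my-child-theme twentytwentyfour] 1.2
}
```

Matching on route prefixes as well as the "namespaces" array is a cheap way to avoid missing a plugin when the two lists disagree; the child theme shows up as a separate slug, which is why the page notes that child themes can confuse theme detection.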

Brute-force mode sends a GET request to each wp-content/plugins/<slug>/ directory in the wordlist. A 403 is taken as confirmation that the directory exists (listing forbidden). A 200 is only accepted if the body is a directory listing that contains readme.txt; this filters out sites that answer 200 with a catch-all page for every path. The converse failure also exists: a host or WAF that returns 403 for every unknown path makes every wordlist entry look present, so check how the target answers a nonexistent plugin directory before trusting the results.
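
The decision rule above, as an added Go example (not WPProbe's code) run against a mock WordPress built with net/http/httptest: one plugin directory answers 403, one returns a directory listing with readme.txt, and every other path gets a 200 home page, which is the case the readme.txt check exists to reject. It also adds a baseline probe of a slug that cannot exist, so a host that answers 403 for everything is caught before its results are trusted. The slugs, paths and responses are constructed for the demo.

```go
// Added example, not WPProbe's own code: the brute-force decision rule
// (403 => present; 200 => present only if the listing mentions readme.txt),
// exercised against a mock WordPress so it runs offline.
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

type Verdict string

const (
	Present      Verdict = "present"      // 403, or 200 whose body is a listing with readme.txt
	Inconclusive Verdict = "inconclusive" // 200 without readme.txt: a catch-all page, not a listing
	Absent       Verdict = "absent"       // 404 or any other status
)

// probePlugin GETs /wp-content/plugins/<slug>/ and applies the rule from the
// text: 403 means the directory exists (listing forbidden); 200 is trusted
// only if the body is a directory listing that mentions readme.txt.
func probePlugin(client *http.Client, base, slug string) (Verdict, error) {
	resp, err := client.Get(base + "/wp-content/plugins/" + slug + "/")
	if err != nil {
		return Absent, err
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusForbidden:
		return Present, nil
	case http.StatusOK:
		body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // cap the read
		if err != nil {
			return Absent, err
		}
		if strings.Contains(string(body), "readme.txt") {
			return Present, nil
		}
		return Inconclusive, nil
	default:
		return Absent, nil
	}
}

// baselineIsNoisy probes a slug that cannot exist. If even that comes back
// as Present, the host (or a WAF in front of it) answers 403 for unknown
// paths and the 403 rule would flag every wordlist entry.
func baselineIsNoisy(client *http.Client, base string) (bool, error) {
	v, err := probePlugin(client, base, "wpprobe-baseline-does-not-exist-7f3a9")
	return v == Present, err
}

// newMockWordPress models three behaviours seen in the wild: a plugin dir
// with listing forbidden, one with listing enabled, and a site that answers
// 200 with its home page for every unknown path. All constructed.
func newMockWordPress() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/wp-content/plugins/akismet/", func(w http.ResponseWriter, r *http.Request) {
		http.Error(w, "Forbidden", http.StatusForbidden)
	})
	mux.HandleFunc("/wp-content/plugins/hello-dolly/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `<html><title>Index of /wp-content/plugins/hello-dolly</title>`+
			`<a href="hello.php">hello.php</a> <a href="readme.txt">readme.txt</a></html>`)
	})
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `<html><title>Example Site</title><body>Welcome</body></html>`)
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := newMockWordPress()
	defer srv.Close()
	noisy, _ := baselineIsNoisy(srv.Client(), srv.URL)
	fmt.Println("403-for-everything baseline:", noisy) // false
	for _, slug := range []string{"akismet", "hello-dolly", "not-installed"} {
		v, _ := probePlugin(srv.Client(), srv.URL, slug)
		fmt.Println(slug, v) // present, present, inconclusive
	}
}
```

Run the baseline once per target before the wordlist: if it reports noisy, every 403 in that scan is worthless and only the readme.txt-confirmed hits should be kept.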

Hybrid mode combines both: stealthy first for low-noise detection, then brute-force for remaining plugins. Themes are always discovered via HTML regardless of mode.

Detected plugins and themes are correlated with known CVEs from the Wordfence and WPScan databases, with version range matching so that only installations whose detected version falls inside an affected range are reported as vulnerable.
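
Version range matching as an added Go example (not WPProbe's code and not its database format): a segment-wise version comparison plus a small constraint language ("<= 3.19.3", ">= 2.0, < 2.5") assumed for the demo. It checks the give 2.20.1 detection from the sample output on this page against the GiveWP <= 3.19.3 range, and shows why a plain string comparison is wrong for versions such as 10.0.1.

```go
// Added example, not WPProbe's own code: numeric, segment-wise version
// comparison and a small constraint language for affected ranges.
// The constraint syntax is an assumption for the demo.
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// splitVersion turns "2.20.1", "v3.0" or "1.2-beta1" into numeric segments.
// A pre-release suffix after '-', '+' or ' ' is dropped; a segment's leading
// digits are used, so "2rc1" counts as 2 and a non-numeric segment as 0.
func splitVersion(v string) []int {
	v = strings.TrimPrefix(strings.TrimSpace(v), "v")
	if i := strings.IndexAny(v, "-+ "); i >= 0 {
		v = v[:i]
	}
	var out []int
	for _, seg := range strings.Split(v, ".") {
		end := 0
		for end < len(seg) && seg[end] >= '0' && seg[end] <= '9' {
			end++
		}
		n, _ := strconv.Atoi(seg[:end]) // "" -> 0
		out = append(out, n)
	}
	return out
}

// compareVersions returns -1, 0 or 1. Segments are compared numerically and
// missing segments count as 0, so "10.0" > "9.9" and "2.20" == "2.20.0";
// a plain string comparison gets both of those wrong.
func compareVersions(a, b string) int {
	as, bs := splitVersion(a), splitVersion(b)
	for len(as) < len(bs) {
		as = append(as, 0)
	}
	for len(bs) < len(as) {
		bs = append(bs, 0)
	}
	for i := range as {
		if as[i] < bs[i] {
			return -1
		}
		if as[i] > bs[i] {
			return 1
		}
	}
	return 0
}

// matchesRange reports whether version satisfies every comma-separated
// constraint "<op> <version>" with op one of <, <=, >, >=, =. "*" or an
// empty range means every version is affected.
func matchesRange(version, rangeExpr string) (bool, error) {
	for _, c := range strings.Split(rangeExpr, ",") {
		c = strings.TrimSpace(c)
		if c == "" || c == "*" {
			continue
		}
		op := ""
		for _, cand := range []string{"<=", ">=", "<", ">", "="} { // longest first
			if strings.HasPrefix(c, cand) {
				op = cand
				break
			}
		}
		if op == "" {
			return false, fmt.Errorf("constraint %q has no operator", c)
		}
		cmp := compareVersions(version, c[len(op):])
		ok := map[string]bool{"<": cmp < 0, "<=": cmp <= 0, ">": cmp > 0, ">=": cmp >= 0, "=": cmp == 0}[op]
		if !ok {
			return false, nil
		}
	}
	return true, nil
}

func main() {
	// Detected give 2.20.1 vs the "GiveWP <= 3.19.3" range from the sample output.
	ok, _ := matchesRange("2.20.1", "<= 3.19.3")
	fmt.Println("give 2.20.1 affected by <= 3.19.3:", ok) // true
	ok, _ = matchesRange("10.0.1", "<= 9.9")
	fmt.Println("10.0.1 affected by <= 9.9:", ok) // false (string compare would say true)
	ok, _ = matchesRange("2.4.9", ">= 2.0, < 2.5")
	fmt.Println("2.4.9 in [2.0, 2.5):", ok) // true
}
```

Treating a pre-release suffix as equal to its base version is a deliberate, conservative choice for a scanner: a "3.19.3-beta1" build is reported as affected by "<= 3.19.3" rather than silently skipped.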

Output format examples

CSV:

URL,Plugin,Version,Severity,AuthType,CVEs,CVE Links,CVSS Score,CVSS Vector,Title
http://example.com,give,2.20.1,critical,Unauth,CVE-2025-22777,https://www.cve.org/CVERecord?id=CVE-2025-22777,9.8,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,GiveWP <= 3.19.3 - Unauthenticated PHP Object Injection

JSON:

{
  "url": "http://example.com",
  "plugins": {
    "give": [
      {
        "version": "2.20.1",
        "severities": [
          {
            "critical": [
              {
                "auth_type": "Unauth",
                "vulnerabilities": [
                  {
                    "cve": "CVE-2025-22777",
                    "cve_link": "https://www.cve.org/CVERecord?id=CVE-2025-22777",
                    "title": "GiveWP <= 3.19.3 - Unauthenticated PHP Object Injection",
                    "cvss_score": 9.8,
                    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
                  }
                ]
              }
            ]
          }
        ]
      }
    ],
    "wordpress-seo": [
      {
        "version": "27.1.1"
      }
    ]
  }
}

Limitations

  • Stealthy: Some plugins don't expose REST API endpoints. Disabled or hidden plugins may not be detected. Theme detection relies on HTML references, so themes loaded dynamically or via child themes may be missed.
  • Brute-force: Generates many requests, may trigger WAFs or rate limits. Limited by wordlist coverage. Does not brute-force themes.
  • Hybrid: Slower than pure stealthy due to the brute-force phase.

Environment Variables

Variable                              Description
WORDFENCE_API_KEY                     Wordfence API key for database updates (free; generate one under Account > Integrations at wordfence.com)
WPSCAN_API_TOKEN                      WPScan Enterprise API token for database updates
HTTP_PROXY / HTTPS_PROXY / ALL_PROXY  Proxy configuration
NO_PROXY                              Proxy bypass rules

Contributing

Contributions are welcome. Please open an issue or submit a pull request.

License

MIT License - see LICENSE file for details.

Credits

Developed by @Chocapikk.
