A simple and minimal wordpress security auditor!
Audit your wordpress application for security issues with even 1 request.
FastAudit
is a simple wordpress enumeration tool and security auditor, able to detect possible security issues with even one web-request.
It is inspired by the amazing WPScan tool and is of course powered by the WPScan Vulnerability Database to identify possible plugin/theme/wpVersion-related vulnerabilities. It performs basic enumeration based on classic techniques and It's nice to use for a fast scan to enumerate the basics. What is special about this tool is that in order to identify possible vulnerabilities (using -ep option), it makes only one web-request to the application, so it doesn't slow it down in any way and doesn't mess with its functionality.
This tool is only for enumeration and not for exploitation - so it doesn't perform any kind of brute-force attack or any other attack in general. This tool can be used by developers and security engineers to scan their wordpress applications for possible vulberabilities (e.g. old plugins etc...) and fix them as soon as possible - that's all!
- enumerates wp-version/theme/users/plugins
- based on the aboved results uses WPScan Vulnerability Database to search for potential vulnerabilities
- utilizes shodan-API to search for additional vulnerabilities (shodan account required for this feature, may also give false positives sometimes)
- utilizes haveibeenpwned service to search if a password (in sha1) has been used/breached before (useful for developers to test their passwords).
Note: To install the requirements:
pip install -r requirements.txt --upgrade --user
For the shodan and/or proxy to work, you have to set the appropriate values on config.cfg. Also even if --useragent
options is provided, requests to haveibeenpwned service will be made using FastAudit_Agent
as user-agent.
- integrate zoomeye search also
Feedback and contributions are welcome. If you find any bug or have a feature request feel free to open an issue, and as soon as I review it I'll try to fix it!
This tool is only for testing and academic purposes and can only be used where strict consent has been given. Do not use it for illegal purposes! It is the end user’s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this tool and software in general.
- Special thanks to WPScan team!
- Logo designed with fontmeme.com!
- https://winningwp.com/how-to-tell-which-plugins-a-website-uses/
- https://codeable.io/find-out-what-theme-plugins-wordpress/
- https://stackoverflow.com/questions/1390255/how-do-i-find-out-what-version-of-wordpress-is-running/1390292#1390292
This project is licensed under the GPLv3 License - see the LICENSE file for details