Releases: wpscanteam/wpscan

v3.5.0

03 Apr 11:51

Changes/Improvements:

  • All enumeration processes, and most other checks, now use HEAD requests and then perform a GET when suitable (related to the long-wanted #211). This reduces the data received, especially when custom 404 pages return a lot of data
  • Make sure files which can return a lot of data, such as SQL dumps, are checked with a Range header - #1322
  • Running stats (requests done, memory used and so on) are now always displayed at the end of the scan when the scan is valid, i.e. no CLI errors, no WordPress error etc. (so once the URL and start time are displayed, stats will be output at the end no matter what)
  • More accurate memory usage, by getting the starting memory when a scan is initialised
  • Additional detection of the WP-JSON API via the source of the homepage - #1319
  • Detection of the wp-content dir from raw JavaScript
  • Password attack against wp-login.php improved to avoid false positives
  • Minified versions of static files are also checked when trying to determine the WP version - #1311
  • Check for 500 errors as well as custom 401/403 responses during plugin/theme enumeration - #1090

Removals:

  • WPScan no longer checks for the changelog URLs when displaying plugins and themes. Version detection from changelogs is still performed

Fixes:

Dev Stuff:

  • Profiling executable added - #1321
  • frozen_string_literal comment is now used everywhere, to reduce object allocations
  • Better code for WpVersion#all
  • Models and Errors moved into their own namespace - #1315

v3.4.5

10 Mar 11:03
  • Adds detection of wp-cron.php - #1299
  • Handles uncaught exceptions when --password-attack was used but the XML-RPC was not detected - #1307
  • Improves Debug Log and XML-RPC detections (via CMSScanner 0.0.41.4)

v3.4.4

11 Feb 12:11
  • Display enumeration methods (passive/aggressive) in output. (#1284)
  • Improves WordPress detection when no clues are present in the homepage (#1277)
  • Check for multi page results when gathering users via the WP JSON API (#1285 - Thanks to @melalj)

v3.4.3

11 Jan 13:18
  • Updates dependencies and specs

v3.4.1

13 Dec 22:42

Fixes #1264

v3.4.0

12 Nov 16:40

Fixes #1246
Fixes #1245
Fixes #1242
Fixes #1244
Fixes #1241

v3.3.3

02 Nov 21:30

Fixes #1228
Fixes #1232
Fixes #1236
Fixes #1237

v3.3.2

20 Oct 14:01
  • Adds a --hh CLI option to display the full help. -h now displays a simplified help.
  • Displays the release date of the WP version detected.

v3.3.1

28 Sep 10:46

Fixes #1215

3.3.0

26 Sep 19:44

v3.x is a brand new codebase with many new features and enhancements.