Releases: wpscanteam/wpscan

v3.8.7

10 Sep 12:35

Minor:

  • Updated WP Duplicator installer-log.txt detection, thanks to @dwisiswant0 - Ref #1540

v3.8.6

08 Aug 12:36

Minor:

  • Added detection of usernames from author sitemap in WP 5.5 - Ref #1529

v3.8.5

25 Jul 15:14

Minor:

  • Be more informative in CLI output with InterestingFindings - Ref #1510
  • Better CLI error messages for Path validators

v3.8.4

20 Jul 13:12
  • Minor:
    • Fixed Theme author incorrectly detected - Ref #1520
    • Password Attack: Fixed disabled XMLRPC method not being correctly detected in blogs with a language other than English - Ref #1522

v3.8.3

17 Jul 08:51
  • Minor
    • Fixes a potential InvalidProgressBar error with the xmlrpc_multicall pwd attack
    • Long option/s now displayed when a required one is missing - Ref #1500
    • Fixes crash when the URL does not contain a TLD, such as dc-2
    • Password Attack: When an error occurs, the response body is only displayed when --verbose is used
    • When using an output format other than the CLI (such as -f json), the progress bar log will only contain unique errors (previously, duplicates could occur, leading to increased memory usage)
    • Check for wp-login.php availability before doing password attack on it - Ref #1519
    • Uses an enumerator to read the wordlist (rather than the whole file at once) during password attacks, reducing the memory usage - Ref #1518

v3.8.2

08 Jun 19:12
  • Minor
    • Fixes a potential InvalidProgressBar error with the xmlrpc_multicall pwd attack
    • Long option/s now displayed when a required one is missing - Ref #1500
    • Fixes crash when the URL does not contain a TLD, such as dc-2

v3.8.1

16 Apr 09:03
  • Added YouTube references from the API in output
  • Added CVSS score and vector output. This will only be displayed for users with an enterprise token

v3.8.0

12 Apr 17:04

Major:

  • Support for Ruby 2.4 removed as EOL reached.

Minor:

  • Icon displayed when valid credentials found during password attack changed from notice [i] to warning [!]
  • Help messages for --plugins-detection and --plugins-version-detection updated - Ref #1472

v3.7.11

13 Mar 16:00
  • Fixes incorrect detection of error responses when performing Password Attack via XMLRPC in some cases.
  • Fixes non-detection of users via the WP JSON method when the blog uses Basic Auth or a proxy is given.
  • Fixes reference error when debug log is identified
  • Fixes wrong number of arguments error with old versions of activesupport (< 5.2) from opt_parse_validator.

v3.7.10

09 Mar 19:04
  • Message added to the error raised when there is a checksum mismatch during update, asking the user to try again in a few minutes.
  • Fixes non-detection of plugins/themes when the main 404 is a redirection and the plugins/themes checked return empty 200 responses
  • API Token can now be loaded from the ENV variable WPSCAN_API_TOKEN if present.