Changeset 2452411

wpscan/tags/1.14/app/Account.php

-                      r2429586
+                      r2452411
         $this->parent = $parent;
-        add_action( 'wpscan/api/get/after', array( $this, 'update_account_status' ), 10, 2 );
         add_action( 'admin_init', array( $this, 'add_account_summary_meta_box' ) );
+    }
     /**
      * Update account status after the api request.
+     * Update account status by calling the /status endpoint.
+     *
      * @since 1.0.0
+     * @param string $endpoint endpoint.
+     * @param string $response response.
+     * @param string $api_token
      * @access public
      * @return void
      */
+    public function update_account_status( $endpoint, $response ) {
+        $wp_endpoit = '/wordpresses/' . str_replace( '.', '', get_bloginfo( 'version' ) );
+    public function update_account_status( $api_token = null ) {
+        $current = get_option( $this->parent->OPT_ACCOUNT_STATUS, array() );
+        $updated = $current;
+        $req = $this->parent->api_get( '/status', $api_token );
+        if ( is_object( $req ) ) {
+            $updated['plan'] = $req->plan;
+        if ( $endpoint === $wp_endpoit ) {
+            $current = get_option( $this->parent->OPT_ACCOUNT_STATUS, array() );
+            $updated = $current;
+            $updated['limit']     = wp_remote_retrieve_header( $response, 'x-ratelimit-limit' );
+            $updated['remaining'] = wp_remote_retrieve_header( $response, 'x-ratelimit-remaining' );
+            $updated['reset']     = wp_remote_retrieve_header( $response, 'x-ratelimit-reset' );
+            if ( ! isset( $current['plan'] ) || $current['limit'] !== $updated['limit'] ) {
+                $req = $this->parent->api_get( '/status' );
+                // Plan.
+                if ( is_object( $req ) ) {
+                    $updated['plan'] = $req->plan;
+                }
+                // For enterprise users.
+                if ( -1 === $req->requests_remaining ) {
+                    $updated['limit']     = __( 'unlimited', 'wpscan' );
+                    $updated['remaining'] = __( 'unlimited', 'wpscan' );
+                    $updated['reset']     = __( 'unlimited', 'wpscan' );
+                }
+            // Enterprise users.
+            if ( -1 === $req->requests_remaining ) {
+                $updated['limit']     = __( 'unlimited', 'wpscan' );
+                $updated['remaining'] = __( 'unlimited', 'wpscan' );
+                $updated['reset']     = __( 'unlimited', 'wpscan' );
+            } else {
+                $updated['limit']     = $req->requests_limit;
+                $updated['remaining'] = $req->requests_remaining;
+                $updated['reset']     = $req->requests_reset;
+            }
 …
     public function get_account_status() {
         $defaults = array(
             'plan'      => 'NO DATA',
+            'plan'      => 'None',
             'limit'     => 50,
             'remaining' => 50,

wpscan/tags/1.14/app/Checks/Check.php

-                      r2429586
+                      r2452411
     final public function add_vulnerability( $title, $severity, $id ) {
         $vulnerability = array(
-            'id'       => $id,
             'title'    => $title,
             'severity' => $severity,
+            'id'       => $id,
         );
 …
         if ( is_array( $this->vulnerabilities ) ) {
             $updated['security-checks'][ $this->id ]['vulnerabilities'] = $this->vulnerabilities;
+            $this->parent->maybe_fire_issue_found_action('security-check', $this->id, $updated['security-checks'][ $this->id ]);
         } else {
             $updated['security-checks'][ $this->id ]['vulnerabilities'] = array();

wpscan/tags/1.14/app/Checks/System.php

-                      r2429586
+                      r2452411
  */
 class System {
+    public $OPT_FATAL_ERRORS = 'wpscan_fatal_errors';
     /**
      * A list of registered checks.
 …
     public function __construct( $parent ) {
         $this->parent = $parent;
+        register_shutdown_function( array( $this, 'catch_errors' ) );
+        add_action( 'admin_notices', array( $this, 'display_errors' ) );
         add_action( 'plugins_loaded', array( $this, 'load_checks' ) );
 …
     /**
+     * Register a shutdown hook to catch errors
+     *
+     * @since 1.0.0
+     * @access public
+     * @return void
+     */
+    public function catch_errors() {
+        $error = error_get_last();
+        if ($error && $error['type']) {
+            if ( basename($error['file']) == 'check.php' ) {
+                $errors = get_option($this->OPT_FATAL_ERRORS, array() );
+                array_push( $errors, $error );
+                update_option( $this->OPT_FATAL_ERRORS, array_unique( $errors ) );
+                $report = $this->parent->get_report();
+                $report['cache'] = strtotime( current_time( 'mysql' ) );
+                update_option( $this->parent->OPT_REPORT, $report );
+                $this->parent->classes['account']->update_account_status();
+                delete_transient( $this->parent->WPSCAN_TRANSIENT_CRON );
+            }
+        }
+    }
+    /**
+     * Display fatal errors
+     *
+     * @since 1.0.0
+     * @access public
+     * @return void
+     */
+    public function display_errors() {
+        $screen = get_current_screen();
+        $errors = get_option($this->OPT_FATAL_ERRORS, array() );
+        if ( strstr( $screen->id, $this->parent->classes['report']->page ) ) {
+            foreach ($errors as $err ) {
+                $msg = explode('Stack', $err['message'])[0];
+                $msg = trim($msg);
+                echo "<div class='notice notice-error'><p>$msg</p></div>";
+            }
+        }
+    }
+    /**
      * List vulnerabilities in the report.
+     *

wpscan/tags/1.14/app/Dashboard.php

-                      r2429586
+                      r2452411
         foreach ( $vulns as $vuln ) {
+            echo "<div><span class='dashicons dashicons-warning is-red'></span>&nbsp; " . esc_html($vuln) . "</div><br/>";
+            $vuln = wp_kses( $vuln, array( 'a' => array( 'href' => array() ) ) ); // Only allow a href HTML tags.
+            echo "<div><span class='dashicons dashicons-warning is-red'></span>&nbsp; " . $vuln . "</div><br/>";
+        }

wpscan/tags/1.14/app/Notification.php

-                      r2429586
+                      r2452411
      */
     public function add_meta_box_notification() {
+        if ( $this->parent->is_wp_cron_disabled() ) {
+            return;
+        }
         add_meta_box(
             'wpscan-metabox-notification',

wpscan/tags/1.14/app/Plugin.php

-                      r2429586
+                      r2452411
     public $report;
+    // Action fired when an issue is found
+    public $WPSCAN_ISSUE_FOUND = 'wpscan_issue_found';
     /**
      * Class constructor.
 …
         add_action( 'admin_bar_menu', array( $this, 'admin_bar' ), 65 );
         add_action( $this->WPSCAN_SCHEDULE, array( $this, 'check_now' ) );
+        add_action( 'in_admin_header', array( $this, 'deactivate_screen' ) );
+        // Check if wp cron is disabled
+        if ( $this->is_wp_cron_disabled() ) {
+            add_action( 'admin_notices', array( $this, 'wp_cron_alert' ) );
+        }
         if ( defined( 'WPSCAN_API_TOKEN' ) ) {
 …
      */
     public function deactivate() {
+        delete_option( $this->OPT_SCANNING_INTERVAL );
+        delete_option( $this->OPT_SCANNING_TIME );
         wp_clear_scheduled_hook( $this->WPSCAN_SCHEDULE );
+    }
+    /**
+     * Deactivate screen
+     *
+     * @since 1.14.0
+     * @access public
+     * @return void
+     */
+    public function deactivate_screen() {
+        global $pagenow;
+        if ( 'plugins.php' === $pagenow ) {
+            include_once plugin_dir_path( WPSCAN_PLUGIN_FILE ) . 'views/deactivate.php';
+        }
+    }
+    /**
+     * Check if WP-Cron is disabled
+     *
+     * @since 1.14.0
+     * @access public
+     * @return bool
+     */
+    public function is_wp_cron_disabled() {
+        return defined('DISABLE_WP_CRON') && DISABLE_WP_CRON;
+    }
+    /**
+     * Display cron disabled alert
+     *
+     * @since 1.14.0
+     * @access public
+     * @return void
+     */
+    public function wp_cron_alert() {
+        echo "<div class='notice notice-error'><p>". __( 'WP-Cron has been disabled in the wp-config.php file using the <code>DISABLE_WP_CRON</code> constant. Automated scans and other features that rely on cron will not work.', 'wpscan' ) ."</p></div>";
+    }
 …
      */
     public function admin_enqueue( $hook ) {
+        global $pagenow;
         $screen = get_current_screen();
 …
             wp_localize_script('wpscan', 'wpscan', $localized);
+        }
+        if ( 'plugins.php' === $pagenow ) {
+            wp_enqueue_style(
+                'wpscan-deactivate',
+                plugins_url( 'assets/css/deactivate.css', WPSCAN_PLUGIN_FILE ),
+                array(),
+                $this->wpscan_plugin_version()
+            );
+            wp_enqueue_script(
+                'wpscan-deactivate',
+                plugins_url( 'assets/js/deactivate.js', WPSCAN_PLUGIN_FILE ),
+                    array( 'jquery' ),
+                    $this->wpscan_plugin_version()
+            );
+        }
+    }
 …
         // Hook before the request.
         do_action( 'wpscan/api/get/before', $endpoint );
+        //do_action( 'wpscan/api/get/before', $endpoint );
         // Start the request.
 …
         // Hook after the request.
         do_action( 'wpscan/api/get/after', $endpoint, $response );
+        //do_action( 'wpscan/api/get/after', $endpoint, $response );
         if ( 200 === $code ) {
 …
         // Reset errors.
         update_option( $this->OPT_ERRORS, array() );
+        update_option( $this->classes['checks/system']->OPT_FATAL_ERRORS, array() );
         // Plugins.
         $report['plugins'] = $this->verify_plugins( $ignored['plugins'] );
+        $this->report['plugins'] = $this->verify_plugins( $ignored['plugins'] );
         // Themes.
         $report['themes'] = $this->verify_themes( $ignored['themes'] );
+        $this->report['themes'] = $this->verify_themes( $ignored['themes'] );
         // WordPress.
         if ( ! isset( $ignored['wordpress'] ) ) {
             $report['wordpress'] = $this->verify_wordpress();
+            $this->report['wordpress'] = $this->verify_wordpress();
         } else {
             $report['wordpress'] = array();
+            $this->report['wordpress'] = array();
+        }
         // Security checks.
         $report['security-checks'] = array();
+        $this->report['security-checks'] = array();
         foreach ( $this->classes['checks/system']->checks as $id => $data ) {
             $data['instance']->perform();
             $report['security-checks'][ $id ]['vulnerabilities'] = array();
+            $this->report['security-checks'][ $id ]['vulnerabilities'] = array();
             if ( $data['instance']->vulnerabilities ) {
+                $report['security-checks'][ $id ]['vulnerabilities'] = $data['instance']->get_vulnerabilities();
+                $this->report['security-checks'][ $id ]['vulnerabilities'] = $data['instance']->get_vulnerabilities();
+                $this->maybe_fire_issue_found_action('security-check', $id, $this->report['security-checks'][ $id ]);
+            }
+        }
         // Caching.
         $report['cache'] = strtotime( current_time( 'mysql' ) );
+        $this->report['cache'] = strtotime( current_time( 'mysql' ) );
         // Saving.
+        update_option( $this->OPT_REPORT, $report, true );
+        update_option( $this->OPT_REPORT, $this->report, true );
+        // Updates account status (API calls etc).
+        $this->classes['account']->update_account_status();
+    }
+    /**
+    * Fires the wpscan_issue_found action if needed
+    *
+    * @since 1.14.0
+    *
+    * @param string $type - The affected component type: plugin, theme, wordpress or security-check
+    * @param string $slug - The affected component slug.
+    *                       For wordpress, it will be the version (ie 5.5.3)
+    *                       For security-checks, it will be the id of the check, ie xmlrpc-enabled
+    * @param array $details - An array containing some keys, such as vulnerabilities
+    * @param array additional_details - An array with the plugin details, such as Version etc
+    **/
+    public function maybe_fire_issue_found_action($type, $slug, $details, $additional_details = []) {
+        if ( !count($details['vulnerabilities']) > 0) {
+            return;
+        }
+        do_action($this->WPSCAN_ISSUE_FOUND, $type, $slug, $details, $additional_details);
+    }
 …
                     $plugins[ $slug ]['closed'] = false;
+                }
+                $this->maybe_fire_issue_found_action('plugin', $slug, $plugins[ $slug ], $details );
             } else {
                 if ( 404 === $result ) {
 …
                     $themes[ $slug ]['closed'] = false;
+                }
+                $this->maybe_fire_issue_found_action('theme', $slug, $themes[ $slug ], $details );
             } else {
                 if ( 404 === $result ) {
 …
      */
     public function verify_wordpress() {
         $wordperss = array();
+        $wordpress = array();
         $version = get_bloginfo( 'version' );
 …
         if ( is_object( $result ) ) {
+            $wordperss[ $version ]['vulnerabilities'] = $this->get_vulnerabilities( $result, $version );
+        }
+        return $wordperss;
+            $wordpress[ $version ]['vulnerabilities'] = $this->get_vulnerabilities( $result, $version );
+            $this->maybe_fire_issue_found_action('wordpress', $version, $wordpress[ $version ] );
+        }
+        return $wordpress;
+    }
 …
      */
     public function delete_doing_cron_transient() {
+        $option = get_option( '_transient_wpscan_doing_cron' );
+        if ( $option ) {
+            delete_option( '_transient_wpscan_doing_cron' );
+        }
+        delete_transient( $this->WPSCAN_TRANSIENT_CRON );
+    }
+}

wpscan/tags/1.14/app/Report.php

r2429586	r2452411
16	16	{
17	17	// Page slug.
18		p~~rivate~~ $page;
	18	public $page;
19	19
20	20	/**

wpscan/tags/1.14/app/Settings.php

-                      r2429586
+                      r2452411
         add_action( 'admin_init', array( $this, 'admin_init' ) );
         add_action( 'admin_notices', array( $this, 'got_api_token' ) );
         add_action( 'admin_enqueue_scripts', array( $this, 'admin_enqueue' ) );
+        add_action( 'add_option_' . $this->parent->OPT_SCANNING_INTERVAL, array( $this, 'schedule_event' ), 10, 2 );
+        add_action( 'update_option_' . $this->parent->OPT_SCANNING_INTERVAL, array( $this, 'schedule_event' ), 10, 3 );
+        add_action( 'update_option_' . $this->parent->OPT_SCANNING_TIME, array( $this, 'schedule_event' ), 10, 3 );
+        add_action( 'update_option_' . $this->parent->OPT_IGNORE_ITEMS, array( $this, 'update_ignored_items' ), 10, 3 );
+        if ( ! $this->parent->is_wp_cron_disabled() ) {
+            add_action( 'add_option_' . $this->parent->OPT_SCANNING_INTERVAL, array( $this, 'schedule_event' ), 10, 2 );
+            add_action( 'update_option_' . $this->parent->OPT_SCANNING_INTERVAL, array( $this, 'schedule_event' ), 10, 2 );
+            add_action( 'update_option_' . $this->parent->OPT_SCANNING_TIME, array( $this, 'schedule_event' ), 10, 2 );
+        }
+        add_action( 'update_option_' . $this->parent->OPT_IGNORE_ITEMS, array( $this, 'update_ignored_items' ), 10, 2 );
+    }
 …
                 'wpscan-settings',
                 plugins_url( 'assets/css/settings.css', WPSCAN_PLUGIN_FILE ),
                 array(),
                 $this->parent->wpscan_plugin_version()
+                    array(),
+                    $this->parent->wpscan_plugin_version()
             );
+        }
 …
      */
     public function admin_init() {
+        register_setting( $this->page, $this->parent->OPT_API_TOKEN, array( $this, 'sanitize_api_token' ) );
+        register_setting( $this->page, $this->parent->OPT_SCANNING_INTERVAL, 'sanitize_text_field' );
+        register_setting( $this->page, $this->parent->OPT_SCANNING_TIME, 'sanitize_text_field' );
+        // No need to sanitise the API token from the Settings form if we are using the token from the
+        // WPSCAN_API_TOKEN constant. register_setting() is run before WPSCAN_API_TOKEN is placed in the database,
+        // causing a NULL API token to be passed to some functions if called when using a WPSCAN_API_TOKEN constant.
+        if ( ! defined( 'WPSCAN_API_TOKEN' ) ) {
+            register_setting( $this->page, $this->parent->OPT_API_TOKEN, array( 'sanitize_callback' => array( $this, 'sanitize_api_token' ) ) );
+        }
         register_setting( $this->page, $this->parent->OPT_IGNORE_ITEMS );
+        if ( ! $this->parent->is_wp_cron_disabled() ) {
+            register_setting( $this->page, $this->parent->OPT_SCANNING_INTERVAL, 'sanitize_text_field' );
+            register_setting( $this->page, $this->parent->OPT_SCANNING_TIME, 'sanitize_text_field' );
+        }
         $section = $this->page . '_section';
 …
         );
+        add_settings_field(
+            $this->parent->OPT_SCANNING_INTERVAL,
+            __( 'Automated Scanning', 'wpscan' ),
+            array( $this, 'field_scanning_interval' ),
+            $this->page,
+            $section
+        );
+        add_settings_field(
+            $this->parent->OPT_SCANNING_TIME,
+            __( 'Scanning Time', 'wpscan' ),
+            array( $this, 'field_scanning_time' ),
+            $this->page,
+            $section
+        );
+        if ( ! $this->parent->is_wp_cron_disabled() ) {
+            add_settings_field(
+                $this->parent->OPT_SCANNING_INTERVAL,
+                __( 'Automated Scanning', 'wpscan' ),
+                array( $this, 'field_scanning_interval' ),
+                $this->page,
+                $section
+            );
+            add_settings_field(
+                $this->parent->OPT_SCANNING_TIME,
+                __( 'Scanning Time', 'wpscan' ),
+                array( $this, 'field_scanning_time' ),
+                $this->page,
+                $section
+            );
+        }
         add_settings_field(
 …
             echo '</form>';
         echo '</div>';
+  }
+    }
     /**
 …
     public function field_scanning_time() {
         $opt      = $this->parent->OPT_SCANNING_TIME;
         $value    = esc_attr( get_option( $opt, '12:00' ) );
+        $value    = esc_attr( get_option( $opt, date('H:i') ) );
         $disabled = $this->parent->is_interval_scanning_disabled() ? "disabled='true'" : null;
 …
             : __( 'Plugins', 'wpscan' );
         echo "<div class='wpscan-ignore-items-section'>";
 …
     public function sanitize_api_token( $value ) {
         $value  = trim( $value );
+        $result = $this->parent->api_get( '/status', $value );
+        // update_account_status() calls the /status API endpoint, verifying the validity of the Token passed via $value and updates the account status if needed.
+        if ( empty( $value ) ) {
+            delete_option( $this->parent->OPT_ACCOUNT_STATUS );
+        } else {
+            $this->parent->classes['account']->update_account_status( $value );
+        }
         $errors = get_option( $this->parent->OPT_ERRORS );
 …
         if ( ! empty( $api_token ) && $old_value !== $value ) {
             $interval = esc_attr( get_option( $this->parent->OPT_SCANNING_INTERVAL, 'daily' ) );
             $time     = esc_attr( get_option( $this->parent->OPT_SCANNING_TIME, '12:00 +1day' ) );
+            $time     = esc_attr( get_option( $this->parent->OPT_SCANNING_TIME, date('H:i') . ' +1day' ) );
             wp_clear_scheduled_hook( $this->parent->WPSCAN_SCHEDULE );

wpscan/tags/1.14/app/Summary.php

-                      r2429586
+                      r2452411
         ?>
+        <?php
+            if ( ! empty( $errors ) ) {
+                foreach ( $errors as $err ) {
+                    // $err should not contain user input. If you like to add an esc_html() here, be sure to update the error text that use HTML
+                    echo '<p class="wpscan-summary-res is-red"><span class="dashicons dashicons-megaphone"></span> <strong>' . $err . '</strong></p>';
+                }
+            } elseif ( empty( $this->parent->get_report() ) ) { // No scan run yet.
+                echo '<p class="wpscan-summary-res is-red"><span class="dashicons dashicons-megaphone"></span> <strong>' . __( 'No scan run yet!', 'wpscan' ) . '</strong></p>';
+            } elseif ( empty( $errors ) && 0 === $total ) {
+                echo '<p class="wpscan-summary-res is-green"><span class="dashicons dashicons-awards"></span> <strong>' . __( 'No known vulnerabilities found', 'wpscan' ) . '</strong></p>';
+            } elseif( ! get_option( $this->parent->OPT_API_TOKEN ) ) {
+                echo '<p class="wpscan-summary-res is-red"><span class="dashicons dashicons-megaphone"></span> <strong>' . __( 'You need to add a WPScan API Token to the settings page', 'wpscan' ) . '</strong></p>';
+            } else {
+                echo '<p class="wpscan-summary-res is-red"><span class="dashicons dashicons-megaphone"></span> <strong>' . __( 'Some vulnerabilities were found', 'wpscan' ) . '</strong></p>';
+            }
+        ?>
         <p>
             <?php _e( 'The last full scan was run on: ', 'wpscan' ) ?>
 …
         </p>
+            <?php
+                // Only show next scan time if there's a scheduled cron job.
+                if ( wp_next_scheduled( $this->parent->WPSCAN_SCHEDULE ) ) {
+            ?>
+            <?php if ( ! $this->parent->is_wp_cron_disabled() && wp_next_scheduled( $this->parent->WPSCAN_SCHEDULE ) ) { ?>
                 <p>
                     <?php _e( 'The next scan will automatically be run on ', 'wpscan' ) ?>
 …
         <?php } ?>
+        <?php
+            if ( ! empty( $errors ) ) {
+                foreach ( $errors as $err ) {
+                    // $err should not contain user input. If you like to add an esc_html() here, be sure to update the error text that use HTML
+                    echo '<p class="wpscan-summary-res is-red"><span class="dashicons dashicons-megaphone"></span> <strong>' . $err . '</strong></p>';
+        <p class="description">
+            <?php
+                if ( get_option( $this->parent->OPT_API_TOKEN ) ) {
+                    _e( 'Click the Run All button to run a full vulnerability scan against your WordPress website.', 'wpscan' );
+                } else {
+                    _e( 'Add your API token to the settings page to be able to run a full scan.', 'wpscan' );
+                }
+            } elseif ( empty( $this->parent->get_report() ) ) { // No scan run yet.
+                echo '<p class="wpscan-summary-res is-red"><span class="dashicons dashicons-megaphone"></span> <strong>' . __( 'No scan run yet!', 'wpscan' ) . '</strong></p>';
+            } elseif ( empty( $errors ) && 0 === $total ) {
+                echo '<p class="wpscan-summary-res is-green"><span class="dashicons dashicons-awards"></span> <strong>' . __( 'No known vulnerabilities found', 'wpscan' ) . '</strong></p>';
+            } elseif( ! get_option($this->parent->OPT_API_TOKEN) ) {
+                echo '<p class="wpscan-summary-res is-red"><span class="dashicons dashicons-megaphone"></span> <strong>' . __( 'You need to add a WPScan API Token to the settings page', 'wpscan' ) . '</strong></p>';
+            } else {
+                echo '<p class="wpscan-summary-res is-red"><span class="dashicons dashicons-megaphone"></span> <strong>' . __( 'Some vulnerabilities were found', 'wpscan' ) . '</strong></p>';
+            }
+        ?>
+        <p class="description">
+            <?php _e( 'Click the Run All button to run a full vulnerability scan against your WordPress website.', 'wpscan' ) ?>
+            ?>
         </p>

wpscan/tags/1.14/assets/css/style.css

-                      r2417112
+                      r2452411
   margin-bottom: 5px;
   margin-right: 12px;
+  white-space: normal !important;
+}
+.column-name {
+  word-break: break-word;
+  width: 250px;
+}

wpscan/tags/1.14/assets/js/scripts.js

-                      r2424629
+                      r2452411
       success: function( ) {
         check_cron();
+      },
+      error: function () {
+        location.reload();
+      }
     } );
 …
         },
         error: function ( ) {
           check_cron();
+          location.reload();
+        }
       } );

wpscan/tags/1.14/readme.txt

-                      r2433081
+                      r2452411
 Tags: wpscan, wpvulndb, security, vulnerability, hack, scan, exploit, secure, alerts
 Requires at least: 3.4
 Tested up to: 5.5.3
 Stable tag: 1.13.2
+Tested up to: 5.6
+Stable tag: 1.14
 Requires PHP: 5.5
 License: GPLv3
 …
 . Save the API token to the WPScan settings page or within the wp-config.php file
 == FAQ ==
+== Frequently Asked Questions ==
+* How many API calls are made?
+= How many API calls are made? =
   There is one API call made for the WordPress version, one call for each installed plugin and one for each theme. By default there is one scan per day. The number of daily scans can be configured when configuring notifications.
+* How can I configure the API token in the wp-config.php file?
+= How can I configure the API token in the wp-config.php file? =
   To configure your API token in the wp-config.php file, use the following PHP code: `define( 'WPSCAN_API_TOKEN', '$your_api_token' );`
+* How do I disable vulnerability scanning altogether?
+= How do I disable vulnerability scanning altogether? =
   You can set the following PHP constant in the wp-config.php file to disable scanning; `define( 'WPSCAN_DISABLE_SCANNING_INTERVAL', true );`.
+* Why is the "Summary" section and the "Run All" button not showing?
+= Why is the "Summary" section and the "Run All" button not showing? =
   The cron job did not run, which can be due to:
 …
 == Changelog ==
+= 1.14 =
+* Uses the status endpoint to get account data
+* Fixes the account status not being updated unless a scan is performed when the API token is updated/set
+* Adds vulnerability found hook
+* New security check: Check for weak user passwords
+* New security check: HTTPS
+* Clear plan info if API Token set to null
+* Fixes automated scanning when plugin deactivated and reactivated
+* Fixes cron job not being created when using the WPSCAN_API_TOKEN constant
+* Change default scanning time to the current time
+* Many other small improvements
 = 1.13.2 =

wpscan/tags/1.14/security-checks/xmlrpc-enabled/check.php

-                      r2433081
+                      r2452411
         } else {
             if ( preg_match( '/<string>Incorrect username or password.<\/string>/', $authenticated_response['body'] ) ) {
                 $this->add_vulnerability( __( 'The XML-RPC interface is enabled. This significantly increases your site\'s attack surface.', 'wpscan' ), 'medium', sanitize_title( $url ) );
+                $this->add_vulnerability( __( 'The XML-RPC interface is enabled. This significantly increases your site\'s attack surface', 'wpscan' ), 'medium', sanitize_title( $url ) );
                 return;
             } else {
 …
                 if ( preg_match( '/<string>Hello!<\/string>/', $unauthenticated_response['body'] ) ) {
                     $this->add_vulnerability( __( 'The XML-RPC interface is partly disabled, but still allows unauthenticated requests.', 'wpscan' ), 'low', sanitize_title( $url ) );
+                    $this->add_vulnerability( __( 'The XML-RPC interface is partly disabled, but still allows unauthenticated requests', 'wpscan' ), 'low', sanitize_title( $url ) );
+                }
+            }

wpscan/tags/1.14/views/report.php

-                      r2429586
+                      r2452411
 <div class="wrap">
+  <?php echo file_get_contents($this->parent->plugin_dir. 'assets/svg/logo.svg'); ?>
+  <h1>
+    <?php echo file_get_contents($this->parent->plugin_dir. 'assets/svg/logo.svg'); ?>
+  </h1>
   <hr class="wp-header-end">
 …
               <tr>
                 <td scope="col" class="manage-column check-column">&nbsp;</td>
                 <th scope="col" class="manage-column column-name column-primary" width="250"><?php _e( 'Name', 'wpscan' ) ?></th>
+                <th scope="col" class="manage-column column-name column-primary"><?php _e( 'Name', 'wpscan' ) ?></th>
                 <th scope="col" class="manage-column column-description"><?php _e( 'Vulnerabilities', 'wpscan' ) ?></th>
               </tr>
 …
                 <tr>
                   <td scope="col" class="manage-column check-column">&nbsp;</td>
                   <th scope="col" class="manage-column column-name column-primary" width="250"><?php _e( 'Name', 'wpscan' ) ?></th>
+                  <th scope="col" class="manage-column column-name column-primary"><?php _e( 'Name', 'wpscan' ) ?></th>
                   <th scope="col" class="manage-column column-description"><?php _e( 'Vulnerabilities', 'wpscan' ) ?></th>
                 </tr>
 …
                 <?php
                   foreach ( get_plugins() as $name => $details ) {
                     $slug = $this->parent->get_plugin_slug( $name, $details );
+                    $slug      = $this->parent->get_plugin_slug( $name, $details );
                     $is_closed = $this->is_item_closed('plugins', $slug);
                 ?>
 …
                 <tr>
                   <td scope="col" class="manage-column check-column">&nbsp;</td>
                   <th scope="col" class="manage-column column-name column-primary" width="250"><?php _e( 'Name', 'wpscan' ) ?></th>
+                  <th scope="col" class="manage-column column-name column-primary"><?php _e( 'Name', 'wpscan' ) ?></th>
                   <th scope="col" class="manage-column column-description"><?php _e( 'Vulnerabilities', 'wpscan' ) ?></th>
                 </tr>
 …
                     <tr>
                         <td scope="col" class="manage-column check-column"></td>
                         <th scope="col" class="manage-column column-name column-primary" width="250"><?php _e('Name', 'wpscan') ?></th>
+                        <th scope="col" class="manage-column column-name column-primary"><?php _e('Name', 'wpscan') ?></th>
                         <th scope="col" class="manage-column column-description"><?php _e('Result', 'wpscan') ?></th>
                         <th scope="col" class="manage-column column-description"><?php _e('Actions', 'wpscan') ?></th>

wpscan/tags/1.14/wpscan.php

r2433081	r2452411
4	4	* Plugin URI: http://wordpress.org/plugins/wpscan/
5	5	* Description: WPScan WordPress Security Scanner. Scans your system for security vulnerabilities listed in the WPScan Vulnerability Database.
6		* Version: 1.1~~3.2~~
	6	* Version: 1.14
7	7	* Author: WPScan Team
8	8	* Author URI: https://wpscan.com/

wpscan/trunk/app/Account.php

-                      r2429586
+                      r2452411
         $this->parent = $parent;
-        add_action( 'wpscan/api/get/after', array( $this, 'update_account_status' ), 10, 2 );
         add_action( 'admin_init', array( $this, 'add_account_summary_meta_box' ) );
+    }
     /**
      * Update account status after the api request.
+     * Update account status by calling the /status endpoint.
+     *
      * @since 1.0.0
+     * @param string $endpoint endpoint.
+     * @param string $response response.
+     * @param string $api_token
      * @access public
      * @return void
      */
+    public function update_account_status( $endpoint, $response ) {
+        $wp_endpoit = '/wordpresses/' . str_replace( '.', '', get_bloginfo( 'version' ) );
+    public function update_account_status( $api_token = null ) {
+        $current = get_option( $this->parent->OPT_ACCOUNT_STATUS, array() );
+        $updated = $current;
+        $req = $this->parent->api_get( '/status', $api_token );
+        if ( is_object( $req ) ) {
+            $updated['plan'] = $req->plan;
+        if ( $endpoint === $wp_endpoit ) {
+            $current = get_option( $this->parent->OPT_ACCOUNT_STATUS, array() );
+            $updated = $current;
+            $updated['limit']     = wp_remote_retrieve_header( $response, 'x-ratelimit-limit' );
+            $updated['remaining'] = wp_remote_retrieve_header( $response, 'x-ratelimit-remaining' );
+            $updated['reset']     = wp_remote_retrieve_header( $response, 'x-ratelimit-reset' );
+            if ( ! isset( $current['plan'] ) || $current['limit'] !== $updated['limit'] ) {
+                $req = $this->parent->api_get( '/status' );
+                // Plan.
+                if ( is_object( $req ) ) {
+                    $updated['plan'] = $req->plan;
+                }
+                // For enterprise users.
+                if ( -1 === $req->requests_remaining ) {
+                    $updated['limit']     = __( 'unlimited', 'wpscan' );
+                    $updated['remaining'] = __( 'unlimited', 'wpscan' );
+                    $updated['reset']     = __( 'unlimited', 'wpscan' );
+                }
+            // Enterprise users.
+            if ( -1 === $req->requests_remaining ) {
+                $updated['limit']     = __( 'unlimited', 'wpscan' );
+                $updated['remaining'] = __( 'unlimited', 'wpscan' );
+                $updated['reset']     = __( 'unlimited', 'wpscan' );
+            } else {
+                $updated['limit']     = $req->requests_limit;
+                $updated['remaining'] = $req->requests_remaining;
+                $updated['reset']     = $req->requests_reset;
+            }
 …
     public function get_account_status() {
         $defaults = array(
             'plan'      => 'NO DATA',
+            'plan'      => 'None',
             'limit'     => 50,
             'remaining' => 50,

wpscan/trunk/app/Checks/Check.php

-                      r2429586
+                      r2452411
     final public function add_vulnerability( $title, $severity, $id ) {
         $vulnerability = array(
-            'id'       => $id,
             'title'    => $title,
             'severity' => $severity,
+            'id'       => $id,
         );
 …
         if ( is_array( $this->vulnerabilities ) ) {
             $updated['security-checks'][ $this->id ]['vulnerabilities'] = $this->vulnerabilities;
+            $this->parent->maybe_fire_issue_found_action('security-check', $this->id, $updated['security-checks'][ $this->id ]);
         } else {
             $updated['security-checks'][ $this->id ]['vulnerabilities'] = array();

wpscan/trunk/app/Checks/System.php

-                      r2429586
+                      r2452411
  */
 class System {
+    public $OPT_FATAL_ERRORS = 'wpscan_fatal_errors';
     /**
      * A list of registered checks.
 …
     public function __construct( $parent ) {
         $this->parent = $parent;
+        register_shutdown_function( array( $this, 'catch_errors' ) );
+        add_action( 'admin_notices', array( $this, 'display_errors' ) );
         add_action( 'plugins_loaded', array( $this, 'load_checks' ) );
 …
     /**
+     * Register a shutdown hook to catch errors
+     *
+     * @since 1.0.0
+     * @access public
+     * @return void
+     */
+    public function catch_errors() {
+        $error = error_get_last();
+        if ($error && $error['type']) {
+            if ( basename($error['file']) == 'check.php' ) {
+                $errors = get_option($this->OPT_FATAL_ERRORS, array() );
+                array_push( $errors, $error );
+                update_option( $this->OPT_FATAL_ERRORS, array_unique( $errors ) );
+                $report = $this->parent->get_report();
+                $report['cache'] = strtotime( current_time( 'mysql' ) );
+                update_option( $this->parent->OPT_REPORT, $report );
+                $this->parent->classes['account']->update_account_status();
+                delete_transient( $this->parent->WPSCAN_TRANSIENT_CRON );
+            }
+        }
+    }
+    /**
+     * Display fatal errors
+     *
+     * @since 1.0.0
+     * @access public
+     * @return void
+     */
+    public function display_errors() {
+        $screen = get_current_screen();
+        $errors = get_option($this->OPT_FATAL_ERRORS, array() );
+        if ( strstr( $screen->id, $this->parent->classes['report']->page ) ) {
+            foreach ($errors as $err ) {
+                $msg = explode('Stack', $err['message'])[0];
+                $msg = trim($msg);
+                echo "<div class='notice notice-error'><p>$msg</p></div>";
+            }
+        }
+    }
+    /**
      * List vulnerabilities in the report.
+     *

wpscan/trunk/app/Dashboard.php

-                      r2429586
+                      r2452411
         foreach ( $vulns as $vuln ) {
+            echo "<div><span class='dashicons dashicons-warning is-red'></span>&nbsp; " . esc_html($vuln) . "</div><br/>";
+            $vuln = wp_kses( $vuln, array( 'a' => array( 'href' => array() ) ) ); // Only allow a href HTML tags.
+            echo "<div><span class='dashicons dashicons-warning is-red'></span>&nbsp; " . $vuln . "</div><br/>";
+        }

wpscan/trunk/app/Notification.php

-                      r2429586
+                      r2452411
      */
     public function add_meta_box_notification() {
+        if ( $this->parent->is_wp_cron_disabled() ) {
+            return;
+        }
         add_meta_box(
             'wpscan-metabox-notification',

wpscan/trunk/app/Plugin.php

-                      r2429586
+                      r2452411
     public $report;
+    // Action fired when an issue is found
+    public $WPSCAN_ISSUE_FOUND = 'wpscan_issue_found';
     /**
      * Class constructor.
 …
         add_action( 'admin_bar_menu', array( $this, 'admin_bar' ), 65 );
         add_action( $this->WPSCAN_SCHEDULE, array( $this, 'check_now' ) );
+        add_action( 'in_admin_header', array( $this, 'deactivate_screen' ) );
+        // Check if wp cron is disabled
+        if ( $this->is_wp_cron_disabled() ) {
+            add_action( 'admin_notices', array( $this, 'wp_cron_alert' ) );
+        }
         if ( defined( 'WPSCAN_API_TOKEN' ) ) {
 …
      */
     public function deactivate() {
+        delete_option( $this->OPT_SCANNING_INTERVAL );
+        delete_option( $this->OPT_SCANNING_TIME );
         wp_clear_scheduled_hook( $this->WPSCAN_SCHEDULE );
+    }
+    /**
+     * Deactivate screen
+     *
+     * @since 1.14.0
+     * @access public
+     * @return void
+     */
+    public function deactivate_screen() {
+        global $pagenow;
+        if ( 'plugins.php' === $pagenow ) {
+            include_once plugin_dir_path( WPSCAN_PLUGIN_FILE ) . 'views/deactivate.php';
+        }
+    }
+    /**
+     * Check if WP-Cron is disabled
+     *
+     * @since 1.14.0
+     * @access public
+     * @return bool
+     */
+    public function is_wp_cron_disabled() {
+        return defined('DISABLE_WP_CRON') && DISABLE_WP_CRON;
+    }
+    /**
+     * Display cron disabled alert
+     *
+     * @since 1.14.0
+     * @access public
+     * @return void
+     */
+    public function wp_cron_alert() {
+        echo "<div class='notice notice-error'><p>". __( 'WP-Cron has been disabled in the wp-config.php file using the <code>DISABLE_WP_CRON</code> constant. Automated scans and other features that rely on cron will not work.', 'wpscan' ) ."</p></div>";
+    }
 …
      */
     public function admin_enqueue( $hook ) {
+        global $pagenow;
         $screen = get_current_screen();
 …
             wp_localize_script('wpscan', 'wpscan', $localized);
+        }
+        if ( 'plugins.php' === $pagenow ) {
+            wp_enqueue_style(
+                'wpscan-deactivate',
+                plugins_url( 'assets/css/deactivate.css', WPSCAN_PLUGIN_FILE ),
+                array(),
+                $this->wpscan_plugin_version()
+            );
+            wp_enqueue_script(
+                'wpscan-deactivate',
+                plugins_url( 'assets/js/deactivate.js', WPSCAN_PLUGIN_FILE ),
+                    array( 'jquery' ),
+                    $this->wpscan_plugin_version()
+            );
+        }
+    }
 …
         // Hook before the request.
         do_action( 'wpscan/api/get/before', $endpoint );
+        //do_action( 'wpscan/api/get/before', $endpoint );
         // Start the request.
 …
         // Hook after the request.
         do_action( 'wpscan/api/get/after', $endpoint, $response );
+        //do_action( 'wpscan/api/get/after', $endpoint, $response );
         if ( 200 === $code ) {
 …
         // Reset errors.
         update_option( $this->OPT_ERRORS, array() );
+        update_option( $this->classes['checks/system']->OPT_FATAL_ERRORS, array() );
         // Plugins.
         $report['plugins'] = $this->verify_plugins( $ignored['plugins'] );
+        $this->report['plugins'] = $this->verify_plugins( $ignored['plugins'] );
         // Themes.
         $report['themes'] = $this->verify_themes( $ignored['themes'] );
+        $this->report['themes'] = $this->verify_themes( $ignored['themes'] );
         // WordPress.
         if ( ! isset( $ignored['wordpress'] ) ) {
             $report['wordpress'] = $this->verify_wordpress();
+            $this->report['wordpress'] = $this->verify_wordpress();
         } else {
             $report['wordpress'] = array();
+            $this->report['wordpress'] = array();
+        }
         // Security checks.
         $report['security-checks'] = array();
+        $this->report['security-checks'] = array();
         foreach ( $this->classes['checks/system']->checks as $id => $data ) {
             $data['instance']->perform();
             $report['security-checks'][ $id ]['vulnerabilities'] = array();
+            $this->report['security-checks'][ $id ]['vulnerabilities'] = array();
             if ( $data['instance']->vulnerabilities ) {
+                $report['security-checks'][ $id ]['vulnerabilities'] = $data['instance']->get_vulnerabilities();
+                $this->report['security-checks'][ $id ]['vulnerabilities'] = $data['instance']->get_vulnerabilities();
+                $this->maybe_fire_issue_found_action('security-check', $id, $this->report['security-checks'][ $id ]);
+            }
+        }
         // Caching.
         $report['cache'] = strtotime( current_time( 'mysql' ) );
+        $this->report['cache'] = strtotime( current_time( 'mysql' ) );
         // Saving.
+        update_option( $this->OPT_REPORT, $report, true );
+        update_option( $this->OPT_REPORT, $this->report, true );
+        // Updates account status (API calls etc).
+        $this->classes['account']->update_account_status();
+    }
+    /**
+    * Fires the wpscan_issue_found action if needed
+    *
+    * @since 1.14.0
+    *
+    * @param string $type - The affected component type: plugin, theme, wordpress or security-check
+    * @param string $slug - The affected component slug.
+    *                       For wordpress, it will be the version (ie 5.5.3)
+    *                       For security-checks, it will be the id of the check, ie xmlrpc-enabled
+    * @param array $details - An array containing some keys, such as vulnerabilities
+    * @param array additional_details - An array with the plugin details, such as Version etc
+    **/
+    public function maybe_fire_issue_found_action($type, $slug, $details, $additional_details = []) {
+        if ( !count($details['vulnerabilities']) > 0) {
+            return;
+        }
+        do_action($this->WPSCAN_ISSUE_FOUND, $type, $slug, $details, $additional_details);
+    }
 …
                     $plugins[ $slug ]['closed'] = false;
+                }
+                $this->maybe_fire_issue_found_action('plugin', $slug, $plugins[ $slug ], $details );
             } else {
                 if ( 404 === $result ) {
 …
                     $themes[ $slug ]['closed'] = false;
+                }
+                $this->maybe_fire_issue_found_action('theme', $slug, $themes[ $slug ], $details );
             } else {
                 if ( 404 === $result ) {
 …
      */
     public function verify_wordpress() {
         $wordperss = array();
+        $wordpress = array();
         $version = get_bloginfo( 'version' );
 …
         if ( is_object( $result ) ) {
+            $wordperss[ $version ]['vulnerabilities'] = $this->get_vulnerabilities( $result, $version );
+        }
+        return $wordperss;
+            $wordpress[ $version ]['vulnerabilities'] = $this->get_vulnerabilities( $result, $version );
+            $this->maybe_fire_issue_found_action('wordpress', $version, $wordpress[ $version ] );
+        }
+        return $wordpress;
+    }
 …
      */
     public function delete_doing_cron_transient() {
+        $option = get_option( '_transient_wpscan_doing_cron' );
+        if ( $option ) {
+            delete_option( '_transient_wpscan_doing_cron' );
+        }
+        delete_transient( $this->WPSCAN_TRANSIENT_CRON );
+    }
+}

wpscan/trunk/app/Report.php

r2429586	r2452411
16	16	{
17	17	// Page slug.
18		p~~rivate~~ $page;
	18	public $page;
19	19
20	20	/**

wpscan/trunk/app/Settings.php

-                      r2429586
+                      r2452411
         add_action( 'admin_init', array( $this, 'admin_init' ) );
         add_action( 'admin_notices', array( $this, 'got_api_token' ) );
         add_action( 'admin_enqueue_scripts', array( $this, 'admin_enqueue' ) );
+        add_action( 'add_option_' . $this->parent->OPT_SCANNING_INTERVAL, array( $this, 'schedule_event' ), 10, 2 );
+        add_action( 'update_option_' . $this->parent->OPT_SCANNING_INTERVAL, array( $this, 'schedule_event' ), 10, 3 );
+        add_action( 'update_option_' . $this->parent->OPT_SCANNING_TIME, array( $this, 'schedule_event' ), 10, 3 );
+        add_action( 'update_option_' . $this->parent->OPT_IGNORE_ITEMS, array( $this, 'update_ignored_items' ), 10, 3 );
+        if ( ! $this->parent->is_wp_cron_disabled() ) {
+            add_action( 'add_option_' . $this->parent->OPT_SCANNING_INTERVAL, array( $this, 'schedule_event' ), 10, 2 );
+            add_action( 'update_option_' . $this->parent->OPT_SCANNING_INTERVAL, array( $this, 'schedule_event' ), 10, 2 );
+            add_action( 'update_option_' . $this->parent->OPT_SCANNING_TIME, array( $this, 'schedule_event' ), 10, 2 );
+        }
+        add_action( 'update_option_' . $this->parent->OPT_IGNORE_ITEMS, array( $this, 'update_ignored_items' ), 10, 2 );
+    }
 …
                 'wpscan-settings',
                 plugins_url( 'assets/css/settings.css', WPSCAN_PLUGIN_FILE ),
                 array(),
                 $this->parent->wpscan_plugin_version()
+                    array(),
+                    $this->parent->wpscan_plugin_version()
             );
+        }
 …
      */
     public function admin_init() {
+        register_setting( $this->page, $this->parent->OPT_API_TOKEN, array( $this, 'sanitize_api_token' ) );
+        register_setting( $this->page, $this->parent->OPT_SCANNING_INTERVAL, 'sanitize_text_field' );
+        register_setting( $this->page, $this->parent->OPT_SCANNING_TIME, 'sanitize_text_field' );
+        // No need to sanitise the API token from the Settings form if we are using the token from the
+        // WPSCAN_API_TOKEN constant. register_setting() is run before WPSCAN_API_TOKEN is placed in the database,
+        // causing a NULL API token to be passed to some functions if called when using a WPSCAN_API_TOKEN constant.
+        if ( ! defined( 'WPSCAN_API_TOKEN' ) ) {
+            register_setting( $this->page, $this->parent->OPT_API_TOKEN, array( 'sanitize_callback' => array( $this, 'sanitize_api_token' ) ) );
+        }
         register_setting( $this->page, $this->parent->OPT_IGNORE_ITEMS );
+        if ( ! $this->parent->is_wp_cron_disabled() ) {
+            register_setting( $this->page, $this->parent->OPT_SCANNING_INTERVAL, 'sanitize_text_field' );
+            register_setting( $this->page, $this->parent->OPT_SCANNING_TIME, 'sanitize_text_field' );
+        }
         $section = $this->page . '_section';
 …
         );
+        add_settings_field(
+            $this->parent->OPT_SCANNING_INTERVAL,
+            __( 'Automated Scanning', 'wpscan' ),
+            array( $this, 'field_scanning_interval' ),
+            $this->page,
+            $section
+        );
+        add_settings_field(
+            $this->parent->OPT_SCANNING_TIME,
+            __( 'Scanning Time', 'wpscan' ),
+            array( $this, 'field_scanning_time' ),
+            $this->page,
+            $section
+        );
+        if ( ! $this->parent->is_wp_cron_disabled() ) {
+            add_settings_field(
+                $this->parent->OPT_SCANNING_INTERVAL,
+                __( 'Automated Scanning', 'wpscan' ),
+                array( $this, 'field_scanning_interval' ),
+                $this->page,
+                $section
+            );
+            add_settings_field(
+                $this->parent->OPT_SCANNING_TIME,
+                __( 'Scanning Time', 'wpscan' ),
+                array( $this, 'field_scanning_time' ),
+                $this->page,
+                $section
+            );
+        }
         add_settings_field(
 …
             echo '</form>';
         echo '</div>';
+  }
+    }
     /**
 …
     public function field_scanning_time() {
         $opt      = $this->parent->OPT_SCANNING_TIME;
         $value    = esc_attr( get_option( $opt, '12:00' ) );
+        $value    = esc_attr( get_option( $opt, date('H:i') ) );
         $disabled = $this->parent->is_interval_scanning_disabled() ? "disabled='true'" : null;
 …
             : __( 'Plugins', 'wpscan' );
         echo "<div class='wpscan-ignore-items-section'>";
 …
     public function sanitize_api_token( $value ) {
         $value  = trim( $value );
+        $result = $this->parent->api_get( '/status', $value );
+        // update_account_status() calls the /status API endpoint, verifying the validity of the Token passed via $value and updates the account status if needed.
+        if ( empty( $value ) ) {
+            delete_option( $this->parent->OPT_ACCOUNT_STATUS );
+        } else {
+            $this->parent->classes['account']->update_account_status( $value );
+        }
         $errors = get_option( $this->parent->OPT_ERRORS );
 …
         if ( ! empty( $api_token ) && $old_value !== $value ) {
             $interval = esc_attr( get_option( $this->parent->OPT_SCANNING_INTERVAL, 'daily' ) );
             $time     = esc_attr( get_option( $this->parent->OPT_SCANNING_TIME, '12:00 +1day' ) );
+            $time     = esc_attr( get_option( $this->parent->OPT_SCANNING_TIME, date('H:i') . ' +1day' ) );
             wp_clear_scheduled_hook( $this->parent->WPSCAN_SCHEDULE );

wpscan/trunk/app/Summary.php

-                      r2429586
+                      r2452411
         ?>
+        <?php
+            if ( ! empty( $errors ) ) {
+                foreach ( $errors as $err ) {
+                    // $err should not contain user input. If you like to add an esc_html() here, be sure to update the error text that use HTML
+                    echo '<p class="wpscan-summary-res is-red"><span class="dashicons dashicons-megaphone"></span> <strong>' . $err . '</strong></p>';
+                }
+            } elseif ( empty( $this->parent->get_report() ) ) { // No scan run yet.
+                echo '<p class="wpscan-summary-res is-red"><span class="dashicons dashicons-megaphone"></span> <strong>' . __( 'No scan run yet!', 'wpscan' ) . '</strong></p>';
+            } elseif ( empty( $errors ) && 0 === $total ) {
+                echo '<p class="wpscan-summary-res is-green"><span class="dashicons dashicons-awards"></span> <strong>' . __( 'No known vulnerabilities found', 'wpscan' ) . '</strong></p>';
+            } elseif( ! get_option( $this->parent->OPT_API_TOKEN ) ) {
+                echo '<p class="wpscan-summary-res is-red"><span class="dashicons dashicons-megaphone"></span> <strong>' . __( 'You need to add a WPScan API Token to the settings page', 'wpscan' ) . '</strong></p>';
+            } else {
+                echo '<p class="wpscan-summary-res is-red"><span class="dashicons dashicons-megaphone"></span> <strong>' . __( 'Some vulnerabilities were found', 'wpscan' ) . '</strong></p>';
+            }
+        ?>
         <p>
             <?php _e( 'The last full scan was run on: ', 'wpscan' ) ?>
 …
         </p>
+            <?php
+                // Only show next scan time if there's a scheduled cron job.
+                if ( wp_next_scheduled( $this->parent->WPSCAN_SCHEDULE ) ) {
+            ?>
+            <?php if ( ! $this->parent->is_wp_cron_disabled() && wp_next_scheduled( $this->parent->WPSCAN_SCHEDULE ) ) { ?>
                 <p>
                     <?php _e( 'The next scan will automatically be run on ', 'wpscan' ) ?>
 …
         <?php } ?>
+        <?php
+            if ( ! empty( $errors ) ) {
+                foreach ( $errors as $err ) {
+                    // $err should not contain user input. If you like to add an esc_html() here, be sure to update the error text that use HTML
+                    echo '<p class="wpscan-summary-res is-red"><span class="dashicons dashicons-megaphone"></span> <strong>' . $err . '</strong></p>';
+        <p class="description">
+            <?php
+                if ( get_option( $this->parent->OPT_API_TOKEN ) ) {
+                    _e( 'Click the Run All button to run a full vulnerability scan against your WordPress website.', 'wpscan' );
+                } else {
+                    _e( 'Add your API token to the settings page to be able to run a full scan.', 'wpscan' );
+                }
+            } elseif ( empty( $this->parent->get_report() ) ) { // No scan run yet.
+                echo '<p class="wpscan-summary-res is-red"><span class="dashicons dashicons-megaphone"></span> <strong>' . __( 'No scan run yet!', 'wpscan' ) . '</strong></p>';
+            } elseif ( empty( $errors ) && 0 === $total ) {
+                echo '<p class="wpscan-summary-res is-green"><span class="dashicons dashicons-awards"></span> <strong>' . __( 'No known vulnerabilities found', 'wpscan' ) . '</strong></p>';
+            } elseif( ! get_option($this->parent->OPT_API_TOKEN) ) {
+                echo '<p class="wpscan-summary-res is-red"><span class="dashicons dashicons-megaphone"></span> <strong>' . __( 'You need to add a WPScan API Token to the settings page', 'wpscan' ) . '</strong></p>';
+            } else {
+                echo '<p class="wpscan-summary-res is-red"><span class="dashicons dashicons-megaphone"></span> <strong>' . __( 'Some vulnerabilities were found', 'wpscan' ) . '</strong></p>';
+            }
+        ?>
+        <p class="description">
+            <?php _e( 'Click the Run All button to run a full vulnerability scan against your WordPress website.', 'wpscan' ) ?>
+            ?>
         </p>

wpscan/trunk/assets/css/style.css

-                      r2417112
+                      r2452411
   margin-bottom: 5px;
   margin-right: 12px;
+  white-space: normal !important;
+}
+.column-name {
+  word-break: break-word;
+  width: 250px;
+}

wpscan/trunk/assets/js/scripts.js

-                      r2424629
+                      r2452411
       success: function( ) {
         check_cron();
+      },
+      error: function () {
+        location.reload();
+      }
     } );
 …
         },
         error: function ( ) {
           check_cron();
+          location.reload();
+        }
       } );

wpscan/trunk/readme.txt

-                      r2433081
+                      r2452411
 Tags: wpscan, wpvulndb, security, vulnerability, hack, scan, exploit, secure, alerts
 Requires at least: 3.4
 Tested up to: 5.5.3
 Stable tag: 1.13.2
+Tested up to: 5.6
+Stable tag: 1.14
 Requires PHP: 5.5
 License: GPLv3
 …
 . Save the API token to the WPScan settings page or within the wp-config.php file
 == FAQ ==
+== Frequently Asked Questions ==
+* How many API calls are made?
+= How many API calls are made? =
   There is one API call made for the WordPress version, one call for each installed plugin and one for each theme. By default there is one scan per day. The number of daily scans can be configured when configuring notifications.
+* How can I configure the API token in the wp-config.php file?
+= How can I configure the API token in the wp-config.php file? =
   To configure your API token in the wp-config.php file, use the following PHP code: `define( 'WPSCAN_API_TOKEN', '$your_api_token' );`
+* How do I disable vulnerability scanning altogether?
+= How do I disable vulnerability scanning altogether? =
   You can set the following PHP constant in the wp-config.php file to disable scanning; `define( 'WPSCAN_DISABLE_SCANNING_INTERVAL', true );`.
+* Why is the "Summary" section and the "Run All" button not showing?
+= Why is the "Summary" section and the "Run All" button not showing? =
   The cron job did not run, which can be due to:
 …
 == Changelog ==
+= 1.14 =
+* Uses the status endpoint to get account data
+* Fixes the account status not being updated unless a scan is performed when the API token is updated/set
+* Adds vulnerability found hook
+* New security check: Check for weak user passwords
+* New security check: HTTPS
+* Clear plan info if API Token set to null
+* Fixes automated scanning when plugin deactivated and reactivated
+* Fixes cron job not being created when using the WPSCAN_API_TOKEN constant
+* Change default scanning time to the current time
+* Many other small improvements
 = 1.13.2 =

wpscan/trunk/security-checks/xmlrpc-enabled/check.php

-                      r2433081
+                      r2452411
         } else {
             if ( preg_match( '/<string>Incorrect username or password.<\/string>/', $authenticated_response['body'] ) ) {
                 $this->add_vulnerability( __( 'The XML-RPC interface is enabled. This significantly increases your site\'s attack surface.', 'wpscan' ), 'medium', sanitize_title( $url ) );
+                $this->add_vulnerability( __( 'The XML-RPC interface is enabled. This significantly increases your site\'s attack surface', 'wpscan' ), 'medium', sanitize_title( $url ) );
                 return;
             } else {
 …
                 if ( preg_match( '/<string>Hello!<\/string>/', $unauthenticated_response['body'] ) ) {
                     $this->add_vulnerability( __( 'The XML-RPC interface is partly disabled, but still allows unauthenticated requests.', 'wpscan' ), 'low', sanitize_title( $url ) );
+                    $this->add_vulnerability( __( 'The XML-RPC interface is partly disabled, but still allows unauthenticated requests', 'wpscan' ), 'low', sanitize_title( $url ) );
+                }
+            }

wpscan/trunk/views/report.php

-                      r2429586
+                      r2452411
 <div class="wrap">
+  <?php echo file_get_contents($this->parent->plugin_dir. 'assets/svg/logo.svg'); ?>
+  <h1>
+    <?php echo file_get_contents($this->parent->plugin_dir. 'assets/svg/logo.svg'); ?>
+  </h1>
   <hr class="wp-header-end">
 …
               <tr>
                 <td scope="col" class="manage-column check-column">&nbsp;</td>
                 <th scope="col" class="manage-column column-name column-primary" width="250"><?php _e( 'Name', 'wpscan' ) ?></th>
+                <th scope="col" class="manage-column column-name column-primary"><?php _e( 'Name', 'wpscan' ) ?></th>
                 <th scope="col" class="manage-column column-description"><?php _e( 'Vulnerabilities', 'wpscan' ) ?></th>
               </tr>
 …
                 <tr>
                   <td scope="col" class="manage-column check-column">&nbsp;</td>
                   <th scope="col" class="manage-column column-name column-primary" width="250"><?php _e( 'Name', 'wpscan' ) ?></th>
+                  <th scope="col" class="manage-column column-name column-primary"><?php _e( 'Name', 'wpscan' ) ?></th>
                   <th scope="col" class="manage-column column-description"><?php _e( 'Vulnerabilities', 'wpscan' ) ?></th>
                 </tr>
 …
                 <?php
                   foreach ( get_plugins() as $name => $details ) {
                     $slug = $this->parent->get_plugin_slug( $name, $details );
+                    $slug      = $this->parent->get_plugin_slug( $name, $details );
                     $is_closed = $this->is_item_closed('plugins', $slug);
                 ?>
 …
                 <tr>
                   <td scope="col" class="manage-column check-column">&nbsp;</td>
                   <th scope="col" class="manage-column column-name column-primary" width="250"><?php _e( 'Name', 'wpscan' ) ?></th>
+                  <th scope="col" class="manage-column column-name column-primary"><?php _e( 'Name', 'wpscan' ) ?></th>
                   <th scope="col" class="manage-column column-description"><?php _e( 'Vulnerabilities', 'wpscan' ) ?></th>
                 </tr>
 …
                     <tr>
                         <td scope="col" class="manage-column check-column"></td>
                         <th scope="col" class="manage-column column-name column-primary" width="250"><?php _e('Name', 'wpscan') ?></th>
+                        <th scope="col" class="manage-column column-name column-primary"><?php _e('Name', 'wpscan') ?></th>
                         <th scope="col" class="manage-column column-description"><?php _e('Result', 'wpscan') ?></th>
                         <th scope="col" class="manage-column column-description"><?php _e('Actions', 'wpscan') ?></th>

wpscan/trunk/wpscan.php

r2433081	r2452411
4	4	* Plugin URI: http://wordpress.org/plugins/wpscan/
5	5	* Description: WPScan WordPress Security Scanner. Scans your system for security vulnerabilities listed in the WPScan Vulnerability Database.
6		* Version: 1.1~~3.2~~
	6	* Version: 1.14
7	7	* Author: WPScan Team
8	8	* Author URI: https://wpscan.com/

Plugin Directory

Context Navigation

Legend:

wpscan/tags/1.14/app/Account.php

wpscan/tags/1.14/app/Checks/Check.php

wpscan/tags/1.14/app/Checks/System.php

wpscan/tags/1.14/app/Dashboard.php

wpscan/tags/1.14/app/Notification.php

wpscan/tags/1.14/app/Plugin.php

wpscan/tags/1.14/app/Report.php

wpscan/tags/1.14/app/Settings.php

wpscan/tags/1.14/app/Summary.php

wpscan/tags/1.14/assets/css/style.css

wpscan/tags/1.14/assets/js/scripts.js

wpscan/tags/1.14/readme.txt

wpscan/tags/1.14/security-checks/xmlrpc-enabled/check.php

wpscan/tags/1.14/views/report.php

wpscan/tags/1.14/wpscan.php

wpscan/trunk/app/Account.php

wpscan/trunk/app/Checks/Check.php

wpscan/trunk/app/Checks/System.php

wpscan/trunk/app/Dashboard.php

wpscan/trunk/app/Notification.php

wpscan/trunk/app/Plugin.php

wpscan/trunk/app/Report.php

wpscan/trunk/app/Settings.php

wpscan/trunk/app/Summary.php

wpscan/trunk/assets/css/style.css

wpscan/trunk/assets/js/scripts.js

wpscan/trunk/readme.txt

wpscan/trunk/security-checks/xmlrpc-enabled/check.php

wpscan/trunk/views/report.php

wpscan/trunk/wpscan.php

Download in other formats: