get_vulnerabilities(); // Password list from: https://github.com/danielmiessler/SecLists/blob/master/Passwords/probable-v2-top207.txt. $users = get_users( array( 'role__in' => array( 'super_admin', 'administrator', 'editor', 'author', 'contributor' ) ) ); $passwords = file( $this->dir . '/assets/passwords.txt', FILE_IGNORE_NEW_LINES ); $found = array(); foreach ( $users as $user ) { $username = $user->user_login; foreach ( $passwords as $password ) { if ( wp_check_password( $password, $user->data->user_pass, $user->ID ) ) { array_push( $found, $username ); break; } } } if ( ! empty( $found ) ) { if ( 1 === count( $found ) ) { $text = sprintf( __( 'The %s user was found to have a weak password. The user\'s password should be updated immediately.', 'wpscan' ), esc_html( $found[0] ) ); } else { $found = implode( ', ', $found ); $text = sprintf( __( 'The %s users were found to have weak passwords. The users\' passwords should be updated immediately.', 'wpscan' ), esc_html( $found ) ); } $this->add_vulnerability( $text, 'high', 'weak-passwords', 'https://blog.wpscan.com/wpscan/2019/09/17/wpscan-brute-force.html' ); } } }