CMSmap is an open-source CMS scanner written in Python that automates the detection of security flaws in the most popular CMSs.

The main purpose of CMSmap is to integrate common vulnerabilities for different types of CMSs in a single tool.

At the moment, the CMSs supported by CMSmap are WordPress, Joomla, Drupal and Moodle.

Usage: cmsmap [options]

  target                     target URL (e.g. ’’)
  -f W/J/D, --force W/J/D    force scan (W)ordpress (J)oomla or (D)rupal
  -F, --fullscan             full scan using large plugin lists. False positives and slow!
  -t, --threads              number of threads (Default 5)
  -a, --agent                set custom user-agent
  -H, --header               add custom header (e.g. ‘Authorization: Basic ABCD…’)
  -i, --input                scan multiple targets listed in a given file
  -o, --output               save output in a file
  -E, --noedb                enumerate plugins without searching exploits
  -c, --nocleanurls          disable clean urls for Drupal only
  -s, --nosslcheck           don’t validate the server’s certificate
  -d, --dictattack           run low intense dictionary attack during scanning (5 attempts per user)


  -u, --usr                  username or username file
  -p, --psw                  password or password file
  -x, --noxmlrpc             brute forcing WordPress without XML-RPC

Post Exploitation:

  -k, --crack                password hashes file (Require hashcat installed. For WordPress and Joomla only)
  -w, --wordlist             wordlist file


  -v, --verbose              verbose mode (Default false)
  -h, --help                 show this help message and exit
  -D, --default              run CMSmap with default options
  -U, --update               use (C)MSmap, (P)lugins or (PC) for both


Run cmsmap with verbose mode enabled: -v

Run a full scan on a Joomla target: -f J -F

Run cmsmap on the targets listed in the targets.txt file and save the results in the output.txt file: -i targets.txt -o output.txt

Run cmsmap on a target with the username admin and the passwords listed in the passwords.txt file: -u admin -p passwords.txt

Run cmsmap to crack passwords using the hashes and passwords listed in the hashes.txt and passwords.txt files: -k hashes.txt -w passwords.txt