wpscan fails with ruby 3.4 fails with `parse error: invalid object key (must be a string)`

[gnuletik]

Subject of the issue

When running WPScan with Ruby 3.4, the wpscan stops unexpectedly.

Your environment

• Version of WPScan: v3.8.27
• Version of Ruby: 3.4
• Operating System (OS): Ubuntu 24.04.1 (Noble Numbat)

Steps to reproduce

wpscan --url http://localhost -f json -o output.json -e ap,vt,u

Expected behavior

The following crash occurs:
"/usr/local/bundle/gems/yajl-ruby-1.4.3/lib/yajl/json_gem/parsing.rb:15:in 'JSON.parse': parse error: invalid object key (must be a string) (JSON::ParserError)\n 3'\"], \"confirmed_by\": { null: { \"confidence\": 60, \n (right here) ------^\n\n\tfrom /usr/local/bundle/gems/cms_scanner-0.14.3/app/formatters/json.rb:10:in 'CMSScanner::Formatter::Json#beautify'\n\tfrom /usr/local/bundle/gems/cms_scanner-0.14.3/lib/cms_scanner/scan.rb:42:in 'CMSScanner::Scan#run'\n\tfrom /usr/local/bundle/gems/wpscan-3.8.27/bin/wpscan:17:in 'block in <top (required)>'\n\tfrom /usr/local/bundle/gems/cms_scanner-0.14.3/lib/cms_scanner/scan.rb:15:in 'CMSScanner::Scan#initialize'\n\tfrom /usr/local/bundle/gems/wpscan-3.8.27/bin/wpscan:6:in 'Class#new'\n\tfrom /usr/local/bundle/gems/wpscan-3.8.27/bin/wpscan:6:in '<top (required)>'\n\tfrom /usr/local/bundle/bin/wpscan:25:in 'Kernel#load'\n\tfrom /usr/local/bundle/bin/wpscan:25:in '<main>'\n/usr/local/bundle/gems/yajl-ruby-1.4.3/lib/yajl.rb:44:in 'Yajl::Parser#parse': parse error: invalid object key (must be a string) (Yajl::ParseError)\n 3'\"], \"confirmed_by\": { null: { \"confidence\": 60, \n (right here) ------^\n\n\tfrom /usr/local/bundle/gems/yajl-ruby-1.4.3/lib/yajl.rb:44:in 'Yajl::Parser.parse'\n\tfrom /usr/local/bundle/gems/yajl-ruby-1.4.3/lib/yajl/json_gem/parsing.rb:13:in 'JSON.parse'\n\tfrom /usr/local/bundle/gems/cms_scanner-0.14.3/app/formatters/json.rb:10:in 'CMSScanner::Formatter::Json#beautify'\n\tfrom /usr/local/bundle/gems/cms_scanner-0.14.3/lib/cms_scanner/scan.rb:42:in 'CMSScanner::Scan#run'\n\tfrom /usr/local/bundle/gems/wpscan-3.8.27/bin/wpscan:17:in 'block in <top (required)>'\n\tfrom /usr/local/bundle/gems/cms_scanner-0.14.3/lib/cms_scanner/scan.rb:15:in 'CMSScanner::Scan#initialize'\n\tfrom /usr/local/bundle/gems/wpscan-3.8.27/bin/wpscan:6:in 'Class#new'\n\tfrom /usr/local/bundle/gems/wpscan-3.8.27/bin/wpscan:6:in '<top (required)>'\n\tfrom /usr/local/bundle/bin/wpscan:25:in 'Kernel#load'\n\tfrom /usr/local/bundle/bin/wpscan:25:in '<main>'"

Actual behavior

It should not crash.

What have you already tried

Things you have tried (where relevant):

• Update WPScan to the latest version [x]
• Update Ruby to the latest version [x]
• Ensure you can reach the target site using cURL [x]
• Proxied WPScan through a HTTP proxy to view the raw traffic [ ]
• Ensure you are using a supported Operating System (Linux and macOS) [x]

[fabian-nunes]

Same thing is happening in MacOS using the brew installation and ruby 3.4, will test out on 3.3 to see if it works.

[alexsanford]

Reproduced on ruby 3.4.1 with wpscan --url https://SITE_URL/ -e u -f json

/home/alex/.rvm/gems/ruby-3.4.1/gems/yajl-ruby-1.4.3/lib/yajl/json_gem/parsing.rb:15:in 'JSON.parse': parse error: invalid object key (must be a string) (JSON::ParserError)
          1'"], "confirmed_by": {   null: {     "confidence": 100,
                     (right here) ------^

        from /home/alex/.rvm/gems/ruby-3.4.1/gems/cms_scanner-0.14.3/app/formatters/json.rb:10:in 'CMSScanner::Formatter::Json#beautify'
        from /home/alex/.rvm/gems/ruby-3.4.1/gems/cms_scanner-0.14.3/lib/cms_scanner/scan.rb:42:in 'CMSScanner::Scan#run'
        from /home/alex/.rvm/gems/ruby-3.4.1/gems/wpscan-3.8.27/bin/wpscan:17:in 'block in <top (required)>'
        from /home/alex/.rvm/gems/ruby-3.4.1/gems/cms_scanner-0.14.3/lib/cms_scanner/scan.rb:15:in 'CMSScanner::Scan#initialize'
        from /home/alex/.rvm/gems/ruby-3.4.1/gems/wpscan-3.8.27/bin/wpscan:6:in 'Class#new'
        from /home/alex/.rvm/gems/ruby-3.4.1/gems/wpscan-3.8.27/bin/wpscan:6:in '<top (required)>'
        from /home/alex/.rvm/gems/ruby-3.4.1/bin/wpscan:25:in 'Kernel#load'
        from /home/alex/.rvm/gems/ruby-3.4.1/bin/wpscan:25:in '<main>'
        from /home/alex/.rvm/gems/ruby-3.4.1/bin/ruby_executable_hooks:22:in 'Kernel#eval'
        from /home/alex/.rvm/gems/ruby-3.4.1/bin/ruby_executable_hooks:22:in '<main>'
/home/alex/.rvm/gems/ruby-3.4.1/gems/yajl-ruby-1.4.3/lib/yajl.rb:44:in 'Yajl::Parser#parse': parse error: invalid object key (must be a string) (Yajl::ParseError)
          1'"], "confirmed_by": {   null: {     "confidence": 100,
                     (right here) ------^

        from /home/alex/.rvm/gems/ruby-3.4.1/gems/yajl-ruby-1.4.3/lib/yajl.rb:44:in 'Yajl::Parser.parse'
        from /home/alex/.rvm/gems/ruby-3.4.1/gems/yajl-ruby-1.4.3/lib/yajl/json_gem/parsing.rb:13:in 'JSON.parse'
        from /home/alex/.rvm/gems/ruby-3.4.1/gems/cms_scanner-0.14.3/app/formatters/json.rb:10:in 'CMSScanner::Formatter::Json#beautify'
        from /home/alex/.rvm/gems/ruby-3.4.1/gems/cms_scanner-0.14.3/lib/cms_scanner/scan.rb:42:in 'CMSScanner::Scan#run'
        from /home/alex/.rvm/gems/ruby-3.4.1/gems/wpscan-3.8.27/bin/wpscan:17:in 'block in <top (required)>'
        from /home/alex/.rvm/gems/ruby-3.4.1/gems/cms_scanner-0.14.3/lib/cms_scanner/scan.rb:15:in 'CMSScanner::Scan#initialize'
        from /home/alex/.rvm/gems/ruby-3.4.1/gems/wpscan-3.8.27/bin/wpscan:6:in 'Class#new'
        from /home/alex/.rvm/gems/ruby-3.4.1/gems/wpscan-3.8.27/bin/wpscan:6:in '<top (required)>'
        from /home/alex/.rvm/gems/ruby-3.4.1/bin/wpscan:25:in 'Kernel#load'
        from /home/alex/.rvm/gems/ruby-3.4.1/bin/wpscan:25:in '<main>'
        from /home/alex/.rvm/gems/ruby-3.4.1/bin/ruby_executable_hooks:22:in 'Kernel#eval'
        from /home/alex/.rvm/gems/ruby-3.4.1/bin/ruby_executable_hooks:22:in '<main>'

Seems to require the -f json flag.

I tested on ruby 3.3.7 and it works as expected.

[erwanlr]

Fixed in v3.2.28 which was just released