The scanner is used by a lot of security folks, as well as other service and product vendors. The plugin has historically been split-licensed, sort of, between the GPL and some kind of home-cooked non-commercialization clause. The problem is that the GPL can’t come with a clause like that.
It turns out that folks did package WPScan with commercial entities, and then the WPScan folks got upset (so the story goes, at least). Now, they’ve changed the license, but without getting the approval of the contributors, which the license change requires. You may recall VVV establishing a license recently as well (GitHub discussion | WPTavern story), where they had to get contributor approval just to go from unlicensed to MIT.
Moral of the story: your license matters, so consider it wisely. And if you choose to adopt a license, know what you can and can’t do with it. With the GPL, one of the repercussions — or freedoms, considered differently — is that people can still monetize your freely provided code. That’s one of the things you accept.