WordPress

wp hints

wpscan

$ wpscan --url http://10.10.13.37/wp/ --api-token <API_TOKEN> --force -e ap [--plugins-detection aggressive] --disable-tls-checks -o wpscan.out
$ wpscan --url http://10.10.13.37/wp/ --api-token <API_TOKEN> --force --passwords /usr/share/sec


Basic Information

Main files and directories

wp-config.php - contains the information WordPress needs to connect to the database (database name, host, username and password), the authentication keys and salts, and the database table prefix. This configuration file can also be used to activate DEBUG mode, which can be useful in troubleshooting.

wp-activate.php - is used for the email activation process when setting up a new WordPress site.

license.txt - contains useful information such as the version of WordPress installed.

/wp-admin/login.php | /wp-admin/wp-login.php | /login.php | /wp-login.php - Login routes.

xmlrpc.php - implements the WordPress XML-RPC API, which lets data be transmitted with HTTP as the transport mechanism and XML as the encoding mechanism.

wp-content - main directory where plugins and themes are stored.

wp-content/uploads/ - directory where any files uploaded to the platform are stored.

wp-includes/ - directory where core files are stored, such as certificates, fonts, JavaScript files, and widgets.

wp-admin/setup-config.php - WordPress installation script that creates or configures the wp-config.php file to connect to the database.

wp-signup.php - WordPress script that handles user registration.

/wp-content/debug.log - default WordPress error log file where PHP errors, warnings, and notices are recorded when debugging is enabled.

User roles

  • Administrator: Can do everything

  • Editor: Publishes and manages their own and others' posts

  • Author: Publishes and manages their own posts

  • Contributor: Writes and manages their own posts but cannot publish them

  • Subscriber: Browses posts and edits their own profile

WordPress in a specific route

Sometimes WordPress lives under a specific directory of the application, for example /blog/, so during scanning and other actions do not forget to specify the full WordPress URL: https://site.com/blog/

Also, always check Wappalyzer to see whether WordPress is present on the site. Maybe you just haven't found the directory where it is located yet.


Information gathering

WordPress version

  1. Check if you can find the files /license.txt or /readme.html

  2. Via HTML:

  • meta name <meta name="generator" content="WordPress 5.6-beta3-49545" />

  • CSS links <link rel='stylesheet' id='dashicons-css' href='https://site.com/wp-includes/css/dashicons.min.css?ver=6.6.2' media='all' />

  • JS links <script src='https://site.com/support/wp-content/themes/pub/wporg-support/js/forums.js?ver=20200318'>

Plugins

curl -s -X GET https://site.com/support/article/pages/ | grep -E 'wp-content/plugins/' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2

Themes

curl -s -X GET https://site.com/support/article/pages/ | grep -E 'wp-content/themes' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2

Extract versions in general

curl -s -X GET https://site.com/support/article/pages/ | grep http | grep -E '\?ver=' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2
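As an added example (not from the original page), the three curl pipelines above reimplemented in Python as a parser over a saved HTML page: it reports the generator meta tag, plugin and theme slugs with their ?ver= values, and every versioned asset, so a site owner can see exactly what version information the rendered page discloses. The HTML is a constructed sample, and the slug extraction assumes the standard /wp-content/plugins/<slug>/ and /wp-content/themes/<slug>/ layout.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample of a rendered WordPress page (not captured from a real site).
SAMPLE_HTML = """
<meta name="generator" content="WordPress 5.6-beta3-49545" />
<link rel='stylesheet' id='dashicons-css' href='https://site.com/wp-includes/css/dashicons.min.css?ver=6.6.2' media='all' />
<link rel='stylesheet' href='https://site.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.9.8' />
<script src='https://site.com/wp-content/themes/twentytwentyfour/assets/js/nav.js?ver=1.0'></script>
<script src="https://site.com/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.9.8"></script>
<img src="https://site.com/wp-content/uploads/2024/01/logo.png">
"""

# Same idea as the sed/awk pipelines: every href= or src= value, single- or double-quoted.
URL_RE = re.compile(r"""(?:href|src)=['"]([^'"]+)['"]""")
GENERATOR_RE = re.compile(r"""<meta\s+name=["']generator["']\s+content=["']([^"']+)["']""", re.I)


def fingerprint(html):
    """Return what the HTML discloses: core version, plugin/theme slugs, and ?ver= per asset path."""
    info = {"generator": None, "plugins": {}, "themes": {}, "versions": {}}
    m = GENERATOR_RE.search(html)
    if m:
        info["generator"] = m.group(1)
    for url in URL_RE.findall(html):
        parsed = urlparse(url)
        ver = parse_qs(parsed.query).get("ver", [None])[0]
        parts = parsed.path.split("/")
        if "wp-content" in parts:
            # /wp-content/plugins/<slug>/... -> the slug is the element right after "plugins"
            for kind in ("plugins", "themes"):
                if kind in parts and parts.index(kind) + 1 < len(parts):
                    slug = parts[parts.index(kind) + 1]
                    info[kind].setdefault(slug, set())
                    if ver:
                        info[kind][slug].add(ver)
        if ver:
            info["versions"][parsed.path] = ver
    return info


if __name__ == "__main__":
    result = fingerprint(SAMPLE_HTML)
    print("core:", result["generator"])
    print("plugins:", result["plugins"])
    print("themes:", result["themes"])
    for path, ver in result["versions"].items():
        print(f"{ver:>8}  {path}")
```

To check a real site you own, save its front page (for example with curl -s) and call fingerprint() on the file contents.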

Nuclei

Default templates

Command: nuclei -u https://site.com/ -rl 15 -tags wordpress

Nuclei-wordfence-cve templates

Link to templates: https://github.com/topscoder/nuclei-wordfence-cve

Command: nuclei -t nuclei-wordfence-cve/nuclei-templates -u https://site.com/ -rl 15

WPScan (Aggressive scan with rate limits)

Command: wpscan --url https://site.com/ --api-token <token> --plugins-detection aggressive --max-threads 1 --disable-tls-checks


Where to find PoCs for CVEs

Once you have compiled a list of potential CVEs, I recommend searching for PoCs on the following resources:

  1. Search globally in Telegram among all your chats

  2. Through Google, duckduckgo and other search engines

  3. x.com

  4. HackerOne

  5. wpscan sometimes gives links to PoCs


User Enum

Brute-forcing user IDs

wp-json

/blog/wp-json/oembed/1.0/embed

/blog/feed/rdf/


SSRF

xmlrpc.php

/wp-json/oembed/1.0/proxy


XMLRPC features

List Methods

Credentials Bruteforce

DDoS or port scanning

Upload file


wp-cron.php DoS

This file usually exists under the root of the WordPress site: /wp-cron.php. When this file is accessed, a "heavy" MySQL query is performed, so it could be used by attackers to cause a DoS. Also, by default, wp-cron.php is called on every page load (any time a client requests any WordPress page), which on high-traffic sites can cause problems (DoS). Furthermore, an attacker can use xmlrpc.php to send requests to wp-cron.


debug.log

Sometimes you can read the WordPress debug.log file, which records PHP errors, warnings, and other notices. This file may contain various useful information.


setup-config.php

The WordPress 'setup-config.php' installation page allows users to install WordPress against a local or remote MySQL database. Completing it normally requires the user to have valid MySQL credentials. However, a malicious user can host their own MySQL database server and successfully complete the WordPress installation, a scenario known as WordPress takeover.


References

  • https://github.com/projectdiscovery/nuclei-templates/tree/main/http/vulnerabilities/wordpress

  • https://hackerone.com/reports/1626205

  • https://hacktricks.boitatech.com.br/pentesting/pentesting-web/wordpress#wp-cron.php-dos

  • https://gist.github.com/verticalgrain/eb694cfbc8ac7da7ae8d876858019921

  • https://gist.github.com/loorlab/3278c30b964567bc82d0
