Search

/?s=search_term
/?search=search_term

You can search within this field if the s or search parameter is blocked:

/search/{search_here}/

These are the parameters used on WordPress sites. There have been instances of SQL injection on this parameter even though it is a default parameter. I would assume it's because the admin has done something custom, or because some plugin they have installed is vulnerable to this. In some instances, a search function isn't visible on the website. Adding the search parameter may still allow you to search within the application if the function isn't disabled.

Page Enumeration

/?p=n
/?page=n

Replace n with an integer to enumerate the application's pages. If you are lucky, a sensitive function might be exposed, such as a file upload, or other sensitive information. Often the results are mostly garbage posts, and you may need to enumerate for a long time. Remember that if the WordPress site is old, IDs in e.g. the 0-1k range may not return pages, while 1k and onwards might return positive responses. This is because some pages/posts may have been removed at some point.

User Enumeration

/?author=X

Replace X with an integer to enumerate the application's usernames. The application reveals the username either by redirecting you with a 3xx response, where the username may appear in the Location header, or by responding directly with a 200 OK for the author's page at /author/admin, where admin is the username used to sign into the application.

These are a couple of other bypasses if a WAF, plugin or filter blocks your requests. In this instance, a user with the integer X is enumerated (change X to the desired value):

/?author={num:X}
/?author={X}
/?author=%X
/?author=%25X
/?author=aX
/?author[]=X

WAF Bypass - REST API

This could potentially bypass a WAF if the WAF only checks the path and not the parameter value.

/?rest_route=
/?rest_route=/wp/v2/users
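
From the defender's side, the author variants and the rest_route form above only get past rules that match a literal path or a clean integer. The following is an added example, not part of the original page: a log check that decodes the query string before matching. The log format, the reason labels and the sample lines are assumptions made for the example; /wp-json/wp/v2/users is the standard path form of the same REST route.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined-log-format fields we need: client, request target, status.
LOG_LINE = re.compile(r'^(\S+) .*?"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+" (\d{3})')
USERS_ROUTE = re.compile(r"^/wp/v2/users(/|$)")

def naive_path_rule(target):
    """Path-only rule: matches the REST users path, never looks at parameters."""
    return unquote(urlsplit(target).path).startswith("/wp-json/wp/v2/users")

def classify(target):
    """Return why a request target looks like user enumeration, else None."""
    if naive_path_rule(target):
        return "rest-users-path"
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = unquote(value)  # second decode, so %25X is seen as %X
        # author[]=X reaches PHP under the same author key (as an array); any
        # digit in the value covers the wrapped and prefixed forms listed above.
        if key.lower() in ("author", "author[]") and re.search(r"\d", value):
            return "author-id"
        if key.lower() == "rest_route" and USERS_ROUTE.match(value):
            return "rest-users-param"
    return None

def scan(lines):
    """Group flagged requests by client address: {ip: [(reason, status), ...]}."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line)
        reason = classify(m.group(2)) if m else None
        if reason:
            hits[m.group(1)].append((reason, int(m.group(3))))
    return dict(hits)

# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0',
    '203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /?author={num:2} HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "GET /?author=%253 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "GET /?author[]=4 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "GET /?rest_route=/wp/v2/users HTTP/1.1" 200 812',
    '198.51.100.9 - - [10/Mar/2024:10:01:00 +0000] "GET /?s=holiday+hours HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for ip, found in scan(SAMPLE_LOG).items():
        print(ip, found)
```

The path-only rule matches none of the sample lines, while the decoded check attributes five requests to one client, which is the gap the section above describes.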

WAF Bypass - Feed Endpoint

/?feed=rss
/?feed=rss2
/?feed=rdf
/?feed=atom