WordPress Fuzzing

A collection of curl commands and explanations of where, within the WordPress directories, to fuzz for plugins or themes.

TIP: Review Custom Browser Search

Extracting Plugins

curl -s http://example.com | sed 's/href=/\n/g' | sed 's/src=/\n/g' | grep 'wp-content/plugins/*' | cut -d"'" -f2

Copy and store all the plugin names returned, then look each one up on the WPScan website:

https://wpscan.com/plugin/<PLUGIN>/

The plugin names returned by the command (highlighted in yellow on the original page) are the values to substitute for <PLUGIN> in the URL above.

wp-plugins

Be sure to fuzz the /wp-content/plugins/ directory, replacing <PLUGIN> with entries from the plugins.txt wordlist. The Plugin Scraper can be a good tool to generate a fresh list of currently active plugins. Test an old list as well: some plugins are removed from the WordPress store because they violate WordPress guidelines or are archived/closed, so new vulnerabilities in them won't be patched, yet the target website may still have one installed, either in a custom way or left over from a time when the plugin was active. Note the trailing / at the end of the directory path.

/wp-content/plugins/<PLUGIN>/

At times, depending on the server configuration, you must point the URL at a file inside the plugin directory, such as readme.txt, because a bare directory request won't necessarily produce the responses listed below.

Plugin Status         Response
Existing Plugin       403 Forbidden or 200 OK (blank response)
Non-Existing Plugin   404 Not Found

Cloudflare or another WAF may also answer with 403 Forbidden for some plugin paths, so a 403 on its own is ambiguous. Once the plugins have been identified, request the text files inside each existing plugin directory: readme.txt, README.txt, changelog.txt or CHANGELOG.txt.

Example: the plugin Contact Form 7 has been identified and readme.txt is the text file requested:

/wp-content/plugins/contact-form-7/readme.txt

The line Stable Tag: X.X.X in that file indicates the plugin version.
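As an added example that is not part of the original notes, the plugin/theme extraction above and the Stable Tag check implemented in Python, run over a constructed WordPress front page and a constructed readme.txt excerpt so it works offline. It is handy for checking which components your own site discloses to anonymous visitors; the SAMPLE_* inputs and all function names are assumptions of this example.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed stand-in for the output of `curl -s http://example.com`
SAMPLE_HTML = """
<link rel='stylesheet' id='contact-form-7-css' href='https://example.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.7' media='all' />
<link rel="stylesheet" href="https://example.com/wp-content/themes/astra/style.css?ver=4.1.5" />
<script src='https://example.com/wp-content/plugins/woocommerce/assets/js/frontend/woocommerce.min.js?ver=7.9.0'></script>
<script src="/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.7"></script>
<img src="/wp-content/uploads/2023/logo.png">
"""

# Constructed excerpt of /wp-content/plugins/<PLUGIN>/readme.txt
SAMPLE_README = """=== Contact Form 7 ===
Tags: contact, form
Requires at least: 6.2
Stable tag: 5.7.7
License: GPLv2 or later
"""

# href=/src= attribute values; unlike `cut -d"'"`, this accepts both quote styles
ASSET_ATTR = re.compile(r"""(?:href|src)\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
# Component type and slug, e.g. /wp-content/plugins/contact-form-7/
SLUG = re.compile(r"/wp-content/(plugins|themes)/([^/?#]+)/")
STABLE_TAG = re.compile(r"^\s*stable tag:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def extract_components(html: str) -> Dict[str, List[str]]:
    """Return {'plugins': [...], 'themes': [...]} in first-seen order, deduplicated."""
    found: Dict[str, List[str]] = {"plugins": [], "themes": []}
    for url in ASSET_ATTR.findall(html):
        path = urlparse(url).path  # drops scheme, host and the ?ver= query string
        m = SLUG.search(path)
        if m and m.group(2) not in found[m.group(1)]:
            found[m.group(1)].append(m.group(2))
    return found


def stable_tag(readme: str) -> Optional[str]:
    """Version from the 'Stable tag:' line of a plugin readme.txt, or None."""
    m = STABLE_TAG.search(readme)
    return m.group(1) if m else None


if __name__ == "__main__":
    comps = extract_components(SAMPLE_HTML)
    for slug in comps["plugins"]:
        print(f"plugin {slug}: https://wpscan.com/plugin/{slug}/")
    for slug in comps["themes"]:
        print(f"theme  {slug}: https://wpscan.com/theme/{slug}")
    print("contact-form-7 stable tag:", stable_tag(SAMPLE_README))
```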

Extracting Themes

curl -s http://example.com | sed 's/href=/\n/g' | sed 's/src=/\n/g' | grep 'themes' | cut -d"'" -f2

As in the plugin section above, you can run the same lookup on the WPScan website:

https://wpscan.com/theme/<THEME>

Be sure to fuzz the /wp-content/themes/ directory, replacing <FUZZ> with entries from the beast.txt wordlist. Fuzzing the theme directory is especially important because most companies want their own custom-made theme, and these themes are usually written by developers with little security awareness. For some reason themes aren't seen as "sensitive", so they may reveal very interesting and useful files such as metafiles.

Example: the theme astra has been identified. Fuzz from this directory onwards:

/wp-content/themes/astra/<FUZZ>