WordPress

WordPress is a web content management system. It was originally created as a tool to publish blogs but has evolved to support publishing other web content, including more traditional websites, mailing lists and Internet forums, media galleries, membership sites, learning management systems and online stores.

Programmed in: PHP (PHP: Hypertext Preprocessor)

Back-end database: MySQL (the majority of installs) or MariaDB

OS: about 90% of installs run on a Unix-like system, but it can also run on Windows

WordPress Roles:

Super Admin - Can manage network settings, users, themes, and plugins across all sites in a multisite network

Administrator - Has full access to all features and settings within the site

Editor - Can publish and manage posts, including those of other users

Author - Can publish and manage their own posts

Contributor - Can write and manage their own posts but cannot publish them

Subscriber - Can only read content and manage their own profile

Default Credentials:

Source

Nowadays the installer generates a random password, but in older versions this was the default:

admin:password

WordPress Documentation

WordPress Methodology

  • Missing Headers
    • Content-Security-Policy
    • X-Content-Type-Options
    • X-Frame-Options - RFC7034 Documentation
    • Strict-Transport-Security - RFC6797 Documentation
      • max-age directive must be 31536000 seconds (365 days) or more
      • includeSubDomains directive set? (so that subdomains are covered too)
      • preload directive must be set
      • Is the domain registered in the preload list? (specifically the eTLD+1)
  • Fuzz through all the HTTP Methods/Verbs
  • Mess with the Host header. See Host Header Exploitation and WP <=4.7.4
    • Send without a value in Host header
    • Send only the URI without any Host header using HTTP/1.0 (e.g. GET / HTTP/1.0)
  • OSINT
    • Check /robots.txt for exposed/interesting endpoints
    • Check archive.org for exposed/interesting endpoints
    • Check <INSERT_SEARCH_ENGINE> for exposed/interesting endpoints (e.g. site:www.example.com inurl:/author/)
    • Gather all Emails and Usernames that may hint towards an email - Check for Password leaks online
  • Check if WordPress login is Publicly Exposed
    • Check if Registration page is accessible (Disabled by default)
    • Test for client-side ReDoS via a vulnerable zxcvbn
    • User Enumeration - Make use of WAF Bypasses
      • User Enumeration via Response Error Messages in Login /wp-login.php
      • User Enumeration via Response Error Messages in Forgot Password /wp-login.php?action=lostpassword
      • Time-Based User Enumeration in Login /wp-login.php
      • Time-Based User Enumeration in Forgot Password /wp-login.php?action=lostpassword
    • Anti-automation - Make use of WAF Bypasses
      • Anti-automation via Login /wp-login.php
      • Anti-automation via Forgot Password /wp-login.php?action=lostpassword
  • User Exposure via Multiple Endpoints
/feed/
/feed/rdf/
/feed/rss/
/feed/rss2/
/feed/atom/
/?feed=rdf
/?feed=rss
/?feed=rss2
/?feed=atom
/wp-rdf.php
/wp-rss.php
/wp-rss2.php
/wp-atom.php
/search/<FUZZ_THROUGH_ALPHABET_AND_NUMBERS>/feed/rdf/
/search/<FUZZ_THROUGH_ALPHABET_AND_NUMBERS>/feed/rss/
/search/<FUZZ_THROUGH_ALPHABET_AND_NUMBERS>/feed/rss2/
/search/<FUZZ_THROUGH_ALPHABET_AND_NUMBERS>/feed/atom/
/?author=1
/?s=<FUZZ_THROUGH_ALPHABET_AND_NUMBERS>
/?search=<FUZZ_THROUGH_ALPHABET_AND_NUMBERS>
/author-sitemap.xml
/author/<USERNAME>/
/wp-json/wp/v2/users
/wp-json/wp/v2/uSErS
/wp-json/wp/v2/users/1/
/wp-json/wp/v2/uSErS/1/
/?rest_route=/wp/v2/users
/?rest_route=/wp/v2/uSErS
/?rest_route=/wp/v2/users/1
/?rest_route=/wp/v2/uSErS/1
/wp-sitemap-users-1.xml
/wp-json/oembed/1.0/embed?url=https://<VICTIM_WEBSITE>/
/wp-json/oembed/1.0/embed?url=https://<VICTIM_WEBSITE>/&format=xml
/wp-json/oembed/1.0/embed?url=https://<VICTIM_WEBSITE>/&format=js
  • Directory discovery by fuzzing root page
  • Check for Vulnerable Components (Client-side and Server-side components)
  • Check for Vulnerable Plugins /wp-content/plugins/<PLUGIN>/
  • Check for Vulnerable Themes /wp-content/themes/<THEME>/
    • Fuzz from the /wp-content/themes/<THEME>/FUZZ endpoint and onwards (only if a custom-made theme is in use)
  • Check for Vulnerable /xmlrpc.php - See this page
  • WAF bypass (WPEngine) - See this page
  • Check whether /wp-cron.php returns a 200 OK response
  • Non-protected Google Maps API key - See this page
  • Perform a portscan
sudo nmap -p- -sS <DOMAIN>
  • Fuzz through all the default WordPress parameters - See this page
/?s=search_term
/?search=search_term
/?p=n
/?page=n
/?author=X
  • Check common places for Directory Listing - site:www.example.com intitle:"index of"
    • Check /wp-includes/ for enabled listing
    • Check /wp-content/ for enabled listing
    • Check /wp-content/uploads/ for enabled listing
    • Check /wp-content/plugins/<PLUGIN>/ for enabled listing
    • Check /wp-content/themes/<THEME>/ for enabled listing
  • Check the REST API (/wp-json/) for interesting/uncommon endpoints - they may carry hidden parameters vulnerable to SQLi/XSS
  • Check for Log and Backup Files in root, /wp-content/* and /wp-content/uploads/* - See this page
  • Check for a potential Verbose Error Message /wp-links-opml.php?link_cat[]
  • Attempt to access WPEngine's Database Credentials /_wpeprivate/config.json || /_wpeprivate/config%2Ejson
  • Attempt to access WordPress Configuration file
/wp-config.php
/wp-config%2Ephp
/wp-config.php.save
/wp-config%2Ephp.save
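Added example (not part of the original checklist): a PHP function that audits a Strict-Transport-Security value against the HSTS criteria listed above (max-age of at least 31536000 seconds, includeSubDomains, preload). Preload-list membership cannot be checked offline, so that item is left to the tester; the sample header values at the bottom are constructed.

```php
<?php
// Audit an HSTS header value. Returns a list of findings; an empty array means all
// offline checks passed. Directive names are case-insensitive (RFC 6797 section 6.1)
// and values may be quoted, so both are normalised before comparison.
function audit_hsts(?string $header): array
{
    if ($header === null || trim($header) === '') {
        return ['Strict-Transport-Security header is missing'];
    }

    $directives = [];
    foreach (explode(';', $header) as $token) {
        $token = trim($token);
        if ($token === '') {
            continue;
        }
        [$name, $value] = array_pad(explode('=', $token, 2), 2, null);
        $directives[strtolower(trim($name))] = $value === null ? true : trim($value, " \t\"");
    }

    $findings = [];
    $maxAge = $directives['max-age'] ?? null;
    if (!is_string($maxAge) || !preg_match('/^\d+$/', $maxAge)) {
        $findings[] = 'max-age directive missing or not a number';
    } elseif ((int) $maxAge < 31536000) {
        $findings[] = "max-age below 31536000 seconds (365 days): $maxAge";
    }
    if (!isset($directives['includesubdomains'])) {
        $findings[] = 'includeSubDomains not set; subdomains are not covered';
    }
    if (!isset($directives['preload'])) {
        $findings[] = 'preload not set; the domain cannot be accepted into the preload list';
    }
    return $findings;
}

// Constructed sample values (not taken from any real site).
var_dump(audit_hsts('max-age=31536000; includeSubDomains; preload')); // no findings
var_dump(audit_hsts('max-age=300'));                                  // three findings
var_dump(audit_hsts(null));                                           // header missing
```

Added example (not part of the original page and not WordPress core code): a must-use plugin that closes the user-disclosure endpoints listed under "User Exposure via Multiple Endpoints" for anonymous visitors. It assumes a standard WordPress install with the REST API, sitemaps (WP 5.5+) and oEmbed enabled; the file goes into wp-content/mu-plugins/.

```php
<?php
/*
Plugin Name: Reduce user exposure (added example, not part of WordPress core)
Description: Hides user logins/display names from the REST API, author archives,
the users sitemap, oEmbed responses and feeds for visitors who are not logged in.
*/

// /wp-json/wp/v2/users and /?rest_route=/wp/v2/users resolve to the same REST route, and
// routes are matched case-insensitively, so removing the route also covers the uSErS variant.
add_filter('rest_endpoints', function (array $endpoints): array {
    if (is_user_logged_in()) {
        return $endpoints;
    }
    foreach (array_keys($endpoints) as $route) {
        if (strpos($route, '/wp/v2/users') === 0) {
            unset($endpoints[$route]);
        }
    }
    return $endpoints;
});

// /?author=1 normally redirects to /author/<login>/. Answer 404 at priority 1, i.e. before
// redirect_canonical (priority 10) gets the chance to leak the login in the Location header.
add_action('template_redirect', function (): void {
    if (is_author() && !is_user_logged_in()) {
        global $wp_query;
        $wp_query->set_404();
        status_header(404);
        nocache_headers();
    }
}, 1);

// Drop the users sitemap provider (/wp-sitemap-users-1.xml); post and taxonomy sitemaps stay.
add_filter('wp_sitemaps_add_provider', function ($provider, string $name) {
    return 'users' === $name ? false : $provider;
}, 10, 2);

// Strip author_name/author_url from oEmbed responses (/wp-json/oembed/1.0/embed?url=...).
add_filter('oembed_response_data', function (array $data): array {
    unset($data['author_name'], $data['author_url']);
    return $data;
});

// Feeds (/feed/, /?feed=rss2, ...) emit dc:creator via the_author(); show the site name instead.
add_filter('the_author', function ($name) {
    return is_feed() ? get_bloginfo('name') : $name;
});
```

After deploying, re-run the endpoint list above as an anonymous client to confirm that each one now returns 404 or no author data.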

TIP:

  • Manual Vulnerability Review of Component/Version:
https://wpscan.com/plugin/<PLUGIN>/
https://wpscan.com/theme/<THEME>/
https://wpscan.com/wordpress/654/
  • Check a plugin's source code for vulnerabilities:
https://plugins.trac.wordpress.org/browser/<PLUGIN>/
  • SQLmap sample syntax:
sqlmap -r request.txt --random-agent -v 3 --tamper="between,randomcase,space2comment" --level 3 --technique=B --dbms=mysql --suffix=")--" --string="Test" --sql-query="select user_login,user_pass from wp_users"
  • WPscan sample syntax:
wpscan --url www.example.com --api-token <API_KEY> --random-user-agent