
WordPress

https://hacktricks.boitatech.com.br/pentesting/pentesting-web/wordpress#main-wordpress-files
https://github.com/relarizky/wpxploit

Collecting Info on Plugins and Themes

Identify plugins

wp-content/plugins

Browse the directory (listing is sometimes left enabled) or brute-force plugin directory names to gather plugin info

https://<target-website>/wp-content/plugins/

Plugin files
Identify plugins by checking for the existence of known plugin files, i.e. request files that belong to popular plugins. readme.txt usually carries a "Stable tag:" line giving the installed version.

https://<target-website>/wp-content/plugins/<PLUGIN-NAME>/readme.txt
https://<target-website>/wp-content/plugins/<PLUGIN-NAME>/<PLUGIN-NAME>.php

Theme Files
Identify by searching for active theme and style files

https://<target-website>/wp-content/themes/<THEME-NAME>/style.css

Source Code Examination

You can identify the active theme by examining the HTML source code of the page. Look for references to theme files:

<link rel='stylesheet' href='https://<target-website>/wp-content/themes/<THEME-NAME>/style.css' />

Auto-Scanning to Detect Themes

wpscan --url https://<target-website> --enumerate t
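The file-probing and source-code checks above, as a small Python fingerprinter. This is an added example written for these notes, not code from WPScan or wpxploit. It assumes plugin readme.txt files follow the wordpress.org header format (a "Stable tag:" line) and that the theme is linked from the page as /wp-content/themes/<name>/style.css; the candidate plugin names, the host target.example and the canned responses are constructed so the example runs offline. The soft-404 guard matters: a server that answers 200 for every path would otherwise "confirm" every plugin.

```python
"""Fingerprint installed plugins and the active theme from static files.

Constructed example for these notes; not code from WPScan or wpxploit.
Assumes readme.txt uses the wordpress.org header format ("Stable tag:")
and that the theme stylesheet is linked as /wp-content/themes/<name>/style.css.
"""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, Optional

# A fetcher maps a URL to its body, or None when the file is absent (404) or
# the request fails. Keeping it pluggable lets the parsing logic run offline.
Fetcher = Callable[[str], Optional[str]]

STABLE_TAG_RE = re.compile(r"^\s*Stable tag:\s*(\S+)", re.IGNORECASE | re.MULTILINE)
THEME_RE = re.compile(r"/wp-content/themes/([A-Za-z0-9_.-]+)/style\.css")

# Constructed sample candidates (plugin directory names, not display names);
# in practice feed in a real plugin-name wordlist.
CANDIDATE_PLUGINS = ["akismet", "contact-form-7", "wordfence", "revslider"]


def http_fetch(url: str, timeout: float = 5.0) -> Optional[str]:
    """Default fetcher: body for 2xx responses, None for 404s and errors."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", errors="replace")
    except (urllib.error.URLError, OSError):
        return None


def readme_version(body: str) -> Optional[str]:
    """Version from a plugin readme.txt ('trunk' means no tagged release)."""
    m = STABLE_TAG_RE.search(body)
    return m.group(1) if m else None


def looks_like_plugin_readme(body: str) -> bool:
    """Guard against soft-404s: a catch-all 200 page is not a readme."""
    return "Stable tag" in body or "== Description ==" in body


def active_theme(html: str) -> Optional[str]:
    """Theme directory name from the stylesheet <link> in the page source."""
    m = THEME_RE.search(html)
    return m.group(1) if m else None


def probe_plugins(base_url: str, candidates: Iterable[str],
                  fetch: Fetcher = http_fetch) -> Dict[str, str]:
    """Return {plugin: version} for every candidate whose readme.txt exists."""
    base = base_url.rstrip("/")
    found: Dict[str, str] = {}
    for name in candidates:
        body = fetch(f"{base}/wp-content/plugins/{name}/readme.txt")
        if body is not None and looks_like_plugin_readme(body):
            found[name] = readme_version(body) or "unknown"
    return found


def fingerprint(base_url: str, fetch: Fetcher = http_fetch) -> Dict[str, object]:
    """Theme detection from the homepage source plus plugin probing."""
    homepage = fetch(base_url.rstrip("/") + "/") or ""
    return {"theme": active_theme(homepage),
            "plugins": probe_plugins(base_url, CANDIDATE_PLUGINS, fetch)}


# --- constructed offline responses standing in for a target ---------------
_SAMPLE_SITE = {
    "https://target.example/": (
        "<html><head>"
        "<link rel='stylesheet' href='https://target.example/wp-content/"
        "themes/twentytwentyfour/style.css' />"
        "</head></html>"),
    "https://target.example/wp-content/plugins/akismet/readme.txt": (
        "=== Akismet Anti-spam ===\nRequires at least: 5.8\n"
        "Stable tag: 5.3\n\n== Description ==\n"),
    # soft-404: the server answers 200 with a generic page for any path
    "https://target.example/wp-content/plugins/revslider/readme.txt": (
        "<html><body>Page not found</body></html>"),
}


def sample_fetch(url: str) -> Optional[str]:
    return _SAMPLE_SITE.get(url)


def demo() -> Dict[str, object]:
    return fingerprint("https://target.example", sample_fetch)


if __name__ == "__main__":
    print(demo())
```

Swap sample_fetch for http_fetch (the default) to run it against a live host; each candidate costs one request, so keep the candidate list tight on a rate-limited target.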

WPScan

WP Scan - WordPress scanner

https://hacktricks.boitatech.com.br/pentesting/pentesting-web/wordpress
This can reveal plugins and version numbers; run it a few times, as it sometimes fails to get a connection.

wpscan --url http://$IP/wp/
WP Brute Forcing

https://hackviser.com/tactics/tools/wpcan
https://medium.com/@rameezrasheed1290/coldbox-easy-walkthrough-1955182c94fb
This is definitely worth running against any users you find. It is noisy (every attempt is a failed login in the logs) and lockout plugins such as Wordfence or Limit Login Attempts will block the account; where XML-RPC is enabled, --password-attack xmlrpc-multicall tries many passwords per request.

wpscan --url http://$IP/wp/wp-login.php -U Admin --passwords /usr/share/wordlists/rockyou.txt --password-attack wp-login
wpscan --url http://192.168.133.239 -U c0ldd -P /usr/share/wordlists/rockyou.txt

Enumerate users

wpscan --url http://example.com --enumerate u
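What wpscan --enumerate u is doing under the hood, as an added Python example written for these notes (it is not wpscan's code). It uses three default WordPress behaviours, any of which a hardened site may disable: /?author=N redirects to /author/<slug>/ when user ID N exists, /wp-json/wp/v2/users lists users who have published posts, and wp-login.php returns different error text for a known versus an unknown username. The host target.example, the user names and the canned responses are constructed so it runs offline; http_fetch is the real fetcher.

```python
"""Enumerate WordPress usernames the way wpscan --enumerate u does.

Constructed example for these notes; not wpscan's code. The fetcher is
pluggable so the parsing runs offline against constructed responses.
"""
import json
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

Response = Tuple[int, Dict[str, str], str]            # status, headers, body
Fetcher = Callable[[str, Optional[bytes]], Response]  # (url, POST data) -> Response


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx: the Location header is the signal we want."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_opener = urllib.request.build_opener(_NoRedirect)


def http_fetch(url: str, data: Optional[bytes] = None) -> Response:
    """Real fetcher: returns (status, lower-cased headers, body); 3xx/4xx too."""
    req = urllib.request.Request(url, data=data, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with _opener.open(req, timeout=5) as r:
            return r.status, {k.lower(): v for k, v in r.headers.items()}, r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:      # unfollowed redirects land here
        return e.code, {k.lower(): v for k, v in e.headers.items()}, e.read().decode("utf-8", "replace")
    except OSError:
        return 0, {}, ""


AUTHOR_RE = re.compile(r"/author/([^/?#]+)/?")


def author_slug(resp: Response) -> Optional[str]:
    """Slug from the /author/<slug>/ redirect that a /?author=N probe triggers."""
    status, headers, _ = resp
    if status not in (301, 302):
        return None
    m = AUTHOR_RE.search(headers.get("location", ""))
    return m.group(1) if m else None


def users_from_rest(body: str) -> List[Tuple[str, str]]:
    """(slug, display name) pairs from the wp/v2/users JSON listing."""
    try:
        data = json.loads(body)
    except ValueError:
        return []
    if not isinstance(data, list):
        return []
    return [(u["slug"], u.get("name", "")) for u in data if isinstance(u, dict) and "slug" in u]


def login_error_says_user_exists(body: str) -> Optional[bool]:
    """Classify a failed login: True = user exists, False = unknown, None = no verdict."""
    if "is not registered on this site" in body or "Invalid username" in body:
        return False
    if "The password you entered for the username" in body:
        return True
    return None


def enumerate_users(base_url: str, fetch: Fetcher = http_fetch,
                    max_author_id: int = 10, login_probes: Iterable[str] = ()) -> Set[str]:
    base = base_url.rstrip("/")
    users: Set[str] = set()
    for n in range(1, max_author_id + 1):
        slug = author_slug(fetch(f"{base}/?author={n}", None))
        if slug:
            users.add(slug)
    status, _, body = fetch(f"{base}/wp-json/wp/v2/users", None)
    if status == 200:
        users.update(slug for slug, _ in users_from_rest(body))
    for name in login_probes:   # noisy: each probe is a failed login in the logs
        form = urllib.parse.urlencode({"log": name, "pwd": "not-the-password", "wp-submit": "Log In"}).encode()
        _, _, body = fetch(f"{base}/wp-login.php", form)
        if login_error_says_user_exists(body):
            users.add(name)
    return users


# --- constructed responses standing in for a target ------------------------
_SITE = "https://target.example"
_SAMPLE: Dict[str, Response] = {
    f"{_SITE}/?author=1": (301, {"location": f"{_SITE}/author/admin/"}, ""),
    f"{_SITE}/?author=2": (301, {"location": f"{_SITE}/author/c0ldd/"}, ""),
    f"{_SITE}/wp-json/wp/v2/users": (200, {}, json.dumps([{"id": 3, "name": "Jerry", "slug": "jerry"}])),
}


def sample_fetch(url: str, data: Optional[bytes] = None) -> Response:
    if url.endswith("/wp-login.php") and data is not None:
        user = urllib.parse.parse_qs(data.decode())["log"][0]
        if user == "tom":   # constructed: 'tom' is the only valid login-probe user
            return 200, {}, "<div id='login_error'>Error: The password you entered for the username <strong>tom</strong> is incorrect.</div>"
        return 200, {}, f"<div id='login_error'>Error: The username <strong>{user}</strong> is not registered on this site.</div>"
    return _SAMPLE.get(url, (404, {}, "Not Found"))


def demo() -> Set[str]:
    return enumerate_users(_SITE, sample_fetch, max_author_id=3, login_probes=["tom", "nobody"])


if __name__ == "__main__":
    print(sorted(demo()))
```

The author-ID and REST checks are passive reads; the login-probe check is the one that shows up as failed logins, so leave login_probes empty when you want the quieter variant.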

Passive
Info gathering ops with minimal traces and no changes to target

wpscan --url https://example.com --detection-mode passive

Aggressive
More extensive and intensive info gathering operations

wpscan --url https://example.com --detection-mode aggressive

Mixed (the default)
Combination: passive checks first, with additional aggressive requests only where needed to gather more

wpscan --url https://example.com --detection-mode mixed

Build a site-specific password list with cewl (try different depths -d and minimum word lengths -m). With -P but no -U, wpscan enumerates users itself and then brute-forces each of them with that list; the file below is a password candidate list despite its name.

cewl -d 3 http://dc-2 > users1.txt

wpscan --url http://dc-2 --enumerate u -P users1.txt

Info about plugins

If wpscan is blocked or keeps failing, wpxploit (linked at the top) is a fallback plugin enumerator

python3 exploit.py http://192.168.133.239 5 15

Vulnerable plugins (needs an --api-token from wpscan.com; without it wpscan still lists the plugins but cannot flag known vulnerabilities)

wpscan --url https://example.com --enumerate vp

All plugins

wpscan --url https://example.com --enumerate ap

Popular plugins

wpscan --url https://example.com --enumerate p

Information about themes

Vulnerable (same --api-token requirement as for plugins)

wpscan --url https://example.com --enumerate vt

All

wpscan --url https://example.com --enumerate at

Popular

wpscan --url https://example.com --enumerate t
