WordPress

Open-source Content Management System (CMS)

WordPress is one of the most popular open source Content Management Systems (CMS) in the world. Written in PHP and usually runs on Apache with MySQL as a backend. xmlrpc communication replaced by WordPress API REST.

Tools

Tool	Details
wpscan	WordPress Security Scanner. wpscan --url <URL> --random-user-agent -o <OUTPUT> -e <value> --plugins-detection aggressive --api-token <API_KEY> wpscan --url <URL> --password-attack <xmlrpc/wp-login> -U <USER> -P <WORDLIST>
droopescan	A plugin-based scanner that aids security researchers in identifying issues with several CMS. droopescan scan wordpress --url <URL>

Default File Structure

/var/www/html
├── index.php
├── license.txt   (version WordPress)
├── readme.html
├── wp-activate.php
├── wp-admin      (admin login page)
|   └── ENDPOINT: /wp-admin/login.php, /wp-admin/wp-login.php, /login.php, /wp-login.php
├── wp-blog-header.php
├── wp-comments-post.php
├── wp-config.php   (database name, database host, username and password, authentication keys and salts, and the database table prefix.)
├── wp-config-sample.php
├── wp-content
|   ├── uploads   (not always)
|   ├── index.php
|   ├── plugins
|   └── themes
├── wp-cron.php
├── wp-includes  (core files like certificates, fonts, JavaScript and widgets)
├── wp-links-opml.php
├── wp-load.php
├── wp-login.php
├── wp-mail.php
├── wp-settings.php
├── wp-signup.php
├── wp-trackback.php
└── xmlrpc.php  (WordPress feature that allows data transmission with HTTP acting as the transport mechanism and XML as the encoding mechanism)

Default Users

Role	Description
Administrator	This user has access to administrative features within the website. This includes adding and deleting users and posts, as well as editing source code.
Editor	An editor can publish and manage posts, including posts by other users.
Author	Authors can publish and manage their own posts.
Contributor	These users can write and manage their own posts but cannot publish them.
Subscriber	These are regular users who can browse posts and edit their profiles.

Manual Enumeration

Version

Source code	Meta tag of name generator: <meta name="generator" content="WordPress 5.3.3" /> In CSS links: <link ... href='http://.../bootstrap.css?ver=5.3.3' ... /> In JS links: <script ... src='http://.../jquery.validationEngine-en.js?ver=5.3.3'>
readme.html	In the WordPress root directory
license.txt	In the WordPress root directory

Plugins

Passive	curl -s -X GET <SITE> | sed 's/href=/\n/g' | sed 's/src=/\n/g' | grep 'wp-content/plugins/*' | cut -d"'" -f2 Not all installed plugins can be passively detected.
Active	curl -I -X GET http://blog.inlanefreight.com/wp-content/plugins/mail-masta
Directory Indexing	Even if a plugin is deactivated, it may still be accessible (both to the scripts and functions associated with it). We navigate to the plugin directory, obtaining the list of files: http://<DOMAIN>/wp-content/plugins/<PLUGIN>/

Themes

Passive	curl -s -X GET <SITE> | sed 's/href=/\n/g' | sed 's/src=/\n/g' | grep 'themes' | cut -d"'" -f2 Not all installed themes can be passively detected.

User Enumeration

Author param	http://<DOMAIN>/?author=1 (1 is usually admin)
Users endpoint	WordPress ≤ 4.7.1 http://<DOMAIN>/wp-json/wp/v2/users | jq Show all users who had published a post

Attacks

Built-in

Login with Admin user. Click on Appearance on the side panel and select Theme Editor. This page will let us edit the PHP source code directly. An inactive theme can be selected to avoid corrupting the primary theme. Click on Select after selecting the theme, and we can edit an uncommon page such as 404.php to add a web shell. Click on Update File at the bottom to save. We know that WordPress themes are located at /wp-content/themes/<theme_name>.

curl http://<DOMAIN>/wp-content/themes/twentynineteen/404.php?cmd=id