
WordPress penetration testing

In this article we will see how to enumerate a WordPress website and how to find login credentials for it. We will use the wpscan tool, which ships with the Kali Linux OS.

Table of Contents:

  1. Introduction to WPscan

  2. Normal Scan

  3. Enumerating plugins

  4. Enumerating vulnerable plugins

  5. Enumerating themes

  6. Enumerating vulnerable themes

  7. Getting a session using metasploit

  8. Enumerating users and finding credentials

  9. Uploading a file to get reverse shell

  10. Uploading a payload

Introduction to WPscan

Use this link to get the latest version: git clone the repository, change into the wpscan directory with cd, then go into the bin directory and execute wpscan from there.

The tool performs black-box testing of a WordPress site to find its version and any vulnerable themes and plugins.

Normal Scan

In this section we will find the WordPress version with a single command.

The WordPress version is detected successfully. Command used:

./wpscan --url

Replace the URL with that of your target website. I am hosting a WordPress site on my local machine, so I used its URL.

Enumerating plugins

Plugins are small pieces of code that can be added to a WordPress website to extend its functionality.

With the command ./wpscan --url --enumerate p

we can list the plugins installed on the target WordPress website, as shown in the image.

Enumerating vulnerable plugins

Here only a single plugin is present, so checking it by hand is no problem, and it may well be vulnerable. When many plugins are detected, the command

./wpscan --url --enumerate vp

reports only the installed plugins that have known vulnerabilities in wpscan's database.

Enumerating themes

A theme controls the overall look of the website: fonts, font colours, font sizes and so on.

In the same fashion we can detect the installed WordPress themes. Command used:

./wpscan --url --enumerate t

Enumerating vulnerable themes

To scan for installed themes with known vulnerabilities, type the following command: ./wpscan --url --enumerate vt

No vulnerable themes were found.
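What the version, plugin and theme enumeration in the sections above actually relies on, as an added example (this is not the article's code and not wpscan's own implementation): a passive fingerprinting pass over a single WordPress front page that reads the version from the generator meta tag and pulls plugin and theme slugs, with their ?ver= versions, out of asset URLs under wp-content, then filters them against an advisory table the way the vp and vt options do. The HTML, the host, the slugs and the advisory entries are constructed sample data for this example; wpscan uses the WPScan vulnerability database for the real check.

```python
import re

# Constructed sample front page standing in for the target's HTML; the host,
# slugs and version strings are made up for this example.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<meta name="generator" content="WordPress 4.9.8" />
<link rel="stylesheet" href="http://192.168.56.101/wp-content/themes/twentyseventeen/style.css?ver=4.9.8" />
<link rel="stylesheet" href="http://192.168.56.101/wp-content/plugins/reflex-gallery/css/style.css?ver=3.1.3" />
<script src="http://192.168.56.101/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=5.0.4"></script>
<script src="http://192.168.56.101/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
</head><body></body></html>"""

# Constructed advisory table: {slug: [(title, first fixed version)]}. These are
# sample entries, not a copy of the WPScan vulnerability database.
SAMPLE_ADVISORIES = {
    "reflex-gallery": [("Arbitrary file upload", "3.1.4")],
    "contact-form-7": [("Privilege escalation", "5.0.4")],
}

GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"', re.I)
# wp-content/<plugins|themes>/<slug>/<path>?ver=<version>; the ?ver= part is optional.
ASSET_RE = re.compile(r'wp-content/(plugins|themes)/([A-Za-z0-9_-]+)/[^"\'\s?]*(?:\?ver=([A-Za-z0-9._-]+))?')


def fingerprint(html):
    """Passive enumeration of one page: WordPress version, plugins and themes."""
    m = GENERATOR_RE.search(html)
    version = m.group(1) if m else None
    plugins, themes = {}, {}
    for kind, slug, ver in ASSET_RE.findall(html):
        bucket = plugins if kind.lower() == "plugins" else themes
        bucket.setdefault(slug, ver or None)  # first sighting wins; '' means no ?ver= present
    return {"version": version, "plugins": plugins, "themes": themes}


def version_tuple(v):
    """'3.1.3' -> (3, 1, 3) so that versions compare numerically, not as strings."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def vulnerable_components(found, advisories):
    """The vp/vt step: keep only components that have an applicable advisory.
    A component whose version could not be read is reported as unconfirmed
    rather than dropped, since the advisory may still apply."""
    hits = []
    for slug, ver in found.items():
        for title, fixed_in in advisories.get(slug, []):
            if ver is None:
                hits.append((slug, ver, title, False))
            elif version_tuple(ver) < version_tuple(fixed_in):
                hits.append((slug, ver, title, True))
    return hits


if __name__ == "__main__":
    fp = fingerprint(SAMPLE_HTML)
    print("WordPress", fp["version"])
    print("plugins:", fp["plugins"])
    print("themes:", fp["themes"])
    for slug, ver, title, confirmed in vulnerable_components(fp["plugins"], SAMPLE_ADVISORIES):
        state = "confirmed" if confirmed else "version unknown"
        print(f"{slug} {ver or '?'}: {title} ({state})")
```

Two points worth noticing when reading the output: contact-form-7 is installed at exactly its fixed version, so the numeric comparison correctly drops it (a string comparison of "5.0.4" against "5.0.10" would get this wrong), and a plugin seen only through a URL with no ?ver= still surfaces as an unconfirmed hit, which is the case you have to verify by hand before reaching for an exploit.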

Getting a session using Metasploit

We detected a vulnerable plugin, and after searching in Metasploit we found an exploit module for it, which we will use to get a session. Check the module's description for the affected plugin versions before running it against the version wpscan reported.

exploit used : exploit/unix/webapp/wp_reflexgallery_file_upload

We can see that a meterpreter session has been opened successfully.

Enumerating users and finding credentials

There is a login page on every WordPress website for the admin panel; from there we can control the complete website, and it is

To log into the panel we need a username and password, so first we need to find a username. To find usernames we use the command:

./wpscan --url --enumerate u
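What the user enumeration step looks for, as an added example (this is not wpscan's code and not the article's): two of the sources a scanner checks, the REST API users endpoint (/wp-json/wp/v2/users) and the redirect that /?author=N gives to the author archive, parsed from constructed responses. The host, user names and response bodies are made up for this example; a live run would fetch them from the target.

```python
import json
import re
from urllib.parse import urlparse

# Constructed responses standing in for a live target; host and users are made up.
REST_USERS_BODY = json.dumps([
    {"id": 1, "name": "Site Admin", "slug": "admin", "link": "http://192.168.56.101/author/admin/"},
    {"id": 2, "name": "Editor", "slug": "editor", "link": "http://192.168.56.101/author/editor/"},
])
# What a site that blocks the endpoint returns instead of a list.
REST_DENIED_BODY = json.dumps({
    "code": "rest_user_cannot_view",
    "message": "Sorry, you are not allowed to list users.",
    "data": {"status": 401},
})

# /?author=N probes as (status, Location header). A redirect to /author/<slug>/
# leaks the user's nicename even when the REST endpoint is blocked.
AUTHOR_REDIRECTS = {
    1: (301, "http://192.168.56.101/author/admin/"),
    2: (301, "http://192.168.56.101/author/editor/"),
    3: (404, None),
    4: (301, "http://192.168.56.101/author/jdoe/"),
}

AUTHOR_SLUG_RE = re.compile(r"/author/([^/?#]+)/?")


def users_from_rest(body):
    """Parse GET /wp-json/wp/v2/users. Returns [] for an error object or bad JSON."""
    try:
        data = json.loads(body)
    except ValueError:
        return []
    if not isinstance(data, list):
        return []
    return [(u["id"], u.get("slug"), u.get("name"))
            for u in data if isinstance(u, dict) and "id" in u]


def users_from_author_redirects(probes):
    """Map author ID -> slug for every probe that redirected to an author archive."""
    found = {}
    for author_id, (status, location) in sorted(probes.items()):
        if status in (301, 302) and location:
            m = AUTHOR_SLUG_RE.search(urlparse(location).path)
            if m:
                found[author_id] = m.group(1)
    return found


def usernames(rest_body, probes):
    """Merge both sources into one sorted candidate list for the login attack."""
    names = {slug for _, slug, _ in users_from_rest(rest_body) if slug}
    names.update(users_from_author_redirects(probes).values())
    return sorted(names)


if __name__ == "__main__":
    print("open REST endpoint:", usernames(REST_USERS_BODY, AUTHOR_REDIRECTS))
    print("blocked REST endpoint:", usernames(REST_DENIED_BODY, AUTHOR_REDIRECTS))
```

The slug returned by both sources is the user's nicename, which usually but not always equals the login name, so treat the list as candidates to try rather than confirmed logins. The second print shows why blocking the REST endpoint alone is not enough on the defensive side: author-archive redirects still hand over the same names unless they are disabled too.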