# WordPress

## Search for existing vulnerabilities:

<https://www.wordfence.com/threat-intel/vulnerabilities/?page=1#jump>

## Main WordPress Files:

* `index.php`
* `license.txt` contains useful information such as the installed WordPress version.
* `/readme.html`
* `wp-activate.php` is used for the email activation process when setting up a new WordPress site.
* `/wp-admin/login.php`
* `/wp-admin/wp-login.php`
* `/login.php`
* `/wp-login.php`
* `xmlrpc.php`
* `wp-content` folder is the main directory where plugins and themes are stored.
* `wp-content/uploads/` is the directory where any files uploaded to the platform are stored.
* `wp-includes/` is the directory where core files are stored, such as certificates, fonts, JavaScript files, and widgets.
* `wp-sitemap.xml`: in WordPress 5.5 and later, WordPress generates a sitemap XML file listing all public posts and publicly queryable post types and taxonomies.
* `wp-config.php`
* `/wp-content/debug.log`

## Passive Enumeration:

### Dorks:

```
intext:wordpress inurl:wp-config ext:txt
intext:wordpress ext:sql
```


### Get WordPress version:

Check if you can find the files `/license.txt` or `/readme.html`.

* Grep: `curl https://victim.com/ | grep 'content="WordPress'`
* meta name: the `<meta name="generator" content="WordPress x.y.z">` tag in the page head.
* CSS link files: the `?ver=` parameter appended to stylesheet links.
* JavaScript files: the `?ver=` parameter appended to script sources.

### Get Plugins:

```bash
# Print every wp-content/plugins/ URL referenced by the page (plugin slug is the path component after plugins/)
curl -H 'Cache-Control: no-cache, no-store' -L -ik -s https://wordpress.org/support/article/pages/ | grep -E 'wp-content/plugins/' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2
```

### Get themes:

```bash
# Same pipeline for wp-content/themes/ URLs (theme slug is the path component after themes/)
curl -s -X GET https://wordpress.org/support/article/pages/ | grep -E 'wp-content/themes' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2
```

### Extract versions in general:

```bash
# Every asset URL carrying a ?ver= query string (core, plugin and theme versions); the ? is escaped so grep -E treats it literally
curl -H 'Cache-Control: no-cache, no-store' -L -ik -s https://wordpress.org/support/article/pages/ | grep http | grep -E '\?ver=' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2
```
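As an added example (not from the original notes), the same passive fingerprinting in Python so it can run over saved HTML offline: it pulls the core version from the generator meta tag, plugin and theme slugs from `wp-content` paths, and each asset's `?ver=` value. The HTML below is constructed and `example.test` is a placeholder host.

```python
import re

# Constructed front-page HTML in the shape WordPress emits; example.test is a placeholder host.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 6.4.2" />
<link rel='stylesheet' id='contact-form-7-css' href='https://example.test/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.8.4' />
<link rel='stylesheet' id='twentytwentythree-style-css' href='https://example.test/wp-content/themes/twentytwentythree/style.css?ver=1.3' />
<script src='https://example.test/wp-includes/js/jquery/jquery.min.js?ver=3.7.1'></script>
<script src='https://example.test/wp-content/plugins/woocommerce/assets/js/frontend/woocommerce.min.js?ver=8.4.0'></script>
</head><body></body></html>"""

GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"', re.I)
ASSET_RE = re.compile(r"""(?:href|src)=['"]([^'"]+)['"]""", re.I)   # same idea as the sed/awk pipeline
PLUGIN_RE = re.compile(r"/wp-content/plugins/([^/?]+)")
THEME_RE = re.compile(r"/wp-content/themes/([^/?]+)")
VER_RE = re.compile(r"[?&]ver=([^&]+)")

def fingerprint(html):
    """Return core version, plugin/theme slugs with their ?ver=, and every asset's ?ver=."""
    gen = GENERATOR_RE.search(html)
    out = {"version": gen.group(1) if gen else None, "plugins": {}, "themes": {}, "assets": {}}
    for url in ASSET_RE.findall(html):
        ver = VER_RE.search(url)
        ver = ver.group(1) if ver else None
        plugin = PLUGIN_RE.search(url)
        theme = THEME_RE.search(url)
        if plugin:
            out["plugins"].setdefault(plugin.group(1), ver)   # first ?ver= seen per slug wins
        if theme:
            out["themes"].setdefault(theme.group(1), ver)
        out["assets"][url.split("?")[0]] = ver
    return out
```

Feed it `curl -s` output saved to a file and diff the result against your own plugin inventory to spot versions you did not expect to be public.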

## Active Enumeration:

### Plugins and Themes:

You probably won't be able to find all the plugins and themes passively. To discover all of them, you will need to **actively brute force a list of plugins and themes** (fortunately, there are automated tools that ship with these lists).

### Users:

#### ID Brute:

```bash
curl -s -I -X GET http://blog.example.com/?author=1
```

If the response is **200** or **30X**, the id is **valid**. If the response is **400**, the id is **invalid**.

#### wp-json:

```bash
curl http://blog.example.com/wp-json/wp/v2/users
```

```bash
curl http://blog.example.com/wp-json/oembed/1.0/embed?url=POST-URL
```

Note that this endpoint only exposes users who have published a post. **Only information about users with this feature enabled will be provided**.

#### Login username enumeration:

When logging in at **`/wp-login.php`**, the error **message** is **different** depending on whether the supplied **username exists or not.**

## API

### REST:

```
/wp-json/wp/v2
/wp-json/wp/v2/pages/
https://target.com/wp-json/?rest_route=/wp/v2/users/
curl https://target.com/?_method=GET -d rest_route=/wp/v2/users    # bypassing restriction
http://target.com/?rest_route=/
```
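The defender's side of the user-enumeration and REST tricks above (the `?author=` sweep, `/wp-json/wp/v2/users`, the `?rest_route=` users route and the `?_method=GET` override), as an added example not taken from the page: it parses constructed combined-format access-log lines and reports which clients show that behaviour. IPs, timestamps and sizes are made up.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlparse

# Constructed access-log lines in combined format; IPs and times are made up.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jan/2024:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/8.0"
203.0.113.10 - - [12/Jan/2024:10:00:02 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "curl/8.0"
203.0.113.10 - - [12/Jan/2024:10:00:03 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "curl/8.0"
203.0.113.10 - - [12/Jan/2024:10:00:04 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 812 "-" "curl/8.0"
203.0.113.10 - - [12/Jan/2024:10:00:05 +0000] "POST /?_method=GET HTTP/1.1" 200 812 "-" "curl/8.0"
203.0.113.10 - - [12/Jan/2024:10:00:06 +0000] "GET /?rest_route=/wp/v2/users/ HTTP/1.1" 200 812 "-" "curl/8.0"
198.51.100.7 - - [12/Jan/2024:10:01:00 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 4411 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def classify(method, path):
    """Map one request to an enumeration indicator, or None for ordinary traffic."""
    u = urlparse(path)
    qs = parse_qs(u.query)
    if u.path == "/" and "author" in qs:
        return "author_id_probe"            # /?author=N redirect trick
    if u.path.startswith("/wp-json/wp/v2/users"):
        return "rest_users_endpoint"
    if unquote(qs.get("rest_route", [""])[0]).startswith("/wp/v2/users"):
        return "rest_route_users"           # /?rest_route=/wp/v2/users/
    if method == "POST" and "_method" in qs:
        return "rest_method_override"       # /?_method=GET with rest_route in the body
    return None

def detect(log_text, author_threshold=3):
    """Return {ip: {indicator: count}} for clients showing enumeration behaviour."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        kind = classify(m["method"], m["path"]) if m else None
        if kind:
            per_ip[m["ip"]][kind] += 1
    findings = {}
    for ip, counts in per_ip.items():
        # one ?author= hit is normal (author links); a run of them is a sweep
        others = [k for k in counts if k != "author_id_probe"]
        if others or counts["author_id_probe"] >= author_threshold:
            findings[ip] = dict(counts)
    return findings
```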

### XML-RPC (POST request to `/xmlrpc.php`):

```xml
<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>
```

```xml
<methodCall>
<methodName>wp.getUsersBlogs</methodName>
<params>
<param><value>admin</value></param>
<param><value>pass</value></param>
</params>
</methodCall>
```

```xml
<methodCall>
<methodName>pingback.ping</methodName>
<params><param>
<value><string>http://<YOUR SERVER >:<port></string></value>
</param><param><value><string>http://<SOME VALID BLOG FROM THE SITE ></string>
</value></param></params>
</methodCall>
```
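Added example (not part of the original notes): building the `system.listMethods` call with Python's `xmlrpc.client` and parsing the reply to report which of the methods used above (`pingback.ping`, `wp.getUsersBlogs`, plus `system.multicall`) a site advertises, which is the check to run against a site you administer before deciding whether `xmlrpc.php` needs to stay reachable. The response XML is constructed, not captured.

```python
import xmlrpc.client

# Methods worth flagging when advertised: pingback.ping and wp.getUsersBlogs are the ones
# used in the calls above; system.multicall lets one request bundle many of them.
RISKY_METHODS = {"pingback.ping", "system.multicall", "wp.getUsersBlogs"}

def build_list_methods_call():
    """Serialize the system.listMethods request shown above with the stdlib marshaller."""
    return xmlrpc.client.dumps((), methodname="system.listMethods")

def exposed_risky_methods(response_xml):
    """Parse a methodResponse to system.listMethods and return the risky methods it lists."""
    params, _ = xmlrpc.client.loads(response_xml)   # params is a 1-tuple holding the array
    return sorted(RISKY_METHODS & set(params[0]))

# Constructed reply in the shape /xmlrpc.php returns; not captured from a real site.
SAMPLE_RESPONSE = """<?xml version="1.0"?>
<methodResponse><params><param><value><array><data>
<value><string>system.multicall</string></value>
<value><string>system.listMethods</string></value>
<value><string>pingback.ping</string></value>
<value><string>wp.getUsersBlogs</string></value>
<value><string>wp.getPosts</string></value>
</data></array></value></param></params></methodResponse>"""

if __name__ == "__main__":
    print(build_list_methods_call())
    print(exposed_risky_methods(SAMPLE_RESPONSE))
```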

{% hint style="info" %}
Automation:

<https://github.com/relarizky/wpxploit>

Details on XML-RPC abuse:

<https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/wordpress>
{% endhint %}

## Tools:

```bash
cmsmap -s http://www.domain.com -t 2 -a "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0"
wpscan --rua -e ap,at,tt,cb,dbe,u,m --url http://www.domain.com [--plugins-detection aggressive] --api-token <API_TOKEN> --passwords /usr/share/wordlists/external/SecLists/Passwords/probable-v2-top1575.txt # Brute force the users found and look up vulnerabilities using a free API token (up to 50 searches)
# You can try to brute force the admin user using wpscan with "-U admin"
```
