🔍 SCANNING & ENUMERATION PHASE
Find Login Page
https://website.com/wp-login.php
https://website.com/wp-admin/install.php
https://website.com/wp-json/wp/v2/users
https://website.com/?author=1
Use Nmap aggressive scan:
nmap -p- -sV -sC -T4 --script=http-wordpress-enum,http-enum <IP>
Important ports:
80 / 443 — WordPress website
22 — SSH (for bruteforce after WP compromise)
3306 — MySQL (if exposed = critical)
Useful NSE scripts:
WORDPRESS VERSION ENUMERATION
Passive enumeration: check the page source for the generator meta tag (<meta name="generator" content="WordPress x.y.z">):
Check these common files/paths:
WPScan example:
ENUMERATE REST API
Common endpoints:
Possible leakage:
Post IDs (useful for XSS testing)
REST API version → WordPress version → CMS fingerprinting.
ENUMERATE DIRECTORIES (Dirsearch / ffuf)
Dirsearch:
Important directories to check:
ENUMERATE USERS
Common paths and techniques:
WPScan user enumeration:
Manual enumeration:
REST API leaking: /wp-json/wp/v2/users
Author archive enumeration:
If redirected → you can get username in URL: /author/admin/ or /author/john/
ENUMERATE PLUGINS
Plugins are the number-one vulnerability source.
Manual checks:
/wp-content/plugins/plugin-name/readme.txt
/wp-content/plugins/plugin-name/changelog.txt 
WPScan plugin enumeration:
ENUMERATE THEMES
Similar approach:
/wp-content/themes/theme-name/style.css
Look for:
ENUMERATE XML-RPC
Check:
If enabled, XML-RPC can be used for:
DoS (pingback amplification)
Check with curl:
CMS Wordlists & WordPress-Specific Wordlists
Paths:
/usr/share/wordlists/wpscan/
/usr/share/wordlists/dirbuster/
/usr/share/seclists/Discovery/Web-Content/CMS/
Use WordPress-specific fuzz wordlists: plugins.txt, themes.txt, wp-paths.txt
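Added example, not code from the original page: a must-use plugin (hypothetical path wp-content/mu-plugins/harden-enum.php) that closes, on the WordPress side, the enumeration vectors listed above: the anonymous /wp-json/wp/v2/users endpoint, the ?author=N redirect, the XML-RPC authenticated methods and pingback.ping, and the generator version string.

```php
<?php
/**
 * Plugin Name: Harden Enumeration (added example, not part of the original page)
 * Files in wp-content/mu-plugins/ load on every request without activation.
 */

// 1. Drop the REST users routes for anonymous callers only; logged-in
//    editors and the block editor still need them.
add_filter('rest_endpoints', function (array $endpoints): array {
    if (is_user_logged_in()) {
        return $endpoints;
    }
    foreach (array_keys($endpoints) as $route) {
        if (strpos($route, '/wp/v2/users') === 0) {
            unset($endpoints[$route]);
        }
    }
    return $endpoints;
});

// 2. Answer ?author=N with 403 before redirect_canonical() (priority 10)
//    can turn it into /author/<login>/ and leak the username.
add_action('template_redirect', function (): void {
    if (!is_admin() && !is_user_logged_in() && isset($_GET['author'])) {
        wp_die('Forbidden', 'Forbidden', ['response' => 403]);
    }
}, 1);

// 3. Disable the authenticated XML-RPC methods (wp.getUsersBlogs,
//    system.multicall password guessing) ...
add_filter('xmlrpc_enabled', '__return_false');

//    ... and remove pingback.ping, the SSRF / amplification method, outright.
add_filter('xmlrpc_methods', function (array $methods): array {
    unset($methods['pingback.ping'], $methods['pingback.extensions.getPingbacks']);
    return $methods;
});

// 4. Strip the WordPress version from the generator meta tag and feeds.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');
```

Note that this leaves xmlrpc.php reachable for the remaining harmless methods; denying the file at the webserver is the stricter option when nothing (Jetpack, mobile app) needs it.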
🛡 WORDPRESS VULNERABILITY SCANNING USING WPSCAN
WPScan is the official WordPress scanner.
Basic scan:
Enumerate everything:
Options (wpscan):
Use API for vulnerability detection:
Skip passive detection & go aggressive:
🔓 WORDPRESS BRUTEFORCE ATTACKS
wp-login.php bruteforce
WPScan bruteforce:
Hydra:
cURL brute (example):
XML-RPC Bruteforce (More Dangerous)
XML-RPC allows multi-password attempts in one request — more efficient and noisier.
Check a simple authentication call (example):
Bruteforce with WPScan (XML-RPC):
REST API enumeration leads to bruteforce
If usernames leak via /wp-json/wp/v2/users then typical accounts to try:
💣 EXPLOITING WORDPRESS
Here are the TOP vulnerability types.
⭐ 4.1 Arbitrary File Upload (Plugins/Themes)
Common vulnerable plugins:
Slider Revolution (revslider)
Custom file upload widgets
Typical exploit path:
/wp-content/uploads/wpstorecart/products/shell.php
/wp-admin/admin-ajax.php (using vulnerable handler)
Bypass possibilities:
Upload examples:
Execute:
http://target/wp-content/uploads/.../shell.php?cmd=id
⭐ 4.2 WordPress RCE Exploits
Most RCEs come from:
Deserialization vulnerabilities
Unauthenticated Ajax function handlers
Vulnerable REST API endpoints
Example (revslider):
/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
⭐ 4.3 XSS Attacks
Common XSS locations:
Vulnerable plugins (forum plugins, gallery plugins)
Payload example:
Stored XSS in WP can give:
⭐ 4.4 Privilege Escalation
Ways to escalate:
Vulnerable plugins with admin Ajax (example: /wp-admin/admin-ajax.php?action=upload_file → leads to RCE)
⭐ 4.5 Database Access (MySQL)
If you obtain DB creds from wp-config.php then connect:
Change admin password (example):
⭐ 4.6 Credential Harvesting via XMLRPC Pingback SSRF
XML-RPC can be abused for SSRF/internal port scanning via pingback.ping and to harvest credentials or access internal resources.
Exploit example:
xmlrpc.php?pingback.ping → internal port scanning / SSRF
⭐ 4.7 Theme/Plugin Editor → RCE
If logged in (admin) and theme/plugin editor is available:
Example: modify theme functions.php with a system() call:
Access:
/wp-content/themes/theme/functions.php?cmd=id
👤 WORDPRESS BLACK-BOX PENTESTING FRAMEWORK
Here is the complete methodology, in order.
Phase 1 — Recon & Discovery
Tools:
Phase 2 — Vulnerability Analysis
Check for:
Outdated WordPress version
Exposed wp-config(.bak/.old)
Backup files (wp-config.php~, etc.)
Misconfigured permissions
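Added example, not configuration from the original page: an nginx server-block fragment that closes the two exposures the webserver can handle on its own, the wp-config backup copies listed just above and PHP execution under wp-content/uploads (the webshell path from section 4.1), with the weak default shown beside the corrected rules. Paths are the page's own; the php-fpm upstream name is an assumption.

```nginx
# Weak default: a single catch-all hands every *.php to PHP-FPM, including
# /wp-content/uploads/.../shell.php, and serves wp-config.php.bak as a text file:
#
#   location ~ \.php$ { include fastcgi_params; fastcgi_pass php-fpm; }
#
# Corrected: regex locations are tried in file order, so the deny rules
# must appear BEFORE the generic PHP handler.

# wp-config.php is never legitimately requested over HTTP; deny it together
# with the backup / editor copies (.bak, .old, trailing ~).
location ~* ^/wp-config\.php(\.bak|\.old|~)?$ {
    deny all;   # 403
}

# Never execute PHP from the uploads tree: an uploaded shell.php gets 403
# instead of being passed to PHP-FPM.
location ~* ^/wp-content/uploads/.*\.php$ {
    deny all;
}

# Generic PHP handler stays last.
location ~ \.php$ {
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass php-fpm;   # assumed upstream name
}
```

Verify with `nginx -t` and then request one of the denied paths from the outside; a 403 confirms the order of the location blocks is right.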
Phase 3 — Exploitation
Try:
Arbitrary File Upload (plugins/themes/ajax endpoints)
LFI / RFI via vulnerable plugin loaders
XSS → Admin takeover (comments, plugins)
RCE (file upload, theme/plugin editor, deserialization)
Phase 4 — Post Exploitation
Once shell obtained:
Modify homepage (deface for demo)
Maintain persistence:
Upload backdoor in uploads/
Modify theme functions.php
Phase 5 — Reporting
Document:
🎯 FINAL SUMMARY
WordPress Pentesting → Enumeration → Vulnerability Discovery → Exploitation → Post-Exploitation.
WPScan is the core tool for enumeration and vulnerability scanning.
Biggest weaknesses come from Plugins & Themes.
Most real attacks: Arbitrary File Upload → Webshell → RCE.
Created By: https://linkedin.com/in/parosh-sec