Wordpress
Standard pages and folders
License files
/license.txt
/readme.html
Login pages
/wp-admin/login.php
/wp-admin/wp-login.php
/login.php
/wp-login.php
Resource folders
/wp-content/uploads/ - resources folder
/wp-content/themes/ - themes folder
/wp-includes/ - plugins, scripts and widgets
Plugin enumeration
Authenticated RCE
These attacks require access to the administrative console.
Template editor
It is possible to use the template editor to modify a PHP page. The best target is the 404 page since it can be triggered easily. If the 404 page cannot be used, the modified files are usually located under /wp-content/themes/<theme>/<page>.php
Plugin upload functionality
It is possible to upload and execute a reverse shell payload by abusing the install-plugin functionality.
Create a .php file as follows, then zip it and upload the archive. Once uploaded, press the "Activate" button.
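Both techniques above leave a trace on disk: an edited theme file or a new plugin directory under wp-content. The following integrity check, added here as an example and not code from the original page or from WordPress itself, builds a SHA-256 manifest of the PHP files under a wp-content tree and reports files that were added, removed or modified since the baseline. The directory layout and file contents in `demo()` are constructed to simulate a tampered 404 page and a dropped plugin file.

```python
"""Baseline-and-diff integrity check for a WordPress wp-content tree.

Added example, not WordPress code. Run build_manifest() on a known-good
install and store the result; later runs of diff_manifest() report PHP
files that changed (template editor) or appeared (unexpected plugin or
theme files). Paths and file contents in demo() are constructed.
"""
import hashlib
import json
import os
import shutil
import tempfile


def build_manifest(root, exts=(".php",)):
    """Map relative path -> sha256 hex digest for each file under root with a watched extension."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(exts):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = digest
    return manifest


def diff_manifest(baseline, current):
    """Return added, removed and modified paths of `current` relative to `baseline`."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Simulate a template-editor change and a plugin drop in a temporary wp-content tree."""
    root = tempfile.mkdtemp()
    try:
        theme = os.path.join(root, "themes", "sample-theme")  # constructed theme name
        os.makedirs(theme)
        with open(os.path.join(theme, "404.php"), "w") as fh:
            fh.write("<?php get_header(); ?>\n")
        baseline = build_manifest(root)

        # Tamper: append to 404.php (template editor) and add a new plugin file (plugin upload).
        with open(os.path.join(theme, "404.php"), "a") as fh:
            fh.write("<?php /* modified */ ?>\n")
        plugin = os.path.join(root, "plugins", "new-plugin")  # constructed plugin name
        os.makedirs(plugin)
        with open(os.path.join(plugin, "new-plugin.php"), "w") as fh:
            fh.write("<?php /* Plugin Name: new-plugin */ ?>\n")

        return diff_manifest(baseline, build_manifest(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline manifest is written to storage the web server cannot modify and compared on a schedule. WordPress also lets an administrator remove both modification paths outright: defining `DISALLOW_FILE_EDIT` as true in wp-config.php hides the theme and plugin editor, and `DISALLOW_FILE_MODS` additionally blocks plugin and theme installation from the console.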
Pivoting
This file contains the plain-text username and password for the database login. Sometimes these credentials can also be reused to authenticate as another user on the target machine.
XML-RPC
Check if active
Send the following request to /xmlrpc.php
Credentials bruteforce
You can use wp.getUsersBlogs, wp.getCategories or metaWeblog.getUsersBlogs as the value for the methodName field.
File upload
Requires valid credentials.