WordPress

Standard pages and folders

License files

  • /license.txt

  • /readme.html

Login pages

  • /wp-admin/login.php

  • /wp-admin/wp-login.php

  • /login.php

  • /wp-login.php

Resource folders

  • /wp-content/uploads/ (uploaded resources)

  • /wp-content/themes/ (themes)

  • /wp-includes/ (plugins, scripts and widgets)

Plugin enumeration

Enumeration can be performed with the tool wpscan, downloadable here.

Authenticated RCE

These attacks require access to the administrative console.

Template editor

It is possible to use the template editor to modify a PHP page. The best target is the 404 page, since it can be triggered easily. If the 404 page cannot be used, the files to modify are usually located under /wp-content/themes/<theme>/<page>.php

Plugin upload functionality

It is possible to upload and execute a reverse shell payload by abusing the install plugin functionality.

Create a .php file as follows, then zip it and upload the archive. Once uploaded, press the "Activate" button.
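Both paths above depend on the dashboard being allowed to write PHP into the web root. As an added example (not code from the original page), the following Python script shows the defender-side counterpart: it reads a wp-config.php and reports whether the real WordPress constants DISALLOW_FILE_EDIT (hides the theme/plugin editor) and DISALLOW_FILE_MODS (additionally blocks plugin and theme uploads, installs and updates) are set, and it compares theme files against a known-good hash baseline so a modified 404.php or an unexpected new .php file stands out. The config text, theme paths (wp-content/themes/example/) and file contents are constructed for the demonstration.

```python
"""Hardening check and theme-file integrity check for the authenticated
code-execution paths above. Added example; config text and theme files below
are constructed sample data, not taken from any real site."""
import hashlib
import re
from typing import Dict, List

# Matches define('DISALLOW_FILE_EDIT', true); in either quote style, any spacing.
_DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](?P<name>DISALLOW_FILE_(?:EDIT|MODS))['"]\s*,\s*(?P<value>true|false)\s*\)""",
    re.IGNORECASE,
)


def file_edit_settings(wp_config: str) -> Dict[str, bool]:
    """Effective value of both constants; WordPress treats an absent define as false."""
    settings = {"DISALLOW_FILE_EDIT": False, "DISALLOW_FILE_MODS": False}
    for line in wp_config.splitlines():
        stripped = line.strip()
        # A commented-out define is not a hardening, so skip comment lines.
        if stripped.startswith(("//", "#", "*", "/*")):
            continue
        for m in _DEFINE_RE.finditer(stripped):
            settings[m.group("name").upper()] = m.group("value").lower() == "true"
    return settings


def hardening_findings(wp_config: str) -> List[str]:
    """Which of the two dashboard-to-PHP paths is still open for this config."""
    s = file_edit_settings(wp_config)
    findings = []
    # DISALLOW_FILE_MODS implies the editor is hidden too, so only flag the
    # editor when neither constant is set.
    if not s["DISALLOW_FILE_EDIT"] and not s["DISALLOW_FILE_MODS"]:
        findings.append("theme/plugin editor reachable from the dashboard (DISALLOW_FILE_EDIT not set)")
    if not s["DISALLOW_FILE_MODS"]:
        findings.append("plugin/theme upload and install enabled (DISALLOW_FILE_MODS not set)")
    return findings


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def changed_theme_files(baseline: Dict[str, str], current: Dict[str, bytes]) -> Dict[str, str]:
    """Compare current theme file contents to a known-good SHA-256 baseline.
    Returns {path: 'modified' | 'added' | 'missing'} for every difference; an
    edited template or a PHP file that was not in the baseline shows up here."""
    diff: Dict[str, str] = {}
    for path, expected in baseline.items():
        if path not in current:
            diff[path] = "missing"
        elif sha256_hex(current[path]) != expected:
            diff[path] = "modified"
    for path in current:
        if path not in baseline:
            diff[path] = "added"
    return diff


# Constructed sample configs: the weak one only has the define commented out.
WEAK_CONFIG = """<?php
define('DB_NAME', 'example_db');
// define('DISALLOW_FILE_EDIT', true);
"""
HARDENED_CONFIG = """<?php
define('DB_NAME', 'example_db');
define( 'DISALLOW_FILE_EDIT', true );
define("DISALLOW_FILE_MODS", true);
"""

# Constructed theme baseline and a current snapshot with one edited template
# and one file that was never part of the theme.
ORIGINAL_404 = b"<?php get_header(); ?>\n<h1>Not found</h1>\n<?php get_footer(); ?>\n"
ORIGINAL_INDEX = b"<?php get_header(); ?>\n"
BASELINE = {
    "wp-content/themes/example/404.php": sha256_hex(ORIGINAL_404),
    "wp-content/themes/example/index.php": sha256_hex(ORIGINAL_INDEX),
}
CURRENT_FILES = {
    "wp-content/themes/example/404.php": ORIGINAL_404 + b"<?php /* edited after baseline */ ?>\n",
    "wp-content/themes/example/index.php": ORIGINAL_INDEX,
    "wp-content/themes/example/extra.php": b"<?php ?>\n",
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, hardening_findings(cfg) or ["no findings"])
    print(changed_theme_files(BASELINE, CURRENT_FILES))
```

In practice the baseline is taken right after a clean install or update and the comparison is scheduled; anything reported as modified or added under the theme and plugin directories deserves a look, because with both constants set the dashboard itself can no longer be the source of such a change.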

Pivoting

This file contains the plain-text username and password for the database login. Sometimes these credentials can also be used to authenticate as another user on the target machine.

XML-RPC

Check if active

Send the following request to /xmlrpc.php.

Credentials bruteforce

You can use wp.getUsersBlogs, wp.getCategories or metaWeblog.getUsersBlogs as the value of the methodName field.

File upload

Requires valid credentials.
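As an added example for the "Check if active" and "Credentials bruteforce" parts of this section (not code from the original page), the following Python script does the two things a site owner wants from the XML-RPC endpoint: it builds the standard system.listMethods introspection request, parses the reply to see whether the three credential-accepting methods named above are advertised, and it scans web-server access log lines for the volume pattern that password guessing against /xmlrpc.php produces. The listMethods response, the "disabled" fault and the log lines are constructed so the script runs offline; to use the check for real, POST the body returned by list_methods_request() to your own site's /xmlrpc.php with Content-Type text/xml and feed the response to exposed_credential_methods().

```python
"""XML-RPC exposure check plus access-log detection of credential guessing.
Added example; the sample response, fault and log lines are constructed."""
import re
import xmlrpc.client
from collections import defaultdict
from typing import Dict, Iterable, List

# The methods the section above names as accepting a username/password.
CREDENTIAL_METHODS = {"wp.getUsersBlogs", "wp.getCategories", "metaWeblog.getUsersBlogs"}


def list_methods_request() -> bytes:
    """Request body that asks the endpoint to enumerate the methods it serves."""
    return xmlrpc.client.dumps((), methodname="system.listMethods").encode()


def exposed_credential_methods(response_body: bytes) -> List[str]:
    """Credential-accepting methods advertised in a system.listMethods reply.
    An XML-RPC fault (the endpoint is disabled or refuses introspection) yields []."""
    try:
        (methods,), _ = xmlrpc.client.loads(response_body)
    except xmlrpc.client.Fault:
        return []
    return sorted(CREDENTIAL_METHODS.intersection(methods))


# Apache/nginx combined log format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def xmlrpc_post_counts(log_lines: Iterable[str]) -> Dict[str, int]:
    """Number of POSTs to xmlrpc.php per source address.
    Failed XML-RPC logins come back as HTTP 200 with a fault in the body, so the
    status code is not a signal; request volume from one source is."""
    counts: Dict[str, int] = defaultdict(int)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        if m.group("path").split("?", 1)[0].endswith("/xmlrpc.php"):
            counts[m.group("ip")] += 1
    return dict(counts)


def flag_bruteforce(log_lines: Iterable[str], threshold: int = 20) -> List[str]:
    """Source addresses at or above the per-log-window POST threshold."""
    return sorted(ip for ip, n in xmlrpc_post_counts(log_lines).items() if n >= threshold)


# Constructed reply from a site with XML-RPC enabled, built with the same
# library so the XML shape is exactly what a client would see.
SAMPLE_RESPONSE = xmlrpc.client.dumps(
    (["system.listMethods", "wp.getUsersBlogs", "wp.getCategories",
      "metaWeblog.getUsersBlogs", "wp.getPosts"],),
    methodresponse=True,
).encode()

# Constructed fault reply standing in for a site that has disabled XML-RPC.
DISABLED_RESPONSE = xmlrpc.client.dumps(
    xmlrpc.client.Fault(405, "XML-RPC services are disabled on this site."),
    methodresponse=True,
).encode()

# Constructed log window: one address hammering xmlrpc.php, one normal visitor.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Oct/2024:13:55:{s:02d} +0000] "POST /xmlrpc.php HTTP/1.1" 200 370'
    for s in range(25)
] + [
    '198.51.100.4 - - [10/Oct/2024:13:56:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370',
    '198.51.100.4 - - [10/Oct/2024:13:56:05 +0000] "GET /wp-login.php HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    print("exposed:", exposed_credential_methods(SAMPLE_RESPONSE))
    print("disabled site:", exposed_credential_methods(DISABLED_RESPONSE))
    print("flagged:", flag_bruteforce(SAMPLE_LOG))
```

The threshold is per log window, so size it to the slice of log you feed in; a site that does not use the mobile app or remote publishing can skip the detection altogether by disabling the endpoint, at which point the exposure check returns an empty list.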
