How to effectively hunt for vulnerabilities in WordPress sites

Vishal Barot
May 24, 2022


Hi Sleepyheads! Miss me?

Hehe!!!

Today is the day when I am going to share some tricks that may end up helping you earn $$$$ bounties.

WordPress is famous for its plugins and themes, and at the same time infamous for the vulnerabilities those plugins and themes bring with them.

Browser extensions like Wappalyzer help us tell whether a site is running on WordPress:

It also gives us a bit of insight into which WordPress plugins the site is using:

Sometimes it reports version information for WordPress and the plugins, sometimes it doesn't.

But lemme tell you, I don't completely rely on Wappalyzer.

The CLI tool I use most for finding WordPress vulnerabilities is wpscan (you can install it from here: https://github.com/wpscanteam/wpscan).

Here is the command to run wpscan:

wpscan --url https://redacted.com -e vp --api-token YOUR_API_TOKEN --random-user-agent --ignore-main-redirect --force --disable-tls-checks

You have to create an account on https://wpscan.com/ to get your free API token.

WordPress is not necessarily hosted on the main site or in the root directory.

It might have been hosted like this:

https://redacted.com/blog/wp-content

or

https://redacted.com/news/articles/wp-content

Most hackers only check whether WordPress is hosted on the main site, but we also have to check the other potential paths.

To find such endpoints, we can use the tools waybackurls and httpx.

The command would be:

waybackurls zerodha.com | grep "wp-content" | httpx -mc 200

(Along with waybackurls, also try gau, gauplus, etc. They may give you different results.)

Once we have a specific endpoint, we can run wpscan again with the URL adjusted. For the case mentioned above, the command would look like this:

wpscan --url https://zerodha.com/varsity -e vp --api-token YOUR-API-TOKEN --random-user-agent --ignore-main-redirect --force --disable-tls-checks

If the wp-content directory sits directly under the main site, like "https://redacted.com/wp-content", then you can use the command as normal without specifying a sub-directory:

Sometimes wpscan reports that it cannot find the wp-content directory. In that situation it is better to specify the directory explicitly with --wp-content-dir (which takes the directory name relative to --url), like this:

wpscan --url https://redacted.com/news/article --wp-content-dir wp-content -e vp --api-token YOUR_API_TOKEN --random-user-agent --ignore-main-redirect --force --disable-tls-checks
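As an added example (not from the original post), here is a small POSIX shell script that takes the URL list a waybackurls or gau pipeline prints, collapses it to the distinct base paths in front of /wp-content, and prints the matching wpscan command for each one, so installs under /blog or /news/articles are not missed. The sample URLs and the WPSCAN_API_TOKEN environment variable are constructed assumptions; the script prints the commands rather than running them, so it works offline.

```shell
#!/bin/sh
# Added example, not from the post: turn a waybackurls/gau URL list into the
# distinct WordPress base paths in front of /wp-content, then print the wpscan
# command for each, so installs under /blog or /news/articles are not missed.

# Read URLs on stdin; print each distinct base URL that precedes /wp-content,
# in the order first seen. Query strings, fragments and deeper paths are dropped.
# http:// and https:// variants are kept separate on purpose.
wp_base_paths() {
  grep -oE 'https?://[^ ?#]*/wp-content' | sed 's#/wp-content$##' | awk '!seen[$0]++'
}

# Print (do not run) the wpscan command for one base URL, with the post's flags
# plus --wp-content-dir, which takes the directory name relative to --url.
# wpscan accepts comma-separated enumeration options, so vp,vt covers plugins and themes.
# The token comes from WPSCAN_API_TOKEN (assumed env var) or a placeholder.
wpscan_cmd() {
  printf 'wpscan --url %s --wp-content-dir wp-content -e vp,vt --api-token %s --random-user-agent --ignore-main-redirect --force --disable-tls-checks\n' \
    "$1" "${WPSCAN_API_TOKEN:-YOUR_API_TOKEN}"
}

# Constructed sample of what `waybackurls example.com | grep wp-content` might print.
sample_urls() {
  cat <<'EOF'
https://example.com/wp-content/themes/astra/style.css?ver=3.9.0
https://example.com/blog/wp-content/plugins/elementor/assets/js/frontend.min.js?ver=3.4.7
https://example.com/blog/wp-content/uploads/2022/01/photo.jpg
http://example.com/news/articles/wp-content/plugins/wp-user-avatar/readme.txt
https://example.com/about/
EOF
}

# Demo: one wpscan command per discovered base path.
sample_urls | wp_base_paths | while read -r base; do wpscan_cmd "$base"; done
```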

This may end up showing you vulnerabilities like this:

All you have to do now is verify which of these vulnerabilities are actually exploitable and which are not. For example, in the results above you can see that most of the vulnerabilities in the outdated Elementor plugin are authenticated vulnerabilities: to exploit them, one needs an account on the WordPress panel. So for an external attacker without credentials, these are not applicable.

However, the last one in the list (Elementor < 3.4.8 - DOM Cross-Site Scripting (CVE-2021-24891)) can be exploited.

All you need to do is search for its exploit. In this case the exploit is very simple: append /#elementor-action:action=lightbox&settings=eyJ0eXBlIjoibnVsbCIsImh0bWwiOiI8c2NyaXB0PmFsZXJ0KCd4c3MnKTwvc2NyaXB0PiJ9 to your target at the path where the WordPress install begins (the directory that contains wp-content) and load the URL:

Like this:

https://redacted.com/blog/#elementor-action:action=lightbox&settings=eyJ0eXBlIjoibnVsbCIsImh0bWwiOiI8c2NyaXB0PmFsZXJ0KCd4c3MnKTwvc2NyaXB0PiJ9

It would give you a cute little pop-up like this:

For different WordPress vulnerabilities, there are different exploits. You just need to find them.

In the same way you can look for vulnerable themes: just replace vp (vulnerable plugins) with vt (vulnerable themes) in the wpscan command, like this:

wpscan --url https://redacted.com/blog -e vt --api-token YOUR-API-TOKEN --random-user-agent --ignore-main-redirect --force --disable-tls-checks

Let’s reveal one more secret:

I don't completely trust wpscan, because sometimes it fails to detect the plugin/theme version, and sometimes it misses plugins/themes that are actually in use. For these reasons I always view the page source and search for the keywords "/plugins" and "/themes" on different paths of the WordPress site. This technique may help in the cases wpscan misses.
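As an added example (not from the original post), here is a POSIX shell function that scripts the "view-source and search for /plugins and /themes" check above: it reads saved page source on stdin and lists each plugin and theme slug referenced under wp-content, with the ?ver= value when present. The sample HTML is constructed, not taken from any real site.

```shell
#!/bin/sh
# Added example, not from the post: script the "view-source and search for
# /plugins and /themes" check. Reads saved HTML on stdin and lists each plugin
# and theme slug referenced from wp-content, with the ?ver= value when present.

# Output one line per distinct slug: kind|slug|version, where kind is
# "plugin" or "theme" and version is "-" when the asset URL has no ?ver=.
# The first version seen for a slug wins.
wp_assets() {
  grep -oE "wp-content/(plugin|theme)s/[A-Za-z0-9_.-]+/[^\"'[:space:]>]*" \
  | sed -E -e 's#^wp-content/(plugin|theme)s/([^/]+)/.*ver=([0-9][0-9A-Za-z.-]*).*$#\1|\2|\3#' \
           -e 't' \
           -e 's#^wp-content/(plugin|theme)s/([^/]+)/.*$#\1|\2|-#' \
  | awk -F'|' '!seen[$1 FS $2]++'
}

# Constructed sample page source (not a real site).
sample_html() {
  cat <<'EOF'
<link rel='stylesheet' href='https://example.com/wp-content/themes/astra/style.css?ver=3.9.0' media='all' />
<script src="https://example.com/wp-content/plugins/elementor/assets/js/frontend.min.js?ver=3.4.7"></script>
<script src="https://example.com/wp-content/plugins/elementor/assets/js/webpack.runtime.min.js?ver=3.4.7"></script>
<img src="https://example.com/wp-content/plugins/wp-user-avatar/assets/images/default.png" alt="">
<link rel="stylesheet" href="/wp-content/themes/astra-child/style.css?ver=1.0.2">
EOF
}

# Demo: inventory of plugins/themes found in the sample source.
sample_html | wp_assets
```

Run it over several saved pages of the same site (curl output, or the HTML you saved from view-source), since different paths load different plugins.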

Once you have the plugin/theme name, you can simply google "wp-user-avatar wpscan", "elementor wpscan", etc. to find known vulnerabilities and exploits.

Even if you don't know much about the plugin/theme version, it is always worth giving the known exploits a shot anyway.

It is always good to use multiple techniques for enumerating plugins/technologies instead of relying on a single tool.

I used these techniques and it helped me a lot. Good recon is the real magic :)

To find wp-content directories even more efficiently, you can also fuzz paths with tools like ffuf.

I tried to keep this write-up as simple as I can. Feel free to share your opinions/queries in the comment-section.

I hope you enjoyed reading as this is MY LAST WRITE-UP.

JUST KIDDING :P

“WHY SOOOOOOO SERIOUSSSSS?”

See ya! Hackers :)
