Common Vulnerabilities in WordPress Sites

Sriharan Mahendran
5 min read · May 11, 2024


Hello guys, I am Sriharan Mahendran, an individual Penetration Tester and Security Researcher. Throughout my career, I’ve successfully secured numerous company websites against cyber threats. Today marks the first blog of my cybersecurity journey, where I aim to share insights and experiences with you.

In this blog I will try to cover some of the common WordPress misconfigurations and vulnerabilities that I know of.

Let’s begin hacking WordPress!

→ What Is WordPress?

WordPress is a free and open-source content management system that lets anyone create and manage websites easily. Starting as a blogging platform, the WordPress software has evolved to help users build various sites, from blogs and portfolios to eCommerce stores.


→ Why Use WordPress?

With so many website builders on the market, you may wonder what makes WordPress different. Here’s why millions of site owners use WordPress:

Easy to Use

With WordPress, users can create their own website without code. The admin panel is intuitive, letting you easily manage content, media, appearance, and plugins.

→ How Does WordPress Work?

WordPress runs on a database system that enables users to add, modify, and organize files, themes, plugins, and other types of content.

→ Detecting WordPress:

Use the Wappalyzer extension (available for Chrome and Firefox).

Wappalyzer is used to:

Identify technologies on websites

Find out the technology stack of any website. Create lists of websites that use certain technologies, with company and contact details. Use our tools for lead generation, market analysis and competitor research.

[Image: Wappalyzer sample output]

After detecting the WordPress CMS, we can proceed with manual analysis and automated, tool-based vulnerability testing.

Vulnerability 1 : Severity High [ Configuration File Leakage ] :

Accessing sensitive files like wp-config.php on a production server is indeed a critical security issue. It can expose crucial information such as database credentials, which could be exploited by attackers to compromise the website or steal data.

[Image: sample contents of a leaked wp-config.txt]

Requesting wp-config with different extensions is a common technique attackers use to find leftover copies of the file. Although access to sensitive files like this is normally forbidden, leaving such copies behind is still a common developer oversight.

For example :

/wp-config.md

/wp-config.zip

/wp-config.txt

/wp-config.php.bak

/wp-config.php_orig

/wp-config.bak

An automated scan for these can also be done using WPScan and other automation tools.
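A defender-side check for the same problem, as an added example that is not code from the original post: walk the document root and report every file named like wp-config that is not the live wp-config.php, which is exactly what the extension variants listed above look like on disk. The tree it scans here is a constructed temporary directory, not a real site.

```python
import os
import re
import tempfile
from pathlib import Path

# Anything named wp-config.* other than the live wp-config.php (wp-config.php.bak,
# wp-config.txt, wp-config.zip, editor swap files) is typically served as a static
# file instead of being executed, so the credentials inside become readable.
LEAK_PATTERN = re.compile(r"^\.?wp-config(?!\.php$)", re.IGNORECASE)

def find_config_leaks(webroot):
    """Return sorted relative paths of every stray wp-config copy under webroot."""
    leaks = []
    for root, _dirs, files in os.walk(webroot):
        for name in files:
            if LEAK_PATTERN.match(name):
                leaks.append(os.path.relpath(os.path.join(root, name), webroot))
    return sorted(leaks)

def build_sample_webroot():
    """Constructed sample tree (not a real site) with a few typical leftovers."""
    root = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    for rel in ["wp-config.php", "index.php", "wp-config.php.bak", "wp-config.txt",
                "backup/wp-config.zip", ".wp-config.php.swp"]:
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("<?php // placeholder only, no real credentials\n")
    return str(root)

if __name__ == "__main__":
    for leak in find_config_leaks(build_sample_webroot()):
        print("possible config leak:", leak)
```

The same rule belongs on the web server as well: deny requests whose path matches wp-config but not the live wp-config.php, so a forgotten copy is not served even if the filesystem check is never run.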


Vulnerability 2 : Severity Medium : Admin username enumeration via REST API

The WordPress REST API poses a security risk by disclosing user data associated with the authors of public posts. On its own this is classified as P4 under Bugcrowd’s Vulnerability Rating Taxonomy (VRT), Enumeration -> Usernames -> Non-Bruteforce, but the threat level can be raised to P1 or P2 when it is combined with the following steps:

[Image: usernames disclosed by the REST API]

  1. Open your target WordPress site in your Burp Suite-configured browser.
  2. Append /wp-login.php to the target website’s URL. This takes you to the WordPress login page.
  3. Enter any random credentials (e.g., admin:admin) and capture that request with Burp Suite’s proxy. Make sure you intercept the request before it is sent to the server.
  4. Once you’ve captured the request, send it to Intruder by right-clicking on the request and selecting “Send to Intruder.”
  5. In the Intruder tab, open the “Positions” sub-tab and select the parameter you want to brute-force. Here the log parameter carries the username.
  6. Clear all positions and mark the value of the pwd parameter as §admin§. This tells Intruder to replace the password with each payload during the brute-force attack.
  7. Switch to the “Payloads” tab and load your wordlist of candidate passwords.
  8. Once the wordlist is loaded, click “Start attack.” Burp Suite iterates through the wordlist, sending login requests with a different password for the specified username each time.
  9. Monitor the attack progress in the Intruder tab. When the correct password is found, Burp Suite captures the response, indicating a successful login attempt.

[Image: wp-login sample]

Vulnerability 3 : Severity low — high : Xmlrpc.php

XML-RPC, or XML Remote Procedure Call, is an API (application program interface) used on WordPress websites. It enables developers to interact with a WordPress site programmatically, allowing them to create mobile apps, desktop apps, and other services that communicate with the site.

The XML-RPC API provided by WordPress offers developers the ability to perform various tasks that would otherwise require manual interaction through the web interface.

These tasks include:

Publishing a post

Editing a post

Deleting a post

Uploading a new file (such as an image for a post)

Retrieving a list of comments

Editing comments

Brute-force attack

  1. This is what you originally see when you open xmlrpc.php, located at
    http://<targetWebSite.com>/<wordpress directory>/xmlrpc.php
  2. Open your proxy (I am using Burp) and resend the request, changing the GET request to a POST request.
  3. To list all the methods available over XML-RPC on a WordPress site, send a POST request with the following body:
<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>

Before proceeding with the attack, we need to verify the availability of the following methods:

wp.getUsersBlogs

wp.getCategories

metaWeblog.getUsersBlogs

There are a few more methods, but these are the most commonly available and the ones I have dealt with.

4. If any of these methods are available, we can proceed with the brute-force login attack using the following POST request structure:

<methodCall>
<methodName>wp.getUsersBlogs</methodName>
<params>
<param><value>admin</value></param>
<param><value>pass</value></param>
</params>
</methodCall>
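The credential guessing described in Vulnerability 2 and in the xmlrpc.php brute-force steps above is loud in the web server’s access log. The following is an added example, not code from the original post: a small analyser over constructed combined-log-format lines that flags REST user-enumeration probes and bursts of POSTs to wp-login.php or xmlrpc.php from one client (thresholds and IP addresses are assumed sample values).

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
CREDENTIAL_ENDPOINTS = {"/wp-login.php", "/xmlrpc.php"}        # receive passwords
ENUM_RE = re.compile(r"^/wp-json/wp/v2/users(?:[/?]|$)|^/\?author=\d+")  # list users

def parse_line(line):
    """Parse one combined-log-format line; None when it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def analyse(lines, burst=5, window_s=60):
    """Return (probes per client, {(client, endpoint): total} for bursty credential POSTs)."""
    enum_hits = Counter()
    posts = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if ENUM_RE.match(rec["path"]):
            enum_hits[rec["ip"]] += 1
        endpoint = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and endpoint in CREDENTIAL_ENDPOINTS:
            posts[(rec["ip"], endpoint)].append(rec["ts"])
    bursts = {}
    for key, stamps in posts.items():
        stamps.sort()
        for i in range(len(stamps) - burst + 1):   # sliding window over sorted times
            if (stamps[i + burst - 1] - stamps[i]).total_seconds() <= window_s:
                bursts[key] = len(stamps)
                break
    return enum_hits, bursts

def sample_log():
    """Constructed combined-format lines (TEST-NET addresses, not real traffic)."""
    fmt = '{ip} - - [11/May/2024:10:00:{s:02d} +0000] "{m} {p} HTTP/1.1" 200 512'
    rows = [("192.0.2.7", 1, "GET", "/"), ("203.0.113.5", 2, "GET", "/wp-json/wp/v2/users"),
            ("203.0.113.5", 3, "GET", "/?author=1")]
    rows += [("203.0.113.5", 10 + 5 * i, "POST", "/wp-login.php") for i in range(6)]
    rows += [("198.51.100.9", 20 + i, "POST", "/xmlrpc.php") for i in range(2)]
    return [fmt.format(ip=ip, s=s, m=m, p=p) for ip, s, m, p in rows]

if __name__ == "__main__":
    hits, bursts = analyse(sample_log())
    print("user-enumeration probes:", dict(hits))
    print("credential-guessing bursts:", bursts)
```

Note that a single POST to xmlrpc.php can carry many login attempts through system.multicall, so the per-request threshold for that endpoint should be far lower than for wp-login.php.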

xmlrpc.php can also be used for a higher-severity vulnerability, SSRF via the pingback feature:

  1. List all the methods and look for ‘pingback.ping’.
  2. If the pingback.ping method is available, we can trigger a pingback to our own server using Burp Suite Collaborator. Here’s how:
  3. Start Burp Suite and configure Burp Collaborator. Go to “Burp” > “Burp Collaborator Client” and ensure that the Collaborator client is running.
  4. In Burp Suite, intercept the POST request to the XML-RPC endpoint containing the pingback.ping method.
  5. Modify the request to include Burp Collaborator’s URL in the POST data:
<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param>
<value><string>http://YOUR_COLLABORATOR_URL/pingback:<port></string></value>
</param>
<param>
<value><string>http://SOME_VALID_BLOG_FROM_THE_SITE</string></value>
</param>
</params>
</methodCall>
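Where XML-RPC cannot simply be switched off, the pingback and credential-bearing calls shown above can be screened before WordPress acts on them. This is an added example, not code from the original post (SITE_HOST is an assumed hostname): it parses a methodCall body, blocks pingback.ping requests whose source URL points at loopback, private or link-local addresses, non-web ports or schemes, or whose target is not this site, and tags the password-taking methods for rate limiting.

```python
import ipaddress
import xml.etree.ElementTree as ET   # use defusedxml for untrusted input in production
from urllib.parse import urlsplit

SITE_HOST = "blog.example"   # assumed hostname of the site being protected
CREDENTIAL_METHODS = {       # take a username and password, so rate-limit them
    "wp.getUsersBlogs", "wp.getCategories", "metaWeblog.getUsersBlogs", "system.multicall"}

def parse_call(body):
    """Return (methodName, [scalar params as strings]) from a methodCall body."""
    root = ET.fromstring(body)
    if root.tag != "methodCall":
        raise ValueError("not an XML-RPC methodCall")
    method = root.findtext("methodName", default="").strip()
    params = ["".join(v.itertext()).strip() for v in root.iter("value")]
    return method, params

def unsafe_source(url):
    """True when a pingback sourceURI points somewhere the server must not fetch."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return True
    try:
        port = parts.port                       # ValueError on a malformed port
    except ValueError:
        return True
    if port not in (None, 80, 443) or parts.hostname == "localhost":
        return True                             # non-web port or loopback name
    try:
        return not ipaddress.ip_address(parts.hostname).is_global
    except ValueError:
        return False   # plain DNS name: re-check the resolved address before fetching

def classify(body):
    method, params = parse_call(body)
    if method == "pingback.ping":
        if len(params) < 2 or unsafe_source(params[0]):
            return "block: unsafe pingback source"
        if urlsplit(params[1]).hostname != SITE_HOST:
            return "block: pingback target is not this site"
        return "allow: pingback"
    if method in CREDENTIAL_METHODS:
        return "rate-limit: credential check via " + method
    return "allow: " + method

def pingback_body(source, target):   # constructed sample request, not captured traffic
    return ("<methodCall><methodName>pingback.ping</methodName><params>"
            f"<param><value><string>{source}</string></value></param>"
            f"<param><value><string>{target}</string></value></param>"
            "</params></methodCall>")
```

When the feature is not needed at all, WordPress itself provides the xmlrpc_enabled filter to disable the authenticated XML-RPC methods and the xmlrpc_methods filter to remove pingback.ping entirely.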

Using these vulnerabilities in WordPress, I was able to earn some bounties.

Also contact me / follow me on:

LinkedIn → https://www.linkedin.com/in/sriharan-mahendran/

Gmail → sriharanmahimala125@gmail.com
