WP pentesting - muhammeddardir/wordpress-pentesting GitHub Wiki
Important Paths
- /wp-content/uploads/2018/08/a.txt : where uploaded files are stored
- /wp-content/themes/twentytwelve/404.php : theme files can be found here
- /wp-json/wp/v2/pages : could leak IP addresses
- /wp-json/oembed/1.0/proxy?url=burpcollaborator : may be vulnerable to SSRF
Important Directories and Files
- wp-config.php : holds the database credentials, including the database user's password
- wp-content : the main directory where plugins and themes are stored
- wp-activate.php : handles the e-mail activation step when setting up a new WordPress site
- xmlrpc.php : feature that lets data be transmitted over HTTP (XML-RPC)
- license.txt : information such as the WordPress version
- /readme.html : also discloses the WordPress version
- wp-includes/ : core files such as certificates, fonts, JS files, and widgets are stored here
Login folders
- /wp-admin/login.php
- /wp-admin/wp-login.php
- /login.php
- /wp-login.php
Passive Enumeration
- Get WordPress version
  - check whether /license.txt or /readme.html is accessible
  - page source: the generator meta tag
  - CSS link files
  - JavaScript files
Active Enumeration
- Plugins and Themes
- Users
  - ID brute force: curl -s -I -X GET http://blog.example.com/?author=1 (a 200 or 30x response means the id is valid)
  - wp-json: /wp-json/wp/v2/users
  - user enumeration through the login form
  - WPScan automates this
- XML-RPC
  - If xmlrpc.php is active you can perform a credentials brute-force or use it to launch DoS attacks against other resources (wpxploit)
  - Attacks that can be performed through it:
    - listMethods
    - credentials brute force
    - bypass 2FA
    - port scanning
Common WordPress security issues & malpractices
- Outdated versions : <meta name="generator" content="WordPress 4.8.11" />
- Outdated themes and plugins : WPScan with a Vulnerability Database API key
- Old versions of PHP and web servers : curl -s -D - http://example.com/ -o /dev/null | grep -i "Server\|X-Powered-By"
- Missing rate limiting
- Web server misconfiguration
  - Directory listing : /wp-content/themes/twentyseventeen/assets
  - Backup files : http://www.example.com/wp-config.php.bak
  - Temporary files (vim backup extension) : wp-config.php.ext~ accessible in plain text
- Exposed MySQL : Shodan search product: MySql
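Added example, not part of this wiki: a small Python self-audit that applies the disclosure checks above (generator meta tag, readme.html, Server/X-Powered-By headers, the ?author= status rule, and the REST users listing) to captured responses from a site you administer. The sample responses are constructed inline, so it runs offline.

```python
import json
import re
from typing import Dict, List, Optional

# Constructed sample responses (not captured from any real host) standing in for
# what the checks above would fetch from a site you administer.
SAMPLE_HOME = '<head><meta name="generator" content="WordPress 4.8.11" /></head>'
SAMPLE_README = '<h1 id="logo"><br /> Version 4.8.11</h1>'
SAMPLE_HEADERS = {"Server": "Apache/2.4.29 (Ubuntu)", "X-Powered-By": "PHP/7.2.24"}
SAMPLE_USERS = '[{"id": 1, "name": "Site Admin", "slug": "admin"}]'
GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)', re.I)
README_RE = re.compile(r"Version\s+([\d.]+)", re.I)

def disclosed_version(html: str, pattern=GENERATOR_RE) -> Optional[str]:
    """Version string leaked by the given page, or None if it is not disclosed."""
    m = pattern.search(html)
    return m.group(1) if m else None

def author_id_valid(status: int) -> bool:
    """The rule above for ?author=N: a 200 or 30x answer means the id exists."""
    return status == 200 or 300 <= status < 400

def users_listed(rest_body: str) -> List[str]:
    """Login slugs exposed by /wp-json/wp/v2/users; empty if the listing is blocked."""
    try:
        data = json.loads(rest_body)
    except ValueError:
        return []
    if not isinstance(data, list):  # an error object, not a user list
        return []
    return [u["slug"] for u in data if isinstance(u, dict) and u.get("slug")]

def header_disclosures(headers: Dict[str, str]) -> List[str]:
    """Server / X-Powered-By values that carry a version number."""
    return [f"{k}: {v}" for k, v in headers.items()
            if k.lower() in ("server", "x-powered-by") and re.search(r"\d+\.\d+", v)]

def audit(home: str, readme: str, headers: Dict[str, str],
          author_status: int, users_body: str) -> List[str]:
    """Collect the exposures the checklist above looks for into one finding list."""
    findings = [f"{src} discloses WordPress {ver}" for src, ver in
                (("generator meta", disclosed_version(home)),
                 ("readme.html", disclosed_version(readme, README_RE))) if ver]
    findings += [f"header discloses {h}" for h in header_disclosures(headers)]
    if author_id_valid(author_status):
        findings.append("?author=1 confirms a valid user id")
    slugs = users_listed(users_body)
    if slugs:
        findings.append("REST users endpoint lists: " + ", ".join(slugs))
    return findings
```

Each finding maps to a fix on the list above: remove the generator tag and readme.html, strip version strings from server headers, and close author redirects and the REST users listing for unauthenticated requests.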
Automatic Tools
Pentesting Report
WordPress Security
Resources