WordPress
WordPress Common Misconfigurations
Here I will try my best to mention all the common security misconfigurations for WordPress that I have seen before or that are officially referenced. I will attach all PoCs and references as well.
Index
WordPress Detection
General Scan Tool
xmlrpc.php
Directory listing
CVE-2018-6389
CVE-2021-24364
WP Cron Job DoS
WP User Enumeration
WordPress Detection
Well, if you are reading this, you already know about technology detection tools and methods. Still, I am adding them below.
Wappalyzer
WhatRuns
BuildWith
General Scan Tool
WPScan
xmlrpc.php
This is one of the most common issues on WordPress. To get some bucks with this misconfiguration you must exploit it fully and show the impact properly as well.
Detection
Visit site.com/xmlrpc.php
You get an error message saying that only POST requests are accepted
Exploit
Intercept the request and change the method from GET to POST
List all methods
Check whether the pingback.ping method is there or not
Perform DDoS
Perform SSRF (internal port scan only)
Tool to automate: XMLRPC-Scan.
References
Directory listing
Sometimes developers forget to disable directory listing on /wp-content/uploads, so this is a common issue on WordPress sites.
Detection
/wp-content/uploads
Pro tip
Add this path to your fuzzing wordlist
References
H1 Report
CVE-2018-6389
This issue can take down any WordPress site under 4.9.3, so while reporting make sure that your target website is running WordPress under 4.9.3.
Detection
Use the URL from my gist called loadsxploit; you will get a massive amount of JS data in the response.
Exploit
You can use any DoS tool. I found Doser really fast, and it shut down the web server within 30 seconds.
References
CVE-2021-24364
The Jannah WordPress theme before 5.4.4 did not properly sanitize the options JSON parameter in its tie_get_user_weather AJAX action before outputting it back in the page, leading to a Reflected Cross-Site Scripting (XSS) vulnerability.
Detection and Exploit
Replace <Your_WP-Site-here> with your WP site:
<Your_WP-Site-here>/wp-admin/admin-ajax.php?action=tie_get_user_weather&options=%7B%27location%27%3A%27Cairo%27%2C%27units%27%3A%27C%27%2C%27forecast_days%27%3A%275%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3Ecustom_name%27%3A%27Cairo%27%2C%27animated%27%3A%27true%27%7D
Wait for the pop-up!
Reference
WP Cron Job DoS
This is another area where you can perform a DoS attack.
Detection
Visit site.com/wp-cron.php
You will see a blank page with a 200 HTTP status code
Exploit
You can use the same tool, Doser, for exploiting this
Reference
WP User Enumeration
This issue will only be accepted when the target website is hiding its current users or they are not publicly available, since an attacker can use that user data for brute-forcing and other stuff.
Detection
Visit site.com/wp-json/wp/v2/users/
You will see JSON data with user info in the response
Exploit
If both xmlrpc.php and this user enumeration are present, you can chain them by collecting usernames from wp-json and performing brute force on them via xmlrpc.php. It will surely show some extra effort and increase the impact as well.
Reference
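For site owners, the fixes for the xmlrpc.php, wp-cron.php and wp-json user enumeration findings above can be applied in one must-use plugin. This is an added example written for this page, not code from the author's repository; it assumes the file is dropped into wp-content/mu-plugins/ and uses only core WordPress filter hooks.

```php
<?php
/**
 * Plugin Name: Harden XML-RPC, REST user listing and cron
 * Added example for this page (assumed path: wp-content/mu-plugins/harden.php).
 */

// xmlrpc.php: keep the endpoint (some mobile apps and Jetpack need it) but
// remove the pingback methods that the DDoS and internal port scan abuse rely on.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Reject every XML-RPC call that requires a login, which closes the
// wp-json -> xmlrpc.php brute-force chain described above.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Stop advertising the pingback endpoint in the X-Pingback response header.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// /wp-json/wp/v2/users: only logged-in users may list or look up accounts.
// Anonymous requests now get a 404 for the route instead of a JSON user list.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( ! is_user_logged_in() ) {
        unset( $endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
} );

// wp-cron.php cannot be fixed from a plugin. Put this in wp-config.php:
//     define( 'DISABLE_WP_CRON', true );
// and trigger it from a real system cron job instead, e.g. every 5 minutes:
//     */5 * * * * php /path/to/wp-cron.php
// Directory listing on /wp-content/uploads is a web-server setting
// (Apache: "Options -Indexes" in .htaccess; nginx: keep autoindex off).
```

Verify after deployment: an anonymous GET to /wp-json/wp/v2/users/ should return a 404 error object, and an XML-RPC system.listMethods call should no longer include pingback.ping.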
Researcher Note
Please do not depend on those issues at all. I saw people only looking for those issues and nothing else. Those are good to have a look at while testing for other vulnerabilities, and most of the time they work well for chaining with other low bugs.
Author
Name: Mehedi Hasan Remon
Handle: @remonsec
Last updated