Definition

WordPress is currently the most popular CMS, written in PHP. WPScan is an automated black-box scanner for WordPress sites: it fingerprints the core version, themes and plugins, checks for exposed files and settings, and retrieves useful data such as usernames and exposed endpoints. It is straightforward to run, but you need some background to interpret the output correctly, and it only reports known vulnerabilities for what it finds when you supply a WPScan API token.

Usage

WPScan offers several modes, from passive scanning to enumeration and password attacks. The most useful invocations are listed below.

Most simple usage
wpscan --url https://www.example.com
User enumeration
wpscan --url https://www.example.com --enumerate u
Bruteforcing login (a password attack against the usernames in the file, using the given wordlist)
wpscan --url https://www.example.com --usernames usernames.txt --passwords passwords.txt

Output

Example output (this scan was run without an API token, so no vulnerability data is listed, and it was interrupted with Ctrl-C before all checks completed)
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.20
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: https://www.example.com/ [127.0.0.1]
[+] Started: Tue Dec 21 19:50:47 2021

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache
 |  - X-UA-Compatible: IE=edge
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] robots.txt found: https://www.example.com/robots.txt
 | Interesting Entries:
 |  - /wp-admin/
 |  - /wp-admin/admin-ajax.php
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] WordPress readme found: https://www.example.com/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] This site has 'Must Use Plugins': https://www.example.com/wp-content/mu-plugins/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 80%
 | Reference: http://codex.wordpress.org/Must_Use_Plugins

[+] Registration is enabled: https://www.example.com/wp-login.php?action=register
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: https://www.example.com/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.8.2 identified (Latest, released on 2021-11-10).
 | Found By: Style Etag (Aggressive Detection)
 |  - https://www.example.com/wp-admin/load-styles.php, Match: '5.8.2'
 | Confirmed By: Query Parameter In Install Page (Aggressive Detection)
 |  - https://www.example.com/wp-includes/css/dashicons.min.css?ver=5.8.2
 |  - https://www.example.com/wp-includes/css/buttons.min.css?ver=5.8.2
 |  - https://www.example.com/wp-admin/css/forms.min.css?ver=5.8.2
 |  - https://www.example.com/wp-admin/css/l10n.min.css?ver=5.8.2
 |  - https://www.example.com/wp-admin/css/install.min.css?ver=5.8.2

^C[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Tue Dec 21 19:51:02 2021
[+] Requests Done: 41
[+] Cached Requests: 7
[+] Data Sent: 11.241 KB
[+] Data Received: 764.284 KB
[+] Memory used: 178.977 MB
[+] Elapsed time: 00:00:14