WordPress Hacking


Default WordPress Structure

tree -L 1 /var/www/html
├── index.php
├── license.txt
├── readme.html
├── wp-activate.php
├── wp-admin
├── wp-blog-header.php
├── wp-comments-post.php
├── wp-config.php
├── wp-config-sample.php
├── wp-content
├── wp-cron.php
├── wp-includes
├── wp-links-opml.php
├── wp-load.php
├── wp-login.php
├── wp-mail.php
├── wp-settings.php
├── wp-signup.php
├── wp-trackback.php
└── xmlrpc.php
  • index.php : the homepage
  • wp-activate.php : handles email and website activation
  • wp-admin : folder containing the backend/dashboard pages
  • xmlrpc.php : the XML-RPC API (expected to be deprecated in favour of the newer REST API)
  • wp-config.php : holds the database name and credentials plus other WordPress configuration

WordPress User Roles

Role           Description
Administrator  This user has access to administrative features within the website. This includes adding and deleting users and posts, as well as editing source code.
Editor         An editor can publish and manage posts, including the posts of other users.
Author         Authors can publish and manage their own posts.
Contributor    These users can write and manage their own posts but cannot publish them.
Subscriber     These are normal users who can browse posts and edit their profiles.

source: HTB Academy


Core Version Enumeration

In the page source, inside the HTML head:

<meta name="generator" content="WordPress 5.3.3" />

or from the shell:

curl -s -X GET https://<wordpress-page> | grep '<meta name="generator"'

Sometimes the version appears as the ?ver= query string on linked CSS files:

<link rel='stylesheet' id='bootstrap-css'  href='<url>/wp-content/themes/ben_theme/css/bootstrap.css?ver=5.3.3' type='text/css' media='all' />
<link rel='stylesheet' id='transportex-style-css'  href='<url>/wp-content/themes/ben_theme/style.css?ver=5.3.3' type='text/css' media='all' />
<link rel='stylesheet' id='transportex_color-css'  href='<url>/wp-content/themes/ben_theme/css/colors/default.css?ver=5.3.3' type='text/css' media='all' />
<link rel='stylesheet' id='smartmenus-css'  href='<url>/wp-content/themes/ben_theme/css/jquery.smartmenus.bootstrap.css?ver=5.3.3' type='text/css' media='all' />

It may also appear the same way on the JavaScript files linked from the index page/homepage.

Plugins and Themes Enumeration

Plugins referenced from the homepage:

curl -s -X GET <url> | sed 's/href=/\n/g' | sed 's/src=/\n/g' | grep 'wp-content/plugins/' | cut -d"'" -f2

Themes referenced from the homepage:

curl -s -X GET <url> | sed 's/href=/\n/g' | sed 's/src=/\n/g' | grep 'wp-content/themes/' | cut -d"'" -f2

Note: cut -d"'" assumes single-quoted attribute values; if the page uses double quotes, use cut -d'"' -f2 instead.


Tools like ffuf and/or WPScan can help here; you could also fuzz the wp-content/plugins/ directory for plugins that are not referenced from the homepage.
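The grep/cut pipelines above depend on quoting style and only cover one attribute at a time. The following is an added example (not from the original notes) that does the same fingerprinting of version and plugin/theme exposure on a saved page source, so a site owner can see what the homepage discloses before deciding whether to strip the generator tag and ?ver= strings. SAMPLE_HTML, the example.test host and the plugin versions are constructed.

```python
"""Report what a WordPress page's HTML discloses: the core version (generator
meta tag and ?ver= query strings) and the plugin/theme slugs referenced from
wp-content paths. Added example; not part of the original notes."""
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample page source, modelled on the snippets in the notes.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 5.3.3" />
<link rel='stylesheet' id='bootstrap-css' href='https://example.test/wp-content/themes/ben_theme/css/bootstrap.css?ver=5.3.3' type='text/css' media='all' />
<script src="https://example.test/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=5.1.7"></script>
<link rel="stylesheet" href="/wp-content/plugins/woocommerce/assets/css/woocommerce.css?ver=3.9.2" />
</head><body></body></html>"""

GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s*([\d.]+)', re.I)
# Attribute values in either quoting style, so double-quoted tags are not missed.
ATTR_RE = re.compile(r'(?:href|src)=["\']([^"\']+)["\']', re.I)
WP_CONTENT_RE = re.compile(r'/wp-content/(plugins|themes)/([^/?"\']+)')


def core_version(html):
    """Version from the generator meta tag, or None if the tag is not emitted."""
    m = GENERATOR_RE.search(html)
    return m.group(1) if m else None


def asset_versions(html):
    """Map each linked asset path to its ?ver= value (None when absent).
    On core assets this is usually the WordPress version; on a plugin's own
    assets it is often that plugin's version."""
    out = {}
    for url in ATTR_RE.findall(html):
        parsed = urlparse(url)
        out[parsed.path] = parse_qs(parsed.query).get("ver", [None])[0]
    return out


def wp_components(html):
    """Plugin and theme slugs referenced via wp-content paths, sorted."""
    found = {"plugins": set(), "themes": set()}
    for kind, slug in WP_CONTENT_RE.findall(html):
        found[kind].add(slug)
    return {kind: sorted(slugs) for kind, slugs in found.items()}


if __name__ == "__main__":
    print("core version:", core_version(SAMPLE_HTML))
    print("components:", wp_components(SAMPLE_HTML))
    for path, ver in asset_versions(SAMPLE_HTML).items():
        print(f"{path}  ver={ver}")
```

To check a live site you own, save the page source (e.g. curl -s <url> > home.html) and pass its contents to these functions.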