WordPress
aka wp, wp-admin
The most common PHP CMS. wp-config.php holds DB creds, xmlrpc enables amplified brute force, and an admin login plus a writable theme/plugin is reliable PHP RCE.
Ports
| Port | Proto | Notes |
|---|---|---|
| 80 | tcp | HTTP |
| 443 | tcp | HTTPS |
Fingerprint
- /wp-login.php, /wp-admin, wp-content paths
- meta generator WordPress and the readme.html version
Key files
| Path | Holds | Sensitive |
|---|---|---|
| wp-config.php | DB credentials and auth salts | sensitive |
| wp-content/uploads/ | writable upload area | |
| .htaccess | rewrite and access rules | |
Default / weak creds
admin account with a weak or reused password
Known CVEs
| CVE | Impact |
|---|---|
| plugin/theme CVEs | the vast majority of WordPress RCE/LFI/SQLi lives in third-party plugins |
Exploitation primitives
- wpscan enumerates users, themes and vulnerable plugins
- xmlrpc.php system.multicall amplifies password brute force
- Admin -> Appearance/Plugin editor: edit a PHP file for RCE; or upload a malicious plugin
- wp-config.php DB creds are frequently reused for SSH/su
Overview
WordPress is everywhere, and almost all of its real-world compromise comes from weak admin creds or vulnerable plugins rather than core. Once you are admin, the built-in editor is a PHP shell.
Enumeration
Enumerate users, vulnerable themes and plugins:
wpscan --url http://<TARGET>/ -e u,vp,vt --api-token <token>
Brute force the login via xmlrpc:
wpscan --url http://<TARGET>/ -U admin -P rockyou.txt
Admin to RCE
Appearance to Theme File Editor, drop system($_GET['c']) into 404.php, then browse it. Or upload a zipped malicious plugin.
Hardening
Strong admin passwords with 2FA, disable the theme and plugin file editors (DISALLOW_FILE_EDIT), block xmlrpc, and keep plugins updated.
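As an added defender-side example (not part of the original page), the Python below runs over constructed Apache-style access log lines and flags the two paths the page describes: bursts of POSTs to xmlrpc.php from one source, and successful POSTs to the admin file-editing endpoints. The threshold and endpoint list are assumptions to tune per site.

```python
import re
from collections import Counter

# Combined log format (Apache/nginx); adjust the regex if your server differs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Legitimate xmlrpc.php clients (Jetpack, mobile apps) post rarely, and one
# system.multicall request can carry hundreds of login attempts, so a low
# per-IP POST threshold is appropriate. Tune for your site.
XMLRPC_POST_THRESHOLD = 5
# Admin endpoints that write PHP to disk: classic editor saves and the plugin
# upload handler. With DISALLOW_FILE_EDIT set, a successful POST here should
# never happen. Caveat: current WordPress saves editor changes via admin-ajax.php
# with the action in the POST body, which access logs do not record.
FILE_WRITE_PATHS = {"/wp-admin/theme-editor.php", "/wp-admin/plugin-editor.php",
                    "/wp-admin/update.php"}

def parse(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect(lines):
    """Return (xmlrpc_offenders, file_write_events) for an iterable of log lines."""
    xmlrpc_posts, file_writes = Counter(), []
    for line in lines:
        rec = parse(line)
        if rec is None or rec["method"] != "POST":
            continue
        path = rec["path"].partition("?")[0]          # drop the query string
        if path.endswith("/xmlrpc.php"):
            xmlrpc_posts[rec["ip"]] += 1
        elif path in FILE_WRITE_PATHS and rec["status"] in ("200", "302"):
            file_writes.append((rec["ip"], path))
    offenders = {ip: n for ip, n in xmlrpc_posts.items() if n >= XMLRPC_POST_THRESHOLD}
    return offenders, file_writes

# Constructed sample traffic using RFC 5737 test addresses, not a real capture.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Oct/2023:13:55:{36 + i} +0000] "POST /xmlrpc.php HTTP/1.1" 200 1893 "-" "Mozilla/5.0"'
    for i in range(6)
] + [
    '198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Jetpack"',
    '203.0.113.7 - - [10/Oct/2023:14:02:10 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2023:14:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"',
    "not a log line",
]
```

Feed it your real access log with `detect(open("access.log"))` and alert on any non-empty result.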