Enumerating WordPress with WPScan

Sharing is caring

Views: 61

  • The version of WordPress installed and any associated vulnerabilities
  • What plugins are installed and any associated vulnerabilities
  • What themes are installed and any associated vulnerabilities
  • Username enumeration
  • Users with weak passwords via password brute forcing
  • Backed up and publicly accessible wp-config.php files
  • Database dumps that may be publicly accessible
  • If error logs are exposed by plugins
  • Media file enumeration
  • Vulnerable Timthumb files
  • If the WordPress readme file is present
  • If WP-Cron is enabled
  • If user registration is enabled
  • Full Path Disclose
  • Upload directory listing and much more…

Update the local database of WPScan

The local database can be updated with the following command:

wpscan --update

Enumeration Modes

When enumerating the WordPress version, installed plugins or installed themes, you can use three different “modes”, which are:

  • passive
  • aggressive
  • mixed

The following enumeration options exist:

  • vp (Vulnerable plugins)
  • ap (All plugins)
  • p (Popular plugins)
  • vt (Vulnerable themes)
  • at (All themes)
  • t (Popular themes)
  • tt (Timthumbs)
  • cb (Config backups)
  • dbe (Db exports)
  • u (User IDs range. e.g: u1-5)
  • m (Media IDs range. e.g m1-15)

If no option is supplied to the -e flag, then the default will be: vp,vt,tt,cb,dbe,u,m

Cheat Sheet

Enumerate all plugins with known vulnerabilities

wpscan --url example.com -e vp

Password brute force attack

wpscan --url example.com -e u --passwords /path/to/password_file.txt