Approaching a WordPress Site for Bugs :)

Gnana Aravind K
Jul 27, 2022

Hi Geeks, this is Aravind here with another blog which may help you find bugs on WordPress sites easily. I have also attached a few of my personal catches in this blog. Hope this helps you guys.

What is WordPress?

WordPress is an open-source content management system (CMS). It’s a popular tool for individuals without any coding experience who want to build websites and blogs. The software doesn’t cost anything. Anyone can install, use, and modify it for free. To know more about WordPress, refer to the article below.

Is hacking WordPress sites easy?

Yesss…. The thing is, WordPress has its own plugins and extensions, and many CVEs for them. But the major bugs in WordPress sites occur due to misconfiguration by the developers. There are a few best practices for making a WordPress site secure, but most people don't follow them effectively. Refer to the article below for a few reasons why WordPress sites get hacked.

My approach to WordPress sites

1. Data Exposure

If you are lucky enough, WordPress sites may give you good bounties for this kind of bug. To find these bugs, we should first enumerate the URLs of the site, and for that I use tools such as gau and waybackurls. Juicy info can be found in URLs that contain wp-includes, wp-content, wp-config, wp-json and a few more.

One of my recent bounties was from a WordPress site which was disclosing user data via the path (/wp-json/wp/v2/users/). This endpoint was exposing the admin usernames. Attackers can use this to bypass the wp-admin login by brute-forcing the password.

https://hackerone.com/reports/356047
https://hackerone.com/reports/540301
https://hackerone.com/reports/384782

2. xmlrpc.php Enabled

XML-RPC is a feature of WordPress that enables data to be transmitted, with HTTP acting as the transport mechanism and XML as the encoding mechanism. Since WordPress isn’t a self-enclosed system and occasionally needs to communicate with other systems, XML-RPC was meant to handle that job.

Many WordPress sites have their xmlrpc.php path enabled by mistake, and with the help of this a lot of attacks like DoS, data exposure and IDOR are possible. So when you take a WordPress site as a target, always check for this path. If it's enabled, you can access it by sending a POST request. Refer to the reports below for a good bounty.

https://hackerone.com/reports/752073
https://hackerone.com/reports/1147449
https://hackerone.com/reports/138869
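
Seen from the site owner's side, the checks in sections 1 and 2 leave traces in the web server's access log. The script below is an added example (not part of the original post) that flags them in combined-format logs; the sample log lines, the tag names and the repeat threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Jul/2022:10:00:01 +0000] "GET /wp-json/wp/v2/users/ HTTP/1.1" 200 512 "-" "curl/7.81.0"
203.0.113.7 - - [27/Jul/2022:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 420 "-" "curl/7.81.0"
203.0.113.7 - - [27/Jul/2022:10:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 420 "-" "curl/7.81.0"
198.51.100.9 - - [27/Jul/2022:10:01:00 +0000] "GET /wp-json/wp/v2/users/1 HTTP/1.1" 401 98 "-" "Mozilla/5.0"
198.51.100.9 - - [27/Jul/2022:10:01:02 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "Mozilla/5.0"
192.0.2.44 - - [27/Jul/2022:10:02:00 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
USERS_RE = re.compile(r'^/wp-json/wp/v2/users(/|\?|$)')
XMLRPC_RE = re.compile(r'^/xmlrpc\.php(\?|$)')


def audit(log_text, xmlrpc_threshold=2):
    """Return {ip: sorted list of tags} for the two endpoints named above."""
    findings = defaultdict(set)
    xmlrpc_posts = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, method, path, status = m["ip"], m["method"], m["path"], m["status"]
        if USERS_RE.match(path) and status == "200":
            # A 200 here means the REST API served a user listing to this client.
            findings[ip].add("rest-users-exposed")
        if XMLRPC_RE.match(path) and method == "POST" and status == "200":
            xmlrpc_posts[ip] += 1  # a GET only gets a 405, so count POSTs
    for ip, count in xmlrpc_posts.items():
        findings[ip].add("xmlrpc-enabled")
        if count >= xmlrpc_threshold:
            findings[ip].add("xmlrpc-repeated-posts")
    return {ip: sorted(tags) for ip, tags in findings.items()}


if __name__ == "__main__":
    for ip, tags in audit(SAMPLE_LOG).items():
        print(ip, ", ".join(tags))
```

Any "rest-users-exposed" or "xmlrpc-enabled" hit means the endpoint is answering unauthenticated clients, which is the misconfiguration to close regardless of who sent the request.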

3. Using WPScan

WPScan is an awesome tool that comes built into Kali Linux. It helps in enumerating details of a WordPress site. After scanning with it, we need to manually verify the output for some good bugs. General bugs like outdated versions, vulnerable plugins and sensitive data exposure can be found with this tool. I highly recommend it for scanning WordPress sites. To know more about the tool, visit its official site.

https://wpscan.com/wordpress-security-scanner

That's it guys, hope this blog helped you learn something. Thanks for reading, and see you in another awesome writeup or article.

Instagram: aravind_0x7

Twitter: gnana_aravind07

LinkedIn: gnana-aravind

Happy Hacking :)


Written by Gnana Aravind K

Hacktivist | OT-ICS-IoT Researcher | Bug Bounty Hunter | Robotics and Automation Engineer
