caon.io

WordPress

Pro tip: to maximize results, configure an API key in wpscan.

Code Analysis

WordPress exposes several public interfaces (Ajax actions, shortcodes, REST routes) that frequently appear in exploitation scenarios.

Considerations:

When doing dynamic testing for XSS, the following setting in wp-config.php may reduce false positives, as it prevents administrator and editor users from embedding unfiltered JavaScript/HTML in content:

define( 'DISALLOW_UNFILTERED_HTML', true );

Ajax Actions:

Ajax actions can be called directly by interacting with the /wp-admin/admin-ajax.php endpoint. The actions are registered in the code as follows:

add_action( 'wp_ajax_fcn_name', 'callback_function' );
add_action( 'wp_ajax_nopriv_fcn_name', 'callback_function' );

All actions carry the prefix wp_ajax_, so the action name to send in the request is fcn_name. Actions registered with the nopriv variant are reachable by unauthenticated users; actions without it can only be called by logged-in users.

Example:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: HOST
Content-Length: 15
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

action=fcn_name

Within WordPress, actions are triggered with do_action().

Shortcodes

Shortcodes are defined using

add_shortcode( 'shortcode_name', 'callback_func' );

where shortcode_name is the tag to use when writing a post.

Usage:

[shortcode_name param_one="value" param_two="value"]

Rest Routes

Usually registered with:

register_rest_route()

Routes can be retrieved by calling

rest_get_server()->get_routes()

Default WordPress REST Routes

wp-json/wp/v2/users/
wp-json/wp/v2/comments/
wp-json/wp/v2/pages
index.php?rest_route=<custom_rest_route>

Ajax action that returns a nonce for REST requests:

POST wp-admin/admin-ajax.php?action=rest-nonce

Dangerous Wordpress Functions

Below are some WordPress functions whose behaviour is commonly misunderstood; misusing them often leads to vulnerabilities:

is_admin() and is_user_admin()

The is_admin() function does not check whether the user is an administrator; it checks whether the current request is for an administrative page. Treating it as an authorization check is a common mistake.

is_admin(), is_user_admin()

Determines whether the current request is for an administrative interface page.

https://developer.wordpress.org/reference/functions/is_admin/

REST Validation

REST authorization is handled by permission_callback. If a REST endpoint uses __return_true there, there is no auth validation (at least where one was supposed to be).
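As an added example (not from the original page), a small Python audit helper that applies the checks above to plugin source: it lists wp_ajax_ and wp_ajax_nopriv_ actions together with the checks found in their callbacks, flags is_admin() used in place of a capability check, and reports REST routes whose permission_callback is __return_true. The plugin source it scans is a constructed sample; the hook, option and function names in it are made up.

```python
import re

# Constructed plugin source used only as sample input; not from any real plugin.
SAMPLE_PLUGIN = r"""<?php
add_action( 'wp_ajax_nopriv_export_data', 'export_data_cb' );
add_action( 'wp_ajax_save_settings', 'save_settings_cb' );
function export_data_cb() {
    if ( ! is_admin() ) { wp_die(); }  // request context, not an authorization check
    echo wp_json_encode( get_option( 'acme_secret' ) );
}
function save_settings_cb() {
    check_ajax_referer( 'acme_settings' );
    if ( ! current_user_can( 'manage_options' ) ) { wp_die(); }
}
register_rest_route( 'acme/v1', '/reset', array(
    'methods'             => 'POST',
    'callback'            => 'acme_reset',
    'permission_callback' => '__return_true',
) );
"""

AJAX_RE = re.compile(r"add_action\(\s*['\"]wp_ajax_(nopriv_)?(\w+)['\"]\s*,\s*['\"](\w+)['\"]")
REST_RE = re.compile(r"register_rest_route\(\s*['\"]([^'\"]+)['\"]\s*,\s*['\"]([^'\"]+)['\"](.*?)\)\s*;", re.S)

def function_body(src, name):
    """Return the brace-balanced body of a named PHP function ('' if not found)."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def audit(src):
    """List every reachable entry point with the authorization checks found in its handler."""
    findings = []
    for nopriv, action, cb in AJAX_RE.findall(src):
        body = function_body(src, cb)
        checks = [c for c in ("check_ajax_referer", "current_user_can") if c + "(" in body]
        if "is_admin(" in body and "current_user_can(" not in body:
            checks.append("is_admin-only")  # is_admin() tests the request context, not the user's rights
        findings.append({"type": "ajax", "name": action, "unauth": bool(nopriv), "checks": checks})
    for ns, route, args in REST_RE.findall(src):
        perm = re.search(r"permission_callback['\"]\s*=>\s*['\"]([^'\"]+)", args)
        cb = perm.group(1) if perm else "(missing)"
        findings.append({"type": "rest", "name": ns + route, "unauth": cb in ("__return_true", "(missing)"), "checks": [cb]})
    return findings
```

Running audit(SAMPLE_PLUGIN) yields one unauthenticated Ajax action guarded only by is_admin(), one properly guarded Ajax action, and one REST route with no permission check; each finding is a starting point for manual review of the callback, not a confirmed vulnerability.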

WordPress CVE boilerplates for reporting

Get some examples here