Metasploit WordPress
Metasploit tests WordPress security by exploiting known weaknesses; WordPress itself is a versatile, user-friendly CMS used for a wide range of customizable websites.
Metasploit provides modules that target known WordPress weaknesses, such as outdated plugins or misconfigurations, helping security teams assess a site's security. Using Metasploit, teams can simulate real-world attacks on WordPress installations and identify flaws that could be exploited by hackers. This proactive testing helps strengthen WordPress site defenses against potential cyber threats.
This blog explores Metasploit modules for testing vulnerabilities in WordPress: why they are needed, the relevant commands, and what each step does.
What is WordPress?
WordPress is a popular open-source content management system (CMS) that allows users to easily create and manage websites without needing extensive coding knowledge. It offers a wide range of themes and plugins, enabling customization and functionality for various types of sites.
Originally designed for blogging, WordPress now powers diverse websites, from e-commerce to portfolios. Users can manage content, media, and design through an intuitive dashboard. WordPress's flexibility and large community support make it a top choice for website creation.
Why Use Metasploit for WordPress Testing?
Metasploit is an essential tool for WordPress security testing, offering several advantages that significantly improve the efficiency of vulnerability assessments and penetration testing.
Comprehensive Vulnerability Detection
With Metasploit, WordPress testing becomes more thorough, ensuring robust vulnerability detection across plugins, themes, and core files. It helps uncover common security flaws such as SQL injection, cross-site scripting (XSS), and remote code execution (RCE). By identifying these issues early, Metasploit enables more effective remediation, reducing the risk of future attacks.
Automated Exploitation and Post-Exploitation Capabilities
Metasploit streamlines the exploitation process by automating the testing of WordPress vulnerabilities, making it easier to assess different attack vectors. The tool's post-exploitation modules further enhance security testing by evaluating the impact of successful exploits, such as accessing sensitive data or escalating privileges within the system.
Remote Code Execution (RCE) in Themes
Metasploit effectively detects Remote Code Execution (RCE) vulnerabilities within WordPress themes. These vulnerabilities allow attackers to run malicious code on the server, potentially compromising the entire site. Security teams must detect and remediate RCE vulnerabilities early to maintain server security and prevent complete site takeovers.
Directory Traversal in File Upload Functionalities
The tool also excels at identifying directory traversal vulnerabilities in WordPress file upload functions. These flaws can grant attackers unauthorized access to critical files or directories on the server. By detecting and resolving these vulnerabilities, Metasploit ensures safer file management practices and stronger overall security for WordPress sites.
Common WordPress Vulnerabilities
WordPress sites are susceptible to various vulnerabilities that can compromise their security and functionality. These vulnerabilities include:
Outdated WordPress Core
Running an outdated version of WordPress often leaves the site exposed to known vulnerabilities. Hackers actively target older versions with exploits that have been publicly documented. By keeping WordPress updated, security teams ensure that security patches are applied and the site remains protected against the latest threats.
Insecure Plugins and Themes
WordPress plugins and themes are a common entry point for attackers due to poor coding practices or outdated versions. Hackers exploit vulnerabilities in these extensions to gain unauthorized access or execute malicious code. Regularly updating plugins and choosing reputable ones help minimize this risk and safeguard the site.
Weak Passwords
Weak or default passwords allow attackers to brute force their way into WordPress accounts. By guessing simple or reused passwords, they can compromise administrative accounts and take control of the site. Enforcing strong password policies and using multi-factor authentication (MFA) helps prevent unauthorized access.
Improper File Permissions
Incorrect file permissions on a WordPress server can give attackers access to sensitive files. This could lead to the modification of critical files or the upload of malicious content. Ensuring that file permissions are correctly set, such as restricting write access, significantly improves site security.
Vulnerable REST API Endpoints
WordPress's REST API can be a powerful tool, but improperly secured endpoints may allow attackers to manipulate or access site content. Vulnerabilities in API permissions can expose sensitive data or lead to unauthorized changes. Regularly auditing and securing API endpoints help prevent such exploits.
Using Metasploit Modules for WordPress
Metasploit includes several modules designed to exploit WordPress vulnerabilities. These modules target common weaknesses in themes, plugins, and the core WordPress system, allowing security teams to simulate attacks and assess the security of the WordPress installation.
Searching for WordPress-Related Modules
To find WordPress-related modules in Metasploit, use the search functionality within the Metasploit console:
This command will display a list of available modules that target WordPress vulnerabilities, providing teams with the tools needed to conduct thorough security assessments.
Metasploit Modules for WordPress
Here are the Metasploit modules specifically designed for WordPress and the commands used to interact with them:
WordPress XMLRPC GHOST Vulnerability Scanner
The GHOST vulnerability, identified as CVE-2015-0235, is a critical flaw in the GNU C Library (glibc) that affects many Linux-based systems, including those running WordPress. It allows remote attackers to execute arbitrary code via the gethostbyname function, which is used in network-related operations. Attackers who exploit this vulnerability can gain control over the server, potentially causing severe damage.
Load the GHOST Vulnerability Scanner Module
This module helps detect whether a WordPress site is vulnerable to the GHOST vulnerability via its XMLRPC interface. By scanning for this flaw, security teams can determine whether the vulnerability exists before attackers exploit it.
Loads the GHOST vulnerability scanner module.
Display Available Actions
Displays available actions that can be taken within the module.
Set the Desired Action for the Scan
Sets the desired action for the scan.
Show Configurable Scan Options
Lists the available options for customizing the scan.
Execute the Vulnerability Scan
Executes the vulnerability scan on the target.
WordPress Content Injection Vulnerability
Attackers exploit the WordPress Content Injection vulnerability to modify posts or create new content without proper authentication, potentially compromising the integrity of a WordPress site.
Load the WordPress Content Injection Exploit Module
This command loads the WordPress content injection exploit module in Metasploit. It prepares the framework to use the specific vulnerability targeting WordPress sites with the REST API flaw in versions 4.7.0 and 4.7.1. Loading the module is essential to start configuring the exploit for the attack.
Set the Target’s IP Address
This command sets the target's IP address, defining where the exploit will be directed. By specifying the correct IP, the exploit module knows which WordPress server to attack, making this step critical for executing the vulnerability against the right system.
Define the WordPress Installation Path
This command defines the path to the WordPress installation on the target server. It ensures that Metasploit knows the exact location of the WordPress directory, allowing it to properly craft requests and exploit the vulnerability through the correct REST API endpoint.
Run the Exploit
The run command initiates the exploit against the specified WordPress target. It uses the previously configured parameters to inject content into the vulnerable site. If successful, the exploit allows the attacker to modify posts or pages, potentially inserting malicious content without needing authentication.
WordPress Plugin File Upload Vulnerability
The wp_plugin_ninja_forms_file_upload module exploits an arbitrary file upload vulnerability in the Ninja Forms WordPress plugin. Attackers can upload malicious files, such as a web shell, to the server without proper authentication. The attacker then executes arbitrary code, gaining unauthorized access to the system.
Load the WordPress Plugin File Upload Vulnerability
This command loads the exploit module targeting the file upload vulnerability in the Ninja Forms WordPress plugin. Loading this module prepares Metasploit to exploit the vulnerability and upload malicious files to the server.
Set the Target’s IP Address
This command sets the target machine's IP address where the Ninja Forms plugin is installed. It ensures that the exploit is directed at the correct server.
Define the WordPress Installation Path
This command defines the URI path of the WordPress installation on the target server. It is necessary to direct the exploit to the exact location where the vulnerability exists in the WordPress plugin.
Set the Payload for Reverse TCP Meterpreter
This command specifies the payload that will be delivered once the exploit succeeds. The chosen payload is a PHP Meterpreter reverse TCP shell, which allows the attacker to gain control of the target server once the payload is executed.
Set the Attacker's IP Address (LHOST)
This command sets the attacker's IP address to establish a reverse connection. It tells the server where to connect back once the payload is uploaded and executed.
Set the Listening Port (LPORT)
This command defines the listening port on the attacker's machine for the reverse connection. It allows the reverse shell to connect back to the specified port for remote control of the target.
Run the Exploit
The attacker initiates the exploit by running the command, which uploads the malicious file (payload) to the target WordPress server. Upon successful execution, the payload establishes a reverse shell connection between the target server and the attacker's machine. This connection grants the attacker unauthorized control over the target system.
WordPress Plugin Slider Revolution Arbitrary File Download
The wp_revslider_file_read module targets a vulnerability in the WordPress Slider Revolution (RevSlider) plugin, which allows attackers to read arbitrary files from the server. This vulnerability can expose sensitive information like configuration files, credentials, or other critical data stored on the server. By exploiting this flaw, attackers can gain unauthorized access to the server's internal files, leading to further exploitation and potential server compromise if not patched.
Load the WordPress Slider Revolution File Read Exploit Module
This command loads the exploit module designed to target the file read vulnerability in the Slider Revolution plugin. Loading this module prepares Metasploit to exploit the vulnerability, enabling the attacker to retrieve arbitrary files from the server.
Set the Target’s IP Address
This command sets the target's IP address, directing the attack to the correct server where the vulnerable Slider Revolution plugin is installed. Identifying the target is crucial for ensuring the exploit is executed against the appropriate system.
Specify the File Path to Download
This command specifies the path of the file on the target server that the attacker wishes to download. By setting the correct file path, the attacker can retrieve sensitive information, such as configuration files, credentials, or other critical data.
Run the File Download Exploit
The run command initiates the file download process. Once executed, it retrieves the specified file from the target server, allowing the attacker to access potentially sensitive data that can lead to further exploitation of the system.
WordPress RevSlider File Upload
The wp_revslider_upload_execute module exploits a file upload vulnerability in the WordPress Slider Revolution (RevSlider) plugin. Attackers upload a malicious PHP file and execute it to gain control over the server. This exploitation allows attackers to remotely execute arbitrary code, taking control of the WordPress site and its underlying system.
Load the WordPress Slider Revolution File Upload Exploit Module
This command loads the exploit module that targets the file upload vulnerability in the Slider Revolution plugin. By loading this module, Metasploit is prepared to exploit the vulnerability by uploading a malicious PHP file to the target server.
Set the Target's IP Address
This command sets the target's IP address, indicating the WordPress site that is vulnerable to the Slider Revolution file upload flaw. Defining the correct target is critical to ensure that the attack is directed toward the intended server.
Specify the WordPress Installation Path
This command specifies the path where WordPress is installed on the target server. Defining the correct URI ensures that Metasploit can locate the vulnerable Slider Revolution plugin within the WordPress directory structure.
Set the PHP Meterpreter Reverse TCP Payload
This command selects the PHP Meterpreter reverse TCP payload. The payload will establish a reverse shell connection, allowing the attacker to gain control over the target once the malicious file is executed.
Set the Attacker’s IP Address (LHOST)
This command sets the attacker's IP address, specifying where the reverse connection should be established after the exploit succeeds. It ensures that the target system will connect back to the attacker's machine.
Set the Listening Port (LPORT)
This command specifies the port on the attacker's machine that will listen for the reverse connection. It is crucial to establish communication between the target and the attacker once the exploit is executed.
Run the Exploit
The run command initiates the exploit, uploading the malicious payload to the target server. Once the payload is executed, it creates a reverse shell connection, granting the attacker remote access to the system and control over the WordPress site and its underlying server.
Metasploit WordPress Scanner and Reconnaissance
Effective scanning and reconnaissance techniques form the foundation of a thorough WordPress security assessment, enabling security teams to gather crucial information about the target site.
Launch the Metasploit Console
This command launches the Metasploit console, the main interface for accessing Metasploit's tools, modules, and exploits. The console provides an interactive platform where users can run commands, load modules, and execute attacks or reconnaissance operations.
Load the WordPress Version Scanner Module
This command loads the WordPress version scanner module, which is designed to detect if the target site is running WordPress and identify the version in use. Knowing the version is critical, as it helps determine if the site is vulnerable to known exploits associated with specific WordPress versions.
Set the Target’s IP Address or Domain
This command specifies the IP address or domain name of the target WordPress site. By setting the correct target, the scanner knows where to direct its requests in order to determine if WordPress is running and which version is installed.
Set the WordPress Installation Path
This command sets the URI path where WordPress is installed on the target server. For most sites, this would be either the root directory (/) or /wp-admin. Defining the path helps the scanner correctly locate WordPress files, ensuring the scan is accurate.
Run the Version Scan
This command initiates the scanning process. The module scans the target site for version indicators in HTTP headers, metadata, and page content. The result reveals whether the site is running WordPress and which version is installed, helping assess whether the site is vulnerable to specific exploits associated with that version.
Enumerate WordPress Themes
WordPress themes are templates that define the design, layout, and visual appearance of a WordPress website. They control the look and feel of the site, including elements like fonts, colors, and page structures. Themes allow users to customize their site's design without needing to modify the core code.
Load the Module
Loads the module for theme enumeration on the WordPress site.
Set the Target
Defines the target IP or domain to scan for themes.
Set the Target URI
Sets the path to the WordPress installation.
Run the Module
Executes the scan, providing information on the installed themes.
Identifying Users and Roles
Metasploit offers modules to enumerate users and roles on a WordPress site, helping to identify potential targets for further exploitation.
Enumerate WordPress Users
This command loads the WordPress user enumeration module, which identifies usernames on the target WordPress site.
Set the Target
Defines the IP address of the target WordPress site.
Set the Target URI
Specifies the WordPress installation path, commonly /wp-admin.
Run the Module
Executes the module, retrieving usernames and roles that could be further targeted in attacks.
Mitigating WordPress Vulnerabilities
Mitigating WordPress vulnerabilities is crucial for maintaining a secure website and protecting against potential cyber threats.
Regularly Update WordPress and Plugins
Ensure that WordPress core, themes, and plugins are always up to date to mitigate vulnerabilities. Updates often include critical security patches that address known exploits. Automating updates or checking for them frequently is a key step in protecting the site from emerging threats.
Implement Strong Authentication
Enhance WordPress security by enforcing strong passwords and enabling two-factor authentication (2FA). Limiting login attempts and monitoring login behavior can prevent brute-force attacks and unauthorized access, making it harder for attackers to breach the site.
Use Security Plugins
Install security plugins like Wordfence or Sucuri to monitor, detect, and block vulnerabilities in real time. These tools help prevent malicious activity, provide firewall protection, and scan for malware, adding a vital layer of defense to your WordPress site.
Restrict File Permissions
Set appropriate file permissions (e.g., 755 for directories and 644 for files) to prevent unauthorized changes to critical files. Disabling file editing through the WordPress dashboard also helps ensure attackers cannot modify sensitive files in the event of a breach.
Limit API Access
Restrict access to APIs that WordPress uses, particularly those linked to third-party plugins or themes. Continuously monitor and secure these APIs to prevent exploitation of vulnerabilities and ensure safe communication between the site and external services.
Backup Regularly
Regularly back up the WordPress site to ensure quick recovery after a breach or attack. Securely store and automate backups to minimize downtime and reduce the impact of potential data loss or corruption.
Final Thoughts
Metasploit empowers security teams to efficiently identify and exploit vulnerabilities in WordPress sites, making it an invaluable tool for penetration testing. By leveraging its comprehensive suite of scanning and exploitation modules, you can detect weak configurations, outdated software, and vulnerable plugins that could compromise the security of your WordPress installation.
Akto provides automated vulnerability detection for APIs, including those used by WordPress plugins. Akto can help identify vulnerabilities like the MStore API plugin vulnerability (CVE-2023-3197) by securing the APIs these plugins use.
By leveraging tools like Metasploit for broader web application penetration testing, alongside Akto for API security, organizations can proactively detect and mitigate security risks across web applications and APIs, ensuring comprehensive protection.