Metasploit WordPress
Metasploit provides modules that target known WordPress weaknesses, such as outdated plugins or misconfigurations, helping security teams assess the site’s security. Using Metasploit, teams can simulate real-world attacks on WordPress installations, identifying flaws that could be exploited by hackers. This proactive testing helps strengthen WordPress site defenses against potential cyber threats.
In this blog, explore Metasploit modules for testing vulnerabilities in WordPress. Learn about why they are needed, relevant commands, and explanations.
What is WordPress?
WordPress is a popular open-source content management system (CMS
) that allows users to easily create and manage websites without needing extensive coding knowledge. It offers a wide range of themes
and plugins, enabling customization
and functionality for various types of sites.
Originally designed for blogging, WordPress now powers diverse websites, from e-commerce
to portfolios. Users can manage content, media, and design through an intuitive dashboard. WordPress’s flexibility and large community support
make it a top choice for website creation.
Why Use Metasploit for WordPress Testing?
Metasploit is an essential tool for WordPress security testing, offering several advantages that significantly improve the efficiency of vulnerability assessments and penetration testing.
Comprehensive Vulnerability Detection
With Metasploit, WordPress testing becomes more thorough, ensuring robust vulnerability detection
across plugins, themes, and core files
. It helps uncover common security flaws such as SQL injections, cross-site scripting (XSS
), and remote code execution
(RCE). By identifying these issues early, Metasploit enables more effective remediation, reducing the risk of future attacks.
Automated Exploitation and Post-Exploitation Capabilities
Metasploit streamlines the exploitation process by automating the testing of WordPress vulnerabilities, making it easier to assess different attack vectors. The tool's post-exploitation
modules further enhance security testing by evaluating the impact of successful exploits, such as accessing sensitive data or escalating privileges within the system.
Remote Code Execution (RCE) in Themes
Metasploit effectively detects Remote Code Execution
(RCE) vulnerabilities within WordPress themes. These vulnerabilities allow attackers to run malicious code on the server, potentially compromising the entire site. Security teams must detect and remediate RCE vulnerabilities early to maintain server security and prevent complete site takeovers.
Directory Traversal in File Upload Functionalities
The tool also excels at identifying directory traversal vulnerabilities in WordPress file upload functions. These flaws can grant attackers unauthorized access
to critical files or directories on the server. By detecting and resolving these vulnerabilities, Metasploit ensures safer file management practices and stronger overall security for WordPress sites.
Common WordPress Vulnerabilities
WordPress sites are susceptible to various vulnerabilities that can compromise their security and functionality. These vulnerabilities include:
Outdated WordPress Core
Running an outdated version of WordPress often leaves the site exposed to known vulnerabilities. Hackers actively target older versions
with exploits that have been publicly documented
. By keeping WordPress updated, security teams ensure that security patches are applied and the site remains protected against the latest threats
.
Insecure Plugins and Themes
WordPress plugins and themes are a common entry point for attackers due to poor coding practices
or outdated versions
. Hackers exploit vulnerabilities in these extensions to gain unauthorized access or execute malicious code. Regularly updating plugins and choosing reputable ones help minimize this risk and safeguard the site.
Weak Passwords
Weak or default passwords allow attackers to brute force
their way into WordPress accounts. By guessing simple or reused passwords, they can compromise administrative accounts
and take control of the site. Enforcing strong password policies and using multi-factor authentication
(MFA) helps prevent unauthorized access.
Improper File Permissions
Incorrect file permissions on a WordPress server can give attackers access to sensitive files
. This could lead to the modification of critical files or the upload of malicious content. Ensuring that the file permissions are correctly set, such as restricting write access
, significantly improves site security.
Vulnerable REST API Endpoints
WordPress's REST API can be a powerful tool, but improperly secured endpoints
may allow attackers to manipulate or access site content. Vulnerabilities in API permissions
can expose sensitive data or lead to unauthorized changes
. Regularly auditing and securing API endpoints help prevent such exploits.
Using Metasploit Modules for WordPress
Metasploit includes several modules designed to exploit WordPress vulnerabilities. These modules target common weaknesses in themes, plugins, and the core WordPress system
, allowing security teams to simulate attacks and assess the security of the WordPress installation.
Searching for WordPress-Related Modules
To find WordPress-related modules in Metasploit, use the search functionality within the Metasploit console:
This command will display a list of available modules
that target WordPress vulnerabilities, providing teams with the tools needed to conduct thorough security assessments.
Metasploit Modules for WordPress
Here are the Metasploit modules specifically designed for WordPress and the commands used to interact with them:
WordPress XMLRPC GHOST Vulnerability Scanner
The GHOST vulnerability, identified as CVE-2015-0235
, is a critical flaw in the GNU C Library (glibc
) that affects many Linux-based systems
, including those running WordPress. It allows remote attackers to execute arbitrary code via the gethostbyname
function, which is used in network-related operations. Attackers who exploit this vulnerability can gain control over the server, potentially causing severe damage.
Load the GHOST Vulnerability Scanner Module
This module helps detect if a WordPress site is vulnerable to the GHOST
vulnerability via its XMLRPC
interface. By scanning for this flaw, security teams can determine if the vulnerability exists before attackers exploit this vulnerability.
Loads the GHOST vulnerability scanner module.
Display Available Actions
Displays available actions that can be taken within the module.
Set the Desired Action for the Scan
Sets the desired action for the scan.
Show Configurable Scan Options
Lists the available options for customizing the scan.
Execute the Vulnerability Scan
Executes the vulnerability scan on the target.
WordPress Content Injection Vulnerability
Attackers exploit the WordPress Content Injection vulnerability to modify posts or create new content
without proper authentication, potentially compromising the integrity of a WordPress site.
Load the WordPress Content Injection Exploit Module
This command loads the WordPress content injection exploit module in Metasploit. It prepares the framework to use the specific vulnerability targeting WordPress sites with the REST API
flaw in versions 4.7.0
and 4.7.1
. Loading the module is essential to start configuring the exploit for the attack.
Set the Target’s IP Address
This command sets the target's IP address
, defining where the exploit will be directed. By specifying the correct IP, the exploit module knows which WordPress server to attack, making this step critical for executing the vulnerability against the right system.
Define the WordPress Installation Path
This command defines the path to the WordPress installation
on the target server. It ensures that Metasploit knows the exact location of the WordPress directory, allowing it to properly craft requests and exploit the vulnerability through the correct REST API endpoint
.
Run the Exploit
The run
command initiates the exploit against the specified WordPress target. It uses the previously configured parameters to inject content
into the vulnerable site. If successful, the exploit allows the attacker to modify posts or pages, potentially inserting malicious content without needing authentication.
WordPress Plugin File Upload Vulnerability
The wp_plugin_ninja_forms_file_upload
module exploits an arbitrary file upload vulnerability in the Ninja Forms WordPress plugin
. Attackers can upload malicious files, such as a web shell
, to the server without proper authentication. The attacker then executes arbitrary code, gaining unauthorized access to the system.
Load the WordPress Plugin File Upload Vulnerability
This command loads the exploit module targeting the file upload vulnerability in the Ninja Forms WordPress plugin
. Loading this module prepares Metasploit to exploit the vulnerability and upload malicious files to the server.
Set the Target’s IP Address
This command sets the target machine's IP address
where the Ninja Forms plugin
is installed. It ensures that the exploit is directed at the correct server.
Define the WordPress Installation Path
This command defines the URI path
of the WordPress installation on the target server. It is necessary to direct the exploit to the exact location where the vulnerability exists in the WordPress plugin.
Set the Payload for Reverse TCP Meterpreter
This command specifies the payload that will be delivered once the exploit succeeds. The chosen payload is a PHP Meterpreter reverse TCP shell
, which allows the attacker to gain control of the target server once the payload is executed.
Set host IP Address
This command sets the attacker's IP address
to establish a reverse connection. It tells the server where to connect back once the payload is uploaded and executed.
Set the Port
This command defines the listening port on the attacker’s machine for the reverse connection
. It allows the reverse shell
to connect back to the specified port for remote control of the target.
Run the Exploit
The attacker initiates the exploit by running the command, which uploads the malicious file (payload) to the target WordPress server. Upon successful execution, the payload establishes a reverse shell connection
between the target server and the attacker's machine. This connection grants the attacker unauthorized control over the target system.
WordPress Plugin Slider Revolution Arbitrary File Download
The wp_revslider_file_read
module targets a vulnerability in the WordPress Slider Revolution (RevSlider
) plugin, which allows attackers to read arbitrary files from the server. This vulnerability can expose sensitive information like configuration files
, credentials
, or other critical data stored on the server. By exploiting this flaw, attackers can gain unauthorized access to the server's internal files, leading to further exploitation and potential server compromise if not patched.
Load the WordPress Slider Revolution File Read Exploit Module
This command loads the exploit module designed to target the file read
vulnerability in the Slider Revolution
plugin. Loading this module prepares Metasploit to exploit the vulnerability, enabling the attacker to retrieve arbitrary files from the server.
Set the Target’s IP Address
This command sets the target's IP address
, directing the attack to the correct server where the vulnerable Slider Revolution
plugin is installed. Identifying the target is crucial for ensuring the exploit is executed against the appropriate system.
Specify the File Path to Download
This command specifies the path of the file on the target server that the attacker wishes to download. By setting the correct file path, the attacker can retrieve sensitive information
, such as configuration files, credentials, or other critical data.
Run the File Download Exploit
The run
command initiates the file download process. Once executed, it retrieves the specified file from the target server, allowing the attacker to access potentially sensitive data
that can lead to further exploitation of the system.
WordPress RevSlider File Upload
The wp_revslider_upload_execute
module exploits a file upload vulnerability in the WordPress Slider Revolution (RevSlider
) plugin. Attackers upload a malicious PHP file
and execute it to gain control over the server. This exploitation allows attackers to remotely execute arbitrary code
, taking control of the WordPress site and its underlying system.
WordPress RevSlider File Upload
This command loads the exploit module that targets the file upload vulnerability in the Slider Revolution
plugin. By loading this module, Metasploit is prepared to exploit the vulnerability by uploading a malicious PHP file
to the target server.
Load the WordPress Slider Revolution File Upload Exploit Module
This command sets the target's IP address
, indicating the WordPress site that is vulnerable to the Slider Revolution
file upload flaw. Defining the correct target is critical to ensure that the attack is directed toward the intended server.
Specify the WordPress Installation Path
This command specifies the path where WordPress is installed on the target server. Defining the correct URI
ensures that Metasploit can locate the vulnerable Slider Revolution plugin within the WordPress directory
structure.
Set the PHP Meterpreter Reverse TCP Payload
This command selects the PHP Meterpreter reverse TCP payload
. The payload will establish a reverse shell connection, allowing the attacker to gain control over the target once the malicious file is executed.
Set the Attacker’s IP Address (LHOST)
This command sets the attacker's IP address, specifying where the reverse connection
should be established after the exploit succeeds. It ensures that the target system will connect back to the attacker's machine.
Set the Listening Port (LPORT)
This command specifies the port
on the attacker's machine that will listen for the reverse connection
. It is crucial to establish communication between the target and the attacker once the exploit is executed.
Run the Exploit
The run
command initiates the exploit, uploading the malicious payload to the target server. Once the payload is executed, it creates a reverse shell connection
, granting the attacker remote access to the system and control over the WordPress site and its underlying server.
Metasploit WordPress Scanner and Reconnaissance
Effective scanning and reconnaissance techniques form the foundation of a thorough WordPress security assessment, enabling security teams to gather crucial information about the target site.
Launch the Metasploit Console
This command launches the Metasploit console
, the main interface for accessing Metasploit’s tools, modules
, and exploits. The console provides an interactive platform where users can run commands, load modules, and execute attacks or reconnaissance operations.
Load the WordPress Version Scanner Module
This command loads the WordPress version scanner module, which is designed to detect if the target site is running WordPress and identify the version in use. Knowing the version
is critical, as it helps determine if the site is vulnerable to known exploits associated with specific WordPress versions.
Set the Target’s IP Address or Domain
This command specifies the IP address or domain name
of the target WordPress site. By setting the correct target, the scanner knows where to direct its requests in order to determine if WordPress is running and which version is installed.
Set the WordPress Installation Path
This command sets the URI path
where WordPress is installed on the target server. For most sites, this would be either the root directory (/
) or /wp-admin
. Defining the path helps the scanner correctly locate WordPress files, ensuring the scan is accurate.
Run the Version Scan
This command initiates the scanning process. The module scans the target site for version indicators in HTTP headers
, metadata
, and page content. The result reveals whether the site is running WordPress and which version is installed, helping assess whether the site is vulnerable to specific exploits associated with that version.
Enumerate WordPress Themes
WordPress themes are templates that define the design, layout, and visual appearance of a WordPress website. They control the look and feel of the site, including elements
like fonts, colors, and page structures. Themes allow users to customize their site's design without needing to modify the core code.
Load the Module
Loads the module for theme enumeration on the WordPress site.
Set the Target
Defines the target IP or domain to scan for themes.
Set the Target URI
Sets the path to the WordPress installation.
Run the Module
Executes the scan, providing information on the installed themes.
Identifying Users and Roles
Metasploit offers modules to enumerate users and roles
on a WordPress site, helping to identify potential targets for further exploitation.
Enumerate WordPress Users
This command loads the WordPress user's enumeration module
, which identifies usernames
on the target WordPress site.
Set the Target
Defines the IP address
of the target WordPress site.
Set the Target URI
Specifies the WordPress installation path, commonly /wp-admin
.
Run the Module
Executes the module, retrieving usernames and roles that could be further targeted in attacks.
Mitigating WordPress Vulnerabilities
Mitigating WordPress vulnerabilities is crucial for maintaining a secure website and protecting against potential cyber threats.
Regularly Update WordPress and Plugins
Ensure that WordPress core
, themes, and plugins are always up to date
to mitigate vulnerabilities. Updates often include critical security patches that address known exploits. Automating updates
or checking for them frequently is a key step in protecting the site from emerging threats.
Implement Strong Authentication
Enhance WordPress security by enforcing strong passwords
and enabling two-factor authentication
(2FA
). Limiting login attempts and monitoring login behavior can prevent brute-force attacks and unauthorized access, making it harder for attackers to breach the site.
Use Security Plugins
Install security plugins like Wordfence
or Sucuri
to monitor, detect, and block vulnerabilities in real-time. These tools help prevent malicious activity, provide firewall protection
, and scan for malware, adding a vital layer of defense to your WordPress site.
Restrict File Permissions
Set appropriate file permissions (e.g., 755
for directories and 644
for files) to prevent unauthorized changes to critical files. Disabling file editing through the WordPress dashboard also helps ensure attackers cannot modify sensitive files in the event of a breach.
Limit API Access
Restrict access to APIs that WordPress uses, particularly those linked to third-party plugins or themes. Continuously monitor and secure these APIs to prevent exploitation of vulnerabilities and ensure safe communication between the site and external services.
Backup Regularly
Regularly back up the WordPress site to ensure quick recovery after a breach or attack. Securely store and automate backups to minimize downtime and reduce the impact of potential data loss or corruption.
Final Thoughts
Metasploit empowers security teams to efficiently identify and exploit vulnerabilities in WordPress sites, making it an invaluable tool for penetration testing. By leveraging its comprehensive suite of scanning and exploitation modules, you can detect weak configurations, outdated software, and vulnerable plugins that could compromise the security of your WordPress installation.
Akto provides automated vulnerability detection for APIs, including those used by WordPress plugins. Akto can help identify vulnerabilities like the MStore API plugin vulnerability (CVE-2023-3197) by securing the APIs these plugins use.
By leveraging tools like Metasploit for broader web application penetration testing, alongside Akto for API security, organizations can proactively detect and mitigate security risks across web applications and APIs, ensuring comprehensive protection.
Explore more from Akto
Blog
Be updated about everything related to API Security, new API vulnerabilities, industry news and product updates.
Events
Browse and register for upcoming sessions or catch up on what you missed with exclusive recordings
CVE Database
Find out everything about latest API CVE in popular products
Test Library
Discover and find tests from Akto's 100+ API Security test library. Choose your template or add a new template to start your API Security testing.
Documentation
Check out Akto's product documentation for all information related to features and how to use them.