Finds vulnerabilities in wordpress websites using WPSCAN

WPSCAN:-

WPScan finds vulnerabilities in wordpress websites. This tool is known for scanning vulnerabilities within the core version, plugins and themes of wordpress website. WPScan even finds weak passwords, users and security configuration issues that are present. As per research done by one of to ethical hacking researcher of international institute of cyber security most of the wordpress websites running on internet are vulnerable.

Note:- You should always update the database of wpscan before scanning website for vulnerabilities.

 

INSTALLING WPSCAN:-

For installing from the WPScan use the github : https://github.com/wpscanteam/wpscan.git

git clone https://github.com/wpscanteam/wpscan

cd wpscan/

bundle install && rake install

Or you can also install wpscan using apt-get

  • For installing wpscan in the linux terminal, type sudo apt-get update.

  • Then type sudo apt-get install wpscan for installing wpscan.

  • After installation run, to start WPScan simply go to linux terminal and type wpscan –help. As shown below:-

  • You can use the any option to scan the vulnerable wordpress site.

SCANNING THE URL:-

Type wpscan –url http://www.shroffeyecentre.com

 

root@kali:/home/iicybersecurity/wpscan# wpscan --url http://www.shroffeyecentre.com/




[+] URL: http://www.shroffeyecentre.com/

[+] Started: Sun Nov 11 11:05:49 2018

Interesting Finding(s):

[+] http://www.shroffeyecentre.com/

 | Interesting Entry: Server: nginx/1.14.1

 | Found By: Headers (Passive Detection)

 | Confidence: 100%

[+] http://www.shroffeyecentre.com/robots.txt

 | Found By: Robots Txt (Aggressive Detection)

 | Confidence: 100%




[+] http://www.shroffeyecentre.com/xmlrpc.php

 | Found By: Headers (Passive Detection)

 | Confidence: 60%

 | Confirmed By: Link Tag (Passive Detection), 30% confidence

 | References:

 | - http://codex.wordpress.org/XML-RPC_Pingback_API

 | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner

 | - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos

 | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login

 | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access




[+] http://www.shroffeyecentre.com/readme.html

 | Found By: Direct Access (Aggressive Detection)

 | Confidence: 100%




 | - http://www.shroffeyecentre.com/comments/feed/, https://wordpress.org/?v=4.9.8

 | - http://www.shroffeyecentre.com/home/feed/, https://wordpress.org/?v=4.9.8




[+] WordPress theme in use: shroff

 | Location: http://www.shroffeyecentre.com/wp-content/themes/shroff/

 | Style URL: http://www.shroffeyecentre.com/wp-content/themes/shroff/style.css?ver=2013-07-18

 | Style Name: Twenty Thirteen

 | Style URI: http://wordpress.org/themes/twentythirteen

 | Description: The 2013 theme for WordPress takes us back to the blog, featuring a full range of post formats, each...

 | Author: the WordPress team

 | Author URI: http://wordpress.org/

 |

 | Detected By: Css Style (Passive Detection)

 |

 | Version: 1.1 (80% confidence)

 | Detected By: Style (Passive Detection)

 | - http://www.shroffeyecentre.com/wp-content/themes/shroff/style.css?ver=2013-07-18, Match: 'Version: 1.1'




[+] Enumerating All Plugins

[+] Checking Plugin Versions




[i] Plugin(s) Identified:




[+] contact-form-7

 | Location: http://www.shroffeyecentre.com/wp-content/plugins/contact-form-7/

 | Last Updated: 2018-10-29T23:58:00.000Z

 | [!] The version is out of date, the latest version is 5.0.5

 |

 | Detected By: Urls In Homepage (Passive Detection)

 |

 | [!] 1 vulnerability identified:

 |

 | [!] Title: Contact Form 7 <= 5.0.3 - register_post_type() Privilege Escalation

 | Fixed in: 5.0.4

 | References:

 | - https://wpvulndb.com/vulnerabilities/9127

 | - https://contactform7.com/2018/09/04/contact-form-7-504/

 | - https://plugins.trac.wordpress.org/changeset/1935726/contact-form-7

 | - https://plugins.trac.wordpress.org/changeset/1934594/contact-form-7

 | - https://plugins.trac.wordpress.org/changeset/1934343/contact-form-7

 | - https://plugins.trac.wordpress.org/changeset/1934327/contact-form-7

 |

 | Version: 3.7.2 (20% confidence)

 | Detected By: Query Parameter (Passive Detection)

 | - http://www.shroffeyecentre.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=3.7.2

 | - http://www.shroffeyecentre.com/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=3.7.2




[+] revslider

 | Location: http://www.shroffeyecentre.com/wp-content/plugins/revslider/

 |

 | Detected By: Urls In Homepage (Passive Detection)

 | Confirmed By: Comment (Passive Detection)

 |

 | [!] 2 vulnerabilities identified:

 |

 | [!] Title: WordPress Slider Revolution Local File Disclosure

 | Fixed in: 4.1.5

 | References:

 | - https://wpvulndb.com/vulnerabilities/7540

 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1579

 | - https://www.exploit-db.com/exploits/34511/

 | - https://www.exploit-db.com/exploits/36039/

 | - http://blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html

 | - http://packetstormsecurity.com/files/129761/

 |

 | [!] Title: WordPress Slider Revolution Shell Upload

 | Fixed in: 3.0.96

 | References:

 | - https://wpvulndb.com/vulnerabilities/7954

 | - https://www.exploit-db.com/exploits/35385/

 | - https://whatisgon.wordpress.com/2014/11/30/another-revslider-vulnerability/

 | - https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_revslider_upload_execute

 |

 | Version: 2.3.9 (60% confidence)

 | Detected By: Comment (Passive Detection)

 | - http://www.shroffeyecentre.com/, Match: 'START REVOLUTION SLIDER 2.3.9'

[+] Enumerating Config Backups

 Checking Config Backups - Time: 00:00:05 (21 / 21) 100.00% Time: 00:00:05
  • In the above output, after scanning the vulnerable site. It shows the server which is being used by vulnerable site. Wpscan showing the theme of the wordpress which the target is using.
  • It shows 2 vulnerabilities one can be used in privilege escalation attack in which hacker can gain access of the target. And the second one is local file disclosure which can shows the path of webroot file.
  • The above scan shows the version of the wordpress. It shows the description of the target website which can be used in initial phase of information gathering.

GETTING IN-DEPTH:-

Type wpscan –url http://www.shroffeyecentre.com –verbose

 

root@kali:/home/iicybersecurity/wpscan# wpscan --url http://www.shroffeyecentre.com/ --verbose

[+] URL: http://www.shroffeyecentre.com

[+] Started: Sun Nov 11 13:21:08 2018

Interesting Finding(s):

[+] http://www.shroffeyecentre.com/

 | Interesting Entry: Server: nginx/1.14.1

 | Found By: Headers (Passive Detection)

 | Confidence: 100%

[+] http://www.shroffeyecentre.com/robots.txt

 | Found By: Robots Txt (Aggressive Detection)

 | Confidence: 100%




[+] http://www.shroffeyecentre.com/xmlrpc.php

 | Found By: Headers (Passive Detection)

 | Confidence: 60%

 | Confirmed By: Link Tag (Passive Detection), 30% confidence

 | References:

 | - http://codex.wordpress.org/XML-RPC_Pingback_API

 | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner

 | - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos

 | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login

 | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access




[+] http://www.shroffeyecentre.com/readme.html

 | Found By: Direct Access (Aggressive Detection)

 | Confidence: 100%




[+] This site has 'Must Use Plugins': http://www.shroffeyecentre.com/wp-content/mu-plugins/

 | Found By: Direct Access (Aggressive Detection)

 | Confidence: 80%

 | Reference: http://codex.wordpress.org/Must_Use_Plugins




[+] Upload directory has listing enabled: http://www.shroffeyecentre.com/wp-content/uploads/

 | Found By: Direct Access (Aggressive Detection)

 | Confidence: 100%




[+] WordPress version 4.9.8 identified (Released on 2018-08-02).

 | Detected By: Rss Generator (Passive Detection)

 | - http://www.shroffeyecentre.com/feed/, https://wordpress.org/?v=4.9.8

 | - http://www.shroffeyecentre.com/comments/feed/, https://wordpress.org/?v=4.9.8

 | - http://www.shroffeyecentre.com/home/feed/, https://wordpress.org/?v=4.9.8




[+] WordPress theme in use: shroff

 | Location: http://www.shroffeyecentre.com/wp-content/themes/shroff/

 | Style URL: http://www.shroffeyecentre.com/wp-content/themes/shroff/style.css?ver=2013-07-18

 | Style Name: Twenty Thirteen

 | Style URI: http://wordpress.org/themes/twentythirteen

 | Description: The 2013 theme for WordPress takes us back to the blog, featuring a full range of post formats, each displayed beautifully in their own unique way. Design details abound, starting with a vibrant color scheme and matching header images, beautiful typography and icons, and a flexible layout that looks great on any device, big or small.

 | Author: the WordPress team

 | Author URI: http://wordpress.org/

 | License: GNU General Public License v2 or later

 | License URI: http://www.gnu.org/licenses/gpl-2.0.html

 | Tags: black, brown, orange, tan, white, yellow, light, one-column, two-columns, right-sidebar, fluid-layout, responsive-layout, custom-header, custom-menu, editor-style, featured-images, microformats, post-formats, rtl-language-support, sticky-post, translation-ready

 | Text Domain: twentythirteen

 |

 | Detected By: Css Style (Passive Detection)

 |

 | Version: 1.1 (80% confidence)

 | Detected By: Style (Passive Detection)

 | - http://www.shroffeyecentre.com/wp-content/themes/shroff/style.css?ver=2013-07-18, Match: 'Version: 1.1'




[+] Enumerating All Plugins

[+] Checking Plugin Versions




[i] Plugin(s) Identified:




[+] contact-form-7

 | Location: http://www.shroffeyecentre.com/wp-content/plugins/contact-form-7/

 | Last Updated: 2018-10-29T23:58:00.000Z

 | [!] The version is out of date, the latest version is 5.0.5

 |

 | Detected By: Urls In Homepage (Passive Detection)

 |

 | [!] 1 vulnerability identified:

 |

 | [!] Title: Contact Form 7 <= 5.0.3 - register_post_type() Privilege Escalation

 | Fixed in: 5.0.4

 | References:

 | - https://wpvulndb.com/vulnerabilities/9127

 | - https://contactform7.com/2018/09/04/contact-form-7-504/

 | - https://plugins.trac.wordpress.org/changeset/1935726/contact-form-7

 | - https://plugins.trac.wordpress.org/changeset/1934594/contact-form-7

 | - https://plugins.trac.wordpress.org/changeset/1934343/contact-form-7

 | - https://plugins.trac.wordpress.org/changeset/1934327/contact-form-7

 |

 | Version: 3.7.2 (20% confidence)

 | Detected By: Query Parameter (Passive Detection)

 | - http://www.shroffeyecentre.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=3.7.2

 | - http://www.shroffeyecentre.com/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=3.7.2




[+] revslider

 | Location: http://www.shroffeyecentre.com/wp-content/plugins/revslider/

 |

 | Detected By: Urls In Homepage (Passive Detection)

 | Confirmed By: Comment (Passive Detection)

 |

 | [!] 2 vulnerabilities identified:

 |

 | [!] Title: WordPress Slider Revolution Local File Disclosure

 | Fixed in: 4.1.5

 | References:

 | - https://wpvulndb.com/vulnerabilities/7540

 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1579

 | - https://www.exploit-db.com/exploits/34511/

 | - https://www.exploit-db.com/exploits/36039/

 | - http://blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html

 | - http://packetstormsecurity.com/files/129761/

 |

 | [!] Title: WordPress Slider Revolution Shell Upload

 | Fixed in: 3.0.96

 | References:

 | - https://wpvulndb.com/vulnerabilities/7954

 | - https://www.exploit-db.com/exploits/35385/

 | - https://whatisgon.wordpress.com/2014/11/30/another-revslider-vulnerability/

 | - https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_revslider_upload_execute

 |

 | Version: 2.3.9 (60% confidence)

 | Detected By: Comment (Passive Detection)

 | - http://www.shroffeyecentre.com/, Match: 'START REVOLUTION SLIDER 2.3.9'




[+] taxonomy-images

 | Location: http://www.shroffeyecentre.com/wp-content/plugins/taxonomy-images/

 | Latest Version: 0.9.6

 | Last Updated: 2017-02-16T08:55:00.000Z

 |

 | Detected By: Urls In Homepage (Passive Detection)

 |

 | The version could not be determined.




[+] wordpress-seo

 | Location: http://www.shroffeyecentre.com/wp-content/plugins/wordpress-seo/

 | Last Updated: 2018-11-06T09:26:00.000Z

 | [!] The version is out of date, the latest version is 9.1

 |

 | Detected By: Comment (Passive Detection)

 |

 | Version: 7.2 (60% confidence)

 | Detected By: Comment (Passive Detection)

 | - http://www.shroffeyecentre.com/, Match: 'optimized with the Yoast SEO plugin v7.2 -'




[+] wp-pagenavi

 | Location: http://www.shroffeyecentre.com/wp-content/plugins/wp-pagenavi/

 | Latest Version: 2.93

 | Last Updated: 2018-09-20T03:11:00.000Z

 |

 | Detected By: Urls In Homepage (Passive Detection)

 |
  • After using the verbose method, wpscan shows in-depth details of the themes which is used in the target website. It shows the in-depth vulnerabilities of the target in verbose mode.