Thursday, June 21, 2012

Auditing Wordpress Blogs

Wordpress appears to be one of the most prevalent blogging platforms out in the wild today as it can be downloaded and installed to any domain as well as being offered as a blogging platform by hosting companies.  I come across it quite a bit during my website audits.  If you are not familiar with this application, this probably isn't the post for you, and you can research it further at

As I'm pen testing a site with Wordpress installed, I have the tendency to do a quick check of the Wordpress vers. and any installed plugins looking for any published exploits or information, but this really presents a challenge.  Wordpress can be tight lipped on what they fix in each new version.  Sites like can be useful but time consuming when iterating your search through each plugin and version to see if there is an exploit.  Finding information in Twitter is great but can be time consuming in trying to build an internal knowledge base of exploits.

Lately I've been playing around with a new tool that is designed specifically for Wordpress blogs.  The tool is called wpscan and is written by ethicalhack3r (  -SEE UPDATE BELOW-

Wpscan is essentially a scanner with a database of exploits against both the standalone Wordpress install as well as Wordpress plugins.  It's available here: and comes pre-installed in Backtrack 5 R1.  I've used it several times and found it to be very easy to use and something I will add to my toolbox.  It's updated often and the tool will pull updates when launched.  I did run into a problem where an update broke my install, and I had to reinstall a package.  All things aside, it is free and useful.

Here is an example of a local path disclosure I found from a Wordpress 3.2.1 Blog:

Scanning took less then a minute.

If you'd like to see a usage video, here is one posted by the creator on YouTube that covers basic functionality.  The command line arguments may slightly differ between versions, but you get the idea (type -h if you need help).

Examples of Features:
- Detection of Vulnerabilities in Wordpress
- Enumeration of installed Plugins
- Detection of Vulnerabilites in Plugins
- Detection and Brute Force Capabilities against Wordpress Accounts

UPDATED INFORMATION: After chatting with one of the Creators the other day, I realized I needed to make a correction and give credit to those who contribute to the ongoing development of WPscan.  Thanks Ryan!  In addition to Ryan Dewhurst (@ethicalhack3r), the following are also on the WPScan Team: Erwan.LR and Gianluca Brindisi  (@gbrindisi).  For a full list of credits and contributors please see