When I'm pen testing a site running WordPress, I tend to do a quick check of the WordPress version and the installed plugins, looking for published exploits or advisories, but this presents a real challenge. WordPress can be tight-lipped about what it fixes in each new version. Sites like securityfocus.com are useful but time consuming when you iterate your search through every plugin and version to see whether an exploit exists. Twitter is great for finding information, but building an internal knowledge base of exploits from it is slow.
Lately I've been playing with a new tool designed specifically for WordPress blogs. The tool is called wpscan and is written by ethicalhack3r (www.ethicalhack3r.co.uk). -SEE UPDATE BELOW-
Wpscan is essentially a scanner backed by a database of known vulnerabilities and exploits against both the standalone WordPress install and WordPress plugins. It's available at http://wpscan.org/ and comes pre-installed in Backtrack 5 R1. I've used it several times, found it very easy to use, and will be adding it to my toolbox. It's updated often and pulls updates when launched. I did run into a problem where an update broke my install and I had to reinstall a package. All things aside, it is free and useful.
Here is an example of a local path disclosure I found on a WordPress 3.2.1 blog:
Scanning took less than a minute.
If you'd like to see a usage video, here is one posted by the creator on YouTube that covers the basic functionality. The command line arguments may differ slightly between versions, but you get the idea (run it with -h if you need help).
Examples of Features:
- Detection of vulnerabilities in the WordPress core
- Enumeration of installed plugins
- Detection of vulnerabilities in plugins
- Enumeration of WordPress accounts and brute force against them
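To make the manual checks described above concrete, here is an added example (my own code, not wpscan's and not part of the original post) that performs the same three steps offline: it reads the WordPress version from the generator meta tag, enumerates plugins and the version hinted by each asset's `?ver=` parameter from page source, and spots a PHP full-path disclosure in a response body. The page source and error response it works on are constructed samples, and `blog.example`, `example-plugin` and the other names are placeholders.

```python
"""Offline versions of the manual checks described in the post: read the
WordPress version from the generator tag, enumerate plugins (with the version
hinted by each asset's ?ver= parameter) from page source, and spot a PHP
full-path disclosure in a response body.  Added example, not wpscan's code.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed page source (not captured from a real site) in the shape a
# WordPress 3.x front page has: a generator tag plus enqueued plugin assets.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 3.2.1" />
<link rel='stylesheet' href='http://blog.example/wp-content/plugins/contact-form-7/styles.css?ver=3.0.1' type='text/css' />
<script type='text/javascript' src='http://blog.example/wp-content/plugins/akismet/akismet.js?ver=2.5.3'></script>
<script type='text/javascript' src='/wp-content/plugins/akismet/extra.js'></script>
<link rel='stylesheet' href='/wp-content/plugins/wp-pagenavi/pagenavi-css.css?ver=3.2.1' type='text/css' />
<script type='text/javascript' src='/wp-content/themes/twentyeleven/js/html5.js?ver=3.2.1'></script>
</head><body></body></html>"""

# Constructed response of the kind a plugin's PHP file returns when it is
# requested directly and PHP display_errors/html_errors are on.
SAMPLE_ERROR = ("<br />\n<b>Fatal error</b>:  Call to undefined function add_action() in "
                "<b>/var/www/html/wp-content/plugins/example-plugin/example.php</b> "
                "on line <b>12</b><br />\n")

GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+([0-9.]+)', re.I)
# Plugin slug is the first path component under /wp-content/plugins/.
PLUGIN_ASSET_RE = re.compile(r'/wp-content/plugins/([A-Za-z0-9_.-]+)/[^\s"\'<>]*', re.I)
TAG_RE = re.compile(r'<[^>]+>')
# PHP error text once html_errors markup is stripped; Unix or Windows paths.
PHP_ERROR_RE = re.compile(
    r'(?:Fatal error|Parse error|Warning|Notice):.*? in '
    r'((?:[A-Za-z]:\\|/)\S+?\.php) on line (\d+)', re.I)


def wordpress_version(html):
    """Version from the generator meta tag, or None if the site strips it."""
    m = GENERATOR_RE.search(html)
    return m.group(1) if m else None


def enumerate_plugins(html):
    """Map plugin slug -> version hinted by the asset's ?ver= parameter.

    ?ver= is only a hint: when a plugin enqueues an asset without a version,
    WordPress appends the core version instead, so a value equal to the core
    version (or None) means "unknown, confirm against the plugin's readme.txt".
    """
    plugins = {}
    for m in PLUGIN_ASSET_RE.finditer(html):
        slug = m.group(1).lower()
        ver = parse_qs(urlsplit(m.group(0)).query).get("ver", [None])[0]
        # Keep a version once we have one; never overwrite it with None.
        if plugins.get(slug) is None:
            plugins[slug] = ver
    return plugins


def full_path_disclosures(body):
    """(path, line) pairs leaked by PHP errors in a response body."""
    text = TAG_RE.sub("", body)
    return [(path, int(line)) for path, line in PHP_ERROR_RE.findall(text)]


if __name__ == "__main__":
    print("WordPress", wordpress_version(SAMPLE_HTML))
    for slug, ver in sorted(enumerate_plugins(SAMPLE_HTML).items()):
        print(f"plugin {slug}: {ver or 'version unknown'}")
    for path, line in full_path_disclosures(SAMPLE_ERROR):
        print(f"full path disclosure: {path} (line {line})")
```

On the constructed sample this reports core 3.2.1, contact-form-7 at 3.0.1, akismet at 2.5.3, and wp-pagenavi at 3.2.1, where the last value equals the core version and so is the WordPress fallback rather than the plugin's real version, which is the main reason to treat `?ver=` as a lead rather than a finding. Against a live target you would feed the functions the fetched front page and the body returned by requesting a plugin's PHP file directly; that fetching (and the account brute force listed above, which can lock out real users) is not included here and belongs inside an agreed scope.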
UPDATED INFORMATION: After chatting with one of the creators the other day, I realized I needed to make a correction and give credit to those who contribute to the ongoing development of WPScan. Thanks Ryan! In addition to Ryan Dewhurst (@ethicalhack3r), the following are also on the WPScan team: Erwan.LR and Gianluca Brindisi (@gbrindisi). For a full list of credits and contributors, see http://code.google.com/p/wpscan/source/browse/trunk/CREDITS