Tuesday , May 7 2019

Finding WordPress Vulnerabilities Using WpScan

WordPress is the most popular online publishing platform, currently powering more than 26% of the web, with approximately 76.5 million WordPress blogs. WordPress is open source, and anyone can start a blog or build a website in seconds without any technical knowledge; it is very easy to use. At the same time, many WordPress blogs are hacked every day, mostly through known vulnerabilities in the themes and plugins that site owners have installed. WPScan is a tool made specifically to check a site for these known WordPress vulnerabilities.

What Is WPScan

WPScan is a WordPress vulnerability scanner developed by the WPScan Team. It scans a WordPress website for known vulnerabilities in the core version, plugins, and themes, and can also find weak passwords, user accounts, and security configuration issues. The checks are driven by the WPVulnDB database, where the WPScan team maintains an ever-growing list of vulnerabilities.

Opening WPScan

WPScan is very easy to use, and so are its commands. WPScan is built into Kali Linux, which is what we will be using here. To launch WPScan, open a terminal and type:


Scanning For Vulnerabilities

Now we will point WPScan at our target website. With a few commands WPScan will tell us whether there is any security vulnerability and how severe it is, after which the necessary countermeasures can be taken to secure our WordPress website. First we will perform a quick scan of the target WordPress website; it checks for vulnerabilities and lists any it finds. For a quick scan, type:

root@kali:~# wpscan -u https://example.com/

Here -u stands for the URL. Running the basic command above performs a quick scan of the website to identify the active theme and basic security issues.

Scanning For Vulnerable Plugins

To scan plugins, the quick-scan command stays the same; the only addition is '--enumerate vp', where 'v' stands for 'vulnerable' and 'p' for 'plugins'. So our final command will be:

root@kali:~# wpscan -u https://example.com/ --enumerate vp

This command lists all the plugins in use on the target WordPress website; any vulnerable plugin is marked with red exclamation icons, with references to the vulnerability above it. Such plugins should be updated as soon as possible, or removed if they are not in use.

Scanning For Vulnerable Themes

For themes the command stays the same; the only change is 't' in place of 'p', so the final command looks like:

root@kali:~# wpscan -u https://example.com/ --enumerate vt

This command lists all the themes in use; any vulnerable theme is marked with a red exclamation icon, and such a theme should be replaced or patched to prevent a compromise.

Scanning For Vulnerable Themes & Plugins Together

The two previous commands scan for vulnerable plugins and themes separately. We can also scan for both at once, which saves time. The command for scanning plugins and themes together looks like this:

root@kali:~# wpscan -u https://example.com/ --enumerate vpt

This command lists the vulnerable plugins and themes together.

Scanning For WordPress Username

Scanning for accounts is known as username enumeration. Once an attacker knows a valid username, a successful brute-force attack becomes much easier, and after gaining access to that account they can take over the whole website.

To find out the login names of the users on your WordPress website, add '--enumerate u' to the end of the command. So our final command will look like:

root@kali:~# wpscan -u https://example.com/ --enumerate u

This will not work if a firewall is enabled or the WordPress admin has installed a plugin that blocks WPScan's scanning.

Brute-Forcing User Account

WPScan can also perform a brute-force attack against accounts. For this you need a wordlist (password list), placed in the WPScan directory so that WPScan can find it. Once you have the wordlist, add the '--wordlist' argument followed by the name of the wordlist file. You can also specify the number of threads to use for processing the list in parallel. Depending on the length of the wordlist, this can take a lot of time and computer resources to complete. So our final command will look like:

root@kali:~# wpscan -u https://example.com/ --wordlist password.txt --threads 50
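The last two sections describe what WPScan does from the attacker's seat: enumerate usernames, then guess passwords. As an added example (not from this article or the WPScan project), the Python below is the defender's side of the same two steps: it reads web-server access-log lines and flags the traces those runs leave behind, a sweep of /?author=N requests, a burst of POSTs to /wp-login.php, and a client that announces itself as WPScan. The log lines, addresses, user-agent string and thresholds are constructed for the example and should be tuned to your own traffic.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log line; only the fields needed here are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
AUTHOR_RE = re.compile(r'[?&]author=(\d+)')  # WordPress author-ID probe (/?author=N)

def scan_access_log(lines, author_ids_threshold=3, login_posts_threshold=10):
    # Returns {ip: [finding, ...]} for clients whose requests look like WordPress
    # username enumeration or a password-guessing run against /wp-login.php.
    author_ids = defaultdict(set)   # ip -> distinct author IDs probed
    login_posts = defaultdict(int)  # ip -> POSTs to /wp-login.php
    scanner_ua = set()              # ips whose user agent names WPScan
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                # malformed or unrelated line: skip, never crash
        ip, method, path, ua = m["ip"], m["method"], m["path"], m["ua"]
        probe = AUTHOR_RE.search(path)
        if probe:
            author_ids[ip].add(int(probe.group(1)))
        if method == "POST" and path.split("?")[0] == "/wp-login.php":
            login_posts[ip] += 1
        if "wpscan" in ua.lower():
            scanner_ua.add(ip)
    findings = defaultdict(list)
    for ip, ids in author_ids.items():
        if len(ids) >= author_ids_threshold:
            findings[ip].append(f"username-enumeration: probed author IDs {sorted(ids)}")
    for ip, n in login_posts.items():
        if n >= login_posts_threshold:
            findings[ip].append(f"login-brute-force: {n} POSTs to /wp-login.php")
    for ip in scanner_ua:
        findings[ip].append("scanner-user-agent: client called itself WPScan (trivially changed)")
    return dict(findings)

def _line(ip, method, path, status, ua, sec):
    return (f'{ip} - - [07/May/2019:10:00:{sec:02d} +0000] "{method} {path} HTTP/1.1" '
            f'{status} 0 "-" "{ua}"')

# Constructed sample traffic (documentation addresses, not real logs): an author-ID sweep
# and 12 login POSTs from one client, plus one ordinary visitor who logs in once.
WPSCAN_UA = "WPScan v2.9.4 (https://wpscan.org)"  # constructed; the real default may differ
SAMPLE_LOG = (
    [_line("203.0.113.5", "GET", f"/?author={i}", 301, WPSCAN_UA, i) for i in range(1, 6)]
    + [_line("203.0.113.5", "POST", "/wp-login.php", 200, WPSCAN_UA, 10 + i) for i in range(12)]
    + [_line("198.51.100.9", "GET", "/about/", 200, "Mozilla/5.0", 30),
       _line("198.51.100.9", "POST", "/wp-login.php", 302, "Mozilla/5.0", 31)]
)
```

The user-agent match is the weakest of the three signals, since a scanner can send any string; the request-pattern counts are what a firewall or login-protection plugin of the kind the article mentions actually keys on.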


About Kamran Saifullah

Kamran Saifullah is an Ethical Hacker, Security Researcher, Penetration Tester, Techie and Public Speaker with 7 years of intense "Web Application Penetration Testing" experience. He has found security vulnerabilities in many giant organizations such as Microsoft, Sony and BlackBerry, and has been acknowledged by more than 700 vendors around the globe for his findings.
