WPScan Tutorial: How to use WPScan with Kali Linux to check for vulnerabilities in WordPress websites?

WPScan is a WordPress security scanner that can identify vulnerabilities in WordPress installations, themes, and plugins. This tutorial will guide you through the process of using WPScan on Kali Linux [1] to scan a WordPress website for vulnerabilities. Additionally, a real case example of WordPress penetration testing using WPScan will be provided.

Prerequisites

  • A system running Kali Linux.
  • Basic knowledge of command-line interface (CLI) usage.
  • Permission to test the target WordPress website (only perform penetration testing on websites you own or have explicit permission to test).

Step-by-Step Guide

Step 1: Install and Update WPScan

  1. Install WPScan:
    WPScan is pre-installed in Kali Linux, but you can update it to the latest version by running the following commands:

    sudo apt-get update
    sudo apt-get install wpscan
    
  2. Verify Installation:
    Ensure WPScan is installed correctly by checking its version:

    wpscan --version
    

Step 2: Gather Initial Information

Before running WPScan, gather basic information about the target website using tools like whois, dig, and nslookup.

  1. Whois Lookup:

    whois example.com
    
  2. DNS Lookup:

    dig example.com
    nslookup example.com
    

Step 3: Basic WPScan Usage

  1. Perform a Basic Scan:
    To perform a basic scan of a WordPress website, use the following command:

    wpscan --url http://example.com
    
  2. Enumerate Plugins:
    To enumerate all plugins and check for vulnerabilities:

    wpscan --url http://example.com --enumerate p
    
  3. Enumerate Themes:
    To enumerate all themes:

    wpscan --url http://example.com --enumerate t
    
  4. Enumerate Users:
    To enumerate WordPress users:

    wpscan --url http://example.com --enumerate u
    

Step 4: Advanced WPScan Usage

  1. Use API Token for Detailed Scans:
    WPScan can provide more detailed information if you use an API token. Register for a free API token at WPScan.

    Configure WPScan with your API token:

    wpscan --url http://example.com --api-token YOUR_API_TOKEN
    
  2. Perform a Full Scan:
    To perform a comprehensive scan using the API token:

    wpscan --url http://example.com --api-token YOUR_API_TOKEN --enumerate ap,at,tt,cb,dbe,u
    
    • ap: All plugins
    • at: All themes
    • tt: Timthumbs
    • cb: Config backups
    • dbe: DB exports
    • u: Users

Step 5: Analyzing Scan Results

Review the output generated by WPScan to identify any vulnerabilities in the WordPress core, plugins, themes, and user configurations. Prioritize vulnerabilities based on their severity and potential impact.

Real Case Example: WordPress Penetration Testing Using WPScan

Let’s consider a hypothetical example of a penetration test on a WordPress website hosted at http://vulnerablewp.com.

  1. Basic Scan:

    wpscan --url http://vulnerablewp.com
    

    Output:

    [+] URL: http://vulnerablewp.com/
    [+] Started: Mon Jun 28 14:23:45 2024
    
    [!] Title: WordPress < 5.5.2 - Authenticated Stored Cross-Site Scripting via Comment
    [!] Fixed in: 5.5.2
    
  2. Enumerate Plugins:

    wpscan --url http://vulnerablewp.com --enumerate p
    

    Output:

    [+] Enumerating plugins from passive detection ...
    [+] Identified the following 2 plugins:
    
    [!] Name: contact-form-7 - v5.1.6
    [!] Latest version: 5.4.2
    [!] Last updated: 2021-07-20
    [!] Vulnerability: Contact Form 7 < 5.3.2 - Unrestricted File Upload
    
  3. Enumerate Users:

    wpscan --url http://vulnerablewp.com --enumerate u
    

    Output:

    [+] Enumerating usernames ...
    [i] User(s) identified:
    [+] admin
    [+] editor
    
  4. Detailed Scan with API Token:

    wpscan --url http://vulnerablewp.com --api-token YOUR_API_TOKEN --enumerate ap,at,tt,cb,dbe,u
    

    Output:

    [+] URL: http://vulnerablewp.com/
    [+] Started: Mon Jun 28 14:45:12 2024
    
    [!] Title: WordPress < 5.5.2 - Authenticated Stored Cross-Site Scripting via Comment
    [!] Fixed in: 5.5.2
    [!] Name: contact-form-7 - v5.1.6
    [!] Vulnerability: Contact Form 7 < 5.3.2 - Unrestricted File Upload
    [!] Name: theme-xyz - v1.2.0
    [!] Vulnerability: Theme XYZ < 1.4.0 - Cross-Site Scripting (XSS)
    [+] User(s) identified:
    [+] admin
    [+] editor
    
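Step 5 asks you to review the findings and prioritize them. The following script, an added example and not part of the original post or of WPScan itself, parses the `[!]` lines of the detailed scan above (embedded here as a constructed sample), drops any finding whose detected version already meets the "fixed in" version, and orders the rest into an update list with the riskiest issue class first. The issue-class ranking in `PRIORITY` is an assumption for triage, not a WPScan scoring.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample (not real scanner output): the [!] lines of the detailed
# scan shown above, laid out the way WPScan's text output prints them.
SAMPLE_OUTPUT = """\
[!] Title: WordPress < 5.5.2 - Authenticated Stored Cross-Site Scripting via Comment
[!] Fixed in: 5.5.2
[!] Name: contact-form-7 - v5.1.6
[!] Vulnerability: Contact Form 7 < 5.3.2 - Unrestricted File Upload
[!] Name: theme-xyz - v1.2.0
[!] Vulnerability: Theme XYZ < 1.4.0 - Cross-Site Scripting (XSS)
"""

NAME_RE = re.compile(r"^\[!\] Name: (\S+) - v([\d.]+)$")
VULN_RE = re.compile(r"^\[!\] (?:Vulnerability|Title): .+? < ([\d.]+) - (.+)$")

# Assumed ranking by issue class for triage; lower number means fix first.
PRIORITY = {"File Upload": 1, "SQL Injection": 1, "Cross-Site Scripting": 2}

def version_tuple(v: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in v.split("."))

def parse_findings(text: str) -> List[Dict[str, Optional[str]]]:
    """A 'Name:' line sets the current plugin/theme and the following
    'Vulnerability:' line belongs to it; core 'Title:' lines have no Name
    line, so they map to 'wordpress-core' with an unknown installed version."""
    findings: List[Dict[str, Optional[str]]] = []
    component, installed = "wordpress-core", None
    for line in text.splitlines():
        name, vuln = NAME_RE.match(line), VULN_RE.match(line)
        if name:
            component, installed = name.group(1), name.group(2)
        elif vuln:
            findings.append({"component": component, "installed": installed,
                             "fixed_in": vuln.group(1), "issue": vuln.group(2)})
    return findings

def remediation_plan(text: str) -> List[str]:
    """Skip findings whose detected version already meets 'fixed in', then
    order the rest so the riskiest update is listed first."""
    plan = []
    for f in parse_findings(text):
        inst, fixed = f["installed"], f["fixed_in"]
        if inst and version_tuple(inst) >= version_tuple(fixed):
            continue  # advisory range does not cover the version found
        rank = next((r for k, r in PRIORITY.items() if k in f["issue"]), 9)
        plan.append((rank, f"update {f['component']} ({inst or 'version unknown'}) "
                           f"to >= {fixed}: {f['issue']}"))
    return [action for _, action in sorted(plan)]
```

Run `remediation_plan(SAMPLE_OUTPUT)` to get the ordered update list; the Contact Form 7 upload issue lands first because an unrestricted upload outranks the two XSS findings.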

You can use WPScan on Kali Linux to identify vulnerabilities in any WordPress website. The example provided demonstrates how to perform basic and advanced scans, enumerate plugins, themes, and users, and analyze the results to identify and prioritize vulnerabilities.

Always remember to perform penetration testing ethically and legally, only on websites you own or have explicit permission to test.


  1. Kali Linux is a Debian-based Linux distribution designed for penetration testing and security auditing. It comes pre-installed with a wide range of security tools, including WPScan, which is a popular WordPress security scanner. This tutorial uses Kali Linux as the operating system for running WPScan to scan WordPress websites for vulnerabilities. (Explanation by AI)
