Effectively Pentest a Wordpress Site

Question

When it comes to blackbox pentesting of a Wordpress site, the first thing to come to mind is WPScan [http://wpscan.org/].

While pentesting some sites, I faced a common issue i.e it shows that Wordpress SEO 1.14.15 is vulnerable to Cross Site Scripting Attack. Output is given below:

 | * Title: WordPress SEO 1.14.15 - index.php s Parameter Reflected XSS

 | * Reference: [http://packetstormsecurity.com/files/123028/][2]

 | * Reference: http://osvdb.org/97885

But when following the link http://packetstormsecurity.com/files/123028/ , it shows that attack can be executed with

But the main problem is when I tried to inject several XSS vectors, the results were not positive. I was not able to find any XSS in above url. There is proper output encoding, a snapshot is shown below:

So my question is:

1. Do you have any method to bypass this and execute an XSS?
2. Do you have any other tool or resources through which I can do better blackbox testing of Wordpress?

Answer 1

Wordpress is attacked 3.5 times more often than non-CMSes. WPScan is a great tool that's been around since the BackTrack Linux days.

However, there are more tools and techniques available. Here is a list of some newer tools:

• https://github.com/RamadhanAmizudin/Wordpress-scanner
• https://github.com/enddo/wp-plugin-scanner
• https://github.com/0xBADCA7/wp-xmlrpc-bruteforcer
• https://github.com/droope/droopescan
• https://github.com/iniqua/plecost

Techniques for Wordpress security testing and remediation:

• https://www.owasp.org/index.php/OWASP_Wordpress_Security_Implementation_Guideline

• https://www.acunetix.com/blog/articles/wordpress-security-wpadmin-directory/ (a 10-part series on Wordpress Security from Acunetix)

• https://www.acunetix.com/vulnerabilities/web/wordpress-xml-rpc-authentication-brute-force
• https://www.acunetix.com/vulnerabilities/web/wordpress-username-enumeration

Answer 2

IIRC Wpscan just tests for the presence of the plugin not that it is a version which is specifically vulnerable, so what you're seeing would be consistent with the site having the plugin installed but a non-vulnerable version.

Beyond using tools like wpscan you could just use standard black-box web app testing tools, like arachni and then move on to manual testing with burp or ZAP

Answer 3

Wpscan wasn't able to reproduce this vulnerability so they removed it from the database. If you update the wpscan database with wpscan --update and then rerun wpscan against the url you're targeting you will notice the vulnerability does not appear.