|« SQLol||Bcfg2 1.3.0rc1 »|
WordPress is very a very common blogging platform and CMS nowadays. Bigger popularity attracts more bad guys and script kiddies to do evil stuff against your Wordpress instance. To get yourself a clearer picture about your own site,
wpscan can help you.
For the ease of the installation process I just did a git checkout. I assume that with the previous installation of metasploit the needed requirements for Fedora are already covered.
git clone https://github.com/wpscanteam/wpscan.git
Then I changed to new created directory and used
gem to do the rest.
cd wpscan sudo gem install bundler && bundle install --without test development
wpscan is ready.
$ ruby wpscan.rb --url 10.0.0.53/wordpress [Sorry, Logo removed] v2.0r2593a2e WordPress Security Scanner by the WPScan Team Sponsored by the RandomStorm Open Source Initiative | URL: http://10.0.0.53/wordpress/ | Started on Sun Jan 13 09:12:15 2013 [+] The WordPress theme in use is responsive v1.8.7 [!] The WordPress 'http://10.0.0.53/wordpress/readme.html' file exists [+] XML-RPC Interface available under http://10.0.0.53/wordpress/xmlrpc.php [+] WordPress version 3.5 identified from meta generator [!] We have identified 2 vulnerabilities from the version number : | * Title: XMLRPC Pingback API Internal/External Port Scanning | * Reference: https://github.com/FireFart/WordpressPingbackPortScanner | * Title: WordPress XMLRPC pingback additional issues | * Reference: http://lab.on sec.r/2013/01/wordpress-xmlr pc-ping back-ad ditional.html [+] Enumerating plugins from passive detection ... No plugins found :( [+] Finished at Sun Jan 13 09:12:15 2013 [+] Elapsed time: 00:00:00
This scan was executed against the latest release of WordPress. No plugins? Let's test the plugin detection capability.
[+] Enumerating plugins from passive detection ... 1 found : | Name: photospace | Location: http://10.0.0.53/wordpress/wp-content/plugins/photospace/ | WordPress: http://wordpress.org/extend/plugins/photospace/