WPrecon – Tool to Find Vulnerability in CMS WordPress

WPrecon - Tool to Find Vulnerability in CMS WordPress

WordPress is the most use CMS for website, because there is a lot of features and easy to use. As a pentester you have to upgrade your ability to exploit WordPress CMS, but with WPrecon you can automatically perform vulnerabilities scanning on a wordpress site. As we know WordPress is still have some bugs that can be exploited.

WPrecon (WordPress Recon)

Hello! Welcome. Wprecon (WordPress Recon), is a vulnerability recognition tool in CMS WordPress, 100% developed in Go.

Notice: Why is the project out of updates these days ?! What happens is that I am doing the vulnerability scanner.


Random Agent
Detection WAF
User Enumerator
Plugin Scanner
Theme Scanner
Tor Proxy’s
Detection Honeypot
Fuzzing Backup Files
Fuzzing Passwords
Vulnerability Scanner

Install and Compile

For you to compile wprecon you will need to have the golang compiler installed. And for that you will access the official website of golang and will download and install it. Here!

Once downloaded and installed you will download wprecon directly from github with the command:

Primary way:
go get github.com/blackcrw/wprecon

Second way:
mkdir ~/Go/src/github.com/blackcrw/wprecon;
cd ~/Go/src/github.com/blackcrw;
git clone https://github.com/blackcrw/wprecon;
go get wprecon. 

After downloading wprecon you will compile with the command:

go build ~/Go/src/blackcrw/github.com/blackcrw/wprecon


-u, –url stringTarget URL (Ex: http(s)://example.com/). (Required)
–users-enumerateUse the supplied mode to enumerate Users.
–themes-enumerateUse the supplied mode to enumerate Themes.
–plugins-enumerateUse the supplied mode to enumerate Plugins.
–detection-wafI will try to detect if the target is using any WAF.
–detection-honeypotI will try to detect if the target is a honeypot, based on the shodan.
–no-check-wpWill skip wordpress check on target.
–random-agentUse randomly selected HTTP(S) User-Agent header value.
–torUse Tor anonymity network.
–disable-tls-checksDisables SSL/TLS certificate verification.
-h, –helphelp for wprecon.
-v, –verboseVerbosity mode.

WPrecon running

Command: wprecon --url "https://www.xxxxxxx.com/" --detection-waf


 ___       ______________________________________________   __
 __ |     / /__  __ \__  __ \__  ____/_  ____/_  __ \__  | / /
 __ | /| / /__  /_/ /_  /_/ /_  __/  _  /    _  / / /_   |/ /
 __ |/ |/ / _  ____/_  _, _/_  /___  / /___  / /_/ /_  /|  /
 ____/|__/  /_/     /_/ |_| /_____/  \____/  \____/ /_/ |_/
 Github: https://github.com/blackcrw/wprecon
 Version: 0.0.1a
 [•] Target: https://www.xxxxxxx.com/
 [•] Starting: 09/jan/2020 12:11:17
 [•] Listing enable: https://www.xxxxxxx.com/wp-content/plugins/
 [•] Listing enable: https://www.xxxxxxx.com/wp-content/themes/
 [•••] Status Code: 200 — URL: https://www.xxxxxxx.com/wp-admin/
 [•••] I'm not absolutely sure that this target is using wordpress! 37.50% chance. do you wish to continue ? [Y/n]: Y
 [•••] Status Code: 200 — WAF: Wordfence Security Detected
 [•••] Do you wish to continue ?! [Y/n] : Y 

You May Also Like

Leave a Reply

Your email address will not be published. Required fields are marked *

1 × one =