WordPress is the most used CMS for websites because it has a lot of features and is easy to use. As a pentester you have to build up your ability to exploit the WordPress CMS, but with WPrecon you can automatically perform vulnerability scanning on a WordPress site. As we know, WordPress still has some bugs that can be exploited.
WPrecon (WordPress Recon)
Hello! Welcome. WPrecon (WordPress Recon) is a vulnerability recognition tool for the WordPress CMS, developed 100% in Go.
Notice: Why is the project out of updates these days?! What happens is that I am doing the vulnerability scanner.
| ✅ | Fuzzing Backup Files |
Install and Compile
To compile wprecon you need the Go compiler installed. Download it from the official Go website and install it.
Once Go is installed, download wprecon directly from GitHub with the command:
After downloading wprecon, compile it with the command:
| Flag | Description |
|---|---|
| -u, --url string | Target URL (Ex: http(s)://example.com/). (Required) |
| --users-enumerate | Use the supplied mode to enumerate Users. |
| --themes-enumerate | Use the supplied mode to enumerate Themes. |
| --plugins-enumerate | Use the supplied mode to enumerate Plugins. |
| --detection-waf | I will try to detect if the target is using any WAF. |
| --detection-honeypot | I will try to detect if the target is a honeypot, based on the shodan. |
| --no-check-wp | Will skip wordpress check on target. |
| --random-agent | Use randomly selected HTTP(S) User-Agent header value. |
| --tor | Use Tor anonymity network. |
| --disable-tls-checks | Disables SSL/TLS certificate verification. |
| -h, --help | help for wprecon. |
| -v, --verbose | Verbosity mode. |
wprecon --url "https://www.xxxxxxx.com/" --detection-waf
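
On the defending side, the plugin and theme enumeration options combined with a random User-Agent can be looked for in web server access logs. The following is an added example, not part of WPrecon or of the original post: it flags clients that request many distinct plugin or theme directories and mostly receive 404. The combined log format, the thresholds, the function names and the sample lines are assumptions, and it does not claim to match WPrecon's exact requests.

```python
import re
from collections import defaultdict

# Combined log format; only ip, request path, status and user agent are captured.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Standard WordPress layout: plugins and themes live under /wp-content/.
COMPONENT_RE = re.compile(r"^/wp-content/(plugins|themes)/([^/?]+)")


def find_enumerators(lines, min_components=5, min_miss_ratio=0.6):
    """Flag clients that probe many distinct plugin/theme slugs and mostly get 404."""
    seen = defaultdict(lambda: {"slugs": set(), "agents": set(), "hits": 0, "misses": 0})
    for line in lines:
        entry = LINE_RE.match(line)
        component = entry and COMPONENT_RE.match(entry["path"])
        if not component:
            continue  # malformed line, or not a plugin/theme request
        stats = seen[entry["ip"]]
        stats["slugs"].add(component.groups())
        stats["agents"].add(entry["ua"])
        stats["misses" if entry["status"] == "404" else "hits"] += 1
    flagged = {}
    for ip, stats in seen.items():
        miss_ratio = stats["misses"] / (stats["misses"] + stats["hits"])
        if len(stats["slugs"]) >= min_components and miss_ratio >= min_miss_ratio:
            # More than one user agent from one address suggests a rotating User-Agent.
            flagged[ip] = {"components": len(stats["slugs"]), "miss_ratio": round(miss_ratio, 2),
                           "user_agents": len(stats["agents"])}
    return flagged


def sample_log():
    """Constructed lines (not real traffic): one scanner-like client, one ordinary visitor."""
    fmt = '{ip} - - [10/Mar/2024:10:00:{n:02d} +0000] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'
    lines = [
        fmt.format(ip="203.0.113.7", n=n, path=f"/wp-content/plugins/example-plugin-{n}/",
                   status=200 if n < 2 else 404, ua=f"ExampleAgent/{n}.0")
        for n in range(8)]
    for n, path in enumerate(["/wp-content/themes/example-theme/style.css",
                              "/wp-content/plugins/example-plugin-0/app.js", "/index.php"]):
        lines.append(fmt.format(ip="198.51.100.20", n=30 + n, path=path, status=200,
                                ua="Mozilla/5.0 (X11; Linux x86_64)"))
    return lines


if __name__ == "__main__":
    print(find_enumerators(sample_log()))
```

Thresholds need tuning per site: a page that legitimately loads assets from many plugins will raise the component count, which is why the 404 ratio is checked alongside it.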