Recon

rustscan -a 206.189.27.250 -- -A

Manually walking the site, reveals a blog post with username: hh

Login page:

wp-login.php

Verbose error messaging reveals valid username hh. We now know user hh can login:

Check for Plugins by using browser Inspect feature (F12)

Look for plugin readme.txt file for versioning. The default file format is /wp-content/plugins/<PLUGIN_NAME>/readme.txt

mw-wp-form version 5.0.3 plugin is installed:

Google search on this plugin version results in CVE-2023-6559 MW WP Form plugin arbitrary file deletion

Source: https://www.wordfence.com/blog/2024/01/1275-bounty-awarded-for-arbitrary-file-deletion-vulnerability-patched-in-mw-wp-form-wordpress-plugin/

Manually check for backup dir. Sometimes archives of the Wordpress source code are stored here. We find a corrupted index.php file that won't load:

PreviousHacking WordpressNextWpscan

Last updated