WPProbe
Overview
WPProbe is a specialized WordPress enumeration and vulnerability assessment tool designed for authorized penetration testers. It performs deep reconnaissance on WordPress installations by identifying plugins, themes, users, and known vulnerabilities. WPProbe combines multiple detection techniques to maximize accuracy and provides actionable vulnerability information.
Key features include:
- Plugin and theme enumeration (active and inactive)
- Version detection and vulnerability correlation
- User account enumeration
- WordPress core version identification
- Known CVE matching
- Automated exploitation recommendations
Installation
From GitHub Source
```bash
git clone https://github.com/mazenhatem/wpprobe.git
cd wpprobe
pip install -r requirements.txt
python wpprobe.py --help
```
Using pip
```bash
pip install wpprobe
wpprobe --help
```
Manual Setup
```bash
# Clone repository
git clone https://github.com/mazenhatem/wpprobe.git
cd wpprobe

# Install Python 3.7+
python3 --version

# Install dependencies
pip3 install -r requirements.txt

# Run the tool
python3 wpprobe.py

# Or pull and run the Docker image
docker pull wpprobe
docker run -it wpprobe --help
```
Kali Linux
```bash
apt update && apt install wpprobe -y
```
Basic Usage
| Command | Description |
|---|---|
| `wpprobe -u <url>` | Scan WordPress site for plugins/themes |
| `wpprobe -u <url> -e plugins` | Enumerate only plugins |
| `wpprobe -u <url> -e themes` | Enumerate only themes |
| `wpprobe -u <url> -e users` | Enumerate WordPress users |
| `wpprobe -u <url> -e all` | Full enumeration (plugins, themes, users) |
| `wpprobe -u <url> --update-db` | Update vulnerability database |
| `wpprobe -u <url> -o <file>` | Save results to JSON file |
| `wpprobe -u <url> -v` | Verbose output with details |
Common Examples
Basic WordPress Enumeration
```bash
wpprobe -u https://example.com
```
Performs complete enumeration including WordPress version, plugins, themes, and users. Automatically checks for known vulnerabilities in detected components.
Plugin Enumeration Only
```bash
wpprobe -u https://example.com -e plugins -v
```
Focuses on identifying installed plugins and their versions. Useful when you’ve already identified WordPress and want detailed plugin information.
Theme Enumeration
```bash
wpprobe -u https://example.com -e themes
```
Identifies the active theme and any other installed themes, including version information and known vulnerabilities.
User Enumeration
```bash
wpprobe -u https://example.com -e users -v
```
Discovers WordPress user accounts and usernames. Useful for password spray attacks or targeted phishing campaigns in authorized assessments.
Save Results to JSON
```bash
wpprobe -u https://example.com -o results.json -v
```
Generates detailed enumeration results in JSON format for further analysis or integration with other tools.
Update Vulnerability Database
```bash
wpprobe --update-db
wpprobe -u https://example.com -o results.json
```
Updates the tool’s vulnerability database with the latest CVEs before scanning to ensure detection of recent vulnerabilities.
Advanced Usage
Batch Scanning Multiple WordPress Sites
```bash
#!/bin/bash
# Create list of target WordPress sites
cat targets.txt
# https://wordpress1.example.com
# https://wordpress2.example.com
# https://internal-blog.local

# Scan all targets (quote the variable so unusual URLs are not word-split)
while IFS= read -r target; do
    echo "Scanning $target..."
    wpprobe -u "$target" -o "${target//\//_}_results.json"
    sleep 2
done < targets.txt

# Generate summary report
find . -name "*_results.json" -exec jq '.target, .plugins' {} \;
```
Detailed Plugin Vulnerability Analysis
```bash
# Scan and get detailed plugin information
wpprobe -u https://example.com -e plugins -v -o plugins.json

# Extract vulnerable plugins
cat plugins.json | jq '.plugins[] | select(.vulnerabilities | length > 0)'

# Count vulnerabilities by plugin (sort_by is a jq function, so it runs inside the filter)
cat plugins.json | jq '[.plugins[] | {name: .name, vuln_count: (.vulnerabilities | length)}] | sort_by(.vuln_count)'
```
Vulnerability Risk Assessment
```bash
# Comprehensive scan with detailed output
wpprobe -u https://example.com -e all -v -o full_scan.json

# Extract plugins with at least one critical vulnerability (each plugin listed once)
cat full_scan.json | jq '.plugins[] | select(any(.vulnerabilities[]; .severity == "critical"))'

# Count issues by severity
cat full_scan.json | jq '[.plugins[].vulnerabilities[].severity] | group_by(.) | map({severity: .[0], count: length})'
```
Integration with WPScan
```bash
# Use WPProbe for initial enumeration
wpprobe -u https://example.com -o initial_enum.json

# Identify plugins with critical vulnerabilities (each name printed once)
cat initial_enum.json | jq '.plugins[] | select(any(.vulnerabilities[]; .severity == "critical")) | .name'

# Run WPScan for deep dive on critical plugins
wpscan --url https://example.com --api-token YOUR_TOKEN
```
Enumeration Techniques
Plugin Detection Methods
WPProbe uses multiple techniques to detect plugins:
| Technique | Reliability | Speed |
|---|---|---|
| wp-content/plugins directory listing | High | Fast |
| Known plugin file paths | High | Fast |
| JavaScript/CSS file URLs | High | Fast |
| README.txt in plugin directories | High | Fast |
| wp-admin assets | Medium | Fast |
| HTML comments | Low | Fast |
Example Detection Output
```
$ wpprobe -u https://example.com -e plugins -v
[+] WordPress detected: version 5.9.2
[+] Plugins enumerated: 12

Plugin: Contact Form 7
  - Version: 5.5.2
  - Status: Active
  - Vulnerabilities: 2
    - CVE-2020-12447 (Medium): Local File Inclusion

Plugin: WooCommerce
  - Version: 6.1.0
  - Status: Active
  - Vulnerabilities: 3
    - CVE-2021-12741 (High): SQL Injection

Plugin: Yoast SEO
  - Version: 18.0
  - Status: Active
  - Vulnerabilities: 0
```
Vulnerability Assessment
Vulnerability Database
```bash
# Update vulnerability database regularly
wpprobe --update-db

# Database contains:
# - WordPress core CVEs
# - Plugin CVEs
# - Theme CVEs
# - CVSS scores
# - Exploit availability
```
CVE Severity Classifications
| Severity | CVSS Score | Impact |
|---|---|---|
| Critical | 9.0-10.0 | Immediate exploitation risk |
| High | 7.0-8.9 | Significant exploitation risk |
| Medium | 4.0-6.9 | Moderate exploitation risk |
| Low | 0.1-3.9 | Minor exploitation risk |
Extracting High-Risk Findings
```bash
# Get all critical and high severity issues
wpprobe -u https://example.com -o scan.json
# Match the labels explicitly: a string comparison (>= "high") sorts alphabetically and would miss "critical"
cat scan.json | jq '.plugins[] | select(any(.vulnerabilities[]; .severity == "critical" or .severity == "high"))'

# Generate remediation list
cat scan.json | jq '.plugins[] | select(.vulnerabilities | length > 0) | {name: .name, version: .version, vuln_count: (.vulnerabilities | length)}'
```
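The severity labels in the table above are ordinal, so a plain string comparison such as `severity >= "high"` sorts alphabetically and ranks "critical" below "high". The following is an added example, not WPProbe's own code, that ranks findings explicitly and builds a patch-first list. The JSON layout follows the field names this page's jq filters assume; the `cvss` field, plugin names and CVE placeholders are constructed.

```python
import json

# Constructed scan result using the field names this page's jq filters assume
# (.plugins[].vulnerabilities[].severity); "cvss" is an assumed extra field.
SAMPLE_SCAN = json.loads("""
{"plugins": [
  {"name": "example-forms", "version": "1.2.0", "vulnerabilities": [
     {"cve": "CVE-XXXX-0001", "severity": "medium"},
     {"cve": "CVE-XXXX-0002", "severity": "critical"}]},
  {"name": "example-shop", "version": "3.0.1", "vulnerabilities": [
     {"cve": "CVE-XXXX-0003", "cvss": 7.5}]},
  {"name": "example-seo", "version": "9.9", "vulnerabilities": []},
  {"name": "example-gallery", "version": "0.4", "vulnerabilities": [
     {"cve": "CVE-XXXX-0004", "severity": "Low"}]}
]}
""")

# Explicit ordinal ranks replace alphabetical string comparison.
RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

def severity_from_cvss(score):
    """Bucket a CVSS score with the ranges from the severity table above."""
    for label, floor in (("critical", 9.0), ("high", 7.0), ("medium", 4.0), ("low", 0.1)):
        if score >= floor:
            return label
    return None

def vuln_rank(vuln):
    """Ordinal rank of one finding; falls back to the CVSS score, 0 if unknown."""
    label = str(vuln.get("severity", "")).lower()
    if label not in RANK and isinstance(vuln.get("cvss"), (int, float)):
        label = severity_from_cvss(vuln["cvss"])
    return RANK.get(label, 0)

def remediation_list(scan, minimum="high"):
    """Plugins with at least one finding at or above `minimum`, worst first."""
    rows = []
    for plugin in scan.get("plugins", []):
        vulns = plugin.get("vulnerabilities", [])
        ranks = [vuln_rank(v) for v in vulns]
        if ranks and max(ranks) >= RANK[minimum]:
            worst = [v.get("cve") for v, r in zip(vulns, ranks) if r == max(ranks)]
            rows.append((max(ranks), plugin["name"], plugin.get("version"), worst))
    rows.sort(key=lambda r: (-r[0], r[1]))
    return [{"plugin": n, "version": ver, "worst_cves": c} for _, n, ver, c in rows]

if __name__ == "__main__":
    print(json.dumps(remediation_list(SAMPLE_SCAN), indent=2))
```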
User Enumeration
WordPress User Discovery
```bash
# Enumerate all WordPress users
wpprobe -u https://example.com -e users -v

# Output example:
# [+] Users enumerated: 8
# - admin (ID: 1)
# - blogger (ID: 2)
# - john (ID: 3)
# - jane (ID: 4)
```
User ID Enumeration Methods
```bash
# WPProbe automatically tries multiple methods:
# 1. RSS feed (?feed=rss2)
# 2. Author archives (?author=1, ?author=2, etc.)
# 3. REST API (/wp-json/wp/v2/users)
# 4. Sitemap.xml parsing
# 5. Archives page HTML
```
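From the defending side, the enumeration methods listed above leave recognizable requests in the web server's access log. The following added example (not part of WPProbe or the original page) flags clients that request several distinct `?author=N` IDs or combine more than one of these methods. The log lines are constructed and the `min_author_ids` threshold is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined log format, documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.9 - - [10/Mar/2024:10:01:00 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:10:01:05 +0000] "GET /about/ HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:10:02:00 +0000] "GET /?feed=rss2 HTTP/1.1" 200 4096 "-" "FeedReader/1.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" \d{3} ')

def classify(target):
    """Map a request target to an enumeration method from the list above, or None."""
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    if any(v.isdigit() for v in query.get("author", [])):
        return "author-archive"
    if parts.path.startswith("/wp-json/wp/v2/users"):
        return "rest-users"
    if query.get("feed") == ["rss2"]:
        return "rss-feed"
    return None  # sitemap and archive-page fetches look like normal traffic

def find_enumerators(log_text, min_author_ids=3):
    """Return {client_ip: sorted methods} for clients that look like user enumeration."""
    author_ids, methods = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, target = m.groups()
        kind = classify(target)
        if kind:
            methods[ip].add(kind)
        if kind == "author-archive":
            author_ids[ip].update(parse_qs(urlsplit(target).query)["author"])
    # One ?author=1 hit or one feed fetch is ordinary; several IDs or mixed methods is not.
    return {ip: sorted(kinds) for ip, kinds in methods.items()
            if len(author_ids[ip]) >= min_author_ids or len(kinds) >= 2}

if __name__ == "__main__":
    for ip, kinds in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: possible user enumeration via {', '.join(kinds)}")
```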
Creating Wordlists from Enumerated Users
```bash
# Enumerate users
wpprobe -u https://example.com -e users -o users.json

# Extract usernames
cat users.json | jq -r '.users[].username' > usernames.txt

# Use with Hydra for password spray
hydra -L usernames.txt -P passwords.txt https://example.com http-post-form \
"/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=&test_cookie=1:S=dashboard"
```
WordPress Core Version Detection
Version Identification Techniques
```bash
# Method 1: wp-includes/version.php parsing
# Method 2: wp-content/themes/twentyXXX/style.css
# Method 3: wp-admin/js/common.js
# Method 4: REST API /wp-json/

# WPProbe tries all methods automatically
wpprobe -u https://example.com -v
```
Identifying Outdated WordPress
```bash
# Scan and check WordPress version
wpprobe -u https://example.com -o results.json

# Extract version
cat results.json | jq '.wordpress_version'

# Check against latest version
# WordPress 6.4.x is current (as of 2024)
# Versions below 6.0 are significantly outdated
```
Advanced Configuration
Custom Headers and Proxies
```bash
# Scan through proxy (Burp Suite)
# Modify the Python script or use wrapper
python wpprobe.py -u https://example.com -x http://127.0.0.1:8080

# Specify custom User-Agent
# Edit wpprobe config or use environment variable
USER_AGENT="Mozilla/5.0 (Custom)" wpprobe -u https://example.com
```
Timeout and Performance Settings
```bash
# WPProbe has built-in timeouts
# For slow/distant targets, results may be incomplete
wpprobe -u https://slow-target.example.com -v

# Alternative: Increase request timeout in config
# Edit wpprobe.py or configuration file
```
Real-World Assessment Workflow
Complete WordPress Security Assessment
```bash
#!/bin/bash
TARGET="https://example.com"
OUTPUT="assessment_$(date +%Y%m%d_%H%M%S)"
mkdir -p "$OUTPUT"

# Step 1: Initial enumeration
echo "[*] Starting WordPress assessment..."
wpprobe -u "$TARGET" -e all -v -o "$OUTPUT/enumeration.json"

# Step 2: Extract critical findings (each affected plugin listed once)
echo "[*] Identifying critical vulnerabilities..."
cat "$OUTPUT/enumeration.json" | jq '.plugins[] | select(any(.vulnerabilities[]; .severity == "critical"))' > "$OUTPUT/critical_vulns.json"

# Step 3: Enumerate users for password spray list
echo "[*] Enumerating users..."
cat "$OUTPUT/enumeration.json" | jq -r '.users[].username' > "$OUTPUT/usernames.txt"

# Step 4: Generate report
# Count critical findings with jq; counting lines of pretty-printed JSON gives a meaningless number
cat > "$OUTPUT/assessment_summary.txt" << EOF
WordPress Assessment Report
Target: $TARGET
Date: $(date)
Critical Vulnerabilities: $(jq '[.plugins[].vulnerabilities[] | select(.severity == "critical")] | length' "$OUTPUT/enumeration.json")
Users Enumerated: $(wc -l < "$OUTPUT/usernames.txt")
Plugins Found: $(jq '.plugins | length' "$OUTPUT/enumeration.json")
Themes Found: $(jq '.themes | length' "$OUTPUT/enumeration.json")
EOF

echo "[+] Assessment complete. Results in $OUTPUT/"
```
Vulnerability Prioritization
```bash
#!/bin/bash
# Scan and prioritize findings by exploitability
wpprobe -u https://target.com -o scan.json

# Extract exploitable vulnerabilities
# Bind the plugin to $p so only the matching CVEs are printed, once each
echo "=== Critical, Exploitable Vulnerabilities ==="
cat scan.json | jq -r '.plugins[] | . as $p |
  .vulnerabilities[] |
  select(.severity == "critical" and .exploit_available == true) |
  "\($p.name) v\($p.version): \(.cve)"'

echo ""
echo "=== High Severity Vulnerabilities ==="
cat scan.json | jq -r '.plugins[] | . as $p |
  .vulnerabilities[] | select(.severity == "high") |
  "\($p.name) v\($p.version): \(.cve)"'
```
Integration with Other Tools
WPScan Integration
```bash
# Use WPProbe for quick enumeration
wpprobe -u https://example.com -e plugins -o quick_enum.json

# Use WPScan for deep vulnerability scanning
wpscan --url https://example.com --enumerate vp,u \
  --api-token YOUR_TOKEN \
  --output results.json \
  --format json
```
Exploit Framework Integration
```bash
# Identify vulnerable plugin
wpprobe -u https://example.com | grep -i "vulnerable"

# Search for exploit
# Example: Contact Form 7 v5.5.2 - Local File Inclusion
searchsploit "Contact Form 7 5.5.2"

# Use in Metasploit
msfconsole
> search contact form 7
> use exploit/...
```
Custom Vulnerability Assessment
```bash
# Export enumeration data
wpprobe -u https://example.com -o data.json

# Parse and create custom assessment
python3 << 'EOF'
import json

with open('data.json') as f:
    data = json.load(f)

print("=== Plugin Risk Analysis ===")
for plugin in data['plugins']:
    # Treat a missing "vulnerabilities" key as no findings
    vuln_count = len(plugin.get('vulnerabilities', []))
    if vuln_count > 0:
        print(f"{plugin['name']} v{plugin['version']}: {vuln_count} vulnerabilities")
EOF
```
Avoiding Detection
Stealthy Scanning Practices
```bash
# Add delays between requests
# Modify enumeration speed in configuration
wpprobe -u https://example.com --slow # If supported

# Or use custom wrapper
for i in {1..12}; do
    curl -s "https://example.com/?author=$i" > /dev/null
    sleep 1
done
```
Rotating User Agents
```bash
# WPProbe uses rotating user agents by default
# For additional stealth, use proxy with rotating agents
wpprobe -u https://example.com -x http://127.0.0.1:8080
# Then configure proxy to rotate user agents
```
Best Practices
- Authorization: Always obtain written permission before scanning
- Database Updates: Keep vulnerability database current before scanning
- Batch Operations: Document all scans with date/time stamps
- Escalation: Prioritize critical vulnerabilities for immediate patching
- Verification: Manually verify critical findings before reporting
- Responsible Disclosure: Follow coordinated disclosure practices
- Chain Analysis: Combine findings with WPScan and Metasploit for deeper assessment
- Documentation: Maintain detailed logs of enumeration and findings
Troubleshooting
Connection Issues
```bash
# Test WordPress detection
curl -I https://example.com
curl -s https://example.com | grep -i wordpress

# If not detected as WordPress
# May not be WordPress or heavily customized
wpprobe -u https://example.com -v
```
Plugin Detection Failures
```bash
# If plugins not detected
# Disable wp-content listing or use stealth mode
# Check if /wp-content/plugins/ is accessible
curl https://example.com/wp-content/plugins/

# If forbidden, enumeration is more difficult
# Rely on other detection methods (JavaScript, CSS)
```
User Enumeration Not Working
```bash
# REST API may be disabled
curl https://example.com/wp-json/wp/v2/users

# Try alternative methods (URLs quoted so the shell does not treat "?" as a glob)
curl "https://example.com/?feed=rss2"   # Check author info
curl "https://example.com/?author=1"    # Check 404 patterns
```
Comparative Advantages
| Feature | WPProbe | WPScan | Wpseku |
|---|---|---|---|
| Plugin Detection | Good | Excellent | Good |
| User Enumeration | Good | Good | Good |
| Vulnerability DB | Good | Excellent | Good |
| Speed | Fast | Slow | Medium |
| API Token Required | No | Yes (better) | No |
| Setup Complexity | Low | Medium | Low |
Conclusion
WPProbe is an essential tool for WordPress security assessments, enabling authorized penetration testers to quickly identify plugins, themes, users, and vulnerabilities. Combined with tools like WPScan and Metasploit, it provides comprehensive WordPress security evaluation capabilities for authorized security testing scenarios.