WPProbe
Overview
WPProbe is a specialized WordPress enumeration and vulnerability assessment tool designed for authorized penetration testers. It performs deep reconnaissance on WordPress installations by identifying plugins, themes, users, and known vulnerabilities. WPProbe combines multiple detection techniques to maximize accuracy and provides actionable vulnerability information.
Key features include:
- Plugin and theme enumeration (active and inactive)
- Version detection and vulnerability correlation
- User account enumeration
- WordPress core version identification
- Known CVE matching
- Automated exploitation recommendations
Installation
From GitHub Source
git clone https://github.com/mazenhatem/wpprobe.git
cd wpprobe
pip install -r requirements.txt
python wpprobe.py --helpUsing pip
pip install wpprobe
wpprobe --helpManual Setup
# Clone repository
git clone https://github.com/mazenhatem/wpprobe.git
cd wpprobe
# Install Python 3.7+
python3 --version
# Install dependencies
pip3 install -r requirements.txt
# Run the tool
python3 wpprobe.pyDocker
docker pull wpprobe
docker run -it wpprobe --helpKali Linux
apt update && apt install wpprobe -yBasic Usage
| Command | Description |
|---|---|
wpprobe -u <url> | Scan WordPress site for plugins/themes |
wpprobe -u <url> -e plugins | Enumerate only plugins |
wpprobe -u <url> -e themes | Enumerate only themes |
wpprobe -u <url> -e users | Enumerate WordPress users |
wpprobe -u <url> -e all | Full enumeration (plugins, themes, users) |
wpprobe -u <url> --update-db | Update vulnerability database |
wpprobe -u <url> -o <file> | Save results to JSON file |
wpprobe -u <url> -v | Verbose output with details |
Common Examples
Basic WordPress Enumeration
wpprobe -u https://example.comPerforms complete enumeration including WordPress version, plugins, themes, and users. Automatically checks for known vulnerabilities in detected components.
Plugin Enumeration Only
wpprobe -u https://example.com -e plugins -vFocuses on identifying installed plugins and their versions. Useful when you’ve already identified WordPress and want detailed plugin information.
Theme Enumeration
wpprobe -u https://example.com -e themesIdentifies the active theme and any other installed themes, including version information and known vulnerabilities.
User Enumeration
wpprobe -u https://example.com -e users -vDiscovers WordPress user accounts and usernames. Useful for password spray attacks or targeted phishing campaigns in authorized assessments.
Save Results to JSON
wpprobe -u https://example.com -o results.json -vGenerates detailed enumeration results in JSON format for further analysis or integration with other tools.
Update Vulnerability Database
wpprobe --update-db
wpprobe -u https://example.com -o results.jsonUpdates the tool’s vulnerability database with latest CVEs before scanning to ensure detection of recent vulnerabilities.
Advanced Usage
Batch Scanning Multiple WordPress Sites
#!/bin/bash
# Create list of target WordPress sites
cat targets.txt
# https://wordpress1.example.com
# https://wordpress2.example.com
# https://internal-blog.local
# Scan all targets
while read target; do
echo "Scanning $target..."
wpprobe -u $target -o ${target//\//_}_results.json
sleep 2
done < targets.txt
# Generate summary report
find . -name "*_results.json" -exec jq '.target, .plugins' {} \;Detailed Plugin Vulnerability Analysis
# Scan and get detailed plugin information
wpprobe -u https://example.com -e plugins -v -o plugins.json
# Extract vulnerable plugins
cat plugins.json | jq '.plugins[] | select(.vulnerabilities | length > 0)'
# Count vulnerabilities by plugin
cat plugins.json | jq '.plugins[] | {name: .name, vuln_count: (.vulnerabilities | length)}' | sort_by(.vuln_count)Vulnerability Risk Assessment
# Comprehensive scan with detailed output
wpprobe -u https://example.com -e all -v -o full_scan.json
# Extract critical vulnerabilities
cat full_scan.json | jq '.plugins[] | select(.vulnerabilities[] | select(.severity == "critical"))'
# Count issues by severity
cat full_scan.json | jq '[.plugins[].vulnerabilities[].severity] | group_by(.) | map({severity: .[0], count: length})'Integration with WPScan
# Use WPProbe for initial enumeration
wpprobe -u https://example.com -o initial_enum.json
# Identify critical vulnerabilities
cat initial_enum.json | jq '.plugins[] | select(.vulnerabilities[].severity == "critical") | .name'
# Run WPScan for deep dive on critical plugins
wpscan --url https://example.com --api-token YOUR_TOKENEnumeration Techniques
Plugin Detection Methods
WPProbe uses multiple techniques to detect plugins:
| Technique | Reliability | Speed |
|---|---|---|
| wp-content/plugins directory listing | High | Fast |
| Known plugin file paths | High | Fast |
| JavaScript/CSS file URLs | High | Fast |
| README.txt in plugin directories | High | Fast |
| wp-admin assets | Medium | Fast |
| HTML comments | Low | Fast |
Example Detection Output
$ wpprobe -u https://example.com -e plugins -v
[+] WordPress detected: version 5.9.2
[+] Plugins enumerated: 12
Plugin: Contact Form 7
- Version: 5.5.2
- Status: Active
- Vulnerabilities: 2
- CVE-2020-12447 (Medium): Local File Inclusion
Plugin: WooCommerce
- Version: 6.1.0
- Status: Active
- Vulnerabilities: 3
- CVE-2021-12741 (High): SQL Injection
Plugin: Yoast SEO
- Version: 18.0
- Status: Active
- Vulnerabilities: 0Vulnerability Assessment
Vulnerability Database
# Update vulnerability database regularly
wpprobe --update-db
# Database contains:
# - WordPress core CVEs
# - Plugin CVEs
# - Theme CVEs
# - CVSS scores
# - Exploit availabilityCVE Severity Classifications
| Severity | CVSS Score | Impact |
|---|---|---|
| Critical | 9.0-10.0 | Immediate exploitation risk |
| High | 7.0-8.9 | Significant exploitation risk |
| Medium | 4.0-6.9 | Moderate exploitation risk |
| Low | 0.1-3.9 | Minor exploitation risk |
Extracting High-Risk Findings
# Get all critical and high severity issues
wpprobe -u https://example.com -o scan.json
cat scan.json | jq '.plugins[] | select(.vulnerabilities[].severity >= "high")'
# Generate remediation list
cat scan.json | jq '.plugins[] | select(.vulnerabilities | length > 0) | {name: .name, version: .version, vuln_count: (.vulnerabilities | length)}'User Enumeration
WordPress User Discovery
# Enumerate all WordPress users
wpprobe -u https://example.com -e users -v
# Output example:
# [+] Users enumerated: 8
# - admin (ID: 1)
# - blogger (ID: 2)
# - john (ID: 3)
# - jane (ID: 4)User ID Enumeration Methods
# WPProbe automatically tries multiple methods:
# 1. RSS feed (?feed=rss2)
# 2. Author archives (?author=1, ?author=2, etc.)
# 3. REST API (/wp-json/wp/v2/users)
# 4. Sitemap.xml parsing
# 5. Archives page HTMLCreating Wordlists from Enumerated Users
# Enumerate users
wpprobe -u https://example.com -e users -o users.json
# Extract usernames
cat users.json | jq -r '.users[].username' > usernames.txt
# Use with Hydra for password spray
hydra -L usernames.txt -P passwords.txt https://example.com http-post-form \
"/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=&test_cookie=1:S=dashboard"WordPress Core Version Detection
Version Identification Techniques
# Method 1: wp-includes/version.php parsing
# Method 2: wp-content/themes/twentyXXX/style.css
# Method 3: wp-admin/js/common.js
# Method 4: REST API /wp-json/
# WPProbe tries all methods automatically
wpprobe -u https://example.com -vIdentifying Outdated WordPress
# Scan and check WordPress version
wpprobe -u https://example.com -o results.json
# Extract version
cat results.json | jq '.wordpress_version'
# Check against latest version
# WordPress 6.4.x is current (as of 2024)
# Versions below 6.0 are significantly outdatedAdvanced Configuration
Custom Headers and Proxies
# Scan through proxy (Burp Suite)
# Modify the Python script or use wrapper
python wpprobe.py -u https://example.com -x http://127.0.0.1:8080
# Specify custom User-Agent
# Edit wpprobe config or use environment variable
USER_AGENT="Mozilla/5.0 (Custom)" wpprobe -u https://example.comTimeout and Performance Settings
# WPProbe has built-in timeouts
# For slow/distant targets, results may be incomplete
wpprobe -u https://slow-target.example.com -v
# Alternative: Increase request timeout in config
# Edit wpprobe.py or configuration fileReal-World Assessment Workflow
Complete WordPress Security Assessment
#!/bin/bash
TARGET="https://example.com"
OUTPUT="assessment_$(date +%Y%m%d_%H%M%S)"
mkdir -p $OUTPUT
# Step 1: Initial enumeration
echo "[*] Starting WordPress assessment..."
wpprobe -u $TARGET -e all -v -o $OUTPUT/enumeration.json
# Step 2: Extract critical findings
echo "[*] Identifying critical vulnerabilities..."
cat $OUTPUT/enumeration.json | jq '.plugins[] | select(.vulnerabilities[] | select(.severity == "critical"))' > $OUTPUT/critical_vulns.json
# Step 3: Enumerate users for password spray list
echo "[*] Enumerating users..."
cat $OUTPUT/enumeration.json | jq -r '.users[].username' > $OUTPUT/usernames.txt
# Step 4: Generate report
cat > $OUTPUT/assessment_summary.txt << EOF
WordPress Assessment Report
Target: $TARGET
Date: $(date)
Critical Vulnerabilities: $(cat $OUTPUT/critical_vulns.json | wc -l)
Users Enumerated: $(wc -l < $OUTPUT/usernames.txt)
Plugins Found: $(cat $OUTPUT/enumeration.json | jq '.plugins | length')
Themes Found: $(cat $OUTPUT/enumeration.json | jq '.themes | length')
EOF
echo "[+] Assessment complete. Results in $OUTPUT/"Vulnerability Prioritization
#!/bin/bash
# Scan and prioritize findings by exploitability
wpprobe -u https://target.com -o scan.json
# Extract exploitable vulnerabilities
echo "=== Critical, Exploitable Vulnerabilities ==="
cat scan.json | jq -r '.plugins[] |
select(.vulnerabilities[] |
select(.severity == "critical" and .exploit_available == true)
) |
"\(.name) v\(.version): \(.vulnerabilities[].cve)"'
echo ""
echo "=== High Severity Vulnerabilities ==="
cat scan.json | jq -r '.plugins[] |
select(.vulnerabilities[] | select(.severity == "high")) |
"\(.name) v\(.version): \(.vulnerabilities[].cve)"'Integration with Other Tools
WPScan Integration
# Use WPProbe for quick enumeration
wpprobe -u https://example.com -e plugins -o quick_enum.json
# Use WPScan for deep vulnerability scanning
wpscan --url https://example.com --enumerate vp,u \
--api-token YOUR_TOKEN \
--output results.json \
--format jsonExploit Framework Integration
# Identify vulnerable plugin
wpprobe -u https://example.com | grep -i "vulnerable"
# Search for exploit
# Example: Contact Form 7 v5.5.2 - Local File Inclusion
searchsploit "Contact Form 7 5.5.2"
# Use in Metasploit
msfconsole
> search contact form 7
> use exploit/...Custom Vulnerability Assessment
# Export enumeration data
wpprobe -u https://example.com -o data.json
# Parse and create custom assessment
python3 << 'EOF'
import json
with open('data.json') as f:
data = json.load(f)
print("=== Plugin Risk Analysis ===")
for plugin in data['plugins']:
vuln_count = len(plugin.get('vulnerabilities', []))
if vuln_count > 0:
print(f"{plugin['name']} v{plugin['version']}: {vuln_count} vulnerabilities")
EOFAvoiding Detection
Stealthy Scanning Practices
# Add delays between requests
# Modify enumeration speed in configuration
wpprobe -u https://example.com --slow # If supported
# Or use custom wrapper
for i in {1..12}; do
curl -s "https://example.com/?author=$i" > /dev/null
sleep 1
doneRotating User Agents
# WPProbe uses rotating user agents by default
# For additional stealth, use proxy with rotating agents
wpprobe -u https://example.com -x http://127.0.0.1:8080
# Then configure proxy to rotate user agentsBest Practices
- Authorization: Always obtain written permission before scanning
- Database Updates: Keep vulnerability database current before scanning
- Batch Operations: Document all scans with date/time stamps
- Escalation: Prioritize critical vulnerabilities for immediate patching
- Verification: Manually verify critical findings before reporting
- Responsible Disclosure: Follow coordinated disclosure practices
- Chain Analysis: Combine findings with WPScan and Metasploit for deeper assessment
- Documentation: Maintain detailed logs of enumeration and findings
Troubleshooting
Connection Issues
# Test WordPress detection
curl -I https://example.com
curl https://example.com | grep -i wordpress
# If not detected as WordPress
# May not be WordPress or heavily customized
wpprobe -u https://example.com -vPlugin Detection Failures
# If plugins not detected
# Disable wp-content listing or use stealth mode
# Check if /wp-content/plugins/ is accessible
curl https://example.com/wp-content/plugins/
# If forbidden, enumeration is more difficult
# Rely on other detection methods (JavaScript, CSS)User Enumeration Not Working
# REST API may be disabled
curl https://example.com/wp-json/wp/v2/users
# Try alternative methods
curl https://example.com/?feed=rss2 # Check author info
curl https://example.com/?author=1 # Check 404 patternsComparative Advantages
| Feature | WPProbe | WPScan | Wpseku |
|---|---|---|---|
| Plugin Detection | Good | Excellent | Good |
| User Enumeration | Good | Good | Good |
| Vulnerability DB | Good | Excellent | Good |
| Speed | Fast | Slow | Medium |
| API Token Required | No | Yes (better) | No |
| Setup Complexity | Low | Medium | Low |
Conclusion
WPProbe is an essential tool for WordPress security assessments, enabling authorized penetration testers to quickly identify plugins, themes, users, and vulnerabilities. Combined with tools like WPScan and Metasploit, it provides comprehensive WordPress security evaluation capabilities for authorized security testing scenarios.