Do I need WPScan installed to use this skill?

Yes, this skill provides the specific methodology and commands for WPScan, which is required to be installed in your environment (standard in Kali Linux).

Does it support XML-RPC attacks?

Yes, the skill includes specialized techniques for checking XML-RPC status and performing multicall brute-forcing to bypass traditional login protections.

Is a WPScan API token required?

While basic enumeration works without it, an API token is highly recommended to cross-reference identified versions against the latest vulnerability databases.

Can this skill exploit vulnerabilities automatically?

It provides the specific workflows and command structures for exploitation via Metasploit or web shells, but the user must initiate the execution within their authorized environment.

What kind of reports does this skill generate?

It guides you through creating enumeration reports, vulnerability assessments, credential findings, and documented proof of exploitation.

WordPress Penetration Testing

Name: WordPress Penetration Testing
Author: zebbern

byzebbern

•

2,883

Security & Testing

Performs comprehensive security assessments and vulnerability scanning on WordPress installations to identify and mitigate risks.

About

This skill provides an exhaustive framework for auditing WordPress security, covering everything from initial discovery and enumeration of plugins, themes, and users to advanced exploitation techniques. It integrates workflows for industry-standard tools like WPScan and Metasploit, allowing security professionals to efficiently detect CVEs, misconfigurations, and weak credentials while following a structured 10-phase methodology. It is ideal for security researchers looking to automate reconnaissance and document findings for WordPress-specific environments.

Key Features

Advanced password attack strategies including XML-RPC multicall
Vulnerability detection for core files and third-party extensions
Manual discovery techniques for hidden WordPress paths and configuration files
Guided exploitation procedures using Metasploit and custom web shells
Automated WPScan enumeration for plugins, themes, and users
2,883 GitHub stars

Use Cases

Identifying vulnerable themes or plugins before a production deployment
Simulating real-world attacks to test WAF efficacy and incident response
Conducting professional security audits for WordPress-based clients

About

Key Features

Advanced password attack strategies including XML-RPC multicall
Vulnerability detection for core files and third-party extensions
Manual discovery techniques for hidden WordPress paths and configuration files
Guided exploitation procedures using Metasploit and custom web shells
Automated WPScan enumeration for plugins, themes, and users
2,883 GitHub stars

Use Cases

Identifying vulnerable themes or plugins before a production deployment
Simulating real-world attacks to test WAF efficacy and incident response
Conducting professional security audits for WordPress-based clients