2

When it comes to blackbox pentesting of a Wordpress site, the first thing to come to mind is WPScan [http://wpscan.org/].

While pentesting some sites, I faced a common issue i.e it shows that Wordpress SEO 1.14.15 is vulnerable to Cross Site Scripting Attack. Output is given below:

 | * Title: WordPress SEO 1.14.15 - index.php s Parameter Reflected XSS

 | * Reference: [http://packetstormsecurity.com/files/123028/][2]

 | * Reference: http://osvdb.org/97885

But when following the link http://packetstormsecurity.com/files/123028/ , it shows that attack can be executed with

Yoast Wordpress SEO XSS

But the main problem is when I tried to inject several XSS vectors, the results were not positive. I was not able to find any XSS in above url. There is proper output encoding, a snapshot is shown below:

wordpress search xss

So my question is:

  1. Do you have any method to bypass this and execute an XSS?
  2. Do you have any other tool or resources through which I can do better blackbox testing of Wordpress?
SilverlightFox
  • 33,698
  • 6
  • 69
  • 185
justtrying123
  • 181
  • 2
  • 13

3 Answers3

6

Wordpress is attacked 3.5 times more often than non-CMSes. WPScan is a great tool that's been around since the BackTrack Linux days.

However, there are more tools and techniques available. Here is a list of some newer tools:

Techniques for Wordpress security testing and remediation:

atdre
  • 18,945
  • 6
  • 59
  • 108
3

IIRC Wpscan just tests for the presence of the plugin not that it is a version which is specifically vulnerable, so what you're seeing would be consistent with the site having the plugin installed but a non-vulnerable version.

Beyond using tools like wpscan you could just use standard black-box web app testing tools, like arachni and then move on to manual testing with burp or ZAP

Rory McCune
  • 61,541
  • 14
  • 140
  • 221
2

Wpscan wasn't able to reproduce this vulnerability so they removed it from the database. If you update the wpscan database with wpscan --update and then rerun wpscan against the url you're targeting you will notice the vulnerability does not appear.