Enumerating WordPress

#1 WordPress Core Version Enumeration

Three simple methods can be used to determine the core version of WordPress.

• Meta Generator

Check the HTML source of the page for a meta generator tag in the HEAD section of the HTML source.

<meta name="generator" content="WordPress 5.2.3" />

• Version in readme.html

If the meta tag has been disabled, check for the presence of /readme.html from root of the install. Early versions of WordPress had the version right there at the top of the ReadMe file, newer versions of WordPress have removed the version from the file.

Version in HTML source of site

In the HTML source, the version is often appended as a parameter on links to javascript and css resources that the page is loading.

Depending on the plugin, this will not always be the case, and sites that have minified js and css may not have these information leaks present.

#2 WordPress Plugin (and version) Enumeration

During WordPress Plugin Enumeration we attempt to find as many installed plugins as we can (even those that are disabled). Knowing the installed WordPress plugins may allow us to identify the version, and research whether it is vulnerable to known exploits.

curl <https://l1nuxkid.dev/wp-content/plugins/><plugin_name>/readme.txt
curl <https://l1nuxkid.dev/wp-content/plugins/badplugin/readme.txt>

In the readme.txt we can see the version of the plugin. Compare this against known exploits and we can get a good idea if the site is vulnerable without actually throwing the exploit.

#3 WordPress Theme Enumeration

Enumeration of the theme is conducted similarly to detecting the plugins. The theme path is often visible in the HTML of the page source. The CSS file getting loaded from the theme will often reveal the path.

With the path we have the theme name, and we can load the readme.txt to confirm the theme in use and the version.

curl <http://l1nuxkid.dev/wp-content/themes/Avada/readme.txt>