Script http-wordpress-enum

Script types: portrule
Categories: discovery, intrusive
Download: https://svn.nmap.org/nmap/scripts/http-wordpress-enum.nse

Script Summary

Enumerates themes and plugins of Wordpress installations. The script can also detect outdated plugins by comparing version numbers with information pulled from api.wordpress.org.

The script works with two separate databases for themes (wp-themes.lst) and plugins (wp-plugins.lst). The databases are sorted by popularity and the script will search only the top 100 entries by default. The theme database has around 32,000 entries while the plugin database has around 14,000 entries.

The script determines the version number of a plugin by looking at the readme.txt file inside the plugin directory and it uses the file style.css inside a theme directory to determine the theme version. If the script argument check-latest is set to true, the script will query api.wordpress.org to obtain the latest version number available. This check is disabled by default since it queries an external service.

This script is a combination of http-wordpress-plugins.nse and http-wordpress-themes.nse originally submited by Ange Gutek and Peter Hill.

TODO: -Implement version checking for themes.

See also:

• http-vuln-cve2014-8877.nse

Script Arguments

http-wordpress-enum.type

Search type. Available options:plugins, themes or all. Default:all.

http-wordpress-enum.search-limit

Number of entries or the string "all". Default:100.

http-wordpress-enum.root

Base path. By default the script will try to find a WP directory installation or fall back to '/'.

http-wordpress-enum.check-latest

Retrieves latest plugin version information from wordpress.org. Default:false.

slaxml.debug

See the documentation for the slaxml library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

• nmap -sV --script http-wordpress-enum <target>

• nmap --script http-wordpress-enum --script-args check-latest=true,search-limit=10 <target>

• nmap --script http-wordpress-enum --script-args type="themes" <target>
  

Script Output

PORT   STATE SERVICE
80/tcp open  http
| http-wordpress-enum:
| Search limited to top 100 themes/plugins
|   plugins
|     akismet
|     contact-form-7 4.1 (latest version:4.1)
|     all-in-one-seo-pack  (latest version:2.2.5.1)
|     google-sitemap-generator 4.0.7.1 (latest version:4.0.8)
|     jetpack 3.3 (latest version:3.3)
|     wordfence 5.3.6 (latest version:5.3.6)
|     better-wp-security 4.6.4 (latest version:4.6.6)
|     google-analytics-for-wordpress 5.3 (latest version:5.3)
|   themes
|     twentytwelve
|_    twentyfourteen

Requires

• coroutine
• http
• io
• nmap
• shortport
• stdnse
• string
• table

---

Authors:

• Ange Gutek
• Peter Hill
• Gyanendra Mishra
• Paulino Calderon

License: Same as Nmap--See https://nmap.org/book/man-legal.html