Categories: discovery, intrusive
Tries to obtain a list of installed WordPress plugins by brute force testing for known plugins.
The script will brute force the /wp-content/plugins/ folder with a dictionary of 14K (and counting) known WP plugins. Anything but a 404 means that a given plugin directory probably exists, so the plugin probably also does.
The number of available WordPress plugins is huge and, despite Nmap's efforts to parallelize the queries, a full search could take an hour or so. That's why the plugin list is sorted by popularity and, by default, the script checks only the first 100. Users can tweak this with an option (see below).
http-wordpress-plugins.root: If set, points to the blog root directory on the website. If not, the script will try to find a WP directory installation or fall back to root.
http-wordpress-plugins.search: As the plugins list contains tens of thousands of plugins, this script will only search the 100 most popular ones by default. Use this option with a number or "all" as an argument for a more comprehensive brute force.
http.max-cache-size, http.max-pipeline, http.pipeline, http.useragent: See the documentation for the http library.
smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername: See the documentation for the smbauth library.
nmap --script=http-wordpress-plugins --script-args http-wordpress-plugins.root="/blog/",http-wordpress-plugins.search=500 <targets>
Interesting ports on my.woot.blog (18.104.22.168):
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-wordpress-plugins:
| search amongst the 500 most popular plugins
| akismet
| wp-db-backup
| all-in-one-seo-pack
| stats
|_ wp-to-twitter
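On the server side, the probing described above leaves a recognizable trace in access logs: one client requesting many distinct /wp-content/plugins/<name>/ directories, most of them answered with 404. The following Python detection is an added example, not part of the script or of Nmap. It assumes combined-format access logs and probes aimed at the bare plugin directory; the thresholds, function names and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Combined-log-format line: client IP, request path, response status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
# A probe for the bare plugin directory (optionally under a blog root).
# Asset requests such as .../akismet/style.css are ordinary page traffic.
PROBE_RE = re.compile(r'^[^?#]*/wp-content/plugins/(?P<name>[^/?#]+)/?(?:\?|$)')

def find_plugin_enumeration(lines, min_distinct=5, min_404_ratio=0.5):
    """Flag clients that probed many distinct plugin directories, mostly 404."""
    seen = defaultdict(dict)  # ip -> {plugin name: last status}
    for line in lines:
        m = LINE_RE.match(line)
        probe = PROBE_RE.match(m["path"]) if m else None
        if probe:
            seen[m["ip"]][probe["name"]] = int(m["status"])
    report = {}
    for ip, plugins in seen.items():
        misses = sum(1 for s in plugins.values() if s == 404)
        if len(plugins) >= min_distinct and misses / len(plugins) >= min_404_ratio:
            # Non-404 answers are what the scanner learned about this site.
            report[ip] = {"probed": len(plugins),
                          "disclosed": sorted(n for n, s in plugins.items() if s != 404)}
    return report

def _line(ip, path, status):
    return f'{ip} - - [10/Oct/2023:13:55:36 +0000] "GET {path} HTTP/1.1" {status} 512 "-" "-"'

# Constructed sample log: one scanner (192.0.2.10) and one ordinary visitor.
SAMPLE_LOG = (
    [_line("192.0.2.10", f"/blog/wp-content/plugins/{n}/", s) for n, s in [
        ("akismet", 403), ("wp-db-backup", 200), ("stats", 404),
        ("contact-form-7", 404), ("jetpack", 404), ("wp-to-twitter", 404)]]
    + [_line("198.51.100.7", "/blog/", 200),
       _line("198.51.100.7", "/blog/wp-content/plugins/akismet/style.css", 200)]
)

if __name__ == "__main__":
    for ip, info in find_plugin_enumeration(SAMPLE_LOG).items():
        print(ip, "probed", info["probed"], "plugin dirs; disclosed:", info["disclosed"])
```

The "disclosed" list is the set of plugin directories that answered with something other than 404, which is exactly what the scan reports as installed.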
Author: Ange Gutek
License: Same as Nmap--See http://nmap.org/book/man-legal.html