Vulnerable WordPress plugin and Machine

Posted by Hassan Khan Yusufzai on February 5, 2024

WordPress Vulnerable Plugin for Security Researchers / Hunters

In the ever-evolving landscape of cybersecurity, the role of security researchers is paramount. Their task involves uncovering vulnerabilities in various software systems to ensure robustness and resilience against potential threats. WordPress, being one of the most popular content management systems globally, often becomes a target for malicious actors. To aid security researchers in their endeavors, a custom WordPress plugin has been developed specifically for testing purposes.

The custom WordPress plugin, available on GitHub, serves as a tool for security researchers to simulate and identify potential vulnerabilities within WordPress installations.

Created with the intention of being vulnerable, the plugin mimics common security flaws found in real-world scenarios.

Utilization and Installation

  1. Installation: Security researchers can install the vulnerable WordPress plugin on a local or test WordPress instance (for example, one created with LocalWP) to begin the assessment process.
  2. Exploration: By interacting with the plugin's functionalities, researchers can identify potential remote code execution vulnerabilities, such as input fields susceptible to injection attacks or file upload mechanisms lacking proper validation.
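As an added illustration of the second class of flaw named above, an upload mechanism lacking proper validation, here is a hypothetical WordPress plugin fragment. It is not code from the plugin on GitHub or from the dr34d machine; the function names, the nonce action and the admin page slug are assumptions made up for this example. It shows the unsafe pattern (client-supplied name and type trusted, no permission or nonce check) next to a hardened handler that uses WordPress's own upload APIs.

```php
<?php
/*
 * Plugin Name: Upload Handling Illustration (hypothetical, not the plugin described in this post)
 */

// UNSAFE PATTERN: the client-supplied file name is trusted as-is, there is no
// capability or nonce check, and the file lands under the web root unchanged.
// This is the shape of flaw the post lists as "file upload mechanisms lacking
// proper validation".
function illustration_unsafe_upload() {
    $dest = WP_CONTENT_DIR . '/uploads/' . $_FILES['file']['name'];
    move_uploaded_file( $_FILES['file']['tmp_name'], $dest );
}

// HARDENED HANDLER: the same feature with the checks a reviewer would expect.
function illustration_safe_upload() {
    // 1. Only users who are allowed to upload may reach this code.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 2. CSRF protection: the form must carry a nonce bound to this action.
    check_admin_referer( 'illustration_upload_action', 'illustration_upload_nonce' );

    if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
        wp_die( 'No file received', '', array( 'response' => 400 ) );
    }

    // 3. Decide the type from the file contents against an allow-list, not from
    //    the client-supplied name or MIME string.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );
    $check = wp_check_filetype_and_ext(
        $_FILES['file']['tmp_name'],
        $_FILES['file']['name'],
        $allowed
    );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_die( 'File type not allowed', '', array( 'response' => 415 ) );
    }

    // 4. Let WordPress place the file: wp_handle_upload() sanitizes the name,
    //    uses the configured uploads directory and applies the MIME allow-list.
    if ( ! function_exists( 'wp_handle_upload' ) ) {
        require_once ABSPATH . 'wp-admin/includes/file.php';
    }
    $overrides = array(
        'test_form' => false,
        'mimes'     => $allowed,
    );
    $result = wp_handle_upload( $_FILES['file'], $overrides );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), '', array( 'response' => 400 ) );
    }

    // 'illustration' is an assumed admin page slug for this example.
    wp_safe_redirect( admin_url( 'admin.php?page=illustration&uploaded=1' ) );
    exit;
}

// Route the form's POST (action=illustration_upload) to the hardened handler;
// the admin_post_{action} hook only fires for logged-in users.
add_action( 'admin_post_illustration_upload', 'illustration_safe_upload' );
```

When reviewing a plugin's upload path, the four numbered checks are the ones to look for in order: who may call it, whether the request is nonce-protected, whether the type is decided from content against an allow-list, and whether the final placement goes through wp_handle_upload() rather than a hand-built path under the web root.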

Vulnerable Machine dr34d:

I've got you covered if you want to play with the code but are looking for a pre-built machine. I created a vulnerable machine based on real-world exploitation that utilizes the vulnerable WordPress plugin code along with other vulnerabilities too. The goal of the vulnerable machine is to perform enumeration, identify vulnerable applications/services, and of course get user- and root-level access on the box.


Machine link:

Official Write-Up: Dr34d WriteUp-3.pdf