Home How to get started Hacking Wordpress Plugins
Post
Cancel

How to get started Hacking Wordpress Plugins

Hi. In this writeup, i will teach you everything that i learnt and a methodology on how to get started hacking wordpress plugins. Keep in mind, i wont be teaching different vulnerability types, i will just be teaching how to look for vulnerabilities. I learnt it myself and its fun. Its a good way to get a cve and get started on code review too. Lets get started

Following User Inputs

A good way to start hacking a wordpress plugin is by tracing user inputs. There are multiple way to get user inputs in PHP

$_POST is used for getting post parameters

$_GET is used for getting get parameters

$_REQUEST is used for getting either post or get parameters

$_SERVER is used to obtain the value of various http request headers

$_COOKIE is used for getting the value of cookies and

$_FILES is for files

These are the following ways the developers can obtain user inputs. So when hacking wordpress plugin, or just hacking any php code in general, its good to start looking at these, and follow the user inputs from there. We can do it by grepping.

EXAMPLE

As an example, we will be hacking and reproducing a local file inclusion in Mail Masta 1.0. This is the original report https://www.exploit-db.com/exploits/50226

So we start up by grepping for $_GET to find out all the php code that accepts user input. While doing it, one php file seems interesting. inc/campaign/count_of_send.php

So i opened it up using my code editor

The code is fairly simple, in the line 4, it get the value of the get parameter ‘pl’, then pass it to the function include. Include may lead to lfi so we have an lfi here. Now, lets try to reproduce it.

You can see that it works. We have an lfi. Thats how you find vulnerabilities by following user inputs.

HOOKS

In wordpress, we have something called hooks. Hooks are ways for developers to hook functions to pre-defined spots in wordpress. It can be done with add_action() function. For further reading, i recommend this https://developer.wordpress.org/plugins/hooks/ and https://developer.wordpress.org/reference/functions/add_action/

Now while testing, there are certain hooks that i lookout for.

wp_ajax_$action_name used to hook to the ajax (admin-ajax.php)

admin_post_$action_name used to hook to the admin-post.php

wp_ajax_nopriv_$action_name, admin_post_nopriv_$action_name same as the above but doesnt require authentication

admin_init used to hook on every admin page load

wp_loaded used to hook when the plugin is installed

admin_action_ im not sure about this yet, but still, keep a look out for this

profile_update & personal_options_update called when a user edit his/her account.

Plugins loaded, template_redirect, init. These hooks are called on every page load.

There are alot more hooks there but these are what i usually find. Always refer to the documentation when you want to learn the use of a hook.

Now just like above, we have to find if there are functions hooked to these hooks. This can be done with grepping

EXAMPLE

For this example, we will be reproducing the sqli in Double Opt-In for Download 2.0.9. The original report can be found here. https://www.exploit-db.com/exploits/39896

So we start out by finding any actions hooked to wp_ajax using grep

We found wp_ajax_populate_download_edit_form in public/class-doifd.php. Lets open the file and analyze the code.

Here, we can see that it is hooked to the function populate_download_edit_form. Lets analyze the function

Here, we can see that it gets the value of the post parameter id and store it to the variable $value, then the $value variable is used in an sql query without filtering or preparing the statement making it vulnerable to sqli. Now lets reproduce it. The ajax hook is wp_ajax_populate_download_edit_form so the ajax action parameter is populate_download_edit_form and we will also provide the id parameter

We will be using the and 1=1 payload for a boolean based poc. Using the and 1=1 throws a normal response

But using and 1=2 respond with a null meaning our sqli actually exist

So thats how you check for hooks when hacking wordpress plugins. Remember to also check other hooks other than wp_ajax when testing.

This is the end of the writeup. To learn the different vulnerability types, you have to learn it yourself. https://www.wordfence.com/wp-content/uploads/2021/07/Common-WordPress-Vulnerabilities-and-Prevention-Through-Secure-Coding-Best-Practices.pdf here’s a good article that will teach you some of the bug types in php and in wordpress. I have 3 possible upcoming cve soon with wordpress hacking alone and it taught me php code review thats why i really like wordpress hacking

Thanks for reading

Join the Bounty Hunter Discord server: https://discord.gg/bugbounty

This post is licensed under CC BY 4.0 by the author.