Added WordPress Weak Credentials Detection

fuzzing/wordpress-weak-credentials.yaml

@@ -0,0 +1,37 @@
+id: wordpress-weak-credentials
+
+info:
+  name: WordPress Weak Credentials
+  author: evolutionsec
+  severity: critical
+  tags: wordpress,default-login,fuzz
+
+requests:
+  - raw:
+    - |
+      POST /wp-login.php HTTP/1.1
+      Host: {{Hostname}}
+      Origin: {{BaseURL}}
+      Content-Type: application/x-www-form-urlencoded
+      Referer: {{BaseURL}}
+
+      log={{users}}&pwd={{passwords}}
+
+    payloads:
+      users: helpers/wordlists/wp-users.txt
+      passwords: helpers/wordlists/wp-passwords.txt
+    threads: 50
+    attack: clusterbomb
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 302
+
+      - type: word
+        words:
+          - '/wp-admin'
+          - 'wordpress_logged_in'
+        condition: and
+        part: header

helpers/wordlists/wp-passwords.txt

@@ -0,0 +1,23 @@
+admin
+123456
+password
+12345678
+666666
+111111
+1234567
+qwerty
+siteadmin
+administrator
+root
+123123
+123321
+1234567890
+letmein123
+test123
+demo123
+pass123
+123qwe
+qwe123
+654321
+loveyou
+adminadmin123

helpers/wordlists/wp-users.txt

@@ -0,0 +1,11 @@
+adm
+admin
+user
+admin1
+hostname
+manager
+qwerty
+root
+support
+sysadmin
+test