id: wordpress-wp-cron

info:
  name: Wordpress wp-cron.php DOS
  author: pathtaga
  severity: info
  description: When this file is accessed a heavy MySQL query is performed, so it could be used by attackers to cause a DoS.
  reference:
    - https://book.hacktricks.xyz/pentesting/pentesting-web/wordpress
    - https://medium.com/@thecpanelguy/the-nightmare-that-is-wpcron-php-ae31c1d3ae30
  tags: wordpress,cron,wp,dos

requests:
  - method: GET
    path:
      - "{{BaseURL}}"
      - "{{BaseURL}}/wp-cron.php"

    req-condition: true
    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - (regex("<link[^>]+s\d+\.wp\.com",body_1))
          - (regex("<!-- This site is optimized with the Yoast (?:WordPress )?SEO plugin v([\d.]+) -",body_1))
          - (regex("<!--[^>]+WP-Super-Cache",body_1))
          - contains(body_1, "/wp-content/themes/")
          - contains(body_1, "/wp-includes/")
          - contains(body_1, 'name=\"generator\" content=\"wordpress')
          - contains(body_1, '<!-- performance optimized by w3 total cache.')
        condition: or

      - type: dsl
        dsl:
          - "len(body_2) == 0"
          - "status_code_2 == 200"
          - "contains(content_type_2, 'text/html')"