id: wordpress-detect

info:
  name: WordPress Detect
  author: pdteam,daffainfo,ricardomaia
  severity: info
  metadata:
    verified: true
    shodan-query: http.component:"WordPress"
  tags: tech,wordpress,cms,wp

requests:
  - method: GET
    path:
      - "{{BaseURL}}"
      - "{{BaseURL}}/wp-admin/install.php"
      - "{{BaseURL}}/feed/"
      - "{{BaseURL}}/?feed=rss2" # alternative if /feed/ is blocked

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - '<generator>https?:\/\/wordpress\.org.*</generator>'
          - 'wp-login.php'
          - '\/wp-content/themes\/'
          - '\/wp-includes\/'
          - 'name="generator" content="wordpress'
          - '<link[^>]+s\d+\.wp\.com'
          - '<!-- This site is optimized with the Yoast (?:WordPress )?SEO plugin v([\d.]+) -'
          - '<!--[^>]+WP-Super-Cache'
        condition: or

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: version_by_generator
        group: 1
        regex:
          - '(?m)https:\/\/wordpress.org\/\?v=([0-9.]+)'

      - type: regex
        name: version_by_js
        group: 1
        regex:
          - 'wp-emoji-release\.min\.js\?ver=((\d+\.?)+)\b'

      - type: regex
        name: version_by_css
        group: 1
        regex:
          - 'install\.min\.css\?ver=((\d+\.?)+)\b'