Hackers can compromise WordPress sites without knowing admin credentials by exploiting vulnerable plugins. WordPress heavily relies on plugins, making them a major attack vector.

Initial Reconnaissance with WPScan

When an attacker uses WPScan, they aim to gather as much information as possible about a WordPress site. They often run it with options like -e ap to enumerate all installed plugins and -e u to enumerate user accounts. Once the scan runs its course, they look at what it found.

In this case, WPScan flagged a plugin called JSMol2WP, version 1.07. A little digging shows that any version at or below 1.07 has serious problems, including:

  • Letting someone wander through directories they should not see (Directory Traversal).
  • Opening doors to sensitive local files (Local File Inclusion, or LFI).
  • Tricking the server into sending requests it should not (Server-Side Request Forgery, or SSRF).

Proof-of-Concept Dissection

The attacker then picks apart a Proof-of-Concept (PoC) URL that shows how to mess with the plugin. A few key tricks stand out:

  • Setting isform=true fakes a form submission.
  • Using call=get_row_data_from_database sneaks in a call to a vulnerable PHP function.
  • PHP stream wrappers like php://filter twist the way files are read, letting the attacker bypass usual protections.
  • A classic ../../.. path is slipped in to climb up the server’s directory tree and snoop into critical files like wp-config.php.
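The indicators listed above (php:// stream wrappers, ../ traversal sequences, and requests aimed at wp-config.php) are also what a defender would hunt for in web server access logs. The following is an added example, not code from the original post: a small Python scanner that percent-decodes each request target (repeatedly, so double-encoded payloads such as %252F are caught too, which is the same encoding step the later Netcat section describes) and tags lines that carry these indicators. The log lines, plugin path and parameter names are constructed placeholders.

```python
from __future__ import annotations
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined-log format (not taken from the
# original post). The plugin path and the "file" query parameter are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-content/plugins/example-plugin/endpoint.php?isform=true&file=php://filter/resource=../../../wp-config.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /wp-content/plugins/example-plugin/endpoint.php?isform=true&file=php%3A%2F%2Ffilter%2Fresource%3D..%252F..%252F..%252Fwp-config.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-content/plugins/example-plugin/endpoint.php?isform=true&file=data.json HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:57:12 +0000] "GET /?p=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Pull client IP, timestamp, method and request target out of a combined-log line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# Indicators, matched against the fully percent-decoded request target.
INDICATORS = {
    "directory-traversal": re.compile(r"(\.\./|\.\.\\){2,}"),
    "php-stream-wrapper": re.compile(r"\b(php|data|phar|expect)://", re.IGNORECASE),
    "sensitive-file": re.compile(r"wp-config\.php|/etc/passwd", re.IGNORECASE),
}


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo percent-encoding repeatedly so double-encoded payloads (%252F)
    are seen the way the PHP application eventually sees them."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(target: str) -> list[str]:
    """Return the names of all indicators present in one request target."""
    decoded = fully_decode(target)
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]


def scan_log(text: str) -> list[dict]:
    """Scan access-log text and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parsable request line
        hits = classify_request(m["target"])
        if hits:
            findings.append(
                {"ip": m["ip"], "time": m["ts"], "target": m["target"], "indicators": hits}
            )
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ip"], finding["time"], ", ".join(finding["indicators"]))
```

Run against a real log, the first two constructed lines are flagged with all three indicators while the benign plugin request and the ordinary page view pass; the decode loop is what keeps the percent-encoded second line from slipping through.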

Sensitive File Access

By exploiting LFI, the attacker accesses wp-config.php, extracting database credentials stored there—specifically, the WordPress database username and password.

Logging in to the WordPress Dashboard

Using the stolen credentials, the attacker logs into WordPress, but plugin editing is restricted through the user interface.

Source Code Inspection via SSRF

During a deep dive into the Hello Dolly plugin’s source code—using SSRF methods—an attacker stumbled across a hidden chunk of code. Buried inside, they found an eval(base64_decode(...)) call. It didn’t jump out at first, but once they decoded the base64 content, something serious surfaced: a new parameter called cmd.
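The same eval(base64_decode(...)) construction is a classic marker of a planted backdoor, and the decoding step described above can be automated as a routine integrity check over every installed plugin. The following is an added example, not code from the original post or from the Hello Dolly plugin: a Python scanner that finds each encoded eval, decodes the payload and raises the severity when the decoded code reads a request parameter, which is exactly what made the cmd parameter significant. The plugin source is a constructed sample whose hidden stub only tests for a parameter and does nothing.

```python
from __future__ import annotations
import base64
import re

# Constructed sample of a plugin source file (not the real Hello Dolly plugin).
# The hidden payload decodes to a harmless stub that merely references a request
# parameter; it exists so the scanner has something to flag.
HIDDEN_STUB = b'if (isset($_GET["cmd"])) { /* constructed placeholder, does nothing */ }'
SAMPLE_PLUGIN_SOURCE = f"""<?php
/*
Plugin Name: Example Plugin (constructed sample)
*/
function example_plugin_greeting() {{
    return "Hello";
}}
add_action('admin_notices', 'example_plugin_greeting');
eval(base64_decode('{base64.b64encode(HIDDEN_STUB).decode()}'));
"""

# eval(base64_decode('...')) with a literal base64 string, whitespace tolerated.
EVAL_B64_RE = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)",
    re.IGNORECASE,
)
# Superglobals that carry attacker-controlled input; a reference to one inside a
# decoded payload means the hidden code is reachable over HTTP.
REQUEST_INPUT_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[\s*['\"]?(\w+)['\"]?\s*\]")


def find_encoded_evals(source: str) -> list[dict]:
    """Return one finding per eval(base64_decode(...)) in a PHP source string."""
    findings = []
    for m in EVAL_B64_RE.finditer(source):
        line_no = source.count("\n", 0, m.start()) + 1
        try:
            raw = re.sub(r"\s+", "", m.group(1))
            decoded = base64.b64decode(raw, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            decoded = None
        params = sorted({p for _, p in REQUEST_INPUT_RE.findall(decoded)}) if decoded else []
        findings.append(
            {
                "line": line_no,
                "decoded": decoded,
                "request_params": params,
                # Any encoded eval is worth review; one that reads request input is worse.
                "severity": "high" if params else "medium",
            }
        )
    return findings


if __name__ == "__main__":
    for f in find_encoded_evals(SAMPLE_PLUGIN_SOURCE):
        print(f"line {f['line']}: severity={f['severity']} params={f['request_params']}")
        print("  decoded:", f["decoded"])
```

In practice this would be run over the plugin directory and compared against a known-good copy of each plugin from the official repository; a legitimate plugin has no reason to hide code behind base64, so even a "medium" hit deserves a look.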

Building Remote Code Execution (RCE)

This cmd parameter opened a dangerous door. It let anyone send system commands straight through a URL and have them executed by the server. Knowing this, the attacker crafted a special link aiming at the vulnerable PHP script. The structure of this malicious URL would look a bit like this:

http://targetsite/wp-admin/index.php?cmd=[payload]

When it came to picking a payload, they didn’t get fancy. They stuck with a Netcat reverse shell—one simple line that, if triggered, would make the server call back to their machine. Inside this command, they inserted their own IP address and a listening port number.

But before launching it, they had to make sure the command would travel safely across the internet. To do that, they URL-encoded the payload, turning tricky characters like spaces and slashes into browser-friendly codes (like %20 for a space).

On their end, the attacker fired up a Netcat listener, using a simple command:

nc -lvnp [port]

The moment the server hit that URL, the PHP script ran the command embedded inside cmd, and boom—the server reached out, starting a connection back to the attacker’s listener.

With the connection live, the attacker landed an interactive shell. They could now type commands straight into the server, moving one step closer to taking full control by trying more advanced privilege escalation techniques.

Database User Hash Dump

The attacker accesses the MySQL database using WordPress credentials, dumps the wp_users table, and cracks password hashes using John the Ripper, further extending control over user accounts.

SSH Key Discovery and Escalation

SSH private keys are located within user directories, allowing SSH access to different users. Through pivoting from one user to another, greater system control is achieved.

Exploration of Backup Files

A backup zip file is found and cracked, revealing a second wp-config.php with elevated database credentials, enabling access to a more privileged user.

Achieving Root Privileges

Logging in as the privileged user allows sudo rights without a password, culminating in root access to the machine.

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.