{"id":13539046,"url":"https://github.com/rastating/wordpress-exploit-framework","last_synced_at":"2025-09-29T19:31:07.786Z","repository":{"id":39618267,"uuid":"47001236","full_name":"rastating/wordpress-exploit-framework","owner":"rastating","description":"A Ruby framework designed to aid in the penetration testing of WordPress systems. ","archived":true,"fork":false,"pushed_at":"2019-11-24T19:04:44.000Z","size":1960,"stargazers_count":1022,"open_issues_count":1,"forks_count":264,"subscribers_count":61,"default_branch":"master","last_synced_at":"2024-12-16T07:12:06.586Z","etag":null,"topics":["exploits","security","security-audit","wordpress","wordpress-exploit-framework"],"latest_commit_sha":null,"homepage":"https://rastating.github.io/wordpress-exploit-framework","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rastating.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null},"funding":{"github":"rastating","patreon":null,"open_collective":null,"ko_fi":null,"tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"otechie":null,"custom":null}},"created_at":"2015-11-27T22:13:52.000Z","updated_at":"2024-12-11T22:11:58.000Z","dependencies_parsed_at":"2022-07-17T08:46:23.558Z","dependency_job_id":null,"html_url":"https://github.com/rastating/wordpress-exploit-framework","commit_stats":null,"previous_names":[],"tags_count":23,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rastating%2Fwordpress-exploit-framework","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rastating%2Fwordpress-exploit-framework/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rastating%2Fwordpress-exploit-framework/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rastating%2Fwordpress-exploit-framework/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rastating","download_url":"https://codeload.github.com/rastating/wordpress-exploit-framework/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":234650362,"owners_count":18866193,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["exploits","security","security-audit","wordpress","wordpress-exploit-framework"],"created_at":"2024-08-01T09:01:19.526Z","updated_at":"2025-09-29T19:31:02.418Z","avatar_url":"https://github.com/rastating.png","language":"Ruby","readme":"\u003cp align=\"center\"\u003e\u003cimg src=\"https://raw.githubusercontent.com/rastating/wordpress-exploit-framework/gh-pages/static/wordpress-exploit-framework-200px.png\" /\u003e\u003c/p\u003e\n\n\u003ch1 align=\"center\"\u003eWordPress Exploit Framework\u003c/h1\u003e\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://travis-ci.org/rastating/wordpress-exploit-framework\"\u003e\u003cimg src=\"https://travis-ci.org/rastating/wordpress-exploit-framework.svg?branch=development\" alt=\"Build Status\" height=\"20\" /\u003e\u003c/a\u003e \u003ca href=\"https://codeclimate.com/github/rastating/wordpress-exploit-framework/maintainability\"\u003e\u003cimg src=\"https://api.codeclimate.com/v1/badges/5414ccc4e7a1f5e38c79/maintainability\" alt=\"Maintainability\" height=\"20\" /\u003e\u003c/a\u003e \u003ca href=\"https://coveralls.io/github/rastating/wordpress-exploit-framework?branch=development\"\u003e\u003cimg src=\"https://coveralls.io/repos/github/rastating/wordpress-exploit-framework/badge.svg?branch=development\" alt=\"Coverage Status\" height=\"20\" /\u003e\u003c/a\u003e \u003ca href=\"https://badge.fury.io/rb/wpxf\"\u003e\u003cimg src=\"https://badge.fury.io/rb/wpxf@2x.png\" alt=\"Gem Version\" height=\"20\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  A Ruby framework designed to aid in the penetration testing of WordPress systems.\n\u003c/p\u003e\n\n\u003chr\u003e\n\n### Installation\nTo install the latest stable build, run `gem install wpxf`.\n\nAfter installation, you can launch the WordPress Exploit Framework console by running `wpxf`.\n\n### What do I need to run it?\nRuby \u003e= 2.4.4 is required to run WordPress Exploit Framework.\n\n### Troubleshooting Installation\n#### Debian Systems\nIf you have issues installing WPXF's dependencies (in particular, Nokogiri), first make sure you have all the tooling necessary to compile C extensions:\n\n```\nsudo apt-get install build-essential patch\n```\n\nIt’s possible that you don’t have important development header files installed on your system. Here’s what you should do if you should find yourself in this situation:\n\n```\nsudo apt-get install ruby-dev zlib1g-dev liblzma-dev libsqlite3-dev\n```\n\n#### Windows Systems\nIf you are experiencing errors that indicate that `libcurl.dll` could not be loaded, you will need to ensure the latest libcurl binary is included in your Ruby bin folder, or any other folder that is in your environment's PATH variable.\n\nThe latest version can be downloaded from http://curl.haxx.se/download.html. As of 16/05/2016, the latest release is marked as `Win32 2000/XP zip\t7.40.0 libcurl SSL`. After downloading the archive, extract the contents of the bin directory into your Ruby bin directory (if prompted, don't overwrite any existing DLLs).\n\n### How do I use it?\nStart the WordPress Exploit Framework console by running `wpxf`.\n\nOnce loaded, you'll be presented with the wpxf prompt, from here you can search for modules using the `search` command or load a module using the `use` command.\n\nLoading a module into your environment will allow you to set options with the `set` command and view information about the module using `info`.\n\nBelow is an example of how one would load the symposium_shell_upload exploit module, set the module and payload options and run the exploit against the target.\n\n```\nwpxf \u003e use exploit/shell/symposium_shell_upload\n\n[+] Loaded module: #\u003cWpxf::Exploit::SymposiumShellUpload:0x3916f20\u003e\n\nwpxf [exploit/shell/symposium_shell_upload] \u003e set host wp-sandbox\n\n[+] Set host =\u003e wp-sandbox\n\nwpxf [exploit/shell/symposium_shell_upload] \u003e set target_uri /wordpress/\n\n[+] Set target_uri =\u003e /wordpress/\n\nwpxf [exploit/shell/symposium_shell_upload] \u003e set payload exec\n\n[+] Loaded payload: #\u003cWpxf::Payloads::Exec:0x434d078\u003e\n\nwpxf [exploit/shell/symposium_shell_upload] \u003e set cmd echo \"Hello, world!\"\n\n[+] Set cmd =\u003e echo \"Hello, world!\"\n\nwpxf [exploit/shell/symposium_shell_upload] \u003e run\n\n[-] Preparing payload...\n[-] Uploading the payload...\n[-] Executing the payload...\n[+] Result: Hello, world!\n[+] Execution finished successfully\n```\nFor a full list of supported commands, take a look at [This Wiki Page](https://github.com/rastating/wordpress-exploit-framework/wiki/Supported-Commands).\n\n### What is the difference between auxiliary and exploit modules?\nAuxiliary modules do not allow you to run payloads on the target machine, but instead allow you to extract information from the target, escalate privileges or provide denial of service functionality.\n\nExploit modules require you to specify a payload which subsequently gets executed on the target machine, allowing you to run arbitrary code to extract information from the machine, establish a remote shell or anything else that you want to do within the context of the web server.\n\n### What payloads are available?\n* **bind_php:** uploads a script that will bind to a specific port and allow WPXF to establish a remote shell.\n* **custom:** uploads and executes a custom PHP script.\n* **download_exec:** downloads and runs a remote executable file.\n* **meterpreter_bind_tcp:** a Meterpreter bind TCP payload generated using msfvenom.\n* **meterpreter_reverse_tcp:** a Meterpreter reverse  TCP payload generated using msfvenom.\n* **exec:** runs a shell command on the remote server and returns the output to the WPXF session.\n* **reverse_tcp:** uploads a script that will establish a reverse TCP shell.\n\nAll these payloads, with the exception of `custom` and the Meterpreter payloads, will delete themselves after they have been executed, to avoid leaving them lying around on the target machine after use or in the event that they are being used to establish a shell which fails.\n\n### How can I write my own modules and payloads?\nGuides on writing modules and payloads can be found on [The Wiki](https://github.com/rastating/wordpress-exploit-framework/wiki) and full documentation of the API can be found at https://rastating.github.io/wordpress-exploit-framework\n\n## License\nCopyright (C) 2015-2018 rastating\n\nRunning WordPress Exploit Framework against websites without prior mutual consent may be illegal in your country. The author and parties involved in its development accept no liability and are not responsible for any misuse or damage caused by WordPress Exploit Framework.\n\nThis program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.\n\nThis program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.\n\nYou should have received a copy of the GNU General Public License along with this program.  If not, see \u003chttp://www.gnu.org/licenses/\u003e.\n","funding_links":["https://github.com/sponsors/rastating"],"categories":["\u003ca id=\"683b645c2162a1fce5f24ac2abfa1973\"\u003e\u003c/a\u003e漏洞\u0026\u0026漏洞管理\u0026\u0026漏洞发现/挖掘\u0026\u0026漏洞开发\u0026\u0026漏洞利用\u0026\u0026Fuzzing","Ruby","Web Exploitation","📦 Legacy \u0026 Inactive Projects","Ruby (88)","Exploit Development Tools","Tools"],"sub_categories":["\u003ca id=\"41ae40ed61ab2b61f2971fea3ec26e7c\"\u003e\u003c/a\u003e漏洞利用","Penetration Testing Report Templates","Zealandia","Forensics","Web Exploitation"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frastating%2Fwordpress-exploit-framework","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frastating%2Fwordpress-exploit-framework","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frastating%2Fwordpress-exploit-framework/lists"}