Web


Nmap [[Stapler_Recon#|discovered]] a web server on target port 12380. The running service is Apache httpd 2.4.18 ((Ubuntu)).

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/stapler]
└─$ curl -I -X OPTIONS http://$IP:12380/  
curl: (52) Empty reply from server
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/stapler]
└─$ curl -I http://$IP:12380/
HTTP/1.1 400 Bad Request
Date: Mon, 28 Apr 2025 19:32:11 GMT
Server: Apache/2.4.18 (Ubuntu)
Last-Modified: Fri, 03 Jun 2016 16:55:33 GMT
ETag: "6a16a-53462974b46e8"
Accept-Ranges: bytes
Content-Length: 434538
Dave: Soemthing doesn't look right here
Connection: close
Content-Type: text/html

Webroot

A comment in the page source reveals further usernames: Dave, Tim and Zoe.

Fuzzing


┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/stapler]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP:12380/FUZZ -ic -e .html,.txt,.php -fc 403
________________________________________________
 :: Method           : GET
 :: URL              : http://192.168.239.148:12380/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Extensions       : .html .txt .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response status: 403
________________________________________________
:: Progress: [81912/81912] :: Job [1/1] :: 16 req/sec :: Duration: [1:41:46] :: Errors: 0 ::
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/stapler]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://$IP:12380/FUZZ/ -ic -fc 403
________________________________________________
 :: Method           : GET
 :: URL              : http://192.168.239.148:12380/FUZZ/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response status: 403
________________________________________________
:: Progress: [207630/207630] :: Job [1/1] :: 29 req/sec :: Duration: [1:59:12] :: Errors: 0 ::

N/A: neither wordlist returned any hits over plain HTTP.

HTTPS


┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/stapler]
└─$ curl -k -I -X OPTIONS https://$IP:12380/
HTTP/1.1 200 OK
Date: Mon, 28 Apr 2025 22:15:28 GMT
Server: Apache/2.4.18 (Ubuntu)
Allow: GET,HEAD,POST,OPTIONS
Dave: Soemthing doesn't look right here
Content-Length: 0
Content-Type: text/html
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/stapler]
└─$ curl -k -I https://$IP:12380/        
HTTP/1.1 200 OK
Date: Mon, 28 Apr 2025 22:15:32 GMT
Server: Apache/2.4.18 (Ubuntu)
Last-Modified: Sat, 04 Jun 2016 23:37:47 GMT
ETag: "15-5347c53a972d1"
Accept-Ranges: bytes
Content-Length: 21
Dave: Soemthing doesn't look right here
Content-Type: text/html

Webroot

Fuzzing (HTTPS)


┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/stapler]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u https://$IP:12380/FUZZ -ic -e .html,.txt,.php -fc 403
________________________________________________
 :: Method           : GET
 :: URL              : https://192.168.239.148:12380/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Extensions       : .html .txt .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response status: 403
________________________________________________
announcements           [Status: 301, Size: 336, Words: 20, Lines: 10, Duration: 20ms]
index.html              [Status: 200, Size: 21, Words: 3, Lines: 2, Duration: 28ms]
javascript              [Status: 301, Size: 333, Words: 20, Lines: 10, Duration: 19ms]
phpmyadmin              [Status: 301, Size: 333, Words: 20, Lines: 10, Duration: 19ms]
robots.txt              [Status: 200, Size: 59, Words: 4, Lines: 4, Duration: 20ms]
:: Progress: [81912/81912] :: Job [1/1] :: 2298 req/sec :: Duration: [0:00:48] :: Errors: 0 ::
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/stapler]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u https://$IP:12380/FUZZ/ -ic -fc 403
________________________________________________
 :: Method           : GET
 :: URL              : https://192.168.239.148:12380/FUZZ/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response status: 403
________________________________________________
                        [Status: 200, Size: 21, Words: 3, Lines: 2, Duration: 18ms]
announcements           [Status: 200, Size: 961, Words: 63, Lines: 17, Duration: 18ms]
phpmyadmin              [Status: 200, Size: 10339, Words: 492, Lines: 26, Duration: 219ms]
:: Progress: [207630/207630] :: Job [1/1] :: 2173 req/sec :: Duration: [0:01:56] :: Errors: 0 ::
  • /announcements/
  • /phpmyadmin/
  • /robots.txt

/announcements/


message.txt

  • Abby
  • Linking the folder
  • mo

/phpmyadmin/


No credentials are known at this time.

/robots.txt


  • /admin112233/
  • /blogblog

/admin112233/


┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/stapler]
└─$ curl -k -i https://192.168.239.148:12380/admin112233/
HTTP/1.1 200 OK
Date: Mon, 28 Apr 2025 22:24:37 GMT
Server: Apache/2.4.18 (Ubuntu)
Last-Modified: Fri, 03 Jun 2016 22:35:16 GMT
ETag: "113-534675636e8a6"
Accept-Ranges: bytes
Content-Length: 275
Vary: Accept-Encoding
Dave: Soemthing doesn't look right here
Content-Type: text/html
 
<html>
<head>
<title>mwwhahahah</title>
<body>
<noscript>Give yourself a cookie! Javascript didn't run =)</noscript>
<script type="text/javascript">window.alert("This could of been a BeEF-XSS hook ;)");window.location="http://www.xss-payloads.com/";</script>
</body>
</html>

Cookie?

/blogblog/


A WordPress instance is hosted at the /blogblog/ endpoint.

wpscan

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/stapler]
└─$ wpscan --url https://$IP:12380/blogblog/ --disable-tls-checks --random-user-agent -e u,ap,at --plugins-detection aggressive -t 128 
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|
 
         WordPress Security Scanner by the WPScan Team
                         Version 3.8.28
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
 
[+] URL: https://192.168.239.148:12380/blogblog/ [192.168.239.148]
[+] Started: Tue Apr 29 00:32:13 2025
 
Interesting Finding(s):
 
[+] Headers
 | Interesting Entries:
 |  - Server: Apache/2.4.18 (Ubuntu)
 |  - Dave: Soemthing doesn't look right here
 | Found By: Headers (Passive Detection)
 | Confidence: 100%
 
[+] XML-RPC seems to be enabled: https://192.168.239.148:12380/blogblog/xmlrpc.php
 | Found By: Headers (Passive Detection)
 | Confidence: 100%
 | Confirmed By:
 |  - Link Tag (Passive Detection), 30% confidence
 |  - Direct Access (Aggressive Detection), 100% confidence
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
 
[+] WordPress readme found: https://192.168.239.148:12380/blogblog/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 
[+] Registration is enabled: https://192.168.239.148:12380/blogblog/wp-login.php?action=register
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 
[+] Upload directory has listing enabled: https://192.168.239.148:12380/blogblog/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 
[+] The external WP-Cron seems to be enabled: https://192.168.239.148:12380/blogblog/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299
 
[+] WordPress version 4.2.1 identified (Insecure, released on 2015-04-27).
 | Found By: Rss Generator (Passive Detection)
 |  - https://192.168.239.148:12380/blogblog/?feed=rss2, <generator>http://wordpress.org/?v=4.2.1</generator>
 |  - https://192.168.239.148:12380/blogblog/?feed=comments-rss2, <generator>http://wordpress.org/?v=4.2.1</generator>
 
[+] WordPress theme in use: bhost
 | Location: https://192.168.239.148:12380/blogblog/wp-content/themes/bhost/
 | Last Updated: 2025-03-07T00:00:00.000Z
 | Readme: https://192.168.239.148:12380/blogblog/wp-content/themes/bhost/readme.txt
 | [!] The version is out of date, the latest version is 1.9
 | Style URL: https://192.168.239.148:12380/blogblog/wp-content/themes/bhost/style.css?ver=4.2.1
 | Style Name: BHost
 | Description: Bhost is a nice , clean , beautifull, Responsive and modern design free WordPress Theme. This theme ...
 | Author: Masum Billah
 | Author URI: http://getmasum.net/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.2.9 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://192.168.239.148:12380/blogblog/wp-content/themes/bhost/style.css?ver=4.2.1, Match: 'Version: 1.2.9'
 
[+] Enumerating All Plugins (via Aggressive Methods)
 Checking Known Locations - Time: 00:01:42 <==================================================> (110234 / 110234) 100.00% Time: 00:01:42
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
 
[i] Plugin(s) Identified:
 
[+] advanced-video-embed-embed-videos-or-playlists
 | Location: https://192.168.239.148:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2015-10-14T13:52:00.000Z
 | Readme: https://192.168.239.148:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/readme.txt
 | [!] Directory listing is enabled
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://192.168.239.148:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/, status: 200
 |
 | Version: 1.0 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - https://192.168.239.148:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/readme.txt
 
[+] akismet
 | Location: https://192.168.239.148:12380/blogblog/wp-content/plugins/akismet/
 | Latest Version: 5.3.7
 | Last Updated: 2025-04-14T23:37:00.000Z
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://192.168.239.148:12380/blogblog/wp-content/plugins/akismet/, status: 403
 |
 | The version could not be determined.
 
[+] shortcode-ui
 | Location: https://192.168.239.148:12380/blogblog/wp-content/plugins/shortcode-ui/
 | Last Updated: 2019-01-16T22:56:00.000Z
 | Readme: https://192.168.239.148:12380/blogblog/wp-content/plugins/shortcode-ui/readme.txt
 | [!] The version is out of date, the latest version is 0.7.4
 | [!] Directory listing is enabled
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://192.168.239.148:12380/blogblog/wp-content/plugins/shortcode-ui/, status: 200
 |
 | Version: 0.6.2 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - https://192.168.239.148:12380/blogblog/wp-content/plugins/shortcode-ui/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - https://192.168.239.148:12380/blogblog/wp-content/plugins/shortcode-ui/readme.txt
 
[+] two-factor
 | Location: https://192.168.239.148:12380/blogblog/wp-content/plugins/two-factor/
 | Latest Version: 0.13.0
 | Last Updated: 2025-04-02T14:33:00.000Z
 | Readme: https://192.168.239.148:12380/blogblog/wp-content/plugins/two-factor/readme.txt
 | [!] Directory listing is enabled
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://192.168.239.148:12380/blogblog/wp-content/plugins/two-factor/, status: 200
 |
 | The version could not be determined.
 
[+] Enumerating All Themes (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:00:29 <====================================================> (29475 / 29475) 100.00% Time: 00:00:29
[+] Checking Theme Versions (via Passive and Aggressive Methods)
 
[i] Theme(s) Identified:
 
[+] bhost
 | Location: https://192.168.239.148:12380/blogblog/wp-content/themes/bhost/
 | Last Updated: 2025-03-07T00:00:00.000Z
 | Readme: https://192.168.239.148:12380/blogblog/wp-content/themes/bhost/readme.txt
 | [!] The version is out of date, the latest version is 1.9
 | Style URL: https://192.168.239.148:12380/blogblog/wp-content/themes/bhost/style.css
 | Style Name: BHost
 | Description: Bhost is a nice , clean , beautifull, Responsive and modern design free WordPress Theme. This theme ...
 | Author: Masum Billah
 | Author URI: http://getmasum.net/
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Known Locations (Aggressive Detection)
 |  - https://192.168.239.148:12380/blogblog/wp-content/themes/bhost/, status: 500
 |
 | Version: 1.2.9 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://192.168.239.148:12380/blogblog/wp-content/themes/bhost/style.css, Match: 'Version: 1.2.9'
 
[+] creative-blog
 | Location: https://192.168.239.148:12380/blogblog/wp-content/themes/creative-blog/
 | Last Updated: 2021-11-24T00:00:00.000Z
 | Readme: https://192.168.239.148:12380/blogblog/wp-content/themes/creative-blog/readme.txt
 | [!] The version is out of date, the latest version is 1.1.5
 | Style URL: https://192.168.239.148:12380/blogblog/wp-content/themes/creative-blog/style.css
 | Style Name: Creative Blog
 | Style URI: http://napitwptech.com/themes/creative-blog/
 | Description: Creative Blog is an extremely creative WordPress theme to create your own personal blog site very ea...
 | Author: Bishal Napit
 | Author URI: http://napitwptech.com/themes/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://192.168.239.148:12380/blogblog/wp-content/themes/creative-blog/, status: 500
 |
 | Version: 0.9 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://192.168.239.148:12380/blogblog/wp-content/themes/creative-blog/style.css, Match: 'Version: 0.9'
 
[+] sydney
 | Location: https://192.168.239.148:12380/blogblog/wp-content/themes/sydney/
 | Last Updated: 2025-04-04T00:00:00.000Z
 | Readme: https://192.168.239.148:12380/blogblog/wp-content/themes/sydney/readme.txt
 | [!] The version is out of date, the latest version is 2.53
 | Style URL: https://192.168.239.148:12380/blogblog/wp-content/themes/sydney/style.css
 | Style Name: Sydney
 | Style URI: http://athemes.com/theme/sydney
 | Description: Sydney is a powerful business theme that provides a fast way for companies or freelancers to create ...
 | Author: aThemes
 | Author URI: http://athemes.com
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://192.168.239.148:12380/blogblog/wp-content/themes/sydney/, status: 500
 |
 | Version: 1.28 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://192.168.239.148:12380/blogblog/wp-content/themes/sydney/style.css, Match: 'Version: 1.28'
 
[+] trope
 | Location: https://192.168.239.148:12380/blogblog/wp-content/themes/trope/
 | Last Updated: 2018-06-12T00:00:00.000Z
 | Readme: https://192.168.239.148:12380/blogblog/wp-content/themes/trope/readme.txt
 | [!] The version is out of date, the latest version is 1.2
 | Style URL: https://192.168.239.148:12380/blogblog/wp-content/themes/trope/style.css
 | Style Name: Trope
 | Style URI: http://wpdean.com/trope-wordpress-theme/
 | Description: Trope is a free WordPress theme that comes with clean, modern, minimal and fully responsive design w...
 | Author: WPDean
 | Author URI: http://wpdean.com/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://192.168.239.148:12380/blogblog/wp-content/themes/trope/, status: 500
 |
 | Version: 1.1.0 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://192.168.239.148:12380/blogblog/wp-content/themes/trope/style.css, Match: 'Version: 1.1.0'
 
[+] twentyfifteen
 | Location: https://192.168.239.148:12380/blogblog/wp-content/themes/twentyfifteen/
 | Last Updated: 2025-04-15T00:00:00.000Z
 | Readme: https://192.168.239.148:12380/blogblog/wp-content/themes/twentyfifteen/readme.txt
 | [!] The version is out of date, the latest version is 4.0
 | Style URL: https://192.168.239.148:12380/blogblog/wp-content/themes/twentyfifteen/style.css
 | Style Name: Twenty Fifteen
 | Style URI: https://wordpress.org/themes/twentyfifteen/
 | Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, st...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://192.168.239.148:12380/blogblog/wp-content/themes/twentyfifteen/, status: 500
 |
 | Version: 1.1 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://192.168.239.148:12380/blogblog/wp-content/themes/twentyfifteen/style.css, Match: 'Version: 1.1'
 
[+] twentyfourteen
 | Location: https://192.168.239.148:12380/blogblog/wp-content/themes/twentyfourteen/
 | Last Updated: 2025-04-15T00:00:00.000Z
 | [!] The version is out of date, the latest version is 4.2
 | Style URL: https://192.168.239.148:12380/blogblog/wp-content/themes/twentyfourteen/style.css
 | Style Name: Twenty Fourteen
 | Style URI: https://wordpress.org/themes/twentyfourteen/
 | Description: In 2014, our default theme lets you create a responsive magazine website with a sleek, modern design...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://192.168.239.148:12380/blogblog/wp-content/themes/twentyfourteen/, status: 500
 |
 | Version: 1.4 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://192.168.239.148:12380/blogblog/wp-content/themes/twentyfourteen/style.css, Match: 'Version: 1.4'
 
[+] twentythirteen
 | Location: https://192.168.239.148:12380/blogblog/wp-content/themes/twentythirteen/
 | Last Updated: 2025-04-15T00:00:00.000Z
 | [!] The version is out of date, the latest version is 4.4
 | Style URL: https://192.168.239.148:12380/blogblog/wp-content/themes/twentythirteen/style.css
 | Style Name: Twenty Thirteen
 | Style URI: https://wordpress.org/themes/twentythirteen/
 | Description: The 2013 theme for WordPress takes us back to the blog, featuring a full range of post formats, each...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://192.168.239.148:12380/blogblog/wp-content/themes/twentythirteen/, status: 500
 |
 | Version: 1.5 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://192.168.239.148:12380/blogblog/wp-content/themes/twentythirteen/style.css, Match: 'Version: 1.5'
 
[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:01 <==========================================================> (10 / 10) 100.00% Time: 00:00:01
 
[i] User(s) Identified:
 
[+] John Smith
 | Found By: Author Posts - Display Name (Passive Detection)
 | Confirmed By: Rss Generator (Passive Detection)
 
[+] harry
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
 
[+] tim
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
 
[+] john
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
 
[+] elly
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
 
[+] peter
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
 
[+] barry
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
 
[+] heather
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
 
[+] garry
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
 
[+] scott
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
 
[+] kathy
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
 
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
 
[+] Finished: Tue Apr 29 00:34:43 2025
[+] Requests Done: 139833
[+] Cached Requests: 33
[+] Data Sent: 46.085 MB
[+] Data Received: 19.343 MB
[+] Memory used: 513.156 MB
[+] Elapsed time: 00:02:30

The target WordPress instance is version 4.2.1 and uses the advanced-video-embed-embed-videos-or-playlists plugin, version 1.0. The following users have been identified:

  • John Smith
  • harry
  • tim
  • john
  • elly
  • peter
  • barry
  • heather
  • garry
  • scott
  • kathy
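
The WPScan findings above (XML-RPC reachable, registration open, listable upload and plugin directories, an outdated core and plugin, and the leaking Server and Dave headers) are the hardening checklist a site owner would work from. As an added example, not part of this write-up or of WPScan itself, the script below parses WPScan's "[+] finding" / " | detail" text layout and maps each configuration weakness to its fix; the sample report is a constructed excerpt in the same layout, with the target address replaced by HOST.

```python
import re
from typing import List, Tuple

# Constructed sample in the same layout as the WPScan report above.
SAMPLE_REPORT = """\
[+] Headers
 | Interesting Entries:
 |  - Server: Apache/2.4.18 (Ubuntu)
 |  - Dave: Soemthing doesn't look right here
 | Found By: Headers (Passive Detection)

[+] XML-RPC seems to be enabled: https://HOST:12380/blogblog/xmlrpc.php
 | Found By: Headers (Passive Detection)

[+] Registration is enabled: https://HOST:12380/blogblog/wp-login.php?action=register
 | Found By: Direct Access (Aggressive Detection)

[+] Upload directory has listing enabled: https://HOST:12380/blogblog/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)

[+] WordPress version 4.2.1 identified (Insecure, released on 2015-04-27).
 | Found By: Rss Generator (Passive Detection)

[+] shortcode-ui
 | [!] The version is out of date, the latest version is 0.7.4
 | [!] Directory listing is enabled
 | Version: 0.6.2 (100% confidence)
"""


def parse_report(text: str) -> List[Tuple[str, List[str]]]:
    """Group WPScan's '[+] title' lines with the ' | detail' lines below them."""
    findings: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        if raw.startswith("[+] "):
            # Strip the ': https://...' suffix so titles match RULES below.
            findings.append((re.sub(r":\s+https?://\S+$", "", raw[4:].strip()), []))
        elif raw.startswith(" |") and findings:
            findings[-1][1].append(raw[2:].strip())
    return findings


# (regex tried against the title and each detail line, severity, remediation)
RULES = [
    (r"^XML-RPC seems to be enabled", "high",
     "deny xmlrpc.php at the web server unless a client relies on it"),
    (r"^WordPress version \S+ identified \(Insecure", "high",
     "update WordPress core to a supported release"),
    (r"^Registration is enabled", "medium",
     "disable 'Anyone can register' (users_can_register = 0)"),
    (r"listing (?:is )?enabled", "medium",
     "set 'Options -Indexes' so wp-content directories are not listable"),
    (r"^\[!\] The version is out of date", "medium",
     "update the plugin or theme to its latest version"),
    (r"^- Server: \S+/\d", "low",
     "set 'ServerTokens Prod' so the Apache version is not disclosed"),
    (r"^- (?!Server:)[A-Za-z-]+: ", "low",
     "remove non-standard response headers carrying internal notes"),
]


def triage(text: str) -> List[Tuple[str, str, str]]:
    """Return one (finding, severity, remediation) per rule that fires."""
    actions = []
    for title, details in parse_report(text):
        for line in [title] + details:
            for pattern, severity, fix in RULES:
                if re.search(pattern, line):
                    actions.append((title, severity, fix))
    return actions


if __name__ == "__main__":
    for title, severity, fix in triage(SAMPLE_REPORT):
        print(f"[{severity:>6}] {title}: {fix}")
```

Feeding the full report saved from `wpscan ... -o report.txt` through `triage()` yields the same prioritised list for the real scan.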

Vulnerabilities

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/stapler]
└─$ searchsploit WordPress Core 4.2.1
-------------------------------------------------------- ---------------------------------
 Exploit Title                                          |  Path
-------------------------------------------------------- ---------------------------------
WordPress Core < 4.7.1 - Username Enumeration           | php/webapps/41497.php
WordPress Core < 4.7.4 - Unauthorized Password Reset    | linux/webapps/41963.txt
WordPress Core < 4.9.6 - (Authenticated) Arbitrary File | php/webapps/44949.txt
WordPress Core < 5.2.3 - Viewing Unauthenticated/Passwo | multiple/webapps/47690.md
WordPress Core < 5.3.x - 'xmlrpc.php' Denial of Service | php/dos/47800.py
-------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

Many published vulnerabilities affect WordPress version 4.2.1.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/stapler]
└─$ searchsploit WordPress advanced-video-embed-embed-videos-or-playlists 1.0
--------------------------------------------------------------- ---------------------------------
 Exploit Title                                                 |  Path
--------------------------------------------------------------- ---------------------------------
WordPress Plugin Advanced Video 1.0 - Local File Inclusion     | php/webapps/39646.py
--------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

The target WordPress instance has version 1.0 of the advanced-video-embed-embed-videos-or-playlists plugin installed.