WordPress Exploit Framework v2.0.1 releases

WordPress Exploit Framework is a Ruby framework for developing and using modules which aid in the penetration testing of WordPress powered websites and systems.




  • Add bypass for admin shell uploads when write permissions are not present on the plugins directory
  • Update dependencies


This version is NOT compatible with 1.x. To upgrade to 2.0, remove your previous installation and install the gem by running gem install wpxf.

New Features

  • Loot is now stored into a .wpxf directory inside your home directory
  • A data store (by default sqlite3) is now used to store information gathered by modules
  • Harvested credentials can be viewed using the creds command
  • Gathered loot can be viewed using the loot command
  • Support for workspaces is now available and can be utilized using the workspace command
  • Numerous improvements to the API have been introduced
  • Custom modules can now be added to the .wpxf directory

Using Custom Modules

If you have a custom module you wish to use, you can now place it within the ~/.wpxf/modules/directory and then load it in the CLI using the normal use {exploit_path} syntax.


sudo apt-get install build-essential patch
sudo apt-get install ruby-dev zlib1g-dev liblzma-dev
git clone https://github.com/rastating/wordpress-exploit-framework.git



What payloads are available?

  • bind_php: uploads a script that will bind to a specific port and allow WPXF to establish a remote shell.
  • custom: uploads and executes a custom PHP script.
  • download_exec: downloads and runs a remote executable file.
  • meterpreter_bind_tcp: a Meterpreter bind TCP payload generated using msfvenom.
  • meterpreter_reverse_tcp: a Meterpreter reverse TCP payload generated using msfvenom.
  • exec: runs a shell command on the remote server and returns the output to the WPXF session.
  • reverse_tcp: uploads a script that will establish a reverse TCP shell.

All these payloads, with the exception of custom and the Meterpreter payloads, will delete themselves after they have been executed, to avoid leaving them lying around on the target machine after use or in the event that they are being used to establish a shell which fails.


ruby wpxf.rb


wordpress exploit framework


Copyright (C) 2015-2018 rastating

Source: https://github.com/rastating/


Read more…


Anastasis Vasileiadis

PC Technical || Penetration Tester || Ethical Hacker || Cyber Security Expert || Cyber Security Analyst || Information Security Researcher || Malware analyst || Malware Investigator || Reverse Engineering

Leave a Reply

SC ProDefence SRL - Cyber Security Services