Wordpress Penetration Testing
Run an authorized WordPress security assessment covering core, plugins, themes, and WordPress 7.0-specific attack surfaces.
Overview
WordPress Penetration Testing is an agent skill for the Ship phase that guides authorized WordPress assessments including WordPress 7.0 RTC, AI Connector, and Abilities API attack surfaces.
Install
npx skills add https://github.com/sickn33/antigravity-awesome-skills --skill wordpress-penetration-testingWhat is this skill?
- Authorized-use-only scope for assessments, defensive validation, or controlled education
- WordPress 7.0 surfaces: Real-Time Collaboration (Yjs), AI Connector `/wp-json/ai/v1/`, Abilities API manifest and invoca
- DataViews admin endpoints, filter/sort injection, and client-side validation bypass considerations
- PHP upgrade risk framing (7.2/7.3 EOL, 8.3+ recommendations) as part of attack surface
- End-to-end WordPress assessment flow: user/theme/plugin enumeration, scanning, and exploitation techniques
- WordPress ~35% of websites cited in skill purpose
- WordPress 7.0 (April 2026) feature set called out for RTC, AI, Abilities, DataViews
Adoption & trust: 446 installs on skills.sh; 40.1k GitHub stars; 0/3 security scanners passed (skills.sh audits).
What problem does it solve?
You are launching or operating WordPress and lack a checklist for modern 7.0 REST, collaboration, and AI integration risks beyond plugin CVE lists.
Who is it for?
Builders with explicit authorization hardening a WordPress or WooCommerce property before go-live or after a major version upgrade.
Skip if: Unauthorized scanning, bug-bounty guessing, or anyone without a signed scope of work—HARD-GATE on authorized use only.
When should I use this skill?
Assess WordPress installations for common vulnerabilities and WordPress 7.0 attack surfaces under authorized scope only.
What do I get? / Deliverables
You get a structured assessment plan and finding categories you can turn into remediations, retests, and launch blockers for authorized targets only.
- Enumeration findings (users, themes, plugins)
- 7.0-specific API and collaboration risk notes
- Prioritized remediation list for authorized target
Recommended Skills
Journey fit
Penetration testing belongs in Ship when hardening or certifying a site before launch—not during raw feature build. The skill targets vulnerability enumeration, credential testing, and new 7.0 APIs (RTC, AI Connector, Abilities)—classic pre-launch appsec work.
How it compares
Offensive assessment playbook for agents, not a passive WAF or managed WordPress host.
Common Questions / FAQ
Who is wordpress-penetration-testing for?
Security-conscious solo builders and consultants performing authorized WordPress reviews, especially when upgrading toward WordPress 7.0 feature sets.
When should I use wordpress-penetration-testing?
During Ship security before launch, after major WP/PHP upgrades, or when enabling AI Connector and Abilities API integrations on staging clones.
Is wordpress-penetration-testing safe to install?
The skill is tagged offensive-risk community content—use only with legal authorization; review the Security Audits panel on this page and never point automation at third-party sites without permission.
SKILL.md
READMESKILL.md - Wordpress Penetration Testing
> AUTHORIZED USE ONLY: Use this skill only for authorized security assessments, defensive validation, or controlled educational environments. # WordPress Penetration Testing ## WordPress 7.0 Security Considerations WordPress 7.0 (April 2026) introduces new features that create additional attack surfaces: ### Real-Time Collaboration (RTC) - Yjs CRDT sync provider endpoints - `wp_sync_storage` post meta - Collaboration session hijacking - Data sync interception ### AI Connector API - `/wp-json/ai/v1/` endpoints - Credential storage in Settings > Connectors - Prompt injection vulnerabilities - AI response manipulation ### Abilities API - `/wp-json/abilities/v1/` manifest exposure - Ability invocation endpoints - Permission boundary bypass - MCP adapter integration points ### DataViews - New admin interface endpoints - Client-side validation bypass - Filter/sort parameter injection ### PHP Requirements - PHP 7.2/7.3 no longer supported (upgrade attacks) - PHP 8.3+ recommended (new attack vectors) ## Purpose Conduct comprehensive security assessments of WordPress installations including enumeration of users, themes, and plugins, vulnerability scanning, credential attacks, and exploitation techniques. WordPress powers approximately 35% of websites, making it a critical target for security testing. ## Prerequisites ### Required Tools - WPScan (pre-installed in Kali Linux) - Metasploit Framework - Burp Suite or OWASP ZAP - Nmap for initial discovery - cURL or wget ### Required Knowledge - WordPress architecture and structure - Web application testing fundamentals - HTTP protocol understanding - Common web vulnerabilities (OWASP Top 10) ## Outputs and Deliverables 1. **WordPress Enumeration Report** - Version, themes, plugins, users 2. **Vulnerability Assessment** - Identified CVEs and misconfigurations 3. **Credential Assessment** - Weak password findings 4. **Exploitation Proof** - Shell access documentation ## Core Workflow ### Phase 1: WordPress Discovery Identify WordPress installations: ```bash # Check for WordPress indicators curl -s http://target.com | grep -i wordpress curl -s http://target.com | grep -i "wp-content" curl -s http://target.com | grep -i "wp-includes" # Check common WordPress paths curl -I http://target.com/wp-login.php curl -I http://target.com/wp-admin/ curl -I http://target.com/wp-content/ curl -I http://target.com/xmlrpc.php # Check meta generator tag curl -s http://target.com | grep "generator" # Nmap WordPress detection nmap -p 80,443 --script http-wordpress-enum target.com ``` Key WordPress files and directories: - `/wp-admin/` - Admin dashboard - `/wp-login.php` - Login page - `/wp-content/` - Themes, plugins, uploads - `/wp-includes/` - Core files - `/xmlrpc.php` - XML-RPC interface - `/wp-config.php` - Configuration (not accessible if secure) - `/readme.html` - Version information ### Phase 2: Basic WPScan Enumeration Comprehensive WordPress scanning with WPScan: ```bash # Basic scan wpscan --url http://target.com/wordpress/ # With API token (for vulnerability data) wpscan --url http://target.com --api-token YOUR_API_TOKEN # Aggressive detection mode wpscan --url http://target.com --detection-mode aggressive # Output to file wpscan --url http://target.com -o results.txt # JSON output wpscan --url http://target.com -f json -o results.json # Verbose output wpscan --url http://target.com -v ``` ### Phase 3: WordPress Version Detection Identify WordPress version: ```bash # WPScan version detection wpscan --url http://target.com # Manual version checks curl -s http://target.com/readme.html | grep -i version curl -s http://target.com/feed/ | grep -i generator curl -s http://target.com | grep "?ver=" # Check meta generator curl -s http://target.com |