WordPress Exploit Framework [WPXF]

Last Release: 10/06/2018    

WordPress Exploit Framework [WPXF]


WordPress Exploit Framework is a framework, written in Ruby, for developing and using modules which aid in the pentesting of WordPress powered websites and systems. This framework is completely free and it allows you to write your own payloads. So, you can modify it to suit your needs.

WordPress Exploit Framework Logo
Disclaimer: Running WordPress Exploit Framework against websites without prior mutual consent may be illegal in your country. The author and parties involved in its development are not responsible for any misuse or damage caused by WordPress Exploit Framework.

WordPress Exploit Framework [WPXF]: Pentesting Framework for WordPress Systems

The WordPress Exploit Framework [WPXF] provides a set of tools (modules and payloads) to assess and exploit WordPress websites/systems. You can use it for pentesting and vulnerability analysis tasks, but know: If you are at the beginning of the penetration testing career, you may find this tool a little bit harder/advanced for usage.

Features (2.0.x):

  • Loot is now stored into a .wpxf directory inside your home directory
  • A data store (by default sqlite3) is now used to store information gathered by modules
  • Harvested credentials can be viewed using the creds command
  • Gathered loot can be viewed using the loot command
  • Support for workspaces is now available and can be utilised using the workspace command
  • Numerous improvements to the API have been introduced
  • Custom modules can now be added to the .wpxf directory


  • bind_php: uploads a script that will bind to a specific port and allow WPXF to establish a remote shell.
  • custom: uploads and executes a custom PHP script.
  • download_exec: downloads and runs a remote executable file.
  • meterpreter_bind_tcp: a Meterpreter bind TCP payload generated using msfvenom.
  • meterpreter_reverse_tcp: a Meterpreter reverse TCP payload generated using msfvenom.
  • exec: runs a shell command on the remote server and returns the output to the WPXF session.
  • reverse_tcp: uploads a script that will establish a reverse TCP shell.


  • Ruby 2.4.4 (Supported platforms: Linux, Windows)


First install dependencies:

$ bundle install 

Make sure you have all the tooling necessary to compile C extensions:

$ sudo apt-get install build-essential patch

Development header files also need to be installed:

$ sudo apt-get install ruby-dev zlib1g-dev liblzma-dev libsqlite3-dev

Then clone the GitHub repo:

$ git clone https://github.com/rastating/wordpress-exploit-framework.git


To launch WPXF, simply run:

$ sudo wpxf.rb

Once loaded, you’ll be able to search for modules using the search command. To load module, run the use command.

To get a list of available auxiliary modules run:

wpxf > show auxiliary

  [+] 58 Auxiliaries

      Module                                    Title                        
      --------------------------------------    --------------------------------------------   
      auxiliary/dos/load_scripts_dos            WordPress "load-scripts.php" DoS
      auxiliary/dos/long_password_dos           Long Password DoS
      auxiliary/dos/post_grid_file_deletion     Post Grid <= 2.0.12 Unauthenticated Arbitrary File Deletion
      auxiliary/dos/wp_v4.7.2_csrf_dos          WordPress 4.2-4.7.2 - CSRF DoS


  wpxf >

Show all available exploits:

wpxf > show exploits

  [+] 289 Exploits

      Module                                                    Title
      --------------------------------------------------------  --------------------------------------------
      exploit/rfi/advanced_custom_fields_remote_file_inclusion  Advanced Custom Fields Remote File Inclusion
      exploit/rfi/fast_image_adder_v1.1_rfi_shell_upload        Fast Image Adder <= 1.1 RFI Shell Upload
      exploit/rfi/flickr_picture_backup_rfi_shell_upload        Flickr Picture Backup RFI Shell Upload
      exploit/rfi/gwolle_guestbook_remote_file_inclusion        Gwolle Guestbook Remote File Inclusion
      exploit/rfi/wp_mobile_detector_rfi_shell_upload           WP Mobile Detector RFI Shell Upload


wpxf >

To show basic options of the currently loaded module, run:

wpxf [exploit/shell/admin_shell_upload] > show options

  Module options:

    Name                  Current Setting   Required   Description
    -------------------   ---------------   --------   -------------------------------------------
    host                  wordpress.vm      true       Address of the target host.
    http_client_timeout   5                 true       Max wait time in seconds for HTTP responses
    password                                true       The WordPress password to authenticate with
    port                  80                true       Port the remote host is listening on
    proxy                                   false      Proxy address ([protocol://]host:port)
    ssl                   false             true       Use SSL/HTTPS for all requests
    target_uri            /                 true       Base path to the WordPress application
    username                                true       The WordPress username to authenticate with
    verbose               false             true       Enable verbose output
    vhost                                   false      HTTP server virtual host

wpxf [exploit/shell/admin_shell_upload] >

For the detailed usage guide, click the “documentation” button below.

Documentation Box
Download Box