wordpress-penetration-testing

Assess WordPress installations for common vulnerabilities and WordPress 7.0 attack surfaces.

Testing & QA 38,979 stars 6339 forks Updated today MIT

Quality Score: 99/100

Stars (20%): 100
Recency (20%): 100
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 50
License (10%): 100
Description (5%): 100

Skill Content

> AUTHORIZED USE ONLY: Use this skill only for authorized security assessments, defensive validation, or controlled educational environments.

# WordPress Penetration Testing

## WordPress 7.0 Security Considerations

WordPress 7.0 (April 2026) introduces new features that create additional attack surfaces:

### Real-Time Collaboration (RTC)

- Yjs CRDT sync provider endpoints
- `wp_sync_storage` post meta
- Collaboration session hijacking
- Data sync interception

### AI Connector API

- `/wp-json/ai/v1/` endpoints
- Credential storage in Settings > Connectors
- Prompt injection vulnerabilities
- AI response manipulation

### Abilities API

- `/wp-json/abilities/v1/` manifest exposure
- Ability invocation endpoints
- Permission boundary bypass
- MCP adapter integration points

### DataViews

- New admin interface endpoints
- Client-side validation bypass
- Filter/sort parameter injection

### PHP Requirements

- PHP 7.2/7.3 no longer supported (upgrade attacks)
- PHP 8.3+ recommended (new attack vectors)

## Purpose

Conduct comprehensive security assessments of WordPress installations including enumeration of users, themes, and plugins, vulnerability scanning, credential attacks, and exploitation techniques. WordPress powers approximately 35% of websites, making it a critical target for security testing.

## Prerequisites

### Required Tools

- WPScan (pre-installed in Kali Linux)
- Metasploit Framework
- Burp Suite or OWASP ZAP
- Nmap for initial discovery
- cURL or wget

### Re...

Details

Author: sickn33
Repository: sickn33/antigravity-awesome-skills
Created: 4 months ago
Last Updated: today
Language: Python
License: MIT
