OffSec Sydney • University Talk

Breaking WordPress Through Plugin Vulnerabilities

From reconnaissance and enumeration to plugin abuse and remote code execution, this talk shows how attackers build momentum — and where defenders can stop them.

Prashant Ghatani (Pzod) • Security Consultant / Pentester @ NCC Group
WP → RCE
Recon, enumeration, vulnerable plugin discovery, exploit path, impact, and defensive lessons.
© OffSec-inspired redesign

Tell me and I forget. Teach me and I may remember. Involve me and I learn.

Benjamin Franklin

Opening hook
Agenda

Attack path of the talk

01

Pentesting 101

What a pentest is, why it matters, and how attackers think in stages.

02

Recon

Network scanning, OSINT, and web enumeration to map the target.

03

WordPress

Themes, plugins, version leaks, and where real-world exposure often starts.

04

Exploit path

How a weakness becomes code execution, compromise, and business impact.

05

Demo

A clear attacker workflow from discovery to evidence.

06

Defence

What students should remember, fix, and practise ethically.

Agenda
Speaker

$ whoami

  • Security Consultant / Pentester @ NCC Group
  • OSCP certified and active in offensive security education
  • NASA Hall of Fame 2024 recognition
  • Sydney Ambassador for OffSec
operator profile
$ skills --list
web app testing • exploit validation • attacker tradecraft • student outreach
$ mission
Teach offensive security in a way that is memorable, practical, and ethical.
teach • test • defend
About the speaker
Pentesting 101

A pentest proves impact, not just exposure

01

Authorised

A penetration test is legal, scoped, and permission-based.

02

Adversarial

It simulates attacker behaviour to see what can actually be reached.

03

Evidence-led

The goal is not a list of bugs. The goal is demonstrable business risk.

Recon

Find what exists.

Scan

Identify doors and services.

Exploit

Turn weakness into access.

Report

Translate technical proof into risk.

Pentesting 101
Inside the network

Think in maps, ports, and pathways

  • A network is a system of connected devices exchanging data.
  • Ports are service entry points such as 80 for HTTP and 22 for SSH.
  • Attackers look for exposed services, weak configs, and trusted paths.
  • Good recon reduces guesswork before exploitation starts.
$ nmap -sV -Pn target
First objective: build the battlefield map. Which hosts answer? Which ports are open? Which software versions are exposed?
80

HTTP surface

22

SSH access

443

TLS web app

Network recon
Tools

Offensive workflows need a reliable operating base

Kali Linux

  • Debian-based distro built for offensive security.
  • Comes preloaded with recon, exploitation, web, wireless, and forensic tools.
  • Portable across USB, VM, or full install.

Why it matters

Nmap

host and service discovery

Burp

web traffic and abuse

Searchsploit

local exploit lookup

Kali and toolkit
Enumeration

Nmap turns unknown space into an attack map

  • Find live hosts and reachable services.
  • Fingerprint versions to spot outdated software.
  • Prioritise interesting ports before wasting time elsewhere.
PORT     STATE  SERVICE  VERSION
22/tcp   open   ssh      OpenSSH 8.x
80/tcp   open   http     Apache / WordPress
443/tcp  open   https    TLS web portal
This is why Nmap is the opening move: it gives you the routes, protocols, likely attack surfaces, and a rational place to start instead of guessing.
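The triage step the slide describes (fingerprint versions, then prioritise ports) as a short added example; this is not code from the talk. It assumes the scan was saved with `nmap -sV -Pn -oX scan.xml target`, the XML below is constructed to mirror the port table above, and the priority weights are an assumption for a web-focused engagement.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -Pn -oX scan.xml target` output; not a real scan.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun>
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.41" extrainfo="WordPress 6.x"/></port>
      <port protocol="tcp" portid="443"><state state="open"/>
        <service name="http" product="nginx" version="1.18.0" tunnel="ssl"/></port>
      <port protocol="tcp" portid="3306"><state state="filtered"/>
        <service name="mysql"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Assumed triage weights (higher = look first); tune per engagement.
PRIORITY = {"https": 3, "http": 3, "ssh": 2, "mysql": 2}


def parse_open_ports(xml_text):
    """Return (host, port, service, version_string) for every open port."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not entry points
            svc = port.find("service")
            if svc is None:
                results.append((addr, int(port.get("portid")), "unknown", ""))
                continue
            name = svc.get("name", "unknown")
            # Nmap reports TLS-wrapped HTTP as name="http" tunnel="ssl".
            if svc.get("tunnel") == "ssl" and name == "http":
                name = "https"
            version = " ".join(
                v for v in (svc.get("product"), svc.get("version"), svc.get("extrainfo")) if v
            )
            results.append((addr, int(port.get("portid")), name, version))
    return results


def prioritise(ports):
    """Highest PRIORITY first, then lowest port number."""
    return sorted(ports, key=lambda p: (-PRIORITY.get(p[2], 1), p[1]))


def report(xml_text):
    """One line per open port, web services flagged for the next enumeration step."""
    lines = []
    for addr, port, name, version in prioritise(parse_open_ports(xml_text)):
        flag = "  <-- web surface: enumerate with WPScan / ffuf" if name in ("http", "https") else ""
        lines.append(f"{addr}:{port}/{name:<7} {version}{flag}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_XML)))
```

The filtered 3306 port is dropped, the two web ports float to the top, and the version strings are kept verbatim so they can be pasted into Searchsploit or an advisory search.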
Nmap
OSINT

The quietest recon often comes first

Google Dorks

Find exposed files, dashboards, backups, and login paths.

TheHarvester

Collect emails, hosts, and subdomains from public sources.

Recon-ng / Shodan

Enrich the picture with modular intelligence and exposed-device search.

site:example.com filetype:pdf confidential
OSINT matters because it can reveal the same forgotten weaknesses defenders left behind, without sending a single packet to the target.
OSINT
Web enumeration

Passive recon tells you what exists. Active recon tells you what still works.

Passive

  • Search engines, GitHub leaks, Wayback Machine, Shodan.
  • Silent and safe, but sometimes stale.

Active

  • ffuf, gobuster, arjun, header probing, subdomain brute force.
  • Noisier, but fresher and much richer.
ffuf -u https://target/FUZZ -w common.txt -fc 404
Directory busting often reveals admin panels, forgotten backups, writable uploads, and sensitive files such as .git or .env.
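The defender's view of the same activity, as an added example that is not part of the talk: a detector that reads combined-format web server access logs and raises an alert when one client racks up a burst of 403/404 responses, listing any probed paths that match the sensitive names above. The log lines are constructed, and the 5-miss / 60-second threshold is an assumption to tune against real traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format (method, path, status are what we need).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Path fragments worth calling out explicitly in an alert.
SENSITIVE = (".git", ".env", "backup", "wp-config", "/wp-admin", "/uploads")

# Constructed sample: one ordinary visitor (203.0.113.5) and one ffuf-style burst (198.51.100.7).
SAMPLE_LOG = """\
203.0.113.5 - - [20/Apr/2026:10:00:01 +1000] "GET / HTTP/1.1" 200 5120
203.0.113.5 - - [20/Apr/2026:10:00:09 +1000] "GET /about HTTP/1.1" 200 2210
198.51.100.7 - - [20/Apr/2026:10:01:00 +1000] "GET /admin HTTP/1.1" 404 196
198.51.100.7 - - [20/Apr/2026:10:01:00 +1000] "GET /backup HTTP/1.1" 404 196
198.51.100.7 - - [20/Apr/2026:10:01:01 +1000] "GET /.git/HEAD HTTP/1.1" 404 196
198.51.100.7 - - [20/Apr/2026:10:01:01 +1000] "GET /.env HTTP/1.1" 404 196
198.51.100.7 - - [20/Apr/2026:10:01:02 +1000] "GET /old HTTP/1.1" 404 196
198.51.100.7 - - [20/Apr/2026:10:01:02 +1000] "GET /wp-admin/ HTTP/1.1" 302 0
198.51.100.7 - - [20/Apr/2026:10:01:03 +1000] "GET /uploads/ HTTP/1.1" 403 199
203.0.113.5 - - [20/Apr/2026:10:02:30 +1000] "GET /missing-page HTTP/1.1" 404 196
"""


def parse(log_text):
    """Yield dicts for lines that fit the combined format; skip anything else."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        yield {
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "path": m["path"],
            "status": int(m["status"]),
        }


def detect_bursts(log_text, threshold=5, window_s=60):
    """Return {ip: {"misses": n, "sensitive": [paths]}} for clients that produce
    at least `threshold` 403/404 responses inside any `window_s`-second window."""
    per_ip = defaultdict(list)
    for e in parse(log_text):
        if e["status"] in (403, 404):  # "miss" = guessed path that does not exist / is denied
            per_ip[e["ip"]].append(e)
    alerts = {}
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):  # sliding window over the sorted misses
            while (events[end]["ts"] - events[start]["ts"]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                probed = sorted({e["path"] for e in events if any(s in e["path"] for s in SENSITIVE)})
                alerts[ip] = {"misses": len(events), "sensitive": probed}
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bursts(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {info['misses']} misses, sensitive paths probed: {info['sensitive']}")
```

The single 404 from the ordinary visitor never trips the threshold; the burst does, and the alert names the `.git`, `.env`, backup and uploads probes so the responder can check whether any of those actually exist on the server.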
Web recon
Why WordPress matters

WordPress still powers roughly 42% of the web

W3Techs reports WordPress is used by 42.2% of all websites and 59.6% of websites with a known CMS, which helps explain why plugin vulnerabilities remain such a valuable target for attackers.[web:11]

42.2%

of all websites use WordPress.[web:11]

59.6%

share among sites with a known CMS.[web:11]

91.9%

of WordPress sites run version 6.[web:11]

Chart: WordPress, 42.2% of all sites
Source: W3Techs, 20 Apr 2026 [web:11]
WordPress scale
Exploit chain

From vulnerable plugin to server-side impact

Discover

Find an exposed plugin and identify the version.

Correlate

Search CVEs, advisories, or Searchsploit for a matching weakness.

Exploit

Use the vulnerable path, upload, or parameter to gain execution.

Impact

Dump data, take over the site, pivot, or prove business risk.

RCE

Remote command execution on the host.

XSS / SQLi

Browser compromise or database abuse.

Privilege escalation

Unexpected admin access or workflow abuse.

Exploit path
WordPress

Plugins create speed for admins and surface area for attackers

  • WordPress powers a huge share of the web, which is exactly why it keeps appearing in attacker playbooks.
  • Core, themes, and especially plugins often leak useful version information during recon.
  • Third-party code quality varies, and old plugins often preserve old bugs long after site owners forget they exist.
  • That scale means even a small percentage of vulnerable installs can translate into a very large real-world attack surface.
users • plugins • themes
WPScan is useful because it quickly enumerates the WordPress core version, installed plugins, themes, and users, then maps these findings to known vulnerabilities.
wpscan --url https://target --enumerate u,p,t
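WPScan collects plugin versions from the outside over HTTP; the same facts sit in each plugin's header comment on the server, which is where a site owner should be reading them before an attacker does. The following is an added example, not code from the talk or from WPScan: it walks `wp-content/plugins`, reads the `Plugin Name:` / `Version:` header lines that WordPress itself uses, and flags anything below a known-fixed version. The plugin slugs, the fixture site and the minimum-version table are constructed placeholders.

```python
import os
import re
import tempfile

# The header fields WordPress reads from the leading comment of a plugin's main PHP file.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)

# Constructed placeholder table: slug -> lowest version without the known bug.
MIN_SAFE = {"example-forms": "2.1.0", "example-gallery": "1.5.2"}


def parse_version(v):
    """'1.10.2-beta' -> (1, 10, 2); trailing non-numeric labels are ignored."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts) or (0,)


def read_plugin_header(plugin_dir):
    """Return (name, version) from the first PHP file in plugin_dir that carries a plugin header."""
    for fname in sorted(os.listdir(plugin_dir)):
        if not fname.endswith(".php"):
            continue
        with open(os.path.join(plugin_dir, fname), encoding="utf-8", errors="replace") as f:
            head = f.read(8192)  # WordPress only inspects the first 8 KiB for headers
        fields = dict(HEADER_RE.findall(head))
        if "Plugin Name" in fields:
            return fields["Plugin Name"], fields.get("Version", "0")
    return None


def audit_plugins(plugins_root, min_safe=MIN_SAFE):
    """Return [(slug, installed_version, minimum_safe_version)] for out-of-date plugins."""
    findings = []
    for slug in sorted(os.listdir(plugins_root)):
        path = os.path.join(plugins_root, slug)
        if not os.path.isdir(path):
            continue
        header = read_plugin_header(path)
        if header is None:
            continue  # not a plugin directory (or no readable header)
        _name, version = header
        if slug in min_safe and parse_version(version) < parse_version(min_safe[slug]):
            findings.append((slug, version, min_safe[slug]))
    return findings


def build_demo_site():
    """Create a constructed wp-content/plugins tree in a temp dir and return its path."""
    root = tempfile.mkdtemp()
    plugins = os.path.join(root, "wp-content", "plugins")
    fixtures = {
        "example-forms": ("Example Forms", "2.0.4"),      # below MIN_SAFE -> flagged
        "example-gallery": ("Example Gallery", "1.5.2"),  # equal to MIN_SAFE -> fine
        "example-seo": ("Example SEO", "3.0.0"),          # not in the table -> skipped
    }
    for slug, (name, version) in fixtures.items():
        os.makedirs(os.path.join(plugins, slug))
        with open(os.path.join(plugins, slug, slug + ".php"), "w", encoding="utf-8") as f:
            f.write(f"<?php\n/*\nPlugin Name: {name}\nVersion: {version}\n*/\n")
    return plugins


if __name__ == "__main__":
    for slug, have, need in audit_plugins(build_demo_site()):
        print(f"{slug}: installed {have}, fixed in {need}")
```

Run against a real install, point `audit_plugins` at the site's `wp-content/plugins` directory and fill `MIN_SAFE` from the vendor advisories the Correlate step refers to; a plugin that is missing from the table is reported nowhere, so keep the table in step with the plugin inventory.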
WordPress recon
Demo

Live attack path

  • Identify the WordPress site and fingerprint exposed components.
  • Enumerate plugins and versions with WPScan and browser recon.
  • Match a vulnerable plugin to a known exploit path.
  • Show controlled exploitation and explain impact, not chaos.
  • Close by mapping the weakness to a defensive fix.
demo flow
recon -> enumerate -> validate -> exploit -> explain
The goal of the demo is clarity. Every action should answer one question: what did we learn, why did it work, and how should it be fixed?
Audience takeaway

Exploitation is not magic. It is usually the result of methodical recon, weak patching, and small mistakes chained together.

Demo
OffSec mindset

Try → fail → learn → apply → grow

Why students get stuck

Recon is messy. Results are incomplete. Exploits fail. Payloads break. That is normal.

Why practitioners improve

Repeating the loop builds pattern recognition, confidence, and better decision-making under uncertainty.

failure is part of the methodology
Learning loop
Closing

Know the battlefield. Prove the risk. Stay ethical.

Networks, enumeration, WordPress plugins, and exploit chains all matter — but the lasting skill is disciplined thinking and legal, responsible practice.

Thank you
Closing slide