If some piece of software has a vulnerability, a hacker might take advantage of this vulnerability (exploit it) to make the software do something it wasn’t originally intended to do. When the intent of the code might be to load an extension to carry out a specific task, exploiting a vulnerability might change the way the code behaves, so instead of loading extension code, the wp-config.php file is loaded and displayed instead. That has bad consequences since sensitive information has been exposed.

Used as a noun, exploit refers to a piece of code written to take advantage of a specific vulnerability. There are numerous sites providing exploit code for vulnerabilities affecting WordPress, and penetration testers use sophisticated frameworks like Metasploit that include exploits for a large number of vulnerabilities and reduce the code a hacker needs to write to exploit a new vulnerability.

Discovering a vulnerability often takes a degree of skill, and this limits the number of people able to take advantage of a specific vulnerability. But writing exploit code for that vulnerability automates the process of take advantage of it, and anyone possessing the exploit code can run the code and take advantage of the vulnerability (e.g. display wp-config.php).

How Many Exploits Are Available for WordPress?

Lots. exploit-db.com lists over 1,000 pieces of code that exploit specific bugs in WordPress or in plugins or themes. Metasploit includes several hundred exploits for WordPress.

All these exploits require minimal skill to run against a given WordPress installation – something that should worry WordPress site owners who don’t have protection against common WordPress attacks.

Similar Posts

Leave a Reply