wpCodeGrabber is a simple script that facilitates the download of WordPress website code (active theme + installed plugins) directly from the wp-admin panel. This can be particularly useful for scenarios where direct access to cPanel or the web server is not available. Additionally, it can serve as a handy tool for auditing code for security vulnerabilities when access is limited to the wp-admin panel.

Tested with WordPress 6.4.
For the script to function properly, ensure the following conditions are met:

- Theme and Plugin Editing should be enabled from the wp-admin panel (default behaviour).
- The `wordpress_sec_xxxxxxxx` cookie of a WordPress account able to edit themes and plugins from the wp-admin panel (e.g. admin) should be provided.
- Clone the repository:

  ```bash
  git clone https://github.com/trap-bytes/wpCodeGrabber.git
  ```

- Navigate to the wpCodeGrabber directory:

  ```bash
  cd wpCodeGrabber
  ```

- Install the required dependencies:

  ```bash
  pip install -r requirements.txt
  ```
To run the script:

```bash
python3 wpCodeGrabber.py -u <WordPress_URL> -c "<Cookies>"
```

Replace `<WordPress_URL>` with the URL of the WordPress site and `<Cookies>` with the cookie string to be sent with the request. The `wordpress_sec_xxx=xyz` cookie value alone should be enough to run the script.
Optionally, you can specify additional options:

- `-t` or `--theme`: Download theme files only.
- `-p` or `--plugin`: Download plugin files only.
- `-e` or `--extension`: Specify additional extensions for file types.
- `-o` or `--output`: Specify the output directory where the code will be saved.
To download theme files only, including `.svg` files, from a WordPress site with the URL `https://example.com` and cookie `wordpress_sec_xxx=xyz`, you would run:

```bash
python3 wpCodeGrabber.py -u https://example.com -c "wordpress_sec_xxx=xyz" -t -e svg
```

Note: You have to substitute the `wordpress_sec_xxx` cookie name and value with the ones returned by the WordPress website after login.
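As an added example (not part of the wpCodeGrabber project), here is the defender-side counterpart: a Python detection that scans web-server access logs for clients reading many files through the wp-admin code editor pages in a short window, which is the footprint a bulk code download like this leaves. It assumes the editor endpoints are the standard WordPress `/wp-admin/theme-editor.php` and `/wp-admin/plugin-editor.php` paths and that the server writes Apache combined-format logs; the log lines are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2024:10:00:01 +0000] "GET /wp-admin/theme-editor.php?file=functions.php&theme=twentytwentyfour HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.5 - - [10/Jan/2024:10:00:02 +0000] "GET /wp-admin/theme-editor.php?file=style.css&theme=twentytwentyfour HTTP/1.1" 200 3100 "-" "python-requests/2.31"
203.0.113.5 - - [10/Jan/2024:10:00:02 +0000] "GET /wp-admin/plugin-editor.php?file=akismet/akismet.php&plugin=akismet/akismet.php HTTP/1.1" 200 4000 "-" "python-requests/2.31"
203.0.113.5 - - [10/Jan/2024:10:00:03 +0000] "GET /wp-admin/plugin-editor.php?file=akismet/class.akismet.php&plugin=akismet/akismet.php HTTP/1.1" 200 9000 "-" "python-requests/2.31"
198.51.100.7 - - [10/Jan/2024:10:05:00 +0000] "GET /wp-admin/theme-editor.php HTTP/1.1" 200 6000 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2024:10:30:00 +0000] "GET /wp-admin/plugin-editor.php HTTP/1.1" 200 6000 "-" "Mozilla/5.0"
"""

# client ip, timestamp, request path, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')
# Standard WordPress code-editor pages (assumed to be what a grabber reads from).
EDITOR_PATHS = ("/wp-admin/theme-editor.php", "/wp-admin/plugin-editor.php")

def parse_editor_hits(log_text):
    """Return (ip, timestamp) pairs for successful requests to the editor pages."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, path, status = m.groups()
        if status != "200" or path.split("?", 1)[0] not in EDITOR_PATHS:
            continue
        hits.append((ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")))
    return hits

def find_bulk_readers(log_text, threshold=3, window=timedelta(minutes=5)):
    """IPs that fetched at least `threshold` editor pages inside any `window`."""
    by_ip = defaultdict(list)
    for ip, ts in parse_editor_hits(log_text):
        by_ip[ip].append(ts)
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted hits
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return sorted(flagged)

if __name__ == "__main__":
    print(find_bulk_readers(SAMPLE_LOG))   # ['203.0.113.5']
```

A human editing one file by hand (the second client) stays below the threshold, while a scripted crawl of every theme and plugin file trips it; tune `threshold` and `window` to the site's normal admin activity.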
