Latest commit: June 13, 2017 14:29

Malicious WordPress plugin

This utility simply generates a WordPress plugin that will grant you a reverse shell once uploaded. I recommend installing Kali Linux, as MSFvenom is used to generate the payload.

It goes without saying that in order for this method to be effective, you must have credentials for a valid user account with rights to add plugins to the WordPress website ;)

Usage Example

root@wetw0rk:~# python
__        __            _
\ \      / /__  _ __ __| |_ ____      ___ __
 \ \ /\ / / _ \|  __/ _  |  _ \ \ /\ / /  _ \
  \ V  V / (_) | | | (_| | |_) \ V  V /| | | |
   \_/\_/ \___/|_|  \__,_| .__/ \_/\_/ |_| |_|

Example: 8888 Y

How and When do I use this?

Usage is simple: pass wordpwn your listening address and listening port, then run the script. You are also given the option to start a handler, which I recommend, since by default the plugin is built around a php/meterpreter/reverse_tcp reverse shell. If you have your own nefarious PHP payload, simply adjust the script to accept it.

After the script has run, a zip file (the plugin) will be created in the current directory (and a handler will be started if you requested it with the Y option). Upload this zip file as a new plugin by browsing to http://(target)/wp-admin/plugin-install.php?tab=upload. Once uploaded, you have to activate the plugin.

Be sure to start your listener (if you didn't request the handler with the Y option)!

Once the plugin is installed and activated, just navigate to one of the following URLs to launch the reverse shell:

  • http://(target)/wp-content/plugins/malicious/wetw0rk_maybe.php
  • http://(target)/wp-content/plugins/malicious/QwertyRocks.php

Note: if the script usage is still a mystery to you, JavaRockstar has made a tutorial on his website HackingVision about it.
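The upload-then-browse sequence described above is also what a site owner can look for in the web server logs. As an added example (not part of wordpwn or the original README), this Python script scans constructed Apache access-log lines for a client that visits the plugin upload screen and then requests a plugin's PHP file directly, which is how the shell is triggered here; the update.php?action=upload-plugin POST target and the sample log lines are assumptions, not taken from the page.

```python
import re

# Constructed Apache combined-format log lines (not from the page): one client
# uses the plugin upload screen and then requests the dropped plugin's PHP file
# directly; a second client only loads normal site assets.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Jun/2017:14:29:01 +0000] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Jun/2017:14:29:09 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Jun/2017:14:29:40 +0000] "GET /wp-content/plugins/malicious/wetw0rk_maybe.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.4 - - [13/Jun/2017:14:30:02 +0000] "GET /wp-content/plugins/akismet/_inc/akismet.js HTTP/1.1" 200 11000 "-" "Mozilla/5.0"
198.51.100.4 - - [13/Jun/2017:14:30:05 +0000] "GET /index.php HTTP/1.1" 200 30000 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method and request path from a combined-format line.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')
# The upload screen from the README plus the (assumed) form POST target.
UPLOAD_RE = re.compile(r'^/wp-admin/(plugin-install\.php\?tab=upload|update\.php\?action=upload-plugin)')
# A PHP file requested directly from inside a plugin directory.
PLUGIN_PHP_RE = re.compile(r'^/wp-content/plugins/(?P<plugin>[^/]+)/.*\.php(\?|$)')

def find_plugin_shell_activity(log_text, known_direct_plugins=frozenset()):
    """Return one alert per direct request to a plugin PHP file, flagging
    whether the same client used the plugin upload screen earlier in the log.
    Plugins that legitimately expose direct endpoints go in known_direct_plugins."""
    uploaders = set()
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, path = m['ip'], m['ts'], m['path']
        if UPLOAD_RE.match(path):
            uploaders.add(ip)
            continue
        p = PLUGIN_PHP_RE.match(path)
        if p and p['plugin'] not in known_direct_plugins:
            alerts.append({
                'ip': ip, 'time': ts, 'plugin': p['plugin'], 'path': path,
                'after_upload': ip in uploaders,  # higher confidence when True
            })
    return alerts

if __name__ == '__main__':
    for alert in find_plugin_shell_activity(SAMPLE_LOG):
        print(alert)
```

Some plugins do serve their own PHP endpoints directly, so populate the allowlist from the plugins actually installed on the site before acting on alerts. Defining DISALLOW_FILE_MODS as true in wp-config.php removes the upload path this tool depends on altogether.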


I want to be 100% sure that I give credit to Rob Carr. Rob Carr is the author of the Metasploit module wp_admin_shell_upload, which this script is based on. You can find more information on his module at Rapid7.

