Share
## https://sploitus.com/exploit?id=D1100CFF-3DB0-577C-9AFF-A4DA7D5B1EFA
Advanced WordPress Vulnerability Scanner & AI-Powered Exploitation Framework
---
## What is WP-Hijack?
**WP-Hijack** is a full-featured, open-source WordPress security scanner built for
penetration testers, bug bounty hunters, and red teams. It runs a **10-phase async
pipeline** โ from passive recon to AI-generated exploit code โ with **zero required
API keys** (works 100% offline with Ollama).
> **DETECT โ CONFIRM โ AI EXPLOIT**
>
> Every vulnerability is actively confirmed with an HTTP proof-of-exploit before AI
> generates a working Python PoC, cURL command, and a business-impact summary.
---
## Highlights
| Area | What it does |
|---|---|
| **CMS Detection** | 7-signal WordPress fingerprinting incl. `/wp-json/` REST API & `Link: api.w.org` header |
| **Enumeration** | 53-slug plugin wordlist + 23-slug theme wordlist โ works on hardened / CDN-fronted sites |
| **User Discovery** | 4 methods: REST API, author archives (URL + body), login oracle, XML-RPC multicall |
| **Active Tests** | XML-RPC abuse ยท REST API checks ยท login oracle ยท 70+ sensitive file paths ยท safe SQLi/XSS |
| **VulnDB** | Bundled SQLite DB (offline) + live WPVulnerability.net API โ no API key required |
| **AI Workflow** | Ollama (local/free), OpenAI, Anthropic, Gemini โ summaries, exploit drafting, FP filter, chat |
| **Reporting** | Dark-mode HTML ยท PDF ยท JSON ยท Markdown โ all from one scan |
| **Resilience** | Exponential-backoff HTTP retry ยท URL typo detection ยท WAF evasion hints |
---
## Installation
```bash
git clone https://github.com/kdo2064/wp-Hijack
cd wp-Hijack
python -m venv .venv
```
```bash
# Windows
.venv\Scripts\activate
# Linux / macOS
source .venv/bin/activate
```
```bash
pip install -e .
wp-hijack --version
```
### Use Local AI โ No API Key Needed
```bash
# Install Ollama from https://ollama.com, then:
ollama pull llama3
ollama serve
wp-hijack scan https://target.tld --yes-ai
```
---
## Quick Start
```bash
# Basic scan
wp-hijack scan https://target.tld
# Scan + auto AI analysis (no prompt)
wp-hijack scan https://target.tld --yes-ai
# Deep scan โ cautious checks + verbose terminal output
wp-hijack scan https://target.tld --cautious --verbose
# Bulk scan from a file (one URL per line)
wp-hijack scan --file targets.txt --output reports
# Interactive AI chat after scan
wp-hijack scan https://target.tld --chat
# Update vulnerability database
wp-hijack update-db
```
---
## Commands & Flags
### Commands
| Command | Purpose |
|---|---|
| `wp-hijack scan ` | Scan a single target |
| `wp-hijack scan --file targets.txt` | Bulk scan from file |
| `wp-hijack update-db` | Refresh local vuln DB from NVD feeds |
| `wp-hijack model-list` | List available Ollama models |
| `wp-hijack model-select` | Choose and save active Ollama model |
| `wp-hijack show-config` | Print resolved config (secrets masked) |
| `wp-hijack chat-report report.json` | AI chat against an existing report |
### Scan Flags
```text
--file Bulk mode from a text file
--config Use a custom config file
--output Change the report output directory
--no-ai Disable AI for this run
--no-confirm Skip active confirmation checks
--cautious Slower, more thorough confirmations
--markdown Also write a Markdown report
--chat Start interactive AI chat after the scan
--model Override AI model for one run
--provider Override AI provider for one run
--verbose Show detailed finding cards in the terminal
--yes-ai Auto-run AI analysis (skip prompt)
--no-ai-prompt Do not ask for AI analysis after scan
```
---
## Configuration
Default behavior is controlled through [`config.json`](config.json):
```json
{
"ai": {
"enabled": true,
"provider": "ollama",
"model": "llama3",
"base_url": "http://localhost:11434/v1"
},
"scanner": {
"threads": 10,
"timeout": 15,
"verify_ssl": false
},
"confirmation": {
"run_confirmations": true,
"allow_cautious_tests": false
},
"reporting": {
"pdf_enabled": true,
"html_enabled": true,
"json_enabled": true,
"markdown_enabled": false
}
}
```
| Provider | `"provider"` value | API Key |
|---|---|:---:|
| Ollama (local) | `"ollama"` | No (free) |
| OpenAI | `"openai"` | Yes |
| Anthropic | `"anthropic"` | Yes |
| Google Gemini | `"gemini"` | Yes |
Run `wp-hijack show-config` to inspect the effective runtime config.
---
## Output & Reports
Reports are saved to `./reports` by default:
| Format | File | Description |
|---|---|---|
| **JSON** | `wp_hijack_.json` | Full machine-readable scan data |
| **HTML** | `wp_hijack_.html` | Dark-mode styled browser report |
| **PDF** | `wp_hijack_.pdf` | Printable client report *(needs WeasyPrint)* |
| **Markdown** | `wp_hijack_.md` | Plain-text โ add `--markdown` flag |
---
## Project Layout
```text
wp_hijack/
โโโ cli.py CLI entry point (Typer)
โโโ scanner.py 10-phase pipeline orchestrator
โโโ recon.py Passive recon โ IP, SSL, headers, title
โโโ http_client.py Async HTTP โ UA rotation, retry, proxy
โโโ config.py Config loading & validation
โโโ ai/ AI providers, exploit gen, chat, scoring
โโโ cms/ CMS detection (WordPress, Joomla, Drupal)
โโโ enumerators/ Plugin / theme / user enumeration
โโโ active_tests/ XML-RPC, REST API, SQLi/XSS, file exposure
โโโ pipeline/ DETECT โ CONFIRM data models
โโโ vulndb/ SQLite DB + WPVulnerability.net client
โโโ waf/ WAF fingerprinting & evasion
โโโ reporting/ JSON / HTML / PDF / Markdown writers
โโโ templates/ Jinja2 HTML report template
```
---
## Roadmap
| Status | Feature |
|:---:|---|
| Done | 10-phase async pipeline |
| Done | Multi-AI (Ollama / OpenAI / Anthropic / Gemini) |
| Done | DETECT โ CONFIRM โ AI EXPLOIT chain |
| Done | 53-plugin + 23-theme wordlist probing |
| Done | Exponential-backoff HTTP retry & URL typo detection |
| Done | Dark-mode HTML + PDF + JSON + Markdown reports |
| In Progress | WooCommerce-specific vuln checks |
| In Progress | Nuclei template export |
| Planned | Docker image |
| Planned | Web dashboard (Flask) |
| Planned | Shodan recon integration |
| Planned | Auto exploit chaining (multi-CVE) |
---
## Contributing
```bash
git clone https://github.com//wp-Hijack
git checkout -b feature/my-feature
# make your changes
git commit -m "feat: describe your change"
git push origin feature/my-feature
# open a Pull Request on GitHub
```
| Area | Where |
|---|---|
| Bug reports | [Open an issue](https://github.com/kdo2064/wp-Hijack/issues) |
| New active-test modules | `wp_hijack/active_tests/` |
| Vuln DB entries | `wp_hijack/vulndb/vulns.json` |
| Better AI prompts | `wp_hijack/ai/exploit_prompts.py` |
| New CMS support | `wp_hijack/cms/` |
---
## Legal Disclaimer
> **Authorized use only.**
>
> You must have **explicit written permission** from the system owner before running any
> scan. Unauthorized scanning is illegal under the CFAA, Computer Misuse Act, and
> equivalent laws worldwide.
>
> The developer (**KDO || Xpert Exploit**) assumes **zero liability** for any misuse,
> damage, or legal consequences from using this software.
>
> You own the target | You have written authorization | Legal testing environment
>
> **Scan responsibly. Hack ethically.**
---
## Author
KDO || Xpert Exploit
GitHub
ยท
Issues
ยท
Project
---
If WP-Hijack helped you, consider starring the repo โ it means a lot.
Made for the security community ยท use it to protect, not to harm.