wordpress-cors-xmlrpc-rce-chain
CommunityWordPress RCE chain via CORS, XMLRPC, open reg
Authoruphiago
Version1.0.0
Installs0
System Documentation
What problem does it solve?
This skill eliminates the manual, error-prone work of chaining multiple common WordPress misconfigurations to achieve remote code execution during penetration testing and red team engagements, reducing exploitation time from hours to minutes.
Core Features & Use Cases
- Proven Field-Validated Chain: Combines CORS credential reflection, XMLRPC abuse, and open registration into a reliable end-to-end exploitation workflow tested across 58+ company targets in mass recon campaigns.
- Blocker Bypass Guidance: Includes workarounds for common chain breakers like subscriber role upload restrictions, staging environment XMLRPC 405 errors, and failed IMDS SSRF attempts via pingback.ping.
- Real-World Examples: Documents actual target case studies including ecommerce-wine.com, senior-living-platform.com, and mattress-retailer.com to illustrate chain application and edge case handling. Red teamers and penetration testers can use this skill to quickly validate and exploit chained WordPress vulnerabilities during authorized security assessments.
Quick Start
Use this skill to execute the full WordPress CORS → XMLRPC → RCE attack chain against a target WordPress instance that has CORS credential reflection, enabled XMLRPC, or open user registration enabled.
Dependency Matrix
Required Modules
None requiredComponents
Standard package💻 Claude Code Installation
Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.
Please help me install this Skill: Name: wordpress-cors-xmlrpc-rce-chain Download link: https://github.com/uphiago/recon-skills/archive/main.zip#wordpress-cors-xmlrpc-rce-chain Please download this .zip file, extract it, and install it in the .claude/skills/ directory.
Agent Skills Search Helper
Install a tiny helper to your Agent, search and equip skill from 536,000+ vetted skills library on demand.