Here is the way I usually follow to test a Wordpress install.

Information gathering

Get basic informations with WPScan:

wpscan -r --enumerate u --url http://www.example.com

If it can’t retrieve the user list, try to use provided script stop_user_enumeration_bypass.rb For each user found, try to brute with basic passwords:

wpscan -r --url http://www.example.com --wordlist /Wordlists/Passwords/best1050.txt --username <username>

If the version of Wordpress has been found, download it from the official archive directory: https://wordpress.org/download/release-archive/

Open the tested website and take a look at the source to find those strings: wp-content/themes and wp-content/plugins This could reveal more themes/plugins.

...

I already wrote a post about Amazon S3 buckets but they became so popular these last weeks that many people explain what is a bucket, what is the danger and how to exploit misconfiguration. My goal here is more: how/where to find those vulnerable buckets.

First I assume you already know the basics, if not, you can read the excellent article from Frans Rosen on Detectify.

...

Project

  • Find Amazon s3 buckets:
    s3-buckets-bruteforce /opt/SecLists/mine/s3-buckets.txt <project>-
    if found: s3-buckets-extractor <bucket>
  • Explore GitHub account:
    github-search -o <project> -r 1000 -s password
    gitrob analyze quizlet --no-color --no-server
...

Here is a non exhausted list of vulnerabilities that I use as a reminder with links for reference. It’s based on many different resources available on the Internet.

...

Actarus is a custom tool that can perform automatic recon and store all datas in a database. Afterwards you could consult/search keywords in it to find vulnerabilities or at least entry points.

After some months of inactivity, I finally decided to publicly release the source code of Actarus. I started this project to learn Symfony, now I hate it. Maybe someone will give him another chance to grow up.

...