Content management systems (CMS) such as WordPress, Drupal, and Joomla make up the vast majority of the internet. According to a survey performed by W3Techs, 62% of the internet is run on a CMS and 39.1% of the internet is run on WordPress. As an attacker, this means the vast majority of the sites you are going to be going up against will be run by a CMS.


As of right now over a quarter (25%) of the internet is built using WordPress. This is useful to know because that means a single exploit has the potential to impact a large portion of your target’s assets. There are in fact hundreds of exploits and misconfigurations impacting WordPress and its associated plugins. One common tool to scan for these vulnerabilities is wpscan:


The only thing that’s annoying about this tool is that it’s written in Ruby; I prefer tools written in Python or Golang. During the fingerprinting phase you should’ve discovered the technologies running on your target’s assets, so it should be easy to search for sites running WordPress. Once you find a site, scan it with wpscan as shown below:

● wpscan --url <URL>

The vast majority of the sites you scan are going to be patched. This is because most of these WordPress sites are managed by third-party vendors who perform automatic updates. However, you will run into vulnerable plugins quite frequently, but many of these exploits require credentials. Another thing I find all the time is directory listing on the uploads folder. Always make sure to check:

“/wp-content/uploads/”

You can often find sensitive information such as user emails, passwords, paid digital products, and much more.
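An added example (not from the original post) of how a site owner can check their own uploads directory for this exposure: it decides whether a response is a server-generated index and flags listed files with risky extensions. The marker patterns, the extension list and the sample response are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Title/heading markers emitted by common auto-index pages (Apache, nginx, IIS).
LISTING_MARKERS = re.compile(r"<title>\s*Index of /|<h1>\s*Index of /|\[To Parent Directory\]", re.I)
# Assumption: extensions an owner would not expect to be publicly browsable.
RISKY_EXT = (".sql", ".zip", ".bak", ".csv", ".log", ".tar.gz")

class _Links(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)

def is_directory_listing(status, body):
    """True when a 200 response body looks like a server-generated index."""
    return status == 200 and bool(LISTING_MARKERS.search(body))

def listed_entries(body):
    """Entries in the index, skipping sort links (?C=N;O=D) and parent links."""
    p = _Links()
    p.feed(body)
    return [h for h in p.hrefs if not h.startswith(("?", "/", "../"))]

def audit(status, body):
    if not is_directory_listing(status, body):
        return {"listing": False, "entries": [], "risky": []}
    entries = listed_entries(body)
    risky = [e for e in entries if e.lower().endswith(RISKY_EXT)]
    return {"listing": True, "entries": entries, "risky": risky}

# Constructed sample: Apache-style index of /wp-content/uploads/.
SAMPLE = """<html><head><title>Index of /wp-content/uploads</title></head><body>
<h1>Index of /wp-content/uploads</h1><table>
<tr><th><a href="?C=N;O=D">Name</a></th></tr>
<tr><td><a href="/wp-content/">Parent Directory</a></td></tr>
<tr><td><a href="2021/">2021/</a></td></tr>
<tr><td><a href="customers-export.csv">customers-export.csv</a></td></tr>
<tr><td><a href="backup.sql">backup.sql</a></td></tr>
</table></body></html>"""

if __name__ == "__main__":
    print(audit(200, SAMPLE))
```

If the audit reports a listing, disabling auto-indexing on the web server (for example `Options -Indexes` on Apache or `autoindex off` on nginx) removes the index page.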


Drupal is the third most popular CMS, yet I seem to run into Drupal sites more than Joomla. If you find a Drupal site, you want to use droopescan to scan it. This scanner can also scan additional CMSs:

● python3 droopescan scan drupal -u <URL Here> -t 32


WordPress is by far the most popular CMS with over 60% of the market share. Joomla comes in second, so you can expect to run into this CMS as well. Unlike WordPress sites, which seem to be fairly locked down, Joomla is a mess. If you want to scan for vulnerabilities, the most popular tool is Joomscan:

● perl -u <URL Here>

Adobe AEM:

If you ever run into the Adobe AEM CMS you’re about to find a whole bunch of vulnerabilities. 99% of the time this is an instant win! This CMS is riddled with public vulnerabilities and I’m 100% positive there are hundreds more zero days. Seriously this is one of the worst CMSs I have ever seen. If you want to scan an AEM application for vulnerabilities use the tool aemhacker:
● python -u <URL Here> --host

Note that in order to test for the SSRF vulnerabilities you need to have a public IP that the target server can connect back to.


There are hundreds of different CMSs so it wouldn’t be practical for me to mention every single one of them. The vast majority of sites are going to be running WordPress, Joomla, and Drupal but you still might run into other CMSs.

If you come across a CMS you haven’t seen before, the first step is to go to exploit-db and see if it has any known CVEs:
For instance, if I discover a CMS named “Magento” I would perform the following search on exploit-db:

In addition to finding single exploits, you want to search GitHub to see if there is a tool that can scan for all the possible vulnerabilities and misconfigurations. Like the tools for WordPress, Drupal, Joomla, and Adobe AEM, there are scanners that target other platforms.
As it turns out there is a Magento vulnerability scanner called magescan so we can just use that:
Make sure to use this process whenever you come across a CMS framework you don’t

Over half of the internet is being run by a CMS framework. So, you are almost guaranteed to run into a CMS at one point or another. When you do find a CMS, you don’t want to waste time manually testing the endpoint; you want to test for known CVEs and misconfigurations. The best way to do this is to find some sort of CMS-specific vulnerability scanner. If you can’t find that, you can try searching exploit-db and Google for known CVEs. If you still come up empty-handed, it’s probably best to move on unless you’re hunting for zero days.
