Automate Recon and scanning process with Vidoc. All security teams in one place
By kannthu
The "Wordpress Git Config" module is a test case designed to detect misconfigurations in WordPress themes and plugins. It searches for the presence of the pattern ".git/config" within the respective folders. This module has an informative severity level and was authored by nerrorsec.
If the ".git/config" file is exposed in the themes or plugins folder of a WordPress site, it can potentially leak sensitive information about the site's configuration and version control history. This information could be exploited by attackers to gain unauthorized access or gather intelligence for further attacks.
The "Wordpress Git Config" module sends HTTP requests to the following paths:
- /wp-content/plugins/.git/config
- /wp-content/themes/.git/config
It then applies the following matching conditions:
- The response body must contain the "[core]" keyword. - The response body must not contain the "If all the conditions are met, the module considers the presence of the ".git/config" file as a potential misconfiguration and reports it.For more information, you can refer to the HackerOne report related to this module.
Metadata: max-request: 2