WordPress Enumeration Strategy for Version-Specific Testing

Hi all,

I’m a beginner working on an authorized VDP target running WordPress. I’ve already identified the core version and started basic recon, and I’d like to refine my enumeration approach before moving further.

Current findings:

  • WordPress version identified: WordPress 6.7.5

  • Initial plugin/theme discovery:

    • wp-job-openings

    • simply-schedule-appointments

    • elementor

    • counter-number-showcase

    • elementor-pro

  • Web Server: LiteSpeed
    AS Names: AS-HOSTINGER, CY

  • Theme: twentynineteen

Looking for guidance on:

  1. Efficient techniques for deep enumeration of:

    • Plugins/themes (including hidden ones)

    • Users and roles

    • Exposed endpoints (REST API, XML-RPC, etc.)

  2. Reliable ways to correlate enumeration results with known vulnerabilities (CVE mapping)

  3. Recommended tools/workflows for structured WordPress recon

  4. Common mistakes beginners make during enumeration

I’m aiming to build a solid methodology, so any clear explanations or practical tips would really help.

Thanks!

sigh

This is why you read, to answer the questions you’re asking. I’m not doing the work for you dude. Go read up on the tools that do WordPress enumeration, then come back and ask better questions.


Bro, I tried my best using that tool; they get easily blocked by the Wordfence. I tried IP spoofing, header changing, nothing works.

Yeah, it’s unhackable

That’s why we are here bro, don’t give up, every machine has vulnerabilities we can find. If you have any valuable info please share it with me. With our collective work we can make an unhackable system hackable. We have to find all the APIs that these Wordfence systems use and target that …

We can’t, this system is so unhackable. It’s just too sophisticated. I am sorry, bud.

There’s that ‘we’ again. Like what kind of proxy bull is this? Lol. Why don’t you tell ‘we’ that you might need some more skillz


This is killin’ me Hahahahaha

At least I tried my best to motivate him lol 😅