We saw that Stapler had a web application running on port 12380, hosting WordPress. In this recipe, we are going to look at how to perform password-cracking attacks on the WordPress login panel. The tool we will be using in this case is WPScan.
WPScan is a WordPress scanner. Its functionality includes enumerating the WordPress version and vulnerable plugins, listing available plugins, and wordlist-based password cracking.
wpscan -u https://<IP address>:12380/blogblog/ --enumerate u
The output will be as shown in the following screenshot:
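Seen from the server side, user enumeration and wordlist-based password guessing against the login panel leave a recognizable pattern in the web access log. The following is an added example, not part of the original recipe: it flags clients that walk author archives (`?author=N`, one common way WordPress usernames are enumerated) or send repeated POSTs to the login endpoints. The log lines are constructed, and the Apache combined log format, the thresholds and the function names are assumptions.

```python
import re
from collections import defaultdict

def _line(ip, method, uri, status):
    # Build one constructed access-log line (Apache "combined" format assumed).
    return (f'{ip} - - [12/Mar/2024:10:00:00 +0000] '
            f'"{method} {uri} HTTP/1.1" {status} 512 "-" "-"')

# Constructed sample traffic, not real data.
SAMPLE_LOG = "\n".join(
    [_line("10.0.0.5", "GET", f"/blogblog/?author={n}", 301) for n in (1, 2, 3)]
    + [_line("10.0.0.5", "POST", "/blogblog/wp-login.php", 200) for _ in range(5)]
    + [_line("10.0.0.9", "GET", "/blogblog/", 200),
       _line("10.0.0.9", "POST", "/blogblog/wp-login.php", 302)]
)

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" ')
AUTHOR_RE = re.compile(r'[?&]author=\d+')
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

def analyse(log_text, enum_threshold=3, login_threshold=5):
    """Return {client_ip: [findings]} for clients exceeding either threshold."""
    author_ids = defaultdict(set)   # distinct ?author=N values requested per client
    login_posts = defaultdict(int)  # POSTs to login endpoints per client
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, uri = m.groups()
        path = uri.split("?", 1)[0]
        author = AUTHOR_RE.search(uri)
        if method == "GET" and author:
            author_ids[ip].add(author.group())
        elif method == "POST" and path.endswith(LOGIN_PATHS):
            login_posts[ip] += 1
    findings = {}
    for ip in set(author_ids) | set(login_posts):
        tags = []
        if len(author_ids[ip]) >= enum_threshold:
            tags.append("user-enumeration")
        if login_posts[ip] >= login_threshold:
            tags.append("password-guessing")
        if tags:
            findings[ip] = tags
    return findings

if __name__ == "__main__":
    for ip, tags in analyse(SAMPLE_LOG).items():
        print(ip, ", ".join(tags))
```

In production the counts would be taken over a sliding time window, and the same thresholds can drive rate limiting or lockout on the login endpoints.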