Blog

🚀 PwnPress Framework CLI v1.3.1 – Updated JDK and now Kali-ready

By pwnpress • September 7, 2025

The wait is over — PwnPress Framework just got a fresh upgrade with version 1.3.1. Whether you’re deep into pentesting, solving CTFs, or just fed up with the limits of tools like WPScan, this release brings powerful new improvements that make WordPress security testing smoother than ever.

---

## 🆕 What’s new in v1.3.1

This release is small but mighty — here’s what’s packed inside:

- **JDK upgrade**: We’ve moved from OpenJDK 17 to **OpenJDK 21**, ensuring compatibility with modern systems and better performance.
- **Kali Linux support**: Thanks to the JDK bump, PwnPress now installs and runs flawlessly on **Kali Linux** (tested on 2025.2). Yes, it’s finally at home in the world’s favorite pentesting distro.

  ![PwnPress console on Kali Linux](https://raw.githubusercontent.com/amtzespinosa/pwnpress/refs/heads/main/pwnpress_img/pwnpress_kali.png)

- **HTTP support for CTFs**: You asked, we listened. PwnPress can now scan plain **HTTP endpoints**, making it perfect for local labs and capture-the-flag challenges.

  ```bash
  [!] Warning: Connection to http://localhost:8080/ is not encrypted (HTTP only).
  [+] WordPress detected: http://localhost:8080/
  [+] Scanning: http://localhost:8080/
  ```

- **Extra fingerprinting:** Improved server and security detection helps you map out defenses more accurately — spotting WAFs, server tech, cookies, and more.

  ```bash
  [+] Server fingerprinting:
  ├─ Server: Sucuri/Cloudproxy
  ├─ IP Address: 192.124.249.21
  ├─ WAF / Security:
  |   - Sucuri WAF detected
  └─ Cookies:
     └─ No cookies set in response.
  ```

---

## 🔧 Core features (still rocking)

- ✅ Automated scanning for WordPress vulnerabilities
- ✅ Batch target validation and filtering by version status
- ✅ Directory scraping for hidden files
- ✅ WordPress phishing page generator
- ✅ XML-RPC brute forcing (`system.Multicall`)
- ✅ Request crafting & settings management

👉 With more exploitation features **coming soon** (SQLi, XSS, RCE, SSRF, file upload tests).

---

## ⚡ Installation

You’ve got options — pick your flavor:

**Option 1 – Java (any OS)**

```
java -jar pwnpress_1_3_1_cli.jar
```

**Option 2 – Debian**

```
sudo apt install openjdk-21-jre
sudo dpkg -i pwnpress_1_3_1_cli.deb
pwnpress
```

**Option 3 – Windows**

Unzip the package and run the `.exe` — simple.

---

## 💡 Quick Usage

Fire up the tool and type:

```
help
```

From there, explore sections like scanner, target, phisher, bruteforce, and pingbacker. Some commands are still under development so watch out!

---

## 🤝 Call for collaborators

PwnPress is growing fast, but the **exploitation engine** and advanced modules need builders. If you code in Java, love hacking, or just want to push WordPress security further, join the project:

- 📧 [email protected]
- 🌐 [Contact form](https://pwnpress.org/#contact)

---

### 🔓 **Pwn harder. Recon smarter. And now, do it on Kali.**

🔧 PwnPress Framework is here — Time to ditch WPScan

By pwnpress • April 24, 2025

Welcome to a new era of WordPress security testing. If you've ever felt shackled by API rate limits, outdated vulnerability scans, or just the sluggish pace of community tools like WPScan — you're not alone. Enter **[PwnPress Framework](https://pwnpress.org/)**: a fresh, fast, and fully open-source alternative that’s ready to shake up the scene.

---

## Why PwnPress?

PwnPress is a powerful and automated WordPress vulnerability scanner — but calling it just a scanner doesn’t do it justice. It’s a growing **framework** for reconnaissance, enumeration, and (soon) exploitation of WordPress sites. It’s built for hackers, by hackers — and that means no signup walls, no API keys, no arbitrary limits.

> 🧠 The goal? Combine speed, modularity, and automation into a single tool that actually makes your recon easier — and way more fun.

Whether you’re scraping directories, building phishing pages, or validating thousands of WordPress targets, PwnPress gets it done.

---

## 🔧 Features at a glance

- ✅ **Automated scanning** for core, plugin, and theme vulnerabilities
- ✅ **Batch target validation** to detect real WordPress sites
- ✅ **Directory scraping** for juicy file listings
- ✅ **Phishing page generation** for default or custom WP logins
- ✅ **XML-RPC brute forcing** (via `system.Multicall`)
- ✅ **Request crafting & settings management**

### Coming soon

- 🚧 **Response analysis** and smarter detection logic
- 🚧 **Built-in exploitation modules** for RCE, SQLi, XSS, and more
- 🚧 **Integration with external tools** like Mockbin

---

## 🚀 Getting started

PwnPress runs on Java 17 and is available for **Linux**, **Windows**, and as a plain `.jar`.

**Option 1 – Java (any OS)**

```bash
java -jar pwnpress_1.2.0_cli.jar
```

**Option 2 – Debian**

```bash
sudo apt install openjdk-17-jre
sudo dpkg -i pwnpress_1.2.0.deb
pwnpress
```

**Option 3 – Windows**

Unzip and run the executable — no setup needed.

## 💡 Pro tips

Once you're in, type `help` to explore available commands. Navigate between sections like `scanner`, `phisher`, `bruteforce`, and `target` to dig deep into your recon flow. Some commands are still in development, but what's there now is already robust and ready to use in your next engagement. See the full list of commands in the [official GitHub repo](https://github.com/amtzespinosa/pwnpress).

----------

## 🤝 Contribute to the Mission

The code is still rough around the edges — but that’s where you come in. If you’re a dev, hacker, reverse engineer, or just a curious soul, help shape the future of this tool.

- 📧 Email: [email protected]
- 🌐 Or join via [our contact form](https://pwnpress.org/#contact).

----------

🔓 **Pwn smarter. Recon faster. And finally, ditch WPScan for good.**