wpCodeGrabber is a simple script that facilitates the download of WordPress website code (active theme + installed plugins) directly from the wp-admin panel. This can be particularly useful for scenarios where direct access to cPanel or the web server is not available. Additionally, it can serve as a handy tool for auditing code for security vulnerabilities when access is limited to the wp-admin panel.
Tested with WordPress 6.4.
For the script to function properly, ensure the following conditions are met:
- Theme and Plugin Editing should be enabled from the wp-admin panel (default behaviour).
- A wordpress_sec_xxxxxxxx cookie of a WordPress account able to edit themes and plugins from the wp-admin panel (e.g. admin) should be provided.
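As an added illustration of the first prerequisite (this is example code, not part of wpCodeGrabber): a small Python check of whether a wp-config.php still leaves the built-in theme/plugin editors enabled, which is what the script relies on. The two sample configs are constructed for the example, and the function names are chosen here.

```python
import re

# Matches define('DISALLOW_FILE_EDIT', true) or define("DISALLOW_FILE_MODS", false),
# with any spacing or quoting; WordPress hides the editors when either is true.
_DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](DISALLOW_FILE_EDIT|DISALLOW_FILE_MODS)['"]\s*,\s*(true|false)\s*\)""",
    re.IGNORECASE,
)

def _strip_comments(php: str) -> str:
    """Drop /* ... */ blocks and lines that are only // or # comments, so a
    commented-out define() is not mistaken for an active one."""
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.DOTALL)
    return "\n".join(
        line for line in php.splitlines()
        if not line.lstrip().startswith(("//", "#"))
    )

def file_editing_state(wp_config: str) -> dict:
    """Return the effective value of each constant (False when not defined)."""
    state = {"DISALLOW_FILE_EDIT": False, "DISALLOW_FILE_MODS": False}
    for name, value in _DEFINE_RE.findall(_strip_comments(wp_config)):
        state[name.upper()] = value.lower() == "true"
    return state

def editors_enabled(wp_config: str) -> bool:
    """True when the theme/plugin editors are reachable from wp-admin (the
    default), i.e. the condition wpCodeGrabber depends on still holds."""
    state = file_editing_state(wp_config)
    return not (state["DISALLOW_FILE_EDIT"] or state["DISALLOW_FILE_MODS"])

# Constructed sample configs (not from any real site): default vs hardened.
DEFAULT_CONFIG = """
define( 'DB_NAME', 'wp_example' );
// define( 'DISALLOW_FILE_EDIT', true );   commented out, so editors stay enabled
$table_prefix = 'wp_';
"""

HARDENED_CONFIG = """
define( 'DB_NAME', 'wp_example' );
define( 'DISALLOW_FILE_EDIT', true );  // removes the Theme/Plugin File Editor
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    for label, cfg in (("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: editors enabled = {editors_enabled(cfg)}")
```

Sites that set either constant will not expose the editor pages, so the script cannot retrieve code from them.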
- Clone the repository:
  git clone https://github.com/trap-bytes/wpCodeGrabber.git
- Navigate to the wpCodeGrabber directory:
  cd wpCodeGrabber
- Install the required dependencies:
  pip install -r requirements.txt
To run the script:
python3 wpCodeGrabber.py -u <WordPress_URL> -c "<Cookies>"
Replace <WordPress_URL> with the URL of the WordPress site and <Cookies> with the cookie string to be sent with the request. In order to run the script, the wordpress_sec_xxx=xyz cookie value should be enough.
Optionally, you can specify additional options:
- -t or --theme: Download theme files only.
- -p or --plugin: Download plugin files only.
- -e or --extension: Specify additional extensions for file types.
- -o or --output: Specify the output directory where the code will be saved.
To download theme files only, including .svg files, from a WordPress site with the URL https://example.com and cookie wordpress_sec_xxx=xyz, you would run:
python3 wpCodeGrabber.py -u https://example.com -c "wordpress_sec_xxx=xyz" -t -e svg
Note: You have to substitute the wordpress_sec_xxx cookie name and value with the ones returned by the WordPress website after login.