CMSmap: Enumerating WordPress, Joomla, and Drupal Like a Pro
When you’re testing a Content Management System (CMS) like WordPress, Joomla, or Drupal, your recon needs to go deeper than default credentials and login forms. This is where CMSmap comes in. It’s a Python-based scanner designed specifically for enumerating and testing known vulnerabilities in popular CMS platforms — and it can operate entirely offline.
This post covers what CMSmap does, when to use it, and how to make the most of it, especially during engagements where API access or internet connectivity isn’t guaranteed.
What Is CMSmap?
CMSmap is a CMS-focused vulnerability scanner written in Python. It supports:
- WordPress
- Joomla
- Drupal
It can enumerate:
- Users
- Plugins
- Themes
- Known CVEs from its local database
It’s not as thorough as WPScan in terms of fingerprinting, but it’s fast, simple to use, and doesn’t require any API tokens. It’s especially useful during air-gapped assessments, offline labs, or certification exams where internet access is limited.
Installation
CMSmap isn’t built into Kali by default. To install it:
git clone https://github.com/Dionach/CMSmap.git
cd CMSmap
pip3 install -r requirements.txt
You can run it directly:
python3 cmsmap.py -h
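Optional: Link it into your PATH to run it globally. Use a symlink rather than moving the file, so the script stays next to the modules and data files in the cloned directory.
chmod +x cmsmap.py
sudo ln -s "$(pwd)/cmsmap.py" /usr/local/bin/cmsmap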
WordPress Scanning Syntax
Basic scan:
python3 cmsmap.py http://target.com -f W
-f W specifies WordPress as the target CMS.
Disable online checks and use local database only:
python3 cmsmap.py http://target.com -f W --noedb
Useful when you’re working offline or want a fast scan without pulling data from Exploit-DB.
Brute-force login credentials:
python3 cmsmap.py http://target.com -f W -u usernames.txt -p passwords.txt
Full scan with brute-force, plugin checks, and no external database:
python3 cmsmap.py http://target.com -f W -u users.txt -p pass.txt -F --noedb
-F enables a full scan, including known paths and brute-force attempts.
Custom Plugin Enumeration
CMSmap uses a local file to enumerate plugins. You’ll find it here:
CMSmap/data/wordpress_plugins.txt
You can modify this file to add specific plugin names you want to check. Each line should correspond to a plugin directory, like:
akismet
wordfence
revslider
CMSmap attempts to detect these using typical plugin paths like:
/wp-content/plugins/plugin-name/
This is handy if you want to add plugins based on manual page source inspection.
Limitations and Considerations
- CMSmap is noisy. It sends a lot of requests and is not suited for stealth assessments.
- It doesn’t implement WAF evasion or rate-limiting techniques.
- Plugin detection is based on brute-forcing plugin paths, not passive fingerprinting.
- Joomla and Drupal support is more limited compared to WordPress.
- It won’t always detect deeply hidden or obfuscated plugins.
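From the defender's side, the request volume and plugin path brute-forcing noted above leave a clear trace in web server access logs. The following is an added example, not part of CMSmap or the original post: a Python check that flags clients requesting many distinct /wp-content/plugins/<name>/ paths that mostly return 404. The Combined Log Format, the thresholds, the function name and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Combined Log Format (assumed); only client, request path and status are used.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')
PLUGIN_RE = re.compile(r'^/wp-content/plugins/([^/?#]+)(?:/|$)')

def find_plugin_enumeration(lines, min_distinct=5, min_miss_ratio=0.8):
    """Return {client: (distinct_slugs, miss_ratio)} for clients that probed
    many plugin directories and mostly received 404s."""
    probed = defaultdict(set)  # client -> every plugin slug requested
    found = defaultdict(set)   # client -> slugs that answered with a non-404
    for line in lines:
        m = LOG_RE.match(line)
        p = PLUGIN_RE.match(m.group(2)) if m else None
        if not p:
            continue  # unparsable line or not a plugin path
        client, slug = m.group(1), p.group(1).lower()
        probed[client].add(slug)
        if m.group(3) != "404":
            found[client].add(slug)
    flagged = {}
    for client, slugs in probed.items():
        miss_ratio = len(slugs - found[client]) / len(slugs)
        # A normal visitor loads assets from a few installed plugins (200s);
        # a wordlist-driven scan touches many slugs and misses most of them.
        if len(slugs) >= min_distinct and miss_ratio >= min_miss_ratio:
            flagged[client] = (len(slugs), round(miss_ratio, 2))
    return flagged

def _line(ip, path, status):
    return (f'{ip} - - [10/Jan/2025:10:00:00 +0000] '
            f'"GET {path} HTTP/1.1" {status} 512 "-" "-"')

# Constructed sample: one ordinary visitor and one client walking a plugin list.
SAMPLE_LOG = [
    _line("198.51.100.7", "/wp-content/plugins/akismet/_inc/akismet.css", 200),
    _line("198.51.100.7", "/wp-content/plugins/wordfence/css/main.css", 200),
] + [
    _line("203.0.113.50", f"/wp-content/plugins/{slug}/", status)
    for slug, status in [("akismet", 403), ("wordfence", 404), ("revslider", 404),
                         ("constructed-slug-1", 404), ("constructed-slug-2", 404),
                         ("constructed-slug-3", 404)]
]

if __name__ == "__main__":
    print(find_plugin_enumeration(SAMPLE_LOG))
```

Tune both thresholds against your own traffic before alerting on the result, since sites with many installed plugins raise the baseline of distinct slugs per visitor.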
When to Use CMSmap
CMSmap is a good fit when:
- You’re working offline (e.g., CTFs, exams, isolated labs)
- WPScan fails to find plugins or is blocked
- You want a fast brute-force utility for CMS logins
- You need a plugin scanner that doesn’t rely on external APIs
Conclusion
CMSmap is a lightweight but effective tool for CMS reconnaissance, especially for WordPress targets. While not a replacement for WPScan in all cases, its ability to function offline and its simplicity make it a reliable tool to have in your CMS enumeration workflow.
