wordfence/exkit
===============

Version 1.0.8 (9y ago) · License: Apache · PHP >=5.4

[Source](https://github.com/wordfence/exkit) · [Packagist](https://packagist.org/packages/wordfence/exkit)

ExKit
=====

ExKit is a convenience library for proof of concept code developed by Wordfence. It includes common actions such as logging in as a user with a specific role, returning the path for an endpoint (e.g., admin-ajax.php), grabbing WP nonces, and so on.

Configuration
-------------

Most proofs of concept will require some degree of customization for the host being targeted. Each PoC will automatically prompt as needed for these values, but for repeated testing it may be useful to create a configuration file to pass in to avoid extra typing.

The configuration file is a simple, one-level JSON file. All of the common fields are defined in the file `config-sample.json`, but PoCs may define their own as needed. To use the file when executing a PoC, pass it with the `--config` command-line option. The syntax is `proofofconcept.php --config=/path/to/config.json`.

Available Functions
-------------------

This is just a broad overview of the available functions. For any additional details, consult the source code for the documentation and syntax.

---

### Cli

The `Cli` class defines a number of convenience functions for getting and sending information via the console.

#### options

Returns a pre-parsed associative array of all options provided when the script was invoked.

#### write

Writes to the console, optionally with coloring.

#### prompt

Prompts the user for a value, optionally providing a default.

---

### Config

The `Config` class provides a unified interface for getting and storing environment-dependent values. This includes things like user credentials, host URLs, and so on.

#### useConfigurationFile

Merges the given file with the stored value array.

#### get

Returns the value for the desired key, optionally prompting for it or returning a default value.

#### set

Stores the value for the given key.

---

### Endpoint

The `Endpoint` class provides a unified interface for getting the URLs of the endpoints commonly used by PoCs. It prompts for these values if they have not been provided.

#### baseURL

The base URL to the site.

#### loginURL

The login URL for the site. This defaults to the `baseURL` + `/wp-login.php` if not yet known.

#### adminURL

The admin URL for the site. This defaults to the `baseURL` + `/wp-admin/admin.php` if not yet known.

#### adminAjaxURL

The admin AJAX URL for the site. This defaults to the `baseURL` + `/wp-admin/admin-ajax.php` if not yet known.

#### adminPostURL

The admin post URL for the site. This defaults to the `baseURL` + `/wp-admin/admin-post.php` if not yet known.

#### uploadsURL

The uploads URL for the site. This defaults to the `baseURL` + `/wp-content/uploads` if not yet known.

#### url

Checks the config for the given URL and prompts the user for it if needed.

---

### ExitCodes

Defines several exit codes to ensure PoCs use a common set of values.

#### EXIT\_CODE\_INFORMATIONAL\_ONLY

Use if displaying some information only and not running the exploit (e.g., displaying the help message).

#### EXIT\_CODE\_EXPLOIT\_FAILED

Use if the exploit fails.

#### EXIT\_CODE\_EXPLOIT\_SUCCEEDED

Use if the exploit succeeds.

#### EXIT\_CODE\_FAILED\_PRECONDITION

Use if some precondition for running the exploit fails (e.g., invalid login credentials).

#### EXIT\_CODE\_VALID\_REQUEST\_FAILED

Use if a test for a valid request fails.

---

### Page

Provides convenience functions to interface with a page.

#### find

Loads the given page and applies the regex to the response, returning any matches.

---

### WPAuthentication

Provides login capabilities. This may be for a specific user or for a user with the desired role.

#### logInAsUserRole

Logs in as a user with the desired role (calls `logInAsUser`). If no user is found in the configuration cache, it will prompt for the user's credentials.

#### logInAsUser

Logs in as the user with the given credentials. If logging in fails, it will write out an error and exit with the code `EXIT_CODE_FAILED_PRECONDITION`.

---

### WPNonce

Convenience class for finding nonces.

#### findOnPage

Loads the given page and searches it for a nonce. Currently this is just done by applying a regex, but future versions may use a smarter approach.

