WordPress admin shell upload manual method?

@II0 said:

This is interesting! I am looking to do the same manually. I have my reverse shell plugin ready. Also I have my admin credentials ready.

But how to upload manually like the Metasploit module, without accessing the wp-admin page?

(I know how to upload reverse shells from the wp-admin but Metasploit does it without needing to access the wp-admin)

Haven’t looked into the code, but it’s most likely possible via the xmlrpc.php endpoint. But it might as well be that MSF just does the whole:

  • log into wp-admin
  • grab CSRF token for plugins upload
  • upload plugin
  • activate plugin

dance :wink:
Just because it doesn’t visually open the wp-admin page, doesn’t mean it really isn’t using it.
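
The four-step flow listed in the reply above leaves a recognizable trail in the web server's access log. The following is an added example, not part of the original posts: a detector that flags a client completing login, upload form, plugin upload and activation within a short window. The request paths assume a default WordPress layout, the log lines are constructed, and the 30-second window is an arbitrary threshold.

```python
import re
from datetime import datetime, timedelta

# Stages of the plugin-upload flow, in order (paths assume a default WordPress layout).
STAGES = [
    ("login",    "POST", re.compile(r"^/wp-login\.php")),
    ("form",     "GET",  re.compile(r"^/wp-admin/plugin-install\.php")),
    ("upload",   "POST", re.compile(r"^/wp-admin/update\.php\?action=upload-plugin")),
    ("activate", "GET",  re.compile(r"^/wp-admin/plugins\.php\?.*action=activate")),
]
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed combined-format log lines: one scripted client, one human admin.
SAMPLE = [
    '203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '203.0.113.7 - - [12/Mar/2024:10:00:02 +0000] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.1" 200 5120',
    '203.0.113.7 - - [12/Mar/2024:10:00:02 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 2048',
    '203.0.113.7 - - [12/Mar/2024:10:00:03 +0000] "GET /wp-admin/plugins.php?action=activate&plugin=example%2Fexample.php HTTP/1.1" 302 0',
    '198.51.100.20 - - [12/Mar/2024:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '198.51.100.20 - - [12/Mar/2024:09:02:10 +0000] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.1" 200 5120',
    '198.51.100.20 - - [12/Mar/2024:09:03:00 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 2048',
    '198.51.100.20 - - [12/Mar/2024:09:03:40 +0000] "GET /wp-admin/plugins.php?action=activate&plugin=example%2Fexample.php HTTP/1.1" 302 0',
]

def find_fast_plugin_installs(lines, window=timedelta(seconds=30)):
    """Return [(client_ip, start, end)] for clients that ran all four stages inside `window`."""
    progress, hits = {}, []  # progress: ip -> (index of next expected stage, login time)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format request line
        ip, ts, method, path, _status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        idx, start = progress.get(ip, (0, None))
        if start and when - start > window:
            idx, start = 0, None  # too slow for a script: start over
        _name, want_method, want_path = STAGES[idx]
        if method == want_method and want_path.search(path):
            start = start or when
            idx += 1
            if idx == len(STAGES):
                hits.append((ip, start, when))
                idx, start = 0, None
        progress[ip] = (idx, start)
    return hits
```

A human administrator produces the same four requests, so the time window and the source address are what separate a scripted run from normal use; tune the window to your own admins' behaviour.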