In my experience, look out for AJAX callbacks registered with 'wp_ajax_*' and 'wp_ajax_nopriv_'. They're more often than not vulnerable.
Found a WordPress site? The easiest place to find bugs is in the plugins.
1. Find the installed plugins with WPScan
2. Set up your own WP instance and install the same plugins
3. Hack your own instance
4. Report your bugs!
The most common bug you'll find with this method is XSS.
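For reviewing plugin source on your own instance, here is an added example (not code from the posts above) that lists every `wp_ajax_*` / `wp_ajax_nopriv_*` registration and notes whether its callback verifies a nonce, checks a capability, or echoes raw request data. The PHP sample and all `demo_*` names are constructed, and the brace matching assumes no braces inside PHP strings.

```python
import re

# Constructed sample plugin source (hypothetical, not from any real plugin).
SAMPLE_PHP = r"""<?php
add_action('wp_ajax_demo_save', 'demo_save');
add_action('wp_ajax_nopriv_demo_search', 'demo_search');
add_action( "wp_ajax_demo_export", 'demo_export' );
function demo_save() {
    check_ajax_referer('demo_save');
    if (!current_user_can('manage_options')) { wp_die(); }
    update_option('demo', sanitize_text_field($_POST['v']));
}
function demo_search() {
    echo '<p>Results for ' . $_GET['q'] . '</p>';
}
function demo_export() {
    check_ajax_referer('demo_export');
    echo esc_html(get_option('demo'));
}
"""

HOOK = re.compile(r"""add_action\(\s*['"]wp_ajax_(nopriv_)?(\w+)['"]\s*,\s*['"](\w+)['"]""")
NONCE = re.compile(r"\b(check_ajax_referer|wp_verify_nonce)\s*\(")
CAP = re.compile(r"\bcurrent_user_can\s*\(")
RAW_ECHO = re.compile(r"\b(echo|print)\b[^;]*\$_(GET|POST|REQUEST)\b")

def function_body(src, name):
    """Return the brace-balanced body of a named PHP function, or ''."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(src) and depth:  # walk until the opening brace is closed
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def audit(src):
    """Map each AJAX action to the review findings for its callback."""
    report = {}
    for nopriv, action, callback in HOOK.findall(src):
        body = function_body(src, callback)
        findings = [label for label, hit in (
            ("no nonce check", not NONCE.search(body)),
            # Capability checks only apply to logged-in (wp_ajax_) handlers.
            ("no capability check", not nopriv and not CAP.search(body)),
            ("echoes raw request data", bool(RAW_ECHO.search(body))),
        ) if hit]
        report[("nopriv:" if nopriv else "priv:") + action] = findings
    return report
```

Findings are prompts for manual review, not verdicts: a handler may validate input in a helper this pattern match does not follow.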