WEB WordPress XMLRaPC GHOST vulnerability notification

You saw this message on the Trend Micro Home Network Security app:

WEB WordPress XMLRaPC GHOST vulnerability

Why did this happen?

Trend Micro Home Network Security detected a WEB WordPress XMLRaPC GHOST vulnerability on your network.

What are its risks?

This vulnerability may allow an attacker to obtain sensitive information from an exploited system or, in some instances, perform remote code execution with the privileges of the application being exploited.

The WordPress XML-RPC pingback application programming interface (API) is used to send an overly large hostname, causing the process handling the request to crash. This means that when someone releases an exploit, any Web servers running WordPress may also be exploitable.

What should I do next?

  • Disable the XML-RPC functionality from WordPress.
  • Keep your WordPress and your plugins updated.
  • Install the latest updates for the affected applications.
  • Install a Web application firewall.

What if I have more questions?

For more information, check out these pages:

  • GHOST-CVE-2015-0235
  • WordPress and the GHOST Vulnerability

WordPress XMLRPC GHOST Vulnerability Scanner - Metasploit

This page contains detailed information about how to use the auxiliary/scanner/http/wordpress_ghost_scanner Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.

Module Overview

  • Name: WordPress XMLRPC GHOST Vulnerability Scanner
  • Module: auxiliary/scanner/http/wordpress_ghost_scanner
  • Source code: modules/auxiliary/scanner/http/wordpress_ghost_scanner.rb
  • Disclosure date: -
  • Last modification time: 2021-01-21 20:51:29 +0000
  • Supported architecture(s): -
  • Supported platform(s): -
  • Target service / protocol: http, https
  • Target network port(s): 80, 443, 3000, 8000, 8008, 8080, 8443, 8880, 8888
  • List of CVEs: CVE-2015-0235

This module can be used to determine hosts vulnerable to the GHOST vulnerability via a call to the WordPress XMLRPC interface. If the target is vulnerable, the system will segfault and return a server error. On patched systems, a normal XMLRPC error is returned.

Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect.

This module is a scanner module, and is capable of testing against multiple hosts.

Other examples of setting the RHOSTS option:

  • RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'

Here is how the scanner/http/wordpress_ghost_scanner auxiliary module looks in the msfconsole:

This is a complete list of options available in the scanner/http/wordpress_ghost_scanner auxiliary module:

Here is a complete list of advanced options supported by the scanner/http/wordpress_ghost_scanner auxiliary module:

This is a list of all auxiliary actions that the scanner/http/wordpress_ghost_scanner module can do:

Here is the full list of possible evasion options supported by the scanner/http/wordpress_ghost_scanner auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

This module may fail with the following error messages:

Looks like this site is no WordPress blog

Xmlrpc interface is not enabled, target not vulnerable to ghost.

Check for the possible causes in the code snippets below, found in the module source code. This can often help in identifying the root cause of the problem.

Here is a relevant code snippet related to the "Looks like this site is no WordPress blog" error message:

Here is a relevant code snippet related to the "XMLRPC interface is not enabled" error message:

Here is a relevant code snippet related to the "target not vulnerable to GHOST" error message:

  • #14643 Merged Pull Request: wordpress_ghost_scanner: Update reference URLs
  • #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
  • #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
  • #6655 Merged Pull Request: use MetasploitModule as a class name
  • #6648 Merged Pull Request: Change metasploit class names
  • #6526 Merged Pull Request: Peers for the peer god
  • #6089 Merged Pull Request: Fix HTTP mixins namespaces
  • #4712 Merged Pull Request: Recent module fixups: mostly caps/grammar/spelling, GoodRanking on the MalwareBytes module
  • #4698 Merged Pull Request: remove unused code
  • #4675 Merged Pull Request: add wordpress ghost scanner module
  • CVE-2015-0235
  • https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/ghost-gethostbyname-heap-overflow-in-glibc-cve-2015-0235/
  • https://blog.sucuri.net/2015/01/critical-ghost-vulnerability-released.html

Check also the following modules related to this module:

  • exploit/linux/smtp/exim_gethostbyname_bof
  • auxiliary/scanner/http/wordpress_content_injection
  • auxiliary/scanner/http/wordpress_cp_calendar_sqli
  • auxiliary/scanner/http/wordpress_login_enum
  • auxiliary/scanner/http/wordpress_multicall_creds
  • auxiliary/scanner/http/wordpress_pingback_access
  • auxiliary/scanner/http/wordpress_scanner
  • auxiliary/scanner/http/wordpress_xmlrpc_login
  • auxiliary/dos/http/wordpress_directory_traversal_dos
  • auxiliary/dos/http/wordpress_long_password_dos
  • auxiliary/dos/http/wordpress_xmlrpc_dos
  • auxiliary/admin/http/tomcat_ghostcat
  • exploit/multi/fileformat/ghostscript_failed_restore
  • exploit/unix/fileformat/ghostscript_type_confusion
  • exploit/windows/local/cve_2020_0796_smbghost
  • exploit/windows/smb/cve_2020_0796_smbghost

Related Nessus plugins:

  • Amazon Linux AMI : glibc (ALAS-2015-473)
  • CentOS 5 : glibc (CESA-2015:0090) (GHOST)
  • CentOS 6 / 7 : glibc (CESA-2015:0092) (GHOST)
  • Debian DSA-3142-1 : eglibc - security update
  • Oracle Linux 6 / 7 : glibc (ELSA-2015-0092) (GHOST)
  • RHEL 5 : glibc (RHSA-2015:0090) (GHOST)
  • RHEL 6 / 7 : glibc (RHSA-2015:0092) (GHOST)
  • Scientific Linux Security Update : glibc on SL5.x i386/x86_64 (20150127) (GHOST)
  • Scientific Linux Security Update : glibc on SL6.x, SL7.x i386/x86_64 (20150127) (GHOST)
  • SuSE 11 Security Update : glibc (SAT Patch Numbers 10202,10204,10206)
  • Robert Rowley
  • Christophe De La Fuente
  • Chaim Sanders
  • Felipe Costa
  • Jonathan Claudius
  • Karl Sigler
  • Christian Mehlmauer

This page has been produced using Metasploit Framework version 6.1.29-dev. For more modules, visit the Metasploit Module Library.

Figure 1: The common metadata used in most files in this campaign.

Another feature we found was that InternalName was always a sequence of 2s. Unfortunately, we weren’t able to conclude if this was intentional or not.

The initial layer of the malware is for decoding the URIs used to make initial contact with the C&C server. 

The first section is unpacked as shown in Figure 2:

Figure 2: The decryption loop of this program.

This decryption loop is a simple XOR decryption that sequentially runs from B5 to C7, which gives us /lk4238fh317/update.php.

Figure 3 shows the debugger dump.

Figure 3: The decrypted string of this program.

Next, the domain is generated using another XOR-based decryption where the key goes from B5 to C0.

Figure 4: The decryption loop for this program.

The domain generated is k6239847[.]lib. This URL is then used with blockchain DNS.
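The two decoding loops described above can be reproduced offline when triaging similar samples. This is an added example, not code from the original post: it assumes the key byte starts at 0xB5 and increases by one per decoded byte (the post gives only the first and last key values), and the byte blob is constructed here from the strings the post reports.

```python
# Added example (not from the original post).
# Assumption: the key byte starts at 0xB5 and increases by one per byte.


def xor_inc(data: bytes, start: int = 0xB5) -> bytes:
    """XOR each byte with an incrementing key; applying it twice restores the input."""
    return bytes(b ^ ((start + i) & 0xFF) for i, b in enumerate(data))


def last_key(length: int, start: int = 0xB5) -> int:
    """Key byte applied to the final character of a string of this length."""
    return (start + length - 1) & 0xFF


def find_strings(blob: bytes, start: int = 0xB5, min_len: int = 8):
    """Scan a blob for runs that decode to printable ASCII under the scheme.

    Returns (offset, decoded_text) pairs. The key is reset to `start` at every
    candidate offset because each string is decoded by its own loop.
    """
    hits, pos = [], 0
    while pos < len(blob):
        out = bytearray()
        for i, b in enumerate(blob[pos:]):
            c = b ^ ((start + i) & 0xFF)
            if not 0x20 <= c < 0x7F:  # stop at the first non-printable byte
                break
            out.append(c)
        if len(out) >= min_len:
            hits.append((pos, out.decode("ascii")))
            pos += len(out)  # skip past the string that was just recovered
        else:
            pos += 1
    return hits


# Constructed sample: the two strings reported in the post, re-encoded with
# the assumed scheme and separated by zero padding.
PATH = b"/lk4238fh317/update"
DOMAIN = b"k6239847.lib"
BLOB = b"\x00" * 4 + xor_inc(PATH) + b"\x00" * 3 + xor_inc(DOMAIN) + b"\x00" * 2

if __name__ == "__main__":
    for offset, text in find_strings(BLOB):
        print(f"{offset:#06x}  {text}")
```

Under this assumption a 19-byte string ends on key 0xC7 and a 12-byte string on 0xC0, which matches the key ranges quoted for the URI segment and the domain.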

Figure 5: The DNS query.

The blockchain DNS URI is decrypted using a similar XOR loop as shown in Figure 6.  The value compared depends on the size of the blockchain DNS URI.

Figure 6: The decryption loop.

These are first assembled in heap using RtlAllocateHeap.

Figure 7: The decrypted strings.

The code shown in Figure 8 is called several times to allocate heap to save decrypted strings that are used later to perform network activity or for creating files.

Figure 8: The API call details.

This same code is reused to assemble user-agent strings, which are later used for making internet connections.

Figure 9: The user-agents employed in this attack.

This is then used to create a DNS request for the blockchain DNS server.

Figure 10: The concatenated URL.

The DNS request generated produces a C&C IP of 217.8.117[.]48, which can be confirmed online at explorer.emercoin[.]com/nvs/dns.

Figure 11: The domains found at emercoin.com.

The segment of a URL created during the first decryption loop (as shown above) is then used with the IP address to contact the C&C. The URL created is 217.8.117[.]48/lk4238fh317/update.

The C&C then replies back with 217.8.117[.]48/j537djjlhg763/svchst.exe, which is the downloaded payload. The payload is downloaded at C:\Users\User-Name\AppData\Roaming\svchst.exe.

Figure 12: The program downloading an updated version of itself.

The downloaded sample (MD5:86374F27C1A915D970BE3103D22512B9) is an updated version of the parent sample, which downloads itself to ensure that the latest version of the malicious program is running on the system. This sample also performs a DNS query on k6239847[.]lib. The string is obfuscated by breaking the string in two parts—k623 and 9847.lib, which are concatenated in memory. 

This time, a command is run using cmd.exe /C ping 1.1.1.1 -n 1 -w, where -n is the number of echo requests to send and -w is the timeout in milliseconds to wait for each reply. 1.1.1.1 is a popular DNS service by Cloudflare.

The full command is cmd.exe /C ping 1.1.1.1 -n 1 -w -n 1 -w3000 > Nul & Del /f /q \"%s.

The program then enumerates system information including information such as user name, processor architecture, and more.

Figure 13: The algorithm to initiate the /xmlrpc.php attack.

Figure 14: The attack vectors found in the file.

Here, the malicious program uses <methodName>wp.getUsersBlogs</methodName> to run a brute-force attack through the "wp.getUsersBlogs" method of xmlrpc.php: the attacker performs a reverse IP lookup for the IPs fetched from the C&C and looks for all the available methods on the corresponding DNS. Once found, it attempts to gain a login via cookie-based authentication by logging into WordPress using cURL, authenticating the server (which ran the cURL script) and providing the username/password to the login page of the desired WordPress site.

Here is a redacted list of a few WordPress sites the attacker is trying to attack leveraging this malware payload:

Figure 15: The list of WordPress sites targeted for a brute force attack.

We then went on hunting for similar samples. We were able to unearth more samples connecting to the same domains (k6239847.lib) and IP address (217.8.117.48). The samples we found had similar activity but used a .space TLD domain as one of its C&C.

Cloud Sandbox detection

The malware payload was successfully detected and blocked by the Zscaler Cloud Sandbox, as seen in Figure 16.

Figure 16: The Zscaler Cloud Sandbox successfully detected the malware.

Advanced Threat Signature name:

Win32.Backdoor.Wpbrutebot

Due to its popularity, WordPress is a common target for cyberattacks. As such, WordPress admins need to be on alert to reports of newly found vulnerabilities and attacks. In addition, WordPress admins should keep the XML-RPC option disabled and refrain from using logins from third-party applications.

Zscaler continues to protect our customers from such attacks and detects these malicious programs in our Cloud Sandbox in real time.

MITRE ATT&CK TTP Mapping

2ed7662ec8e2022d9cebec3a8ebaf838 c09cf4312167fa9683d8e8733004b7e6 86374f27c1a915d970be3103d22512b9 d88a7fca98e89aaf593163b787165766 03caf1cf96f95b82536fc8b7d94c5a61 74f5107acd2e51dc407253f15d718be3 a54fa899a524f0cd34ae90f9820b41e0

207.148.83[.]241 5.132.191[.]104 66.70.228[.]164  

Ultimate WordPress XML RPC Exploit: Comprehensive Guide 2024

What is WordPress XML RPC?

WordPress XML RPC is a remote procedure call (RPC) protocol that allows users to interact with their WordPress site remotely. It enables developers to perform various actions on their WordPress site, such as publishing posts, updating content, and managing comments, without having to log in to the WordPress admin panel.

How does WordPress XML RPC work?

WordPress XML RPC works by sending HTTP requests to the XML RPC server endpoint of a WordPress site. These requests are formatted in XML and contain specific methods and parameters to perform various actions on the site. The XML RPC server processes these requests and returns the desired response.

Why is WordPress XML RPC important?

WordPress XML RPC is important because it provides a convenient way for developers and third-party applications to interact with WordPress sites programmatically. It allows for automation, integration with other systems, and the development of custom solutions that extend the functionality of WordPress.

Understanding the WordPress XML RPC Exploit

The WordPress XML RPC exploit refers to a vulnerability in the XML RPC functionality of WordPress that can be exploited by malicious actors to gain unauthorized access to a WordPress site or perform malicious actions on it. This exploit can pose a significant security risk if not properly addressed.

How does the WordPress XML RPC exploit work?

The WordPress XML RPC exploit typically involves sending specially crafted XML RPC requests to a vulnerable WordPress site. These requests exploit weaknesses in the XML RPC implementation and can be used to bypass authentication, execute arbitrary code, or perform other malicious actions.

What are the potential consequences of the WordPress XML RPC exploit?

The consequences of the WordPress XML RPC exploit can vary depending on the intentions of the attacker. Some potential consequences include:

  • Unauthorized access to sensitive information
  • Modification or deletion of site content
  • Injection of malicious code or scripts
  • Creation of backdoors for future attacks
  • Use of the compromised site for further attacks

Protecting Your WordPress Site from the XML RPC Exploit

Protecting your WordPress site from the XML RPC exploit is crucial to ensure the security and integrity of your site. Here are some steps you can take to mitigate the risk:

1. Disable XML RPC

One of the most effective ways to protect against the XML RPC exploit is to disable XML RPC functionality on your WordPress site. This can be done by adding the following code to your site's .htaccess file:

2. Use a Security Plugin

Using a reputable security plugin can help protect your WordPress site from various vulnerabilities, including the XML RPC exploit. Look for a plugin that offers features such as firewall protection, malware scanning, and brute force attack prevention.

3. Keep WordPress and Plugins Updated

Keeping your WordPress installation and plugins up to date is essential for maintaining the security of your site. Updates often include security patches that address known vulnerabilities, so it's important to regularly check for updates and apply them promptly.

4. Use Strong Authentication

Enforcing strong authentication measures, such as using complex passwords and enabling two-factor authentication, can significantly reduce the risk of unauthorized access to your WordPress site. Consider implementing these measures for all user accounts, including administrators and contributors.

5. Limit Login Attempts

Implementing a limit on the number of login attempts can help prevent brute force attacks that target the XML RPC endpoint. This can be done using a security plugin or by adding custom code to your site's functions.php file.

The WordPress XML RPC exploit is a serious security vulnerability that can have severe consequences if not properly addressed. By taking proactive measures to protect your WordPress site, such as disabling XML RPC, using a security plugin, keeping your software up to date, and enforcing strong authentication, you can significantly reduce the risk of falling victim to this exploit. Stay vigilant and stay secure!

What is the WordPress XML-RPC exploit?

The WordPress XML-RPC exploit is a vulnerability that allows attackers to gain unauthorized access to a WordPress website through the XML-RPC interface.

How does the WordPress XML-RPC exploit work?

The WordPress XML-RPC exploit takes advantage of a flaw in the XML-RPC interface, which allows remote procedure calls to be made to the WordPress site. Attackers can use this vulnerability to execute malicious code, upload files, and perform other unauthorized actions.

How can I protect my WordPress site from the XML-RPC exploit?

To protect your WordPress site from the XML-RPC exploit, you can disable the XML-RPC interface by adding the following code to your site's .htaccess file:

    <Files "xmlrpc.php">
    Order Deny,Allow
    Deny from all
    </Files>

Additionally, keeping your WordPress installation and plugins up to date, using strong passwords, and implementing a web application firewall can also help prevent exploitation.

Asim Akhtar

Asim is the CEO & founder of AtOnce. After 5 years of marketing & customer service experience, he's now using Artificial Intelligence to save people time.

GHOST Vulnerability (CVE-2015-0235)

Maxim_Zavodchik

Exploiting the xmlrpc.php on all WordPress versions

Jul 1, 2019 • cheatsheet , offensive_security , wordpress

XML-RPC on WordPress is an API that gives developers of third-party applications and services the ability to interact with your WordPress site. The XML-RPC API that WordPress provides offers several key functionalities, including:

  • Publish a post
  • Edit a post
  • Delete a post.
  • Upload a new file (e.g. an image for a post)
  • Get a list of comments
  • Edit comments

For instance, the Windows Live Writer system is capable of posting blogs directly to WordPress because of XML-RPC.

Unfortunately, on a normal WordPress installation (with settings and configs not tampered with), the XML-RPC interface opens the door to two kinds of attacks:

  • XML-RPC pingbacks
  • Brute force attacks via XML-RPC

According to the WordPress documentation ( https://codex.wordpress.org/XML-RPC_Support ), XML-RPC functionality is turned on by default since WordPress 3.5.

Note that in this tutorial/cheatsheet the domain “example.com” is actually an example and can be replaced with your specific target.

Dorks for finding potential targets

I would like to add that any illegal action is your own, and I cannot be held responsible for your actions against a vulnerable target. Test only where you are allowed to do so. Go for the public, known bug bounties and earn your respect within the community.

That being said, during bug bounties or penetration testing assessments I had to identify all vulnerable WordPress targets on all subdomains following the rule *.example.com. In this specific case I relied on Google dorks in order to quickly discover all potential targets:

  • inurl:"/xmlrpc.php?rsd" + scoping restrictions
  • intitle:"WordPress" inurl:"readme.html" + scoping restrictions = general wordpress detection
  • allinurl:"wp-content/plugins/" + scoping restrictions = general wordpress detection

Searching for XML-RPC servers on WordPress:

Steps to check:

  • Ensure you are targeting a WordPress site.
  • Ensure you have access to the xmlrpc.php file. In general, it is found at https://example.com/xmlrpc.php and would reply to a GET request with: XML-RPC server accepts POST requests only.
  • It will be pointless to target an XML-RPC server which is disabled/hardcoded/tampered/not working. Therefore, we will check its functionality by sending the following request:

Post Request:

The normal response should be:

Note that in the absence of the above-presented example response, it is rather pointless to proceed with actual testing of the two vulnerabilities. The response might vary based on the settings and configurations of the WordPress installation.

  • If there is an output for <methodName>system.listMethods</methodName> then it is recommended to interact with at least the most basic method called demo.sayHello .

XML-RPC pingbacks attacks

In this case, an attacker is able to leverage the default XML-RPC API in order to perform callbacks for the following purposes:

  • Distributed denial-of-service (DDoS) attacks - An attacker executes the pingback.ping method from several affected WordPress installations against a single unprotected target (botnet level).
  • Cloudflare Protection Bypass - An attacker executes the pingback.ping method from a single affected WordPress installation which is protected by Cloudflare to an attacker-controlled public host (for example a VPS) in order to reveal the public IP of the target, therefore bypassing any DNS level protection.
  • XSPA (Cross Site Port Attack) - An attacker can execute the pingback.ping method from a single affected WordPress installation to the same host (or other internal/private host) on different ports. An open port or an internal host can be determined by observing the difference in time of response and/or by looking at the response of the request.

The following represents a simple example request using the PostBin-provided URL as the callback:

Example response:

PostBin Output:

Brute force attacks

Sometimes the only way to bypass request limiting or blocking in a brute force attack against a WordPress site is to use the all too forgotten XML-RPC API.

The following request represents the most common brute force attack:

The above request can be sent in Burp Intruder (for example) with different sets of credentials. Note that, whether or not you guess the password, the response code will always be 200. I highly recommend looking for errors/messages within the body of the response.

Worried about sending way too many requests against the target? No worries. WordPress XML-RPC by default allows an attacker to perform a single request and brute force hundreds of passwords.

The following request requires permissions for both system.multicall and wp.getUsersBlogs methods:

The response will look like:

In the above example I tested 4 different credential sets using a single request. You just have to replace {{ Your Username }} and {{ Your Password }} with your own combinations.
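Because a single system.multicall request can carry many credential guesses, counting HTTP requests per source undercounts this traffic on the defending side. The following added example (not from the original post) counts the wp.getUsersBlogs calls inside each request body instead; the threshold, the function names and the sample records are assumptions constructed for illustration.

```python
# Added example (not from the original post): count credential attempts per
# source from XML-RPC request bodies rather than from HTTP request counts.
import xmlrpc.client
from collections import Counter

AUTH_METHODS = {"wp.getUsersBlogs"}  # credential-bearing method named in the post
ATTEMPT_LIMIT = 10                   # assumed per-source threshold, tune locally


def credential_attempts(body: str):
    """Count credential-bearing calls inside one XML-RPC request body.

    Returns None when the body is rejected or cannot be parsed.
    """
    # XML-RPC needs no DTD; refuse it before handing the body to the parser.
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        return None
    try:
        params, method = xmlrpc.client.loads(body)
    except Exception:  # untrusted input: any parse failure is "not counted"
        return None
    if method in AUTH_METHODS:
        return 1
    if method == "system.multicall" and params and isinstance(params[0], list):
        return sum(
            1 for call in params[0]
            if isinstance(call, dict) and call.get("methodName") in AUTH_METHODS
        )
    return 0


def flag_sources(records, limit=ATTEMPT_LIMIT):
    """Map each source over the limit to (http_requests, credential_attempts)."""
    requests, attempts = Counter(), Counter()
    for src, body in records:
        requests[src] += 1
        attempts[src] += credential_attempts(body) or 0
    return {s: (requests[s], attempts[s]) for s in requests if attempts[s] > limit}


# --- Constructed test fixtures: documentation addresses, placeholder values ---
def _multicall(n):
    calls = [{"methodName": "wp.getUsersBlogs", "params": ["user", f"guess{i}"]}
             for i in range(n)]
    return xmlrpc.client.dumps((calls,), "system.multicall")


_SINGLE = xmlrpc.client.dumps(("user", "guess"), "wp.getUsersBlogs")
_LIST = xmlrpc.client.dumps((), "system.listMethods")
_DTD = '<!DOCTYPE x [<!ENTITY a "b">]><methodCall/>'

SAMPLE = [
    ("203.0.113.10", _multicall(8)),   # 2 requests, 16 attempts
    ("203.0.113.10", _multicall(8)),
    ("198.51.100.7", _SINGLE),         # 3 requests, 3 attempts
    ("198.51.100.7", _SINGLE),
    ("198.51.100.7", _SINGLE),
    ("192.0.2.44", _LIST),             # no credentials involved
    ("192.0.2.44", _DTD),              # rejected before parsing
]

if __name__ == "__main__":
    for src, (reqs, tries) in flag_sources(SAMPLE).items():
        print(f"{src}: {tries} credential attempts in {reqs} requests")
```

In the sample, the source that sent only two requests is the one flagged, while the source that sent three stays under the limit.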

That is it, please comment if I missed something and happy hunting!

Other references:

  • https://www.wordfence.com/blog/2015/10/should-you-disable-xml-rpc-on-wordpress/
  • https://medium.com/@the.bilal.rizwan/wordpress-xmlrpc-php-common-vulnerabilites-how-to-exploit-them-d8d3c8600b32
  • https://github.com/1N3/Wordpress-XMLRPC-Brute-Force-Exploit/blob/master/wordpress-xmlrpc-brute-v2.py

WordPress XXE injection vulnerability could allow attackers to remotely steal host files

Researchers provide technical details of bug that was fixed in latest security release

An XML External Entity (XXE) injection bug in WordPress could allow attackers to remotely steal a victim’s files, researchers have revealed.

Security researchers at SonarSource who discovered the vulnerability published a blog post today (April 27) that provides technical details on the now-patched bug.

An XXE vulnerability allows an attacker to interfere with an application’s processing of XML data. This can enable them to view files on the application server filesystem and interact with any back-end or external systems that the application itself can access.

In this case, the XXE bug was present in WordPress versions 5.7 and below, and could allow for remote arbitrary file disclosure and server-side request forgery (SSRF).

Restrictions

The blog post caveats that this issue is only present in systems running affected WordPress installations on PHP 8.

“Additionally, the permissions to upload media files are needed,” SonarSource researchers explained in the blog post.

“On a standard WordPress installation this translates to having author privileges. However, combined with another vulnerability or a plugin allowing visitors to upload media files, it could be exploited with lower privileges.”

The researchers disclosed the code vulnerability to the WordPress security team, who fixed it in the latest version (5.7.1) and assigned CVE-2021-29447.

WordPress, the world’s most popular content management software, powers around 40% of all websites in use, making it a clear target for malicious actors.

Fortunately, thanks to ongoing security work from the maintainers of the open source CMS framework, many sites running WordPress will now auto-update.

Web admins who do not have this feature enabled can update via their WordPress admin dashboard.

Jessica Haworth

PHP Applications, WordPress Subject to Ghost glibc Vulnerability

Researchers at Sucuri revealed that applications such as WordPress that support PHP could also be subject to the Ghost vulnerability in glibc.

Less than 48 hours after the disclosure of the Ghost vulnerability in the GNU C library (glibc), researchers have uncovered that PHP applications, including the WordPress content management system, could be another weak spot and eventually in the crosshairs of attackers.

Ghost is a vulnerability in glibc that attackers can use against only a handful of applications right now to remotely run executable code and gain control of a Linux server. The vulnerability is a heap-based buffer overflow and affects all Linux systems, according to experts, and has been present in the glibc code since 2000.

The buffer overflow in glibc was found in the __nss_hostname_digits_dots() function; that particular function is used by the _gethostbyname function call. PHP applications such as WordPress also use the gethostbyname() function wrapper, which expands the scope of the vulnerability even as Linux distributions roll out patches.

“An example of where this could be a big issue is within WordPress itself: it uses a function named wp_http_validate_url() to validate every pingback’s post URL,” wrote Sucuri researcher Marc-Alexandre Montpas in an advisory published Wednesday. “And it does so by using gethostbyname(). So an attacker could leverage this vector to insert a malicious URL that would trigger a buffer overflow bug, server-side, potentially allowing him to gain privileges on the server.”

Until now, the only proof-of-concept was built against the Exim mail transfer agent (MTA). Experts agree that such an exploit would have to climb some significant hurdles.

“The exploitation depends on being able to convince a program to perform a DNS lookup of a host name provided by the attacker,” said researcher Michal Zalewski. “The lookup has to be done in a very particular way and must lack a couple of commonly-employed (but certainly not mandatory) sanity checks.”

Montpas told Threatpost that an attack against a PHP application such as WordPress would really depend on the context in which gethostbyname() is executed.

“In WordPress, one could easily flag an attack by looking at the domains that are ‘pingbacking’ his site,” Montpas said. “A domain containing more than 255 bytes should be considered as malicious (RFC2181 explicitly states that a full domain name is limited to this exact amount of bytes).”
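The length rule Montpas describes can be applied to incoming pingback.ping bodies before they reach PHP. The following is an added example, not code from Sucuri or WordPress; the function names, the 63-byte label check and the sample hosts are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MAX_NAME_BYTES = 255   # RFC 2181 full-name limit quoted in the article
MAX_LABEL_BYTES = 63   # per-label DNS limit; an added check, not from the article


def pingback_urls(body: bytes) -> list:
    """Return the string parameters of a pingback.ping call ([] for other methods)."""
    # Cheap guard before parsing untrusted XML: a pingback needs no DTD, and
    # NUL bytes indicate a UTF-16/32 body that would slip past the byte check.
    if b"\x00" in body or b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        raise ValueError("unexpected DTD or encoding in XML-RPC body")
    root = ET.fromstring(body)
    method = (root.findtext("methodName") or "").strip()
    if root.tag != "methodCall" or method != "pingback.ping":
        return []
    urls = []
    for value in root.iterfind("./params/param/value"):
        # XML-RPC permits <value><string>x</string></value> and bare <value>x</value>.
        text = value.findtext("string")
        if text is None:
            text = value.text
        urls.append((text or "").strip())
    return urls


def host_findings(url: str) -> list:
    """List the reasons a URL's host part breaks DNS length limits."""
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:
        return ["unparseable URL"]
    raw = host.encode("utf-8")
    findings = []
    if len(raw) > MAX_NAME_BYTES:
        findings.append("hostname is %d bytes, limit %d" % (len(raw), MAX_NAME_BYTES))
    longest = max(len(label) for label in raw.split(b"."))
    if longest > MAX_LABEL_BYTES:
        findings.append("label is %d bytes, limit %d" % (longest, MAX_LABEL_BYTES))
    return findings


def inspect_pingback(body: bytes) -> dict:
    """Map parameter index (0 = source URI, 1 = target URI) to its findings."""
    flagged = {}
    for index, url in enumerate(pingback_urls(body)):
        reasons = host_findings(url)
        if reasons:
            flagged[index] = reasons
    return flagged


def build_sample(source_host: str) -> bytes:
    """Constructed pingback.ping body for the demo; hosts are placeholders."""
    return (
        "<?xml version='1.0'?><methodCall><methodName>pingback.ping</methodName>"
        "<params><param><value><string>http://%s/post</string></value></param>"
        "<param><value><string>http://blog.example/?p=1</string></value></param>"
        "</params></methodCall>" % source_host
    ).encode("utf-8")


if __name__ == "__main__":
    for host in ("news.example", "a" * 300 + ".example"):
        print(len(host), inspect_pingback(build_sample(host)))
```

A non-empty result is a reason to reject the request and log the client address; an empty one only means the host length is within DNS limits.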

Montpas said Sucuri does not have a working exploit, but did use a particular XMLRPC request to try to force gethostbyname() to crash, indicating the vulnerability is present.

“It makes servers more exposed to attacks, given XMLRPC is enabled by default in WordPress and that this CMS powers 23.3 percent of all websites,” Montpas said. “This is mostly a case-by-case type of vulnerability. A successful exploitation relies a lot on what code an attacker can use within the target application. Qualys apparently succeeded in exploiting Exim, a popular MTA. But chances are their exploit wouldn’t work on, say, PHP. That said, if someone came with a working GHOST-PHP exploit, there’s a lot we’d have to be worried about.”

The vulnerability affects glibc 2.2 through 2.17, but was patched in May 2013, though the patch was not labeled a security vulnerability and as a result may not have been widely deployed. Several other mitigations have been made public. Exim, clockdiff, procmail and pppd have been identified as vulnerable to Ghost exploits.

“This is a very critical vulnerability and should be treated as such,” Montpas said. “If you have a dedicated server or VPN running Linux, you have to make sure you update it right away.”

Montpas provided test PHP code admins can run on a server terminal; if the code returns a segmentation fault, the Linux server is vulnerable to Ghost:

php -r '$e="0";for($i=0;$i<2500;$i++){$e="0$e";} gethostbyname($e);'
Segmentation fault

Patching Ghost in Linux systems figures to be a bit more streamlined than the Bash vulnerability affecting Linux, UNIX and Mac OS X systems last fall, with experts suggesting that patches from the respective Linux distributions followed by a system reboot should take care of the issue. So far, Debian 7, Red Hat Enterprise Linux 6 and 7, CentOS 6 and 7 and Ubuntu 12.04 were running vulnerable versions of glibc; all have released updates.

“To be clear, this is NOT the end of the Internet as we know it, nor is it another Heartbleed. In a general sense, it’s not likely to be an easy bug to exploit,” said Rapid7 CSO and Metasploit creator HD Moore. “Still, it could potentially be nasty if exploited so we strongly recommend immediate patching and rebooting.  Without a reboot, services using the old library will not be restarted.”

WordPress XML-RPC PingBack Vulnerability Analysis

Not A New Vulnerability

The vulnerability in WordPress's XML-RPC API is not new. Here is data from the WordPress bug tracker from 7 years ago.

While the vulnerability itself is not new, it has only been within the past couple of years that attack code/tools have been made available. This has certainly helped increase attacks by ScriptKiddies and resulted in more actual DDoS attacks.

WordPress XML-RPC Pingback DDoS Attack Walkthrough

The XML-RPC pingback functionality has a legitimate purpose with regards to linking blog content from different authors. The issue is that this functionality can be abused by attackers to use the XML-RPC pingback feature of a blog site to attack a 3rd party site.

Patsy Proxy Attacks

SpiderLabs colleague Daniel Crowley gave a great presentation at DerbyCon in 2012 entitled "The Patsy Proxy: Getting others to do your dirty work" where he discussed various scenarios for sending attack traffic through 3rd party sites/services that will forward data onto other sites (Slides here). Additionally, there have been tools released in the community that extend this concept. One such tool is called "DDoS attacks via other sites execution tool (DAVOSET)" and it has the capability to send attacks through many different public sites that will forward traffic. Here is an example listing of URLs from DAVOSET -

As you can see, sending attack data through a "Patsy Proxy" site is quite easy. Now let's take a look at the WordPress XML-RPC Pingback issue.

WordPress XML-RPC Pingback DDoS attack

Here is an example attack command using curl -

The YELLOW highlighted data is a WordPress "Patsy Proxy" site while the ORANGE highlighted data is the target/victim website. It is important to note for testing purposes that you must include the "Content-Type: text/xml" request header data otherwise the XML-RPC service will not treat the request as valid and will issue the following response:

With the previous request sent by the attacker, the Patsy Proxy WordPress site then initiates this HTTP request to the target/victim site -

Notice that the format of the HTTP request is only two lines:

  • Host request header

This intelligence can be used by Web Application Firewalls (WAFs) that are protecting the victim sites to identify attack requests. Normal web browsers send many more request headers. While the pingback DDoS attack doesn't utilize any type of amplification as other more recent network protocol attacks (e.g. NTP), requests can cause more damage on the victim site if the URI is initiating a computationally expensive back-end query or process.

Protections

Disable XML-RPC

It is possible to disable the XML-RPC process altogether if you do not want to use it. There are even plugins that will disable it.

Disable Pingback Requests

You may also disable the pingback feature by adding the following to your functions.php file:

Identify Initial Pingback Requests

By using a WAF, you can identify initial pingback XML attack requests on your WordPress site. We have added rules to our commercial SpiderLabs ModSecurity rules package to identify this attack.

Identifying Pingback Initiated Requests on the Victim Site

As mentioned previously, even though the construct of the URI line might be dynamic, the fact is that all proxied XML-RPC pingback requests will only have two lines in the HTTP request. WAFs can be used to identify these anomalies and then respond (perhaps by pushing out IP based blocking to infrastructure systems).
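The two-line anomaly described above and in the walkthrough can be checked on the victim side with a small classifier over raw request heads. This is an added example, not Trustwave's ModSecurity rules; the function names, the per-client threshold and the sample requests and addresses are assumptions constructed for illustration.

```python
from collections import Counter


def header_names(raw_head: bytes) -> list:
    """Return lower-cased header names from a raw HTTP request head."""
    head = raw_head.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0]
    names = []
    for line in head.split(b"\n")[1:]:       # [0] is the request (URI) line
        if not line or line[:1] in (b" ", b"\t"):
            continue                          # blank or folded continuation line
        name, sep, _ = line.partition(b":")
        if sep:
            names.append(name.strip().lower().decode("latin-1"))
    return names


def is_two_line_request(raw_head: bytes) -> bool:
    """True when the request is a request line plus a Host header and nothing else."""
    return header_names(raw_head) == ["host"]


def block_candidates(events, threshold: int = 3) -> list:
    """events: iterable of (client_ip, raw_head). Return IPs at or over threshold.

    The threshold is an assumed tuning knob; a single sparse request can also
    come from a health check or a hand-typed test.
    """
    hits = Counter(ip for ip, head in events if is_two_line_request(head))
    return sorted(ip for ip, count in hits.items() if count >= threshold)


# Constructed sample data: documentation addresses and placeholder host names.
PINGBACK_STYLE = b"GET /?s=report HTTP/1.0\r\nHost: victim.example\r\n\r\n"
BROWSER_STYLE = (
    b"GET / HTTP/1.1\r\nHost: victim.example\r\n"
    b"User-Agent: Mozilla/5.0\r\nAccept: text/html\r\n"
    b"Accept-Language: en\r\n\r\n"
)
SAMPLE_EVENTS = (
    [("192.0.2.10", PINGBACK_STYLE)] * 3
    + [("192.0.2.20", PINGBACK_STYLE)]
    + [("198.51.100.7", BROWSER_STYLE)] * 5
)

if __name__ == "__main__":
    print(block_candidates(SAMPLE_EVENTS))
```

The addresses returned are the proxying WordPress sites, not the attacker, so any block pushed to infrastructure should carry an expiry.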
