**Description:**
XML-RPC on WordPress is actually an API that allows developers who make 3rd party application and services the ability to interact to your WordPress site. The XML-RPC API that WordPress provides several key functionalities that include:
Publish a post
Edit a post
Delete a post.
Upload a new file (e.g. an image for a post)
Get a list of comments
Edit comments
For instance, the Windows Live Writer system is capable of posting blogs directly to WordPress because of XML-RPC.
Unfortunately on the normal installation (not tampered with settings, and/or configs) of WordPress the XML-RPC interface opens two kinds of attacks:
XML-RPC pingbacks
Brute force attacks via XML-RPC
##References
https://medium.com/@the.bilal.rizwan/wordpress-xmlrpc-php-common-vulnerabilites-how-to-exploit-them-d8d3c8600b32
https://medium.com/@protector47/how-to-hack-wordpress-website-via-xmlrpc-php-61c813fa3740
https://hackerone.com/reports/325040?fbclid=IwAR0qgG-Xfzfi8epruslb_aB91f-Nj8DitF0su8O9ibFKSFdvefJ8h_qWNyc
https://hackerone.com/reports/752073?fbclid=IwAR2i3AM4woHlr01MvyJR-Vu485XQg_gxb1doWmAhSBTfxPK9cUSRFxO2iFo
## Impact
–>XML-RPC pingbacks
–>Brute force attacks via XML-RPC
## System Host(s)
âââ.org
## Affected Product(s) and Version(s)
## CVE Numbers
## Steps to Reproduce
1) Go to https://âââââââââ.org/xmlrpc.php to check if it is enabled or not.
2)If it is enabled, change the HTTP header to POST and make the following requests as shown in the POC
## Suggested Mitigation/Remediation Actions
Disable or remove the xmlrpc.php file completely.Read More