Wordpress XML-RPC listMethods Exposure

The Wordpress XML-RPC system.listMethods exposes standard and custom methods.

wordpress
xml-rcp
listmethods
exposure

XML-RPC system.listMethods is used to view a list of available methods that may be called on the remote system.

Impact

Attackers can use this information to launch various types of attacks against a vulnerable Wordpress installation. For example, it is possible to enumerate the installed blogs as well as users.

Solution

Consider disabling system.listMethods by using XML-RPC method filters.

References

https://codex.wordpress.org/XML-RPC/system.listMethods
https://codex.wordpress.org/XML-RPC_Extending

Was this page helpful?