Description

WordPress provides an XML-RPC interface via the xmlrpc.php script. XML-RPC is remote procedure calling using HTTP as the transport and XML as the encoding. An attacker can abuse this interface to brute force authentication credentials using API calls such as wp.getUsersBlogs.

Remediation

It is possible to disable the XML-RPC script if you do not want to use it. Consult references for a WordPress plugin that does that. If you don't want to disable XML-RPC you can monitor for XML-RPC authentication failures with a Web Application Firewall like ModSecurity.

References

WordPress XML-RPC Brute Force Scanning

Prevent XMLRPC

WordPress brute force attack via wp.getUsersBlogs

Related Vulnerabilities

Oracle E-Business Suite Frame Injection (CVE-2017-3528)

JIRA Security Advisory 2013-02-21

JSP authentication bypass

MongoDB injection

WordPress plugin WPtouch insecure nonce generation

Severity

Medium

Classification

CWE-521 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Abuse Of Functionality Buffer Overflow