H3-2026-0040
WordPress XML-RPC API Methods Exposed

| Field | Value |
| --- | --- |
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 5.3 |
Description
The WordPress XML-RPC endpoint is publicly accessible and exposes its available methods, including system.multicall. The XML-RPC interface can be abused for credential brute-forcing via the wp.getUsersBlogs or wp.getUsers methods, and system.multicall allows hundreds of login attempts to be batched into a single HTTP request, which sidesteps rate-limiting controls that count requests rather than authentication attempts.
Impact
An attacker can enumerate valid usernames and brute-force credentials at scale using system.multicall to batch authentication attempts. The XML-RPC interface may also be used for pingback-based DDoS amplification or internal port scanning.
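Added example, not part of this advisory: a Python request-body check that a WAF or log pipeline could apply to xmlrpc.php traffic to surface the batching described above. The sample bodies, credentials, method allowlist and threshold are constructed placeholders.

```python
"""Flag system.multicall bodies that batch credential-taking WordPress XML-RPC methods."""
import xmlrpc.client

# Methods that accept a username/password and are the usual targets of batched guessing
CREDENTIAL_METHODS = {"wp.getUsersBlogs", "wp.getUsers"}


def inspect_xmlrpc_body(body: str, max_batch: int = 10) -> dict:
    """Parse one XML-RPC request body and summarise the calls it carries.

    A plain call counts as a batch of 1. A system.multicall is unpacked into its
    nested {methodName, params} structs. The request is flagged when a multicall
    carries any credential-taking method (one request = many login attempts) or
    when the batch exceeds max_batch regardless of method.
    """
    params, method = xmlrpc.client.loads(body)
    calls = [(method, list(params))]
    if method == "system.multicall":
        # multicall params: a single array of structs, one per nested call
        calls = [(c["methodName"], c.get("params", [])) for c in params[0]]
    credential_calls = sum(1 for name, _ in calls if name in CREDENTIAL_METHODS)
    flagged = (method == "system.multicall" and credential_calls > 0) or len(calls) > max_batch
    return {
        "method": method,
        "batch_size": len(calls),
        "credential_calls": credential_calls,
        "flagged": flagged,
    }


def _multicall_body(method: str, attempts: list) -> str:
    """Constructed sample: one system.multicall wrapping several calls to `method`."""
    batch = [{"methodName": method, "params": p} for p in attempts]
    return xmlrpc.client.dumps((batch,), "system.multicall")


# Constructed sample bodies with placeholder credentials (not from any real capture)
PLAIN_LOGIN = xmlrpc.client.dumps(("editor", "placeholder-pw"), "wp.getUsersBlogs")
BATCHED_LOGINS = _multicall_body("wp.getUsersBlogs", [["editor", f"guess{i}"] for i in range(3)])
BENIGN_MULTICALL = _multicall_body("demo.sayHello", [[], []])  # demo.sayHello takes no credentials

if __name__ == "__main__":
    for label, body in [("plain", PLAIN_LOGIN), ("batched", BATCHED_LOGINS), ("benign", BENIGN_MULTICALL)]:
        print(label, inspect_xmlrpc_body(body))
```

A single wp.getUsersBlogs call is ordinary client behaviour and is not flagged on its own; the signal is the multicall wrapper around credential-taking methods, or an oversized batch of anything.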