Enumerating WordPress With XML-RPC

01/31/2023

During a recent pentest engagement, I was reminded of an enumeration technique with WordPress. The weakness lies in XML-RPC being enabled in WordPress, and the exposure only grows if you have credentials to test against the WordPress instance.

Even though a lack of credentials returns less information to you as the attacker, you can still gather some decent nuggets to move your pentest engagement along. First, run WPScan against the WordPress target to determine whether XML-RPC is enabled:

wpscan --url https://target.com

You should see the following in the output (WPScan even lists some Metasploit modules you can use to automate this task):

Once you've confirmed that XML-RPC is enabled, capture a request using Burp Suite, change the 'GET' request to a 'POST' request, and point it at the /xmlrpc endpoint. Send the request and check that you receive a 200 status response. If you do, copy the methodCall below to the bottom of your POST request, and you should see a list of methods returned that you can run on the WordPress instance.

From there, you should see a list of methods and can go forth with your imagination. Lastly, I should note that in order to run some of the listed methods, you will need credentials. If you do not have credentials, you can brute force user IDs or usernames to further focus your attacks.
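
For the defending side, the POST traffic described above is visible in the web server's access log. The following is an added example, not part of the original post: it counts POST requests to paths beginning with /xmlrpc per source address in a sliding window. The log lines, addresses, threshold and window are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined log format), not from the post:
# one source sending a burst of XML-RPC POSTs, one occasional client, one GET.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [31/Jan/2023:10:00:{s:02d} +0000] '
     f'"POST /xmlrpc.php HTTP/1.1" 200 4272 "-" "-"' for s in range(0, 12, 2)]
    + ['198.51.100.20 - - [31/Jan/2023:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "-"',
       '198.51.100.20 - - [31/Jan/2023:10:05:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "-"',
       '192.0.2.5 - - [31/Jan/2023:10:00:07 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "-"']
)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def xmlrpc_posts(log_text):
    """Yield (ip, timestamp) for each POST to a path starting with /xmlrpc."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0].lower()
        if path.startswith("/xmlrpc"):
            yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")

def flag_sources(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak_count} for sources reaching `threshold` POSTs in one window."""
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    peaks = {}
    for ip, ts in sorted(xmlrpc_posts(log_text), key=lambda e: e[1]):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop requests older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

if __name__ == "__main__":
    for ip, count in flag_sources(SAMPLE_LOG).items():
        print(f"{ip}: {count} XML-RPC POSTs within 60s")
```

Tune the threshold and window to the site's legitimate XML-RPC clients before alerting on the result.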


Signed_Ro0t