Opened 8 years ago
Closed 8 years ago
#41808 closed defect (bug) (invalid)
Attacks against wp.getUsersBlogs with no user name but with a password
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 4.8 |
| Component: | Security | Keywords: | |
| Focuses: | rest-api | Cc: | |
Description
In the past few hours I've seen several attacks that POST to /xmlrpc.php with content like this resulting in a 200 HTTP response:
POST /xmlrpc.php HTTP/1.1
Content-Type: application/xml
Host: skepticism.us
Content-Length: 173
Connection: Close

<?xml version="1.0"?><methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value></value></param><param><value>123456789</value></param></params></methodCall>
That method is not correctly validating its input.
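A request like the one above gets an HTTP 200 whether or not the credentials are valid (the reply carries an XML-RPC fault), so the status code alone does not tell probing apart from legitimate client traffic; the request body does. The following is an added example, not code from the ticket or from WordPress: a small Python detector that parses XML-RPC request bodies with the standard library, unwraps `system.multicall`, flags credential-bearing methods called with an empty username, and raises an alert per source address once a threshold is crossed. The method list, the source IPs and all request bodies other than the one quoted in the ticket are constructed for the demo, and the threshold is an assumed value.

```python
"""Detect XML-RPC credential probing (e.g. wp.getUsersBlogs with an empty
username) by parsing request bodies.  Added example for this ticket; not
code from WordPress.  Source IPs, sample bodies and the method list are
constructed for the demo."""
from collections import Counter
import xmlrpc.client

# WordPress XML-RPC methods whose first two parameters are (username, password).
# Assumption: an illustrative subset, not the complete list.
CREDENTIAL_METHODS = {
    "wp.getUsersBlogs", "wp.getUsers", "wp.getProfile", "wp.getPosts",
    "blogger.getUsersBlogs", "metaWeblog.getUsersBlogs",
}
MAX_BODY = 64 * 1024  # refuse oversized bodies before handing them to a parser


def build_call(method, *params):
    """Serialise a methodCall the way a client would (used to build samples)."""
    return xmlrpc.client.dumps(tuple(params), methodname=method)


def parse_calls(body):
    """Return [(method, params), ...] for one request body.

    system.multicall is unwrapped so each nested call is judged on its own.
    Anything unparseable yields [] instead of raising: the input is
    attacker-controlled, and a crashing detector is worse than no detector.
    """
    if len(body) > MAX_BODY:
        return []
    try:
        params, method = xmlrpc.client.loads(body)
    except Exception:  # ExpatError, ResponseError, Fault, ... all mean "not a call"
        return []
    if method is None:  # a methodResponse, not a methodCall
        return []
    if method == "system.multicall" and params and isinstance(params[0], list):
        calls = []
        for item in params[0]:
            if isinstance(item, dict) and isinstance(item.get("methodName"), str):
                calls.append((item["methodName"], tuple(item.get("params", ()))))
        return calls
    return [(method, tuple(params))]


def classify(method, params):
    """Verdict for a single call."""
    if method not in CREDENTIAL_METHODS:
        return "ok"
    if len(params) < 2 or not all(isinstance(p, str) for p in params[:2]):
        return "malformed-credentials"
    if params[0].strip() == "":
        return "empty-username"  # the pattern reported in the ticket
    return "login-attempt"


def analyse(requests, threshold=3):
    """Count verdicts per source and list the sources over the threshold.

    requests: iterable of (source_ip, body).  Returns (stats, alerts): stats
    maps ip -> Counter of verdicts, alerts is a sorted list of IPs that sent
    at least `threshold` credential-bearing calls (threshold is assumed).
    """
    stats = {}
    for ip, body in requests:
        counts = stats.setdefault(ip, Counter())
        calls = parse_calls(body)
        if not calls:
            counts["unparseable"] += 1
        for method, params in calls:
            counts[classify(method, params)] += 1
    alerts = sorted(ip for ip, c in stats.items()
                    if c["empty-username"] + c["login-attempt"] >= threshold)
    return stats, alerts


# The body quoted in the ticket, verbatim.
TICKET_BODY = (
    '<?xml version="1.0"?><methodCall><methodName>wp.getUsersBlogs</methodName>'
    '<params><param><value></value></param>'
    '<param><value>123456789</value></param></params></methodCall>'
)

# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLE_REQUESTS = [
    ("198.51.100.7", TICKET_BODY),
    ("198.51.100.7", build_call("wp.getUsersBlogs", "", "password1")),
    ("198.51.100.7", build_call("system.multicall", [
        {"methodName": "wp.getUsersBlogs", "params": ["", "qwerty"]},
        {"methodName": "wp.getUsersBlogs", "params": ["admin", "qwerty"]},
    ])),
    ("203.0.113.9", build_call("demo.sayHello")),
    ("203.0.113.9", "<methodCall><methodName>wp.getUsersBlogs"),  # truncated body
]

if __name__ == "__main__":
    stats, alerts = analyse(SAMPLE_REQUESTS)
    for ip, counts in stats.items():
        print(ip, dict(counts))
    print("alert:", alerts)
```

Running it reports three empty-username calls and one ordinary login attempt from 198.51.100.7 (two of them hidden inside one `system.multicall` envelope) and alerts on that address, while the second source only produces an "ok" and an "unparseable" count. Unwrapping `system.multicall` matters because a single POST can carry many guesses, so counting POSTs instead of calls under-reports the attack rate.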
Change History (1)
@krader The 200 response contains the results of the WP_Error you would expect. While this doesn't seem to be an actual security issue, if you think something *is* security related it should be reported responsibly via HackerOne. Disclosing any security issue publicly is dangerous for all WordPress users.