Opened 7 years ago
Closed 7 years ago
#41808 closed defect (bug) (invalid)
Attacks against wp.getUsersBlogs with no user name but with a password
Reported by: | Owned by:
Milestone: | Priority: normal
Severity: normal | Version: 4.8
Component: Security | Keywords:
Focuses: rest-api | Cc:
Description
In the past few hours I've seen several attacks that POST to /xmlrpc.php with content like this, resulting in a 200 HTTP response:

POST /xmlrpc.php HTTP/1.1
Content-Type: application/xml
Host: skepticism.us
Content-Length: 173
Connection: Close

<?xml version="1.0"?><methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value></value></param><param><value>123456789</value></param></params></methodCall>
That method is not correctly validating its input.
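As an added example (not code from the ticket or from WordPress), a small Python check that parses XML-RPC request bodies like the one above with the standard-library xmlrpc.client parser and flags wp.getUsersBlogs calls that carry a password but a blank user name, which is enough to count such probes in captured request logs; the CREDENTIAL_METHODS set and the sample bodies are constructed for the example.

```python
"""Flag wp.getUsersBlogs XML-RPC calls that carry a password but no user name."""
from xml.parsers.expat import ExpatError
import xmlrpc.client

# Methods whose first two params are (username, password). Only
# wp.getUsersBlogs appears in the ticket; the set is an assumption so
# other credential-taking methods can be added later.
CREDENTIAL_METHODS = {"wp.getUsersBlogs"}

# Constructed sample bodies: the first mirrors the request in the ticket.
SAMPLE_BODIES = [
    '<?xml version="1.0"?><methodCall><methodName>wp.getUsersBlogs</methodName>'
    '<params><param><value></value></param>'
    '<param><value>123456789</value></param></params></methodCall>',
    '<?xml version="1.0"?><methodCall><methodName>wp.getUsersBlogs</methodName>'
    '<params><param><value>alice</value></param>'
    '<param><value>s3cret</value></param></params></methodCall>',
    '<?xml version="1.0"?><methodCall><methodName>demo.sayHello</methodName>'
    '<params></params></methodCall>',
    'not xml at all',
]


def parse_call(body: str):
    """Return (method_name, params) or None when the body is not a methodCall.

    xmlrpc.client uses expat; for untrusted input at scale, parse with
    defusedxml's xmlrpc monkeypatch or cap the body size first.
    """
    try:
        params, method = xmlrpc.client.loads(body)
    except (ExpatError, xmlrpc.client.ResponseError, ValueError):
        return None
    return method, params


def is_blank_user_probe(body: str) -> bool:
    """True for a credential method called with an empty user name and a non-empty password."""
    parsed = parse_call(body)
    if parsed is None:
        return False
    method, params = parsed
    if method not in CREDENTIAL_METHODS or len(params) < 2:
        return False
    username, password = params[0], params[1]
    return (isinstance(username, str) and username.strip() == ""
            and isinstance(password, str) and password != "")


def count_probes(bodies) -> int:
    """Number of request bodies that match the blank-user-name pattern."""
    return sum(is_blank_user_probe(b) for b in bodies)
```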
Change History (1)
@krader The 200 response contains the results of the WP_Error you would expect. While this doesn't seem to be an actual security issue, if you think something *is* security-related it should be reported responsibly via HackerOne. Disclosing any security issue publicly is dangerous for all WordPress users.