WordPress Pingback Vulnerability

A vulnerability has been discovered in WordPress's pingback mechanism (the pingback.ping API of xmlrpc.php). At least four ways to abuse it are known, one of which can even lead to a distributed DoS (Denial of Service) attack. Attacks of this kind are known as XSPA/SSRF (Cross Site Port Attack / Server Side Request Forgery). Bogdan Calin of Acunetix writes about it:


Recently somebody posted on Reddit about a WordPress scanner that is taking advantage of a new WordPress vulnerability. The vulnerability is abusing the Pingback system, which is a well-known feature that’s used by a lot of bloggers.

WordPress has an XMLRPC API that can be accessed through the xmlrpc.php file. One of the methods exposed through this API is the pingback.ping method. With this method, other blogs can announce pingbacks. When WordPress is processing pingbacks, it’s trying to resolve the source URL, and if successful, will make a request to that URL and inspect the response for a link to a certain WordPress blog post. If it finds such a link, it will post a comment on this blog post announcing that somebody mentioned this blog post in their blog.

This can be abused in at least four ways:

Read more at Acunetix:
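Because the server fetches whatever source URL a pingback.ping call names, a defender can vet that URL before any request is made. The sketch below is an added example, not code from this post, Acunetix or WordPress; it parses an XML-RPC body and classifies the source URI. The size cap, the allowed ports and all function names are assumptions, and the sample requests are constructed.

```python
import ipaddress
import xmlrpc.client
from urllib.parse import urlsplit

MAX_BODY = 8192           # assumed cap; a pingback call is a few hundred bytes
ALLOWED_PORTS = (None, 80, 443)  # assumed policy: default web ports only

def pingback_source(body: str):
    """Return sourceURI if body is pingback.ping(sourceURI, targetURI), else None."""
    if len(body) > MAX_BODY:
        raise ValueError("XML-RPC body exceeds size cap")
    params, method = xmlrpc.client.loads(body)
    if method != "pingback.ping" or len(params) != 2:
        return None
    return str(params[0])

def classify_source(uri: str) -> str:
    """Decide whether the server may fetch this pingback source URL."""
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https"):
        return "reject: scheme"
    if not parts.hostname:
        return "reject: no host"
    try:
        port = parts.port
    except ValueError:
        return "reject: bad port"
    if port not in ALLOWED_PORTS:
        return "reject: non-web port"
    try:
        ip = ipaddress.ip_address(parts.hostname)
    except ValueError:
        # A hostname: resolve it, run the address test on the result,
        # and connect to that same address so DNS cannot change in between.
        return "resolve-then-check"
    return "allow" if ip.is_global else "reject: non-public address"

def review(body: str) -> str:
    src = pingback_source(body)
    return "not-pingback" if src is None else classify_source(src)

def sample(source_uri: str) -> str:
    """Constructed pingback.ping request body for the demo."""
    return xmlrpc.client.dumps((source_uri, "https://blog.example/?p=1"),
                               methodname="pingback.ping")

if __name__ == "__main__":
    for src in ("http://127.0.0.1:22/", "http://10.0.0.5/", "http://blog.example/post"):
        print(src, "->", review(sample(src)))
```

A literal IP address is judged directly; a hostname is only marked for resolution, since the address test has to run on what the name actually resolves to at fetch time.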

