My Thoughts...

Testing for XML-RPC multicall vulnerabilities in WordPress

This post is a response to Sucuri's disclosure last week about the possibility of brute force attacks against WordPress via XML-RPC's multicall method.

Never heard of multicall? You're not alone. Multicall allows you to send multiple XML-RPC requests in one POST, allowing, in theory, a bad guy to try hundreds of sets of credentials in a single request. Due to the lack of documentation available online, it took me a while to get the syntax right, but I did get it sorted out, so, to save you some headache, here's code that will try 39 incorrect sets of credentials and then, if you change the details near the end (MYREALUSERNAME and MYREALPASSWORD), will try the correct credentials. If you POST this to your site's xmlrpc.php and get back a list of your users at the end of the response, that means you weren't blocked by any of your existing security tools and you are vulnerable.

The XML to POST is here: https://gist.github.com/samhotchkiss/5a74d6de2ae99eec62a4
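To see what a security tool has to catch here, the following is an added example (not code from the original post or the linked gist): a defender-side check that parses an XML-RPC request body and counts how many nested sub-calls would trigger a password check, so a reverse proxy, WAF rule or log-review script can flag a single POST that packs many login attempts. The `threshold` value and the sample request bodies are constructed assumptions; the method list covers WordPress XML-RPC methods that take a username and password.

```python
import xmlrpc.client
from xml.parsers.expat import ExpatError

# WordPress XML-RPC methods that accept a username and password, i.e. the
# ones a multicall brute force can wrap. wp.getUsersBlogs is the usual choice.
CREDENTIAL_METHODS = {
    "wp.getUsersBlogs", "wp.getProfile", "wp.getUsers",
    "wp.getOptions", "blogger.getUsersBlogs",
}


def count_login_attempts(body: bytes) -> int:
    """Return how many password checks one request body would cause.

    A plain request counts as at most one attempt; a system.multicall request
    counts every nested credential-taking sub-call. Bodies that are not valid
    XML-RPC count as zero (the server will reject them on its own).
    """
    try:
        params, method = xmlrpc.client.loads(body)
    except (ExpatError, xmlrpc.client.Fault):
        return 0
    if method != "system.multicall":
        return 1 if method in CREDENTIAL_METHODS else 0
    # multicall carries a single param: an array of {methodName, params} structs
    calls = params[0] if params and isinstance(params[0], list) else []
    return sum(
        1 for call in calls
        if isinstance(call, dict) and call.get("methodName") in CREDENTIAL_METHODS
    )


def is_multicall_brute_force(body: bytes, threshold: int = 5) -> bool:
    """Flag a request that carries more login attempts than a legitimate
    client would ever bundle into one POST (threshold is an assumed limit)."""
    return count_login_attempts(body) > threshold


# Constructed sample bodies (test input only, built with the stdlib marshaller):
# three wp.getUsersBlogs guesses plus one harmless call in a single multicall,
# one plain wp.getUsersBlogs call, and a truncated body.
SAMPLE_MULTICALL = xmlrpc.client.dumps((
    [{"methodName": "wp.getUsersBlogs", "params": ["admin", f"guess{i}"]}
     for i in range(3)]
    + [{"methodName": "system.listMethods", "params": []}],
), methodname="system.multicall").encode()
SAMPLE_SINGLE = xmlrpc.client.dumps(("admin", "guess0"),
                                    methodname="wp.getUsersBlogs").encode()
SAMPLE_TRUNCATED = b"<?xml version='1.0'?><methodCall><methodName>system.multi"
```

Run over captured POST bodies to xmlrpc.php, a count above the threshold is the signal a rate limiter keyed on requests (rather than on credential checks) would otherwise miss.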

In our testing, we confirmed that Jetpack Protect (and BruteProtect) DO block this attack vector. If you're running Jetpack with Protect enabled or you're running BruteProtect, you don't need to do anything to keep yourself safe from this; we've got your back!