Security Test: WordPress xmlrpc.php Exposed¶
Scanner(s) Support¶
| GraphQL Scanner | REST Scanner | Frontend Scanner |
|---|---|---|
Description¶
Default Severity:
The issue arises when the xmlrpc.php file is exposed and accessible without authentication, allowing attackers to abuse the XML-RPC interface. This can lead to brute-force login attempts, resource-intensive pingbacks, or denial-of-service attacks. Securing or disabling this endpoint is critical to prevent abuse.
Configuration¶
Identifier:
information_disclosure/wordpress_xmlrpc_php_exposed
Examples¶
All configuration available:
Compliance and Standards¶
| Standard | Value |
|---|---|
| OWASP API Top 10 | API7:2023 |
| OWASP LLM Top 10 | LLM06:2023 |
| PCI DSS | 6.5.5 |
| GDPR | Article-32 |
| SOC2 | CC6 |
| PSD2 | Article-95 |
| ISO 27001 | A.14.2 |
| NIST | SP800-53 |
| FedRAMP | AC-6 |
| CWE | 200 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C |
| CVSS Score | 5.1 |