
xmlrpc.php is publicly exposed at diff.wikimedia.org
Closed, Resolved | Public | Security

Description

Via security@:

During a routine security assessment, I observed that the WordPress XML-RPC endpoint is accessible:

URL:
https://diff.wikimedia.org/xmlrpc.php

Description:
The XML-RPC interface is enabled and publicly accessible. While this is default behavior in WordPress, it has historically been leveraged for:

- Brute force amplification attacks
- Credential stuffing via multicall methods
- Distributed denial-of-service reflection
- Enumeration of enabled methods

Impact:
If not required for operational purposes, leaving XML-RPC enabled may increase the attack surface.

Recommendation:
- Disable XML-RPC if not actively used
- Alternatively restrict access via:
  • Web server rules
  • WAF policy
  • Application firewall filtering
- Implement rate limiting on authentication endpoints

This message is shared in good faith for security awareness purposes.

It's forbidden via GET but can be accessed via POST. We should disable the page or block it via .htaccess et al., as a best practice.
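As an added example, not part of the report or of this task: a WordPress must-use plugin (hypothetical; assumes a self-managed install where wp-content/mu-plugins/ can be written to, unlike a managed host that exposes its own controls) that refuses authenticated XML-RPC use and strips the multicall and pingback methods the report lists as abuse vectors.

```php
<?php
/**
 * Plugin Name: Restrict XML-RPC (hypothetical example)
 *
 * Placed in wp-content/mu-plugins/ so it loads before regular plugins.
 * Assumes a self-managed WordPress install; managed hosts may not allow
 * mu-plugins and provide their own XML-RPC controls instead.
 */

// Option A: the site does not use XML-RPC at all.
// Returning false from 'xmlrpc_enabled' makes wp_xmlrpc_server::login()
// reject every authenticated call. It does NOT block unauthenticated
// methods such as pingback.ping or system.listMethods, so option B below
// is applied as well; the two compose.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Option B: XML-RPC must stay reachable for a legacy client, but the
// high-risk methods are removed from the method table.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    // system.multicall lets a single POST carry hundreds of login attempts
    // (brute-force amplification / credential stuffing); pingback.ping is
    // the reflection vector used for DDoS.
    unset(
        $methods['system.multicall'],
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks']
    );
    return $methods;
} );

// Stop advertising the endpoint: drop the X-Pingback response header and
// the RSD <link> in the page head, both of which point clients at xmlrpc.php.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );

// Close pingbacks globally so no post accepts them even if a theme or
// plugin re-registers the method.
add_filter( 'pings_open', '__return_false' );
```

Where the endpoint is not needed at all, a web-server deny rule on xmlrpc.php (the .htaccess approach mentioned above) is simpler and also stops the unauthenticated methods; this plugin is for the case where the file must stay reachable.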

Details

Risk Rating
Medium
Author Affiliation
Other (Please specify in description)

Event Timeline

sbassett added subscribers: Reedy, mmartorana, CKoerner_WMF.

@CKoerner_WMF - is this something you'd be able to do on your end? Thanks.

sbassett changed Risk Rating from N/A to Medium.

Following the documentation provided by our hosting company I have configured the endpoint accordingly:

"Default: Requests to the XML-RPC endpoint can only be authenticated with an application password."

https://docs.wpvip.com/security-controls/wordpress/xml-rpc/

sbassett claimed this task.
sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.
sbassett added a project: SecTeam-Processed.

Thanks! Resolving for now.

sbassett triaged this task as Medium priority. Mar 9 2026, 5:44 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".