get_vulnerabilities(); $url = get_site_url() . '/xmlrpc.php'; // First check if the xmlrpc.php file returns a 405 code. $is_available = wp_remote_get( $url, array( 'timeout' => 5 ) ); $is_available_code = wp_remote_retrieve_response_code( $is_available ); if ( 405 !== $is_available_code ) return; // Try an authenticated request. $authenticated_body = 'wp.getUsers1usernamepassword'; $authenticated_response = wp_remote_post( $url, array( 'body' => $authenticated_body ) ); if ( is_wp_error( $authenticated_response ) ) { // The authenticated_response returned a WP_Error. error_log( $authenticated_response->get_error_message() ); } else { if ( preg_match( '/Incorrect username or password.<\/string>/', $authenticated_response['body'] ) ) { $this->add_vulnerability( __( 'The XML-RPC interface is enabled. This significantly increases your site\'s attack surface.', 'wpscan' ), 'medium', sanitize_title( $url ), 'https://blog.wpscan.com/2021/01/25/wordpress-xmlrpc-security.html' ); return; } else { // Try an unauthenticated request. $unauthenticated_body = 'demo.sayHello'; $unauthenticated_response = wp_remote_post( $url, array( 'body' => $unauthenticated_body ) ); if ( preg_match( '/Hello!<\/string>/', $unauthenticated_response['body'] ) ) { $this->add_vulnerability( __( 'The XML-RPC interface is partly disabled, but still allows unauthenticated requests.', 'wpscan' ), 'low', sanitize_title( $url ), 'https://blog.wpscan.com/2021/01/25/wordpress-xmlrpc-security.html' ); } } } } }