CMS frameworks such as WordPress and Drupal ship an XML-RPC endpoint (typically xmlrpc.php at the site root) for making procedure calls between disparate environments.

XML-RPC is a remote procedure call (RPC) protocol that uses XML to encode its calls and HTTP as the transport, so software running on different operating systems in different environments can invoke procedures over the internet. "XML-RPC" is also used generically for any use of XML for remote procedure calls, independent of the specific protocol. The protocol should be distinguished from its implementations: older versions of the XML-RPC for PHP library were affected by a remote code-injection vulnerability that let an attacker execute arbitrary commands or code in the context of the web server, which may facilitate further attacks, including unauthorized remote access.

Working of XML-RPC:

In XML-RPC, the client (the software that wants to call a single method on a remote system) sends an HTTP POST request to a server implementing the protocol. Multiple input parameters can be passed to the remote method, and exactly one return value comes back. Parameter types can be nested (structs and arrays), so a larger request structure can be transported; XML-RPC can therefore carry objects or structures both as input and as output parameters.

The main difference between REST and XML-RPC is that REST transfers resource representations (documents), whereas XML-RPC is designed to call methods.

An exposed XML-RPC endpoint lets an attacker invoke whatever methods the server registers, which on a CMS can include file and content management calls and the system.* introspection methods, and that is dangerous for both the application and the servers behind it. The endpoint can also be used to mount a successful DoS attack against the application: on WordPress, pingback.ping has been abused to generate reflected DDoS traffic, and system.multicall lets many login attempts be packed into a single request, amplifying brute-force attacks. Public exploits for specific XML-RPC implementations are also available, and an attacker can use them to leverage the presence of XML-RPC on the application server.

Detection of XML-RPC:

Crawl the full web application to see whether XML-RPC is being used; on WordPress and Drupal the endpoint is usually xmlrpc.php. Once you have the URL, request it in a browser. A plain GET is enough to confirm the endpoint is live; WordPress, for example, answers with the text "XML-RPC server accepts POST requests only."

The Burp Suite response for that GET request is shown in the screenshot below.

After confirming that XML-RPC is enabled on the server, an attacker can craft an XML request that lists every method the server exposes, as shown below: change the GET to a POST with Content-Type text/xml and put a methodCall for system.listMethods in the request body.

As observed in the screenshot, many dangerous methods such as file.delete, node.delete and file.create are allowed on the server side, and an attacker can use these methods to perform malicious activity. Exploits for remote code execution through XML-RPC are available on Exploit-DB for specific affected implementations.
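The request and response encoding described under "Working of XML-RPC" and the system.listMethods enumeration step above, as an added example in Python that is not part of the original article or of any product it mentions. It uses only the standard library (xmlrpc.client builds and parses the XML); the WATCHLIST set, the two sample responses and the probe helper's target URL are constructed for illustration, and enumerate_methods only talks to the network when you call it with a target you are authorised to test.

```python
"""Build XML-RPC calls, decode responses, and flag risky methods on an endpoint.

Added example (not from the original article). Standard library only.
"""
import xmlrpc.client
from urllib.request import Request, urlopen

# Methods whose presence on an unauthenticated endpoint deserves a closer look.
# Constructed list: the Drupal Services-style names from the article plus two
# WordPress methods that are commonly abused. Extend it for the CMS under test.
WATCHLIST = {
    "file.create", "file.delete", "node.delete",   # content/file management
    "pingback.ping", "system.multicall",           # DDoS reflection / brute-force amplification
}


def build_request(methodname, *params):
    """Encode a <methodCall>. Nested dicts/lists become <struct>/<array> values."""
    return xmlrpc.client.dumps(params, methodname=methodname)


def decode_request(body):
    """Decode a request body into (params, methodname): what the server sees."""
    params, methodname = xmlrpc.client.loads(body)
    return params, methodname


def parse_response(body):
    """Return the single return value of a <methodResponse>; raises Fault on <fault>."""
    params, _ = xmlrpc.client.loads(body)
    return params[0]


def fault_code(body):
    """Return the faultCode if body is a <fault> response, otherwise None."""
    try:
        xmlrpc.client.loads(body)
    except xmlrpc.client.Fault as fault:
        return fault.faultCode
    return None


def flag_methods(methods):
    """Sorted subset of methods that appear in WATCHLIST."""
    return sorted(m for m in methods if m in WATCHLIST)


def enumerate_methods(url, timeout=10):
    """Live check: POST system.listMethods to url and return the method list."""
    req = Request(url, data=build_request("system.listMethods").encode(),
                  headers={"Content-Type": "text/xml"}, method="POST")
    with urlopen(req, timeout=timeout) as resp:
        return list(parse_response(resp.read()))


# Constructed sample response, shaped like the output of system.listMethods
# on a CMS endpoint; it is not a capture from a real site.
SAMPLE_RESPONSE = """<?xml version="1.0"?>
<methodResponse><params><param><value><array><data>
<value><string>system.listMethods</string></value>
<value><string>system.multicall</string></value>
<value><string>file.create</string></value>
<value><string>file.delete</string></value>
<value><string>node.delete</string></value>
<value><string>pingback.ping</string></value>
</data></array></value></param></params></methodResponse>"""

# Constructed fault response of the kind returned for an unknown method.
FAULT_RESPONSE = """<?xml version="1.0"?>
<methodResponse><fault><value><struct>
<member><name>faultCode</name><value><int>-32601</int></value></member>
<member><name>faultString</name><value><string>requested method not found</string></value></member>
</struct></value></fault></methodResponse>"""

if __name__ == "__main__":
    # Request body exactly as it would be sent to xmlrpc.php
    print(build_request("system.listMethods"))
    # A nested struct parameter, as the protocol section describes
    print(build_request("node.delete", {"nid": 7, "tags": ["a", "b"]}))
    print("watchlist hits:", flag_methods(parse_response(SAMPLE_RESPONSE)))
    print("fault code:", fault_code(FAULT_RESPONSE))
    # enumerate_methods("https://target.example/xmlrpc.php")  # hypothetical URL; authorised targets only
```

The same functions parse whatever the real endpoint returns; an endpoint that answers system.listMethods with a fault rather than a list is usually one where introspection is disabled, not one where XML-RPC is off, so treat a -32601 on listMethods as "still worth probing known method names".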


Mitigation with Indusface Total Application Security:

Indusface Total Application Security reports this remote code execution finding in its scan results, and you can request a custom rule and a proof of concept for the vulnerability through the portal; the web application firewall then blocks attack requests to the endpoint before they reach the application. Independently of the WAF, if the application does not need XML-RPC, deny access to it at the web server by adding the following to the site's .htaccess file (Apache 2.2 syntax; on Apache 2.4 put Require all denied inside the same <Files> block, because Order/Deny is honoured there only when mod_access_compat is loaded):

<Files xmlrpc.php>
Order allow,deny
Deny from all
</Files>

Blocking xmlrpc.php also cuts off legitimate clients that depend on it, such as mobile apps and Jetpack on WordPress, so confirm nothing needs the endpoint before denying it.


Founder & Chief Marketing Officer, Indusface

Venky has played multiple roles within Indusface for the past 6 years. Prior to this, as the CTO at Indusface, Venky built the product/service offering and technology team from scratch, and grew it from ideation to getting initial customers with a proven, validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in the security industry and held various management and leadership roles in Product Development, Professional Services and Sales at Entrust.