XMLRPC bruteforcer – An XMLRPC Brute Forcer targeting WordPress

XMLRPC bruteforcer Logo - An XMLRPC Brute Forcer For WordPress xploitlab

What is XMLRPC ?

XML-RPC is a remote procedure call (RPC) protocol which uses XML to encode its calls and HTTP as a transport mechanism.

In WordPress XML-RPC is a specification that aims to standardize communications between different systems. It uses HTTP as the transport mechanism and XML as encoding mechanism which allows for a wide range of data to be transmitted.

what is XMLRPC xploitlab

The meaning is XML-RPC on WordPress is actually an API or “application program interface“. It gives developers who make mobile apps, desktop apps and other services the ability to talk to your WordPress site. The XML-RPC API that WordPress provides gives developers a way to write applications (for you) that can do many of the things that you can do when logged into WordPress via the web interface. These include:

  • Publish a post
  • Edit a post
  • Delete a post.
  • Upload a new file (e.g. an image for a post)
  • Get a list of comments
  • Edit comments

Common Vulnerabilities in XML-RPC

The main weaknesses associated with XML-RPC are: Brute force attacks: Attackers try to login to WordPress using xmlrpc.php .

You can try to Brute Force your own XML-RPC with tool called “XML-RPC brute-forcer“. Learn how attacker can exploit your site with this vulnerability.

Whats is XML-RPC brute-forcer

An XMLRPC brute forcer targeting WordPress written in Python 3. In the context of xmlrpc brute forcing, its faster than Hydra and WpScan. It can brute force 1000 passwords per second.


python3 xmlrcpbruteforce.py http://wordpress.org/xmlrpc.php passwords.txt username
python3 xmlrpcbruteforce.py http://wordpress.org/xmlrpc.php passwords.txt userlist.txt 


If you get an xml.etree.ElementTree.ParseError:

  • Did you forget to add ‘xmlrpc’ in the url ?
  • Try to add or remove ‘https’ or ‘www’.

I’m working on the Exception Handling. Will fix it soon.


XMLRPC bruteforcer - An XMLRPC Brute Forcer For WordPress xploitlab

You May Also Like

Leave a Reply

Your email address will not be published. Required fields are marked *

9 + 11 =