A security hole in WordPress’ Pingback system – a mechanism utilized by web authors to know when someone links to one of their documents – can be leveraged by cybercriminals to launch distributed denial-of-service (DDOS) attacks.
According to Bogdan Calin of Acunetix, the WordPress XMLRPC API, which can be accessed via the xmlrpc.php file, can be abused not only for DDOS attacks, but also to find out if a host exists on the internal network, to port scan hosts inside the network, and even to reconfigure an internal router.
The expert reveals that users can only protect themselves by renaming or deleting the xmlrpc.php file.
The vulnerability was reported to Automattic, the developers of WordPress, around 6 years ago, but the ticket was closed at the time after someone argued that “there are so many ways to orchestrate a DDOS attack.”
Five days ago, the ticket was re-opened after a script that took advantage of the Pingback API was released.