Reputation: 87
Maybe this is off topic, but it is an important aspect for me, so I am now asking you guys:
I have a website that contains the xmlrpc.php file. Is it vulnerable to an XXE attack, e.g. if anyone can pull out all the methods by using system.listMethods? I hope you understand what I am talking about. How can an attacker exploit it?
Thank you.
Upvotes: 1
Views: 2122
Reputation: 331
Assuming you are referring to the WordPress xmlrpc.php file, the short answer is: no.
The long answer is:
WordPress uses (a fork of) the Incutio XMLRPC library to parse incoming XML. You can find it in your installation's wp-includes/IXR folder.
That library uses a family of functions from a PHP extension known as "XML Parser" (which under the hood implements a libexpat-compatible API on top of libxml2).
And the XML Parser by default does no parsing of external XML entities. The only way to make that happen is to explicitly add a call to xml_set_external_entity_ref_handler. You can grep through your codebase and, as long as you find no trace of that, you are safe.
On a side note: the phpxmlrpc library, also commonly used as an alternative to IXR to add xml-rpc support to PHP apps, is also immune to XXE attacks. Since 2025/2/14 it even includes a test for that in its CI suite...
Upvotes: 0
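The check the answer above describes (look for any call to xml_set_external_entity_ref_handler in the codebase), as an added example that is not part of the original answer or of WordPress. It walks a PHP tree with PHP's own tokenizer instead of grep, so the function name appearing inside a comment or a string literal is not reported as a call site. The script name, the root path and the constructed sample source in the comments are assumptions.

```php
<?php
/**
 * Added example (not from the original thread): report every real call to
 * xml_set_external_entity_ref_handler() under a directory. That is the one call
 * that makes PHP's XML Parser extension hand external entity references to
 * application code; with no such call the extension leaves them unexpanded.
 *
 * Usage (hypothetical script name and path):
 *   php find-entity-handlers.php /var/www/html
 */

const HANDLER_FUNCTION = 'xml_set_external_entity_ref_handler';

/**
 * Line numbers at which HANDLER_FUNCTION is invoked in $source.
 * Comments and string literals are ignored because their tokens never equal the
 * bare function name followed by '('.
 */
function find_handler_calls_in_source( $source ) {
    $lines  = array();
    $tokens = token_get_all( $source );
    $count  = count( $tokens );
    for ( $i = 0; $i < $count; $i++ ) {
        $tok = $tokens[ $i ];
        // Accept "name(" and "\name(" (fully qualified call).
        if ( ! is_array( $tok ) || strcasecmp( ltrim( $tok[1], '\\' ), HANDLER_FUNCTION ) !== 0 ) {
            continue;
        }
        // The next significant token must be '(' for this to be a call.
        for ( $j = $i + 1; $j < $count; $j++ ) {
            $next = $tokens[ $j ];
            if ( is_array( $next ) && in_array( $next[0], array( T_WHITESPACE, T_COMMENT, T_DOC_COMMENT ), true ) ) {
                continue;
            }
            if ( $next === '(' ) {
                $lines[] = $tok[2]; // line number recorded by the tokenizer
            }
            break;
        }
    }
    return $lines;
}

/** Map of file path => list of line numbers for every .php file under $root. */
function find_external_entity_handlers( $root ) {
    $hits  = array();
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $files as $file ) {
        if ( strtolower( $file->getExtension() ) !== 'php' ) {
            continue;
        }
        $lines = find_handler_calls_in_source( file_get_contents( $file->getPathname() ) );
        if ( $lines ) {
            $hits[ $file->getPathname() ] = $lines;
        }
    }
    return $hits;
}

// Constructed self-check: a comment mention is ignored, a real call is reported on line 3.
$sample = "<?php\n// xml_set_external_entity_ref_handler mentioned in a comment\n"
        . "xml_set_external_entity_ref_handler(\$parser, 'cb');\n";
assert( find_handler_calls_in_source( $sample ) === array( 3 ) );

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
    $hits = find_external_entity_handlers( $argv[1] );
    if ( ! $hits ) {
        echo "No call to " . HANDLER_FUNCTION . " found under {$argv[1]}\n";
    }
    foreach ( $hits as $path => $lines ) {
        echo $path . ': line(s) ' . implode( ', ', $lines ) . "\n";
    }
}
```

A hit is not automatically a vulnerability: it only tells you where to read the handler and decide whether the external entity it resolves is something an attacker can influence. No hit at all means the extension keeps its default of not resolving external entities, which is the property the answer relies on.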
Reputation: 51
IDK about XXE, but you should prefer the REST API over XMLRPC because it is vulnerable to DDoS amplification, XSPA, SSRF and brute force. Otherwise, if you really need it, restrict it to the trusted IP addresses that you want to allow to use XMLRPC, so that attackers can't abuse it.
Upvotes: 0
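One way to implement the "restrict it to trusted IP addresses" advice inside WordPress itself, as an added example that is not from the original answer or from WordPress: a must-use plugin that answers 403 to any XML-RPC request from outside an allowlist. The file name, the allowlist ranges (RFC 5737 documentation addresses) and IPv4-only matching are assumptions; XMLRPC_REQUEST, status_header() and the xmlrpc_enabled filter are real WordPress names.

```php
<?php
/**
 * Added example (not from the original thread): wp-content/mu-plugins/xmlrpc-allowlist.php
 * (hypothetical file name). Lets only trusted IPv4 addresses/CIDR ranges reach
 * xmlrpc.php and sends 403 to everyone else.
 *
 * Assumptions: IPv4 only, and $_SERVER['REMOTE_ADDR'] is the real client address.
 * Behind a reverse proxy the web server must populate REMOTE_ADDR from the proxy's
 * forwarded header first, otherwise every request appears to come from the proxy.
 */

// Constructed allowlist; replace with the networks that legitimately need XML-RPC.
const XMLRPC_TRUSTED_CIDRS = array(
    '203.0.113.0/24',   // e.g. an office or build network
    '198.51.100.7',     // e.g. a single publishing client (no mask = /32)
);

/** True when dotted IPv4 $ip lies inside $cidr ("a.b.c.d/n" or a bare address). */
function xmlrpc_ip_in_cidr( $ip, $cidr ) {
    if ( strpos( $cidr, '/' ) === false ) {
        $cidr .= '/32';
    }
    list( $subnet, $bits ) = explode( '/', $cidr, 2 );
    $ip_long     = ip2long( $ip );
    $subnet_long = ip2long( $subnet );
    $bits        = (int) $bits;
    if ( $ip_long === false || $subnet_long === false || $bits < 0 || $bits > 32 ) {
        return false; // malformed input never matches
    }
    // /0 matches everything; otherwise a mask with the top $bits bits set.
    $mask = ( 0 === $bits ) ? 0 : ( ( -1 << ( 32 - $bits ) ) & 0xFFFFFFFF );
    return ( $ip_long & $mask ) === ( $subnet_long & $mask );
}

/** True when $ip matches at least one allowlist entry. */
function xmlrpc_ip_is_trusted( $ip, $cidrs = XMLRPC_TRUSTED_CIDRS ) {
    foreach ( $cidrs as $cidr ) {
        if ( xmlrpc_ip_in_cidr( $ip, $cidr ) ) {
            return true;
        }
    }
    return false;
}

// Constructed self-checks of the matcher.
assert( xmlrpc_ip_is_trusted( '203.0.113.200' ) === true );
assert( xmlrpc_ip_is_trusted( '198.51.100.7' ) === true );
assert( xmlrpc_ip_is_trusted( '198.51.100.8' ) === false );
assert( xmlrpc_ip_is_trusted( 'not-an-ip' ) === false );

// xmlrpc.php defines XMLRPC_REQUEST before it loads WordPress, so this branch runs
// for every XML-RPC call, pingback.ping and system.listMethods included. The
// 'xmlrpc_enabled' filter would not be enough: it only gates methods that need a login.
if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
    $client = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    if ( ! xmlrpc_ip_is_trusted( $client ) ) {
        status_header( 403 );
        header( 'Content-Type: text/plain; charset=utf-8' );
        echo "XML-RPC is restricted to trusted networks.\n";
        exit;
    }
}
```

Doing the same restriction in the web server (an Apache `<Files>` block or an nginx `location = /xmlrpc.php` with `allow`/`deny`) rejects the request before PHP starts at all, which also removes the CPU cost of the brute-force and amplification traffic the answer mentions; the mu-plugin is the portable fallback when you cannot change the server configuration.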
Reputation: 129
In default settings, XMLRPC is not vulnerable to XXE attacks in Java and Python. You can check it here: http://www.securiteam.com/securitynews/6D0100A5PU.html
Upvotes: -1