metasploit-gs/documentation/modules/auxiliary/scanner/http/wordpress_pingback_access.md at 55152da83acd030976ba8d90ff40e0ca9e3cfac0

Files

T

Devansh7006 b9666f5f0e Improve formatting and clarity of WordPress pingback module

Reformatted the verification steps and options for clarity. Removed redundant lines and added example usage.

2026-03-31 12:40:19 +05:30

1.4 KiB

Raw Blame History

Vulnerable Application

This module checks for accessible WordPress pingback functionality.

Pingback is an XML-RPC feature in WordPress that allows blogs to notify each other of references. If enabled, it can be abused for:

DDoS amplification attacks
Internal network scanning
Information disclosure

To test this module:

Set up a WordPress instance (any version with XML-RPC enabled)
Ensure /xmlrpc.php is accessible
Pingback functionality should not be disabled

Verification Steps

Start Metasploit: msfconsole
Load the module: use auxiliary/scanner/http/wordpress_pingback_access
Set the target: set RHOSTS example.com
Run the module: run

If vulnerable, the module will indicate that pingback access is enabled.

Options

This module has no additional options beyond the standard ones.

Scenarios

Example usage against a WordPress site with pingback enabled:

msf > use auxiliary/scanner/http/wordpress_pingback_access
msf auxiliary(scanner/http/wordpress_pingback_access) > set RHOSTS example.com
RHOSTS => example.com
msf auxiliary(scanner/http/wordpress_pingback_access) > run
[*] Checking pingback access on example.com
[+] Pingback is enabled and accessible at /xmlrpc.php
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/http/wordpress_pingback_access) >

1.4 KiB Raw Blame History

Vulnerable Application

Verification Steps

Options

Scenarios

1.4 KiB

Raw Blame History