Pingback Function in WordPress Vulnerable To Malicious Use, Serves As Attack Tool

A vulnerability (or unintended function) in WordPress that was dismissed six years ago as something not worth bothering with has been given a second glance now that the issue has been exposed to a wider audience. The problem revolves around the pingback function being used as a means to map remote hosts, which can have problematic results for organizations using the blogging platform.

Pingbacks are a way for a blog owner to see who is linking to their stories. Six years ago, it was discovered that the feature could be used to scan remote hosts (both internal networks and those that are forward-facing) by altering the pingback link.

This distributed scanning function, something that clearly wasn’t intended when pingbacks were implemented for the XMLRPC API, could lead to DDoS conditions in addition to information exposure.

The problem is that when the issue was first brought to WordPress’ attention, it was dismissed. “There are so many ways to orchestrate a DDOS, I don’t know if this is worth bothering with,” commented WordPress developer Ryan Boren at the time. 

Now, a new tool has been released that automates the pingback vulnerability.

“WordPress exposes a so called Pingback API to link to other blog posts. Using this feature you can scan other hosts on the intra- or internet via this server. You can also use this feature for some kind of distributed port scanning: You can scan a single host using multiple WordPress Blogs exposing this API,” the tool’s instructions explain.

While organizations that host their own WordPress installations are at risk, so are the countless servers owned by hosting providers. That risk is elevated because WordPress is often featured as a one-click install in hosting account promotions, and millions of installations have been left abandoned.

“From the tests I’ve carried out, I’ve seen that WordPress is also supporting URLs with credentials,” explains Acunetix’s Bogdan Calin.

According to his notes, an attacker could use a URL like the one below to reconfigure the internal router.

http://admin:[email protected]/changeDNS.asp?newDNS=aaaa

“This can also be used for distributed DOS (Denial of Service) attacks. An attacker can contact a large number of blogs and ask them to pingback a target URL. All of these blogs will attack the target URL,” he adds.

Moreover, attackers can abuse the pingback to guess hosts inside the internal network: URLs such as http://subversion/, http://bugzilla/ or http://dev/ can be used to see whether these hosts exist internally.
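The request pattern described above (a pingback.ping call whose sourceURI carries credentials, points at a private address, or names a single-label intranet host) is what a defender would want to catch before the blog server makes the outbound fetch. The following Python checker is an added example, not code from the article or from WordPress: it parses a pingback.ping XML-RPC body, extracts sourceURI and targetURI, and flags the patterns the article describes, plus two generalizations (non-HTTP schemes and a targetURI that does not point at the blog's own hostname). The request bodies, hostnames and credentials in it are constructed placeholders.

```python
"""Inspect WordPress XML-RPC pingback.ping requests for server-side-request abuse.

Added example (not from the article or from WordPress). A pingback.ping call
asks the blog to fetch sourceURI and confirm it links to targetURI; this checker
flags sourceURI values a blog should refuse to fetch on a caller's behalf.
"""
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed request bodies. The hostnames and credentials are placeholders.
PINGBACK_INTERNAL_HOST = """<?xml version="1.0"?>
<methodCall>
  <methodName>pingback.ping</methodName>
  <params>
    <param><value><string>http://bugzilla/</string></value></param>
    <param><value><string>http://blog.example.com/?p=1</string></value></param>
  </params>
</methodCall>"""

PINGBACK_CREDENTIALS = """<?xml version="1.0"?>
<methodCall>
  <methodName>pingback.ping</methodName>
  <params>
    <param><value>http://user:pass@10.0.0.1/changeDNS.asp?newDNS=aaaa</value></param>
    <param><value>http://blog.example.com/?p=1</value></param>
  </params>
</methodCall>"""


def parse_xmlrpc_call(body: str):
    """Return (methodName, [string params]) from an XML-RPC methodCall body.

    XML-RPC allows a bare <value>text</value> as shorthand for <string>, so
    both spellings are accepted.
    """
    root = ET.fromstring(body)
    if root.tag != "methodCall":
        raise ValueError("not an XML-RPC methodCall")
    method = (root.findtext("methodName") or "").strip()
    params = []
    for value in root.iterfind("./params/param/value"):
        text = value.findtext("string")
        params.append((text if text is not None else value.text or "").strip())
    return method, params


def classify_url(url: str) -> list:
    """List the reasons a blog should not fetch this URL on a caller's behalf."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        findings.append("non-http scheme")
    if parts.username is not None or parts.password is not None:
        findings.append("credentials in URL")  # e.g. admin:secret@router
    host = parts.hostname
    if not host:
        findings.append("missing host")
        return findings
    try:
        ip = ipaddress.ip_address(host)  # also handles bracketed IPv6 literals
    except ValueError:
        # Single-label names like "dev" or "bugzilla" only resolve on an intranet.
        if "." not in host:
            findings.append("dotless hostname")
    else:
        if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved:
            findings.append("non-public IP literal")
    return findings


def inspect_pingback(body: str, own_hosts=frozenset()) -> dict:
    """Parse a pingback.ping body and report findings for each URI.

    own_hosts: hostnames this blog serves; a targetURI elsewhere is suspicious
    because a legitimate pingback always targets one of our own posts.
    """
    method, params = parse_xmlrpc_call(body)
    if method != "pingback.ping":
        return {"method": method, "findings": None}
    if len(params) != 2:
        raise ValueError("pingback.ping takes exactly sourceURI and targetURI")
    source, target = params
    target_findings = classify_url(target)
    if own_hosts and urlsplit(target).hostname not in own_hosts:
        target_findings.append("targetURI not on this site")
    return {
        "method": method,
        "sourceURI": source,
        "targetURI": target,
        "findings": {"sourceURI": classify_url(source), "targetURI": target_findings},
    }


if __name__ == "__main__":
    for body in (PINGBACK_INTERNAL_HOST, PINGBACK_CREDENTIALS):
        report = inspect_pingback(body, own_hosts={"blog.example.com"})
        print(report["sourceURI"], "->", report["findings"]["sourceURI"])
```

Any non-empty finding on sourceURI is reason to reject the pingback before the blog opens an outbound connection; the dotless-hostname rule is the one most likely to need tuning for a site that legitimately receives pingbacks from intranet blogs.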

Unfortunately, only a patch will resolve this issue, as disabling the pingback function doesn't work.

“These are known weaknesses with the pingback system and there are core WordPress.org developers working on counter-measures to harden against this type of abuse for future versions of WordPress,” a spokesperson from WordPress (Automattic) told SecurityWeek via email.
