From a quick couple minute cursory check, I do not see how login checks
differ from regular login and xmlrpc in regards to when a login limit
plugin is used.
An example is WordPress 3.5 and the limit-login-attempts plugin.
WordPress 3.5 (class-wp-xmlrpc-server.php):
function login( $username, $password
Debian Security Advisory DSA-2605-2 secur...@debian.org
http://www.debian.org/security/ Thijs Kinkhorst
January 19, 2013
On Sat, Jan 19, 2013 at 08:53:24PM +0200, MustLive wrote:
> And when WordPress developers turned it on in WordPress 3.5 they returned
> the hole back to the masses. Earlier for WP 2.6 - 3.4.2 only those web sites
> were vulnerable, which had turned it on, then since WP 3.5 all web sites
> would
Hi Chris!
It's good that you've drawn attention to the possibility of port scanning and
made nice software for abusing this WP feature.
But I want to remind about another vulnerability in XML-RPC, which I've
disclosed in 2012. The most important hole in WordPress XML-RPC is Brute
Force (http://secu