It's good that you've drew attention on possibility of port scanning and made nice software for abusing this WP feature.
But I want to remind about another vulnerability in XML-RPC, which I've disclosed in 2012. The most important hole in WordPress XML-RPC is Brute Force (http://securityvulns.ru/docs27916.html, http://lists.grok.org.uk/pipermail/full-disclosure/2012-March/086271.html). I've wrote on example of WordPress, but it concerns every web application with in XML-RPC support. To BF are vulnerable all versions of WP, but since WordPress 2.6 XML-RPC was turned on by default.
And when WordPress developers turned in on in WordPress 3.5 they returned the hole back to the masses. Earlier for WP 2.6 - 3.4.2 only those web sites were vulnerable, which had turned it on, then since WP 3.5 all web sites would be vulnerable again.
The interesting part with Brute Force attacks via XML-RPC and the same with Atom Publishing Protocol (to which vulnerable are WP 2.3 - 3.4.2), this hole I've also disclosed in 2012 (http://securityvulns.ru/docs27917.html, http://lists.grok.org.uk/pipermail/full-disclosure/2012-March/086328.html), as I've wrote at my site - it's better reliability then brute forcing via login form. Because unlike login form (for which there are plugins to protect against BF), no plugins can protect against attacks via XML-RPC and AtomPub.
WP developers removed AtomPub from the core (made it as a plugin), so they "removed" this BF hole from the core, but at that they enabled BF hole via XML-RPC (plus added port scanning functionality). Such wise decision :-).
Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua
From: FireFart_(at)gmail.com <FireFart(at)_gmail.com> Date: 18.12.2012 Subject: Wordpress Pingback Port Scanner
> Hi folks, > Wordpress 3.5 has it's XML-RPC Interface enabled by default. See here for more information: > http://www.ethicalhack3r.co.uk/security/introduction-to-the-wordpress-xml-rpc-api > / > http://codex.wordpress.org/Version_3.5#Settings > > I read through the article and took a look at the Pinback API since it is public available on many Wordpress installations. > The cool thing is: you can do a port scan using the Pingback API > You can even scan the server itself or discover some hosts on the internal Network this server is on. > So i wrote this little Ruby Script to utilize this "feature": > > https://github.com/FireFart/WordpressPingbackPortScanner > > You can even use multiple Wordpress XML-RPC Interfaces to scan a single host so this can be some kind of distributed port scanning. > > Chris