<methodCall> <methodName>system.multicall</methodName> <params> <param> <value> <array> <data> <!-- Repeat struct for each password attempt --> </data> </array> </value> </param> </params> </methodCall>
Older versions of WordPress and some plugins are vulnerable to PHP Object Injection if user input is passed to the unserialize() function. hacktricks wordpress
Also check:
: Allows attackers to read sensitive files like wp-config.php or execute remote code. <methodCall> <methodName>system