Because of the potential vector size of this vulnerability, xxxx made sure to responsibly disclose the vulnerability to the WordPress and Drupal teams before sharing the results with the public.

Really? So these clever bunnies gave the CMS makers 5 minutes warning before advertising the exploit to the public?

How often do we see this and how absoluteley caring for attention to their self. I for one do not want to update my CMS versions, especially when they may be customized and/or require PHP and/or MYSQL versions not avilable on my server.

As for the potential of being exploited, if these prats did the right thing and informed the CMS makers only then it would be very unlikely for the vulnerability to ever be exploited!

Apparently the XML function can be disabled by adding the following code to the .htaccess file...

 # START XML RPC BLOCKING
 <Files xmlrpc.php>
 Order Deny,Allow
 Deny from all
 </Files>

This can apply to both Drupal amd WordPress.

I saw this report shortly after it came out, but the fixes were rolled out fast enough that I had actually updated critical sites before I got the Sucuri notice.

Wordpress used to always have it disabled by default, though the file addresses are widely known. A few version ago WP finally decided it was secure enough to enable it by default.

Kendo - in addition to blocking access to xmlrpc.php, the Drupal security notice says that on Drupal you should disable the OpenID module. Since almost nobody I know actually has it enabled, that's likely a moot point, but I thought I'd mention it.

In any case, not to diminish the threat of a DDOS attack, but it's not the same to me as what I would consider a true security threat that allows access to secure areas of the site or allows installing malware on the site.