No Valid Passwords Found #1755

Closed
m3kgt99 opened this issue Oct 29, 2022 · 3 comments

m3kgt99 commented Oct 29, 2022

When I perform an XML-RPC password attack with multicall, it always gives me a "No Valid Passwords Found" notification at the end.
I know that the maximum number of passwords to send by request with XMLRPC multicall is 500 at a time. I'd really like to use this multicall instead of singlecall.
I used a wordlist that was 500 lines long, made sure that it was UTF8, and I am 100% positive that the correct password is in the list.
sudo wpscan --url example.com --rua -U username -P test --password-attack xmlrpc-multicall -v
Obviously I did not use example.com and I used my correct username.
If I perform a password attack with nothing specified, it uses XML-RPC and it uses singlecall, and if the password is in the dictionary, it works. But this takes too long.
Any suggestions?

Member

erwanlr commented Oct 31, 2022

Such an attack was patched in WP 4.4, so using xmlrpc-multicall will only work for blogs using WP below 4.4. That's why when not setting the --password-attack option, it automatically uses the best method available, in your case xmlrpc with singlecall.
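
A defender-side check related to the answer above, as an added example that is not part of the original thread or of WPScan's code: it parses an XML-RPC request body and flags a `system.multicall` batch that repeats one method many times. The function names, the threshold and the sample body (with `wp.getUsersBlogs` as the batched method and placeholder credentials) are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

MAX_REPEATS = 5  # assumed threshold, tune to what legitimate clients send


def multicall_methods(body: str) -> list[str]:
    """Return the method names batched inside a system.multicall request body."""
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        raise ValueError("DTD or entity declaration in XML-RPC body")
    root = ET.fromstring(body)
    outer = (root.findtext("methodName") or "").strip()
    if root.tag != "methodCall" or outer != "system.multicall":
        return []
    names = []
    # Each batched call is a <struct> with "methodName" and "params" members.
    for struct in root.iterfind("./params/param/value/array/data/value/struct"):
        for member in struct.iterfind("member"):
            value = member.find("value")
            if (member.findtext("name") or "").strip() == "methodName" and value is not None:
                names.append("".join(value.itertext()).strip())
    return names


def is_credential_batch(body: str, max_repeats: int = MAX_REPEATS) -> bool:
    """Flag a multicall request that repeats any one method more than max_repeats times."""
    return any(n > max_repeats for n in Counter(multicall_methods(body)).values())


def build_sample(method: str, count: int) -> str:
    """Constructed request body with placeholder credentials, for testing the check."""
    call = (
        "<value><struct>"
        f"<member><name>methodName</name><value><string>{method}</string></value></member>"
        "<member><name>params</name><value><array><data>"
        "<value><string>USER</string></value><value><string>GUESS</string></value>"
        "</data></array></value></member></struct></value>"
    )
    return (
        '<?xml version="1.0"?><methodCall><methodName>system.multicall</methodName>'
        f"<params><param><value><array><data>{call * count}</data></array></value></param></params>"
        "</methodCall>"
    )


if __name__ == "__main__":
    print(is_credential_batch(build_sample("wp.getUsersBlogs", 500)))  # True
    print(is_credential_batch(build_sample("wp.getUsersBlogs", 2)))    # False
```
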

@erwanlr erwanlr closed this as completed Oct 31, 2022
Author

m3kgt99 commented Oct 31, 2022

Now that you say this... I remember vaguely that I saw that it was patched a while ago.
Thank you so much erwanlr for helping me remember this.

Member

erwanlr commented Oct 31, 2022

You're welcome, I've updated the --password-attack help text to reflect this as well :)
