Description

WordPress includes a REST API that can be used to list the information about the registered users on a WordPress installation. The REST API exposed user data for all users who had authored a post of a public post type. WordPress 4.7.1 limits this to only post types which have specified that they should be shown within the REST API.

Remediation

Install a WordPress plugin such as Stop User Enumeration. Stop User Enumeration is a security plugin designed to detect and prevent hackers scanning your site for user names.

References

Stop User Enumeration

WordPress 4.7.1 Security and Maintenance Release

Related Vulnerabilities

PostgreSQL Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2017-15099)

WordPress 5.0.x Multiple Vulnerabilities (5.0 - 5.0.19)

TCExam Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2020-5743)

ASP.NET viewstate encryption disabled

WordPress Plugin WP-DBManager Multiple Vulnerabilities (2.71)

Severity

Low

Classification

CWE-200 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Information Disclosure