Description

WordPress includes a REST API that can be used to list the information about the registered users on a WordPress installation. The REST API exposed user data for all users who had authored a post of a public post type. WordPress 4.7.1 limits this to only post types which have specified that they should be shown within the REST API.

Remediation

Install a WordPress plugin such as Stop User Enumeration. Stop User Enumeration is a security plugin designed to detect and prevent hackers scanning your site for user names.

References

Stop User Enumeration

WordPress 4.7.1 Security and Maintenance Release

Related Vulnerabilities

WordPress Plugin Simple History Information Disclosure (2.7.4)

phpMyAdmin Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2016-6627)

IBM WebSphere/WebLogic application source file exposure

WordPress Plugin Slack-Chat Information Disclosure (1.5.5)

WordPress Plugin JS MultiHotel Multiple Vulnerabilities (2.2.1)

Severity

Low

Classification

CWE-200 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Information Disclosure