Description

WordPress includes a REST API that can be used to list the information about the registered users on a WordPress installation. The REST API exposed user data for all users who had authored a post of a public post type. WordPress 4.7.1 limits this to only post types which have specified that they should be shown within the REST API.

Remediation

Install a WordPress plugin such as Stop User Enumeration. Stop User Enumeration is a security plugin designed to detect and prevent hackers scanning your site for user names.

References

Stop User Enumeration

WordPress 4.7.1 Security and Maintenance Release

Related Vulnerabilities

Insecure transition from HTTP to HTTPS in form post

TYPO3 Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2009-0815)

ASP.NET WCF service include exception details

PHP upload arbitrary file disclosure vulnerability

Configuration file disclosure

Severity

Low

Classification

CWE-200 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Information Disclosure