• If permalinks are enabled, in many WordPress installations it is possible to enumerate all the WordPress usernames iterating through the author archives. Whenever a post is published, the username or alias is shown as the author. For example, the URL http://site.com/?author=1 will show all the posts from user id 1. Attackers can abuse this functionality to figure out which usernames are available on the site.

• You can use an .htaccess rewrite rule to prevent this disclosure but you should also be sure to use nicknames to avoid disclosing usernames. <br/> <pre> # Stop WordPress username enumeration vulnerability RewriteCond %{REQUEST_URI} ^/$ RewriteCond %{QUERY_STRING} ^/?author=([0-9]*) RewriteRule ^(.*)$ http://yoursite.com/somepage/? [L,R=301] </pre>

• 

• CWE-200

• CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

• Information Disclosure

• JBoss web service console
• WordPress Plugin Plugin:Newsletter 'data' Parameter Information Disclosure (1.5)
• SNMP information disclosure
• PHP curl_exec() url is controlled by user
• Backup files