WordPress User Enumeration

medium Web Application Scanning Plugin ID 98203

Synopsis

WordPress User Enumeration

Description

In default WordPress installation there are several methods to enumerate authors username. These WordPress users can then be used in brute-force attacks against WordPress login page to guess passwords.

Solution

Block requests to sensitive user information at the server using .htaccess file or WAF for example. You should block or redirect all requests made to '/wp-json/wp/v2/users/' and to 'author' parameter (via GET and POST requests).

See Also

https://wordpress.org/support/article/htaccess/

https://hackertarget.com/wordpress-user-enumeration/

Plugin Details

Severity: Medium

ID: 98203

Type: remote

Published: 9/9/2020

Updated: 1/27/2022

Scan Template: scan, pci

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS Score Source: Tenable

Reference Information