WordPress User Enumeration

Medium Web Application Scanning Plugin ID 98203

Synopsis

WordPress User Enumeration

Description

In default WordPress installation there are several methods to
enumerate authors username. These WordPress users can then be used
in brute-force attacks against WordPress login page
to guess passwords.

Solution

Block requests to sensitive user information at the server using .htaccess file or WAF for example. You should block or redirect all requests made to '/wp-json/wp/v2/users/' and to 'author' parameter (via GET and POST requests).

See Also

https://codex.wordpress.org/htaccess

http://cwe.mitre.org/data/definitions/200.html

Plugin Details

Severity: Medium

ID: 98203

Type: remote

Published: 2018/03/06

Updated: 2018/03/08

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS v3.0

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Reference Information

CWE: 200

WASC: Information Leakage

OWASP: 2017-A6, 2013-A5, 2010-A6