WordPress User Enumeration

medium Web Application Scanning Plugin ID 98203

Synopsis

WordPress User Enumeration

Description

In default WordPress installation there are several methods to enumerate authors username. These WordPress users can then be used in brute-force attacks against WordPress login page to guess passwords.

Solution

Block requests to sensitive user information at the server using .htaccess file or WAF for example. You should block or redirect all requests made to '/wp-json/wp/v2/users/' and to 'author' parameter (via GET and POST requests).

See Also

https://wordpress.org/support/article/htaccess/

https://hackertarget.com/wordpress-user-enumeration/

Plugin Details

Severity: Medium

ID: 98203

Type: remote

Published: 9/9/2020

Updated: 3/8/2018

Scan Template: scan, pci

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS v3.0

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Reference Information