WordPress User Enumeration

Medium Web Application Scanning Plugin ID 98203

In a default WordPress installation there are several methods to enumerate author usernames. The enumerated usernames can then be used in brute-force attacks against the WordPress login page to guess passwords.


Block requests to sensitive user information at the server, for example with an .htaccess file or a WAF. Block or redirect all requests made to '/wp-json/wp/v2/users/' and any request carrying the 'author' parameter (via GET or POST).
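The following .htaccess rules are an added example of the mitigation described above; they are not Tenable's or WordPress's own code. They assume Apache with mod_rewrite enabled and AllowOverride permitting rewrite directives in .htaccess, and they return 403 for the REST users endpoint (path and rest_route query forms) and for any request whose query string carries a numeric 'author' parameter.

```apache
# Added example (not from the plugin page or the WordPress project).
# Assumes mod_rewrite is loaded and .htaccess rewrites are allowed for this directory.
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Block the REST API users collection and single-user routes:
    #   /wp-json/wp/v2/users  and  /wp-json/wp/v2/users/<id>
    RewriteCond %{REQUEST_URI} /wp-json/wp/v2/users(/|$) [NC]
    RewriteRule .* - [F,L]

    # Block the same route when requested through the query-string form
    # used when pretty permalinks are off:  /?rest_route=/wp/v2/users
    RewriteCond %{QUERY_STRING} (^|&)rest_route=/wp/v2/users [NC]
    RewriteRule .* - [F,L]

    # Block author-archive enumeration via the query string, e.g. /?author=1,
    # which would otherwise redirect to /author/<username>/ and reveal the login name.
    RewriteCond %{QUERY_STRING} (^|&)author=[0-9]+ [NC]
    RewriteRule .* - [F,L]
</IfModule>
```

mod_rewrite cannot inspect POST bodies, so an 'author' parameter sent in a form body must be handled by the WAF or at the application layer; also verify after deployment that logged-in editing still works, since the block editor queries the wp/v2/users route for author lists.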

Plugin Details

Severity: Medium

ID: 98203

Type: remote

Published: 2018/03/06

Updated: 2018/03/08

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS v3.0

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Reference Information

CWE: 200

WASC: Information Leakage

OWASP: 2017-A6, 2013-A5, 2010-A6