diff --git a/misconfiguration/wordpress-register-option-enabled.yaml b/misconfiguration/wordpress-register-option-enabled.yaml
deleted file mode 100644
index 4281345062..0000000000
--- a/misconfiguration/wordpress-register-option-enabled.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-id: wordpress-register-option-enabled
-
-info:
- name: WordPress User Registration Enabled
- author: tess,DhiyaneshDK
- severity: high
- tags: wordpress,wp-plugin,wp
- description: Your WordPress site is currently configured so that anyone can register as a user. If you are not using this functionality, it's recommended to disable user registration as it caused some security issues in the past and is increasing the attack surface.
- remediation: Disable user registration if not needed. To disable user registration, log in as an administrator and go to Settings -> General and uncheck "Anyone can register".
- reference: https://www.acunetix.com/vulnerabilities/web/wordpress-user-registration-enabled/
-
-requests:
- - method: GET
- path:
- - "{{BaseURL}}/wp-login.php"
-
- matchers-condition: and
-
- matchers:
- - type: word
- words:
- - '?action=register">Register'
- part: body
-
- - type: word
- words:
- - 'text/html'
- part: header
-
- - type: status
- status:
- - 200
diff --git a/misconfiguration/wp-registration-enabled.yaml b/misconfiguration/wp-registration-enabled.yaml
new file mode 100644
index 0000000000..f6ba1a0d20
--- /dev/null
+++ b/misconfiguration/wp-registration-enabled.yaml
@@ -0,0 +1,34 @@
+id: wp-registration-enabled
+
+info:
+ name: WordPress User Registration Enabled
+ author: tess,DhiyaneshDK
+ severity: info
+ description: |
+ Your WordPress site is currently configured so that anyone can register as a user. If you are not using this functionality, it's recommended to disable user registration as it caused some security issues in the past and is increasing the attack surface.
+ remediation: |
+ Disable user registration if not needed. To disable user registration, log in as an administrator and go to Settings -> General and uncheck "Anyone can register".
+ reference: https://www.acunetix.com/vulnerabilities/web/wordpress-user-registration-enabled/
+ tags: wordpress,wp,misconfig
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-login.php"
+
+ matchers-condition: and
+
+ matchers:
+ - type: word
+ part: body
+ words:
+ - '?action=register"'
+
+ - type: word
+ part: header
+ words:
+ - 'text/html'
+
+ - type: status
+ status:
+ - 200
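Review bot: The body matcher `- '?action=register"'` is now much looser than the old `'?action=register">Register'`, so any 200 HTML response from `/wp-login.php` that embeds that query fragment in an attribute (a theme or plugin linking to it, for example) flags as registration-enabled, not only the core Register link that WordPress renders when "Anyone can register" is set. Presumably the `>Register` suffix was dropped because the link text is localized; a language-independent but tighter alternative is to match the path WordPress emits for the registration URL, `- 'wp-login.php?action=register'`. A short comment above the matcher recording why the anchor text was dropped would keep the next editor from re-tightening it. Minor style point: `description: |` and `remediation: |` keep a trailing newline in the value; `|-` strips it, which only matters if a consumer renders the text verbatim.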