59 lines
1.9 KiB
YAML
59 lines
1.9 KiB
YAML
id: wp-user-enum
|
|
|
|
info:
|
|
name: WordPress REST API User Enumeration
|
|
author: Manas_Harsh,daffainfo,geeknik,dr0pd34d
|
|
severity: low
|
|
description: |
|
|
The REST API exposed user data for all users who had authored a post of a public post type. WordPress 4.7.1 limits this to only post types which have specified that they should be shown within the REST API.
|
|
impact: |
|
|
An attacker can easily determine valid usernames, which can lead to targeted attacks such as brute force attacks or social engineering.
|
|
remediation: |
|
|
Install a WordPress plugin such as Stop User Enumeration. Stop User Enumeration is a security plugin designed to detect and prevent hackers scanning your site for user names.
|
|
reference:
|
|
- https://www.acunetix.com/vulnerabilities/web/wordpress-rest-api-user-enumeration/
|
|
- https://wordpress.org/plugins/stop-user-enumeration/
|
|
- https://www.afteractive.com/wordpress-user-enumeration-vulnerability/
|
|
metadata:
|
|
verified: true
|
|
max-request: 2
|
|
vendor: wordpress
|
|
product: wordpress
|
|
shodan-query: http.component:"WordPress"
|
|
tags: cve2017,cve,wordpress,wp,edb
|
|
|
|
http:
|
|
- method: GET
|
|
path:
|
|
- "{{BaseURL}}/wp-json/wp/v2/users/"
|
|
- "{{BaseURL}}/?rest_route=/wp/v2/users/"
|
|
|
|
stop-at-first-match: true
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- '"id":'
|
|
- '"name":'
|
|
- '"avatar_urls":'
|
|
condition: and
|
|
|
|
- type: word
|
|
part: header
|
|
words:
|
|
- "application/json"
|
|
|
|
- type: status
|
|
status:
|
|
- 200
|
|
|
|
extractors:
|
|
- type: json
|
|
name: "usernames"
|
|
json:
|
|
- '.[] | .slug'
|
|
- '.[].name'
|
|
part: body
|
|
# digest: 4a0a004730450220739ef9fd058cf4027e5393103ef4001283e4f20793f7fbd7cc6e0242181f692d022100f91de73bf7e60b6afe94fc098b11f5b8151f0ddaef43cc52d282aff64f8023a1:922c64590222798bb761d5b6d8e72950 |