WordPress Users Disclosure [$500 Bounty]

This is my 21st blog post on web application security penetration testing. In this post I will explain the WordPress user disclosure vulnerability.

In my last post I explained Insufficient Logging and Monitoring. I hope everyone liked it; if you haven't read it yet, please follow along.

In this post I will explain how I was able to enumerate WordPress users and received a $500 bounty on a private program. To maintain confidentiality, let's say the domain name is redacted.com and that it runs WordPress. Below is the step-by-step POC:

1. Identify whether the website is running WordPress. I used Wappalyzer to identify the technologies in use; you can install this extension in the Chrome browser.

2. Method 1: Try to access the endpoint below to enumerate WordPress users. If the endpoint is protected, the site returns a custom error instead of the user list:

https://www.redacted.com/wp-json/wp/v2/users/

3. Let's try Method 2: install WPScan on Kali Linux and run the command below to enumerate WordPress users from the site. The usernames were successfully enumerated this way using WPScan (the WordPress scanning tool).

Command: wpscan --url https://www.redacted.com --enumerate u1-100

Impact:

Successful username enumeration enables brute-force or password-guessing attacks, which can further lead to account takeover.

Recommendation:

Use code that hides the user list and returns a 404 for it, while the rest of the REST API calls keep working as they were.
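One way to implement this recommendation, as an added example and not the author's snippet (which is not reproduced here): a small mu-plugin that removes the user routes from the WordPress REST API endpoint table for anyone who lacks the list_users capability, so the route answers with the core 404 "rest_no_route" error while every other route is untouched. The file path is an assumption.

```php
<?php
/**
 * Hide the WordPress REST API user routes from anonymous requests.
 *
 * Place this file in wp-content/mu-plugins/hide-rest-users.php
 * (assumed path) or in the active theme's functions.php.
 *
 * With the routes removed from the endpoint table, a request to
 * /wp-json/wp/v2/users/ (and its ?rest_route= alias) receives the
 * core "rest_no_route" error with HTTP status 404. All other REST
 * routes keep working as before.
 */

add_filter( 'rest_endpoints', function ( array $endpoints ) {
    // Users who may list users in wp-admin (editors, administrators)
    // still need this route, e.g. for the block editor's author
    // selector, so only remove it for everyone else.
    if ( current_user_can( 'list_users' ) ) {
        return $endpoints;
    }

    // Route keys exactly as registered by WP_REST_Users_Controller.
    $user_routes = array(
        '/wp/v2/users',
        '/wp/v2/users/(?P<id>[\d]+)',
    );

    foreach ( $user_routes as $route ) {
        // unset() on a missing key is a no-op, so this is safe even if
        // another plugin already removed the route.
        unset( $endpoints[ $route ] );
    }

    return $endpoints;
} );
```

This filter only affects the REST API route; after deploying it, re-run the wpscan command from step 3 to confirm the usernames are no longer returned.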

References:

Hackerone Report:

Please do like and follow for more reads!

Thanks!
