WordPress Users Disclosure [500$ Bounty]

This is my 21st blog post on web application security penetration testing. In this post I will explain the WordPress user disclosure vulnerability.

In my last blog post I explained Insufficient Logging and Monitoring; I hope everyone liked it. If you haven’t read it yet, please follow along.

In this post, I will explain how I was able to enumerate WordPress users and received a $500 bounty on a private program. To maintain confidentiality, let’s say the domain name is redacted.com and it is running WordPress. Below is the step-by-step POC:

1. Identify whether the website is running WordPress or not. I used Wappalyzer to identify the technologies in use; you can install this extension in the Chrome browser.

2. Method 1: Try to access the endpoint below to enumerate WordPress users. If it is protected, you will see a custom error like the one below:


3. Let’s try Method 2: You can install WPScan on Kali Linux and run the command below to enumerate WordPress users from the site. The following usernames were successfully enumerated using WPScan (WordPress Scanning Tool).

Command: wpscan --url https://www.redacted.com --enumerate u1-100


Successful username enumeration enables brute-force or password-guessing attacks, which can in turn lead to account takeover.


Use the following code, which hides the users list and returns 404 as the result, while the rest of the API calls keep running as they were.
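As an added illustration of that mitigation (this is my example, not the author's snippet, which is not reproduced on this page), the PHP below uses WordPress core's rest_endpoints filter to unregister the two public user routes from the REST API. WordPress then answers requests to them with its standard rest_no_route error and HTTP 404, while every other route is untouched. The file name and the choice to keep the routes for logged-in users are assumptions you can adjust.

```php
<?php
/**
 * Added example, not the author's code: hide the WordPress REST API user
 * routes (/wp-json/wp/v2/users and /wp-json/wp/v2/users/<id>) from anonymous
 * callers so they get a 404, while all other REST routes keep working.
 *
 * Assumed location: wp-content/mu-plugins/hide-users-endpoint.php
 * (a must-use plugin), or the active theme's functions.php.
 */

add_filter( 'rest_endpoints', function ( array $endpoints ) {
    // Assumption: logged-in users keep the routes, because the block editor
    // uses /wp/v2/users for its author selector. Tighten this to
    // current_user_can( 'list_users' ) if only administrators should see it.
    if ( is_user_logged_in() ) {
        return $endpoints;
    }

    // Route keys exactly as registered by WP_REST_Users_Controller.
    $user_routes = array(
        '/wp/v2/users',
        '/wp/v2/users/(?P<id>[\d]+)',
    );

    foreach ( $user_routes as $route ) {
        if ( isset( $endpoints[ $route ] ) ) {
            unset( $endpoints[ $route ] );
        }
    }

    // With the routes removed, WP_REST_Server finds no match and replies
    // with {"code":"rest_no_route", ...} and status 404; nothing else changes.
    return $endpoints;
} );
```

After deploying, check an anonymous request to /wp-json/wp/v2/users returns 404 and that an unrelated route such as /wp-json/wp/v2/posts still returns 200. Note that this only closes the REST API: WordPress also reveals usernames through author archives (the ?author=N redirect to /author/username/), and tools like WPScan check those as well, so hardening them is a separate step.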


HackerOne Report:

Please do like and follow for more reads!
