WordPress Users Disclosure [500$ Bounty]
This is my 21st blog on web application security penetration testing. In this blog I will explain the WordPress Users Disclosure vulnerability.
In my last blog, I explained Insufficient Logging and Monitoring. Hope everyone liked it. If you haven’t read it yet, please follow along.
In this blog, I will explain how I was able to enumerate WordPress users and got a $500 bounty on a private program. To maintain confidentiality, let’s say the domain name is redacted.com and it is running WordPress. Below is the step-by-step POC:
1. Identify whether the website is running WordPress. I used Wappalyzer to identify the technologies in use; you can install this extension in the Chrome browser.
2. Method 1: Try to access the endpoint below to enumerate WordPress users. If it is protected, you will see a custom error like the one below:
https://www.redacted.com/wp-json/wp/v2/users/
3. Let’s try Method 2: You can install WPScan on Kali Linux and run the command below to enumerate WordPress users from the site (u1-100 asks it to try user IDs 1 through 100). The following usernames were successfully enumerated using WPScan (WordPress Scanning Tool).
Command: wpscan --url https://www.redacted.com --enumerate u1-100
Impact:
Successful username enumeration makes brute-force or password-guessing attacks possible, which can further lead to account takeover.
Recommendation:
Use this code, which hides the users list and returns a 404, while the rest of the API calls keep running as before.
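One way to implement that recommendation, as an added example (this is not the snippet from the original report, and the logged-in exception and the mu-plugin placement are my assumptions): a must-use plugin that removes the two public user routes from the REST API for anonymous visitors, so WordPress itself answers them with a 404.

```php
<?php
/**
 * Plugin Name: Hide REST users endpoints (added example, not the report's own code)
 * Place this file in wp-content/mu-plugins/ so it loads before any theme or plugin.
 */

add_filter( 'rest_endpoints', function ( array $endpoints ) {
    // Assumption: only anonymous requests are blocked. Logged-in users keep the
    // routes because the block editor and the Users screen call /wp/v2/users.
    if ( is_user_logged_in() ) {
        return $endpoints;
    }

    // These are the route keys WordPress core registers for the users controller:
    // the collection (/wp-json/wp/v2/users) and the single-user lookup by ID.
    $public_user_routes = array(
        '/wp/v2/users',
        '/wp/v2/users/(?P<id>[\d]+)',
    );

    foreach ( $public_user_routes as $route ) {
        unset( $endpoints[ $route ] ); // unset on a missing key is a harmless no-op
    }

    // With the routes gone, GET /wp-json/wp/v2/users returns HTTP 404 with
    // {"code":"rest_no_route",...}; every other REST route is left untouched.
    return $endpoints;
} );
```

After installing it, re-run the POC request from Method 1 as an anonymous user and confirm a 404 with code rest_no_route, then confirm another route such as /wp-json/wp/v2/posts still responds normally.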
References:
Hackerone Report:
Please do like and follow for more reads!
Thanks!