CVSS Summary
| Score | 5 Medium | 
|---|---|
| Vector | Network | 
| Complexity | Low | 
| Authentication | None | 
| Confidentiality | Partial | 
| Integrity | None | 
| Availability | None | 
Last revised:
The Stop User Enumeration plugin has an option to block user enumeration through the WordPress REST API. When that option is enabled, requests to /wp-json/wp/v2/users are blocked and return an error like this:

```json
{"code":"rest_cannot_access","message":"Only authenticated users can access the User endpoint REST API.","data":{"status":401}}
```
It also successfully blocks requests such as /?rest_route=/wp/v2/users.
The blocking relies upon the following comparison:
```php
if( preg_match('/users/', $_SERVER['REQUEST_URI']) !== 0 ) {
```
On the surface this looks like it should work. Sending a POST request with the parameter rest_route=/wp/v2/users does not get around the restriction either, because WordPress treats the POST as an attempt to create a user and responds with an error.

However, the REST API allows a request to simulate a different request type. Because the check above inspects only $_SERVER['REQUEST_URI'], a route carried in the POST body never matches it. We can therefore perform a POST request with the "users" string in the body of the request and tell the REST API to act as though it had received a GET request.
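The following is an added illustration, not the plugin's own code and not necessarily how version 1.3.9 fixes the issue: it places the page's URI-only check beside a variant that also examines the rest_route parameter from the query string and the POST body, which is the channel the bypass uses. The function names and the request arrays are constructed for the example; the arrays mirror the proof-of-concept request on this page.

```php
<?php
// Added illustration, not the plugin's code. The page's check inspects only
// $_SERVER['REQUEST_URI'], so a route carried in the POST body never matches.
// The hardened variant gathers every channel that can carry a REST route
// (URI path, rest_route in the query string, rest_route in the POST body)
// and anchors the match on the users endpoint rather than the bare word "users".

function vulnerable_is_blocked(array $server): bool
{
    // Same comparison as on the page: only the request URI is examined.
    return preg_match('/users/', $server['REQUEST_URI']) !== 0;
}

function hardened_is_blocked(array $server, array $get, array $post): bool
{
    $candidates = [(string) (parse_url($server['REQUEST_URI'], PHP_URL_PATH) ?: '')];
    foreach ([$get, $post] as $params) {
        if (isset($params['rest_route'])) {
            $candidates[] = (string) $params['rest_route'];
        }
    }
    foreach ($candidates as $route) {
        // Decode once so percent-encoded spellings cannot slip past the match.
        $route = rawurldecode($route);
        if (preg_match('#/wp/v2/users(?:/|$)#', $route) === 1) {
            return true;
        }
    }
    return false;
}

function expect(bool $cond, string $what): void
{
    if (!$cond) { throw new RuntimeException("unexpected result: $what"); }
}

// Constructed request mirroring the page's proof of concept: the route travels in
// the POST body while the query string carries only the _method override.
$server = ['REQUEST_METHOD' => 'POST', 'REQUEST_URI' => '/?_method=GET'];
$get    = ['_method' => 'GET'];
$post   = ['rest_route' => '/wp/v2/users'];
// Constructed plain GET to the pretty-permalink endpoint, for comparison.
$plain  = ['REQUEST_METHOD' => 'GET', 'REQUEST_URI' => '/wp-json/wp/v2/users'];

expect(vulnerable_is_blocked($plain) === true, 'plain GET caught by URI check');
expect(hardened_is_blocked($plain, [], []) === true, 'plain GET caught by hardened check');
expect(vulnerable_is_blocked($server) === false, 'body route bypasses URI check');
expect(hardened_is_blocked($server, $get, $post) === true, 'body route caught by hardened check');
echo "checks passed\n";
```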
```bash
curl http://localhost/?_method=GET -d rest_route=/wp/v2/users
```

Current state: Fixed
Upgrade to version 1.3.9 or later.