Advisory: Stop User Enumeration allows user enumeration via the REST API

Stop User Enumeration has an option to block user enumeration via the WordPress REST API. When that option is enabled, requests to /wp-json/wp/v2/users are blocked and return an error like this:

{"code":"rest_cannot_access","message":"Only authenticated users can access the User endpoint REST API.","data":{"status":401}}

It also successfully blocks requests such as /?rest_route=/wp/v2/users.

The blocking relies upon the following comparison:

if( preg_match('/users/', $_SERVER['REQUEST_URI']) !== 0 ) {

On the surface this looks like it should work. And it seems like we can’t get around the restriction by sending a POST request with the parameter rest_route=/wp/v2/users, because WordPress thinks we want to create a user and responds with an error.

However, the REST API allows a request to declare a different HTTP method than the one it was actually sent with. As such, we can send a POST request that carries the “users” string only in the request body, and tell the REST API to treat it as a GET request.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability:

Score: 5 (Medium)
Attack vector: Network
Complexity: Low
Authentication: None
Confidentiality: Partial
Integrity: None
Availability: None

You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

curl http://localhost/?_method=GET -d rest_route=/wp/v2/users
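As an added example, not code from the plugin or the advisory, the following Python model shows why a regex over REQUEST_URI misses the request above: it resolves the route and method the way the WordPress REST server does (the /wp-json/ path, the rest_route query parameter or form body, and the _method query override) and compares that check with the original one over constructed requests. All function and variable names are assumed.

```python
# Added example (not the plugin's code): the original REQUEST_URI regex check
# beside a check that works on the route WordPress will actually dispatch.
import re
from urllib.parse import urlsplit, parse_qs

USERS_ROUTE = re.compile(r"^/wp/v2/users(/|$)")


def vulnerable_blocks(method, request_uri, body=""):
    """Original logic: look for 'users' anywhere in REQUEST_URI; the body is ignored."""
    return re.search(r"users", request_uri) is not None


def effective_request(method, request_uri, body=""):
    """Return (method, route) as the REST server would see them.

    The route comes from the /wp-json/ path, the rest_route query parameter,
    or rest_route in a form-encoded POST body (WordPress reads public query
    vars from both GET and POST). A ?_method= override on a POST changes the
    verb that is dispatched. Header-based overrides are not modelled here.
    """
    parts = urlsplit(request_uri)
    query = parse_qs(parts.query)
    form = parse_qs(body)
    eff_method = method.upper()
    if eff_method == "POST" and "_method" in query:
        eff_method = query["_method"][0].upper()
    if parts.path.startswith("/wp-json/"):
        route = "/" + parts.path[len("/wp-json/"):]
    else:
        route = (query.get("rest_route") or form.get("rest_route") or [None])[0]
    return eff_method, route


def hardened_blocks(method, request_uri, body=""):
    """Block the users routes based on the resolved route, whatever the transport."""
    _, route = effective_request(method, request_uri, body)
    return route is not None and USERS_ROUTE.match(route) is not None


# Constructed sample requests: the three from the advisory plus an ordinary
# page whose path merely contains the string "users".
REQUESTS = [
    ("GET", "/wp-json/wp/v2/users", ""),
    ("GET", "/?rest_route=/wp/v2/users", ""),
    ("POST", "/?_method=GET", "rest_route=/wp/v2/users"),  # the advisory's PoC
    ("GET", "/blog/users-of-widgets/", ""),
]

if __name__ == "__main__":
    for req in REQUESTS:
        print(req, "original:", vulnerable_blocks(*req), "hardened:", hardened_blocks(*req))
```

The last request shows the other side of the original regex: any page with "users" in its path was blocked while the PoC was not.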

Advisory timeline

  • 2017-05-16: Discovered
  • 2017-07-18: Reported to vendor via info@fullworks.net
  • 2017-07-18: First response from vendor
  • 2017-07-19: Vendor reports issue fixed in version 1.3.9
  • 2017-07-25: Published
  • 2017-09-29: Requested CVE

Mitigation/further actions

Upgrade to version 1.3.9 or later.