http/vulnerabilities/wordpress/wp-user-enum.yaml

id: wp-user-enum

info:
  name: WordPress REST API User Enumeration
  author: Manas_Harsh,daffainfo,geeknik,dr0pd34d
  severity: low
  description: |
    The REST API exposed user data for all users who had authored a post of a public post type. WordPress 4.7.1 limits this to only post types which have specified that they should be shown within the REST API.
  impact: |
    An attacker can easily determine valid usernames, which can lead to targeted attacks such as brute force attacks or social engineering.
  remediation: |
    Install a WordPress plugin such as Stop User Enumeration. Stop User Enumeration is a security plugin designed to detect and prevent hackers scanning your site for user names.
  reference:
    - https://www.acunetix.com/vulnerabilities/web/wordpress-rest-api-user-enumeration/
    - https://wordpress.org/plugins/stop-user-enumeration/
    - https://www.afteractive.com/wordpress-user-enumeration-vulnerability/
  classification:
    cpe: cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: wordpress
    product: wordpress
    shodan-query:
      - http.component:"WordPress"
      - http.component:"wordpress"
      - cpe:"cpe:2.3:a:wordpress:wordpress"
  tags: cve2017,cve,wordpress,wp,edb

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-json/wp/v2/users/"
      - "{{BaseURL}}/?rest_route=/wp/v2/users/"

    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"id":'
          - '"name":'
          - '"slug":'
        condition: and

      - type: word
        part: header
        words:
          - "application/json"

      - type: status
        status:
          - 200

    extractors:
      - type: json
        name: "usernames"
        json:
          - '.[] | .slug'
          - '.[].name'
        part: body
# digest: 4b0a00483046022100cf56dabee587a0239f9c2f1b11d4b26f99ef6e5e19d7022a8892207f43cd8fc1022100e80ad268652c3d8d952f04a8834e790160ba92cfcfe8ffa2f8bc525f9fdfdd30:922c64590222798bb761d5b6d8e72950
Update and rename CVE-2017-5487.yaml to wp-user-enum.yaml 2024-02-04 23:42:11 +05:30			`id: wp-user-enum`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 13:38:41 +03:00
Template rename / update 2021-06-10 21:57:07 +05:30			`info:`
Update and rename CVE-2017-5487.yaml to wp-user-enum.yaml 2024-02-04 23:42:11 +05:30			`name: WordPress REST API User Enumeration`
Update CVE-2017-5487.yaml 2022-05-27 09:14:47 +05:30			`author: Manas_Harsh,daffainfo,geeknik,dr0pd34d`
Update and rename CVE-2017-5487.yaml to wp-user-enum.yaml 2024-02-04 23:42:11 +05:30			`severity: low`
			`description: \|`
			`The REST API exposed user data for all users who had authored a post of a public post type. WordPress 4.7.1 limits this to only post types which have specified that they should be shown within the REST API.`
Added Impact 2023-09-27 21:21:13 +05:30			`impact: \|`
			`An attacker can easily determine valid usernames, which can lead to targeted attacks such as brute force attacks or social engineering.`
updated other CVEs 2023-09-06 18:52:34 +05:30			`remediation: \|`
Update and rename CVE-2017-5487.yaml to wp-user-enum.yaml 2024-02-04 23:42:11 +05:30			`Install a WordPress plugin such as Stop User Enumeration. Stop User Enumeration is a security plugin designed to detect and prevent hackers scanning your site for user names.`
Removed pipe (\|) character from references, because the structure requires it to be a string slice, not a string Related nuclei tickets: * #259 - dynamic key-value field support for template information * #940 - new infos in template * #834 * RES-84 2021-08-18 14:37:49 +03:00			`reference:`
Update and rename CVE-2017-5487.yaml to wp-user-enum.yaml 2024-02-04 23:42:11 +05:30			`- https://www.acunetix.com/vulnerabilities/web/wordpress-rest-api-user-enumeration/`
			`- https://wordpress.org/plugins/stop-user-enumeration/`
			`- https://www.afteractive.com/wordpress-user-enumeration-vulnerability/`
Add CPE classification to templates (#9420) * Add CPE classification to templates * misc fix * added tags * format updates * Revert "format updates" This reverts commit b93658be4b50c929d15082258e4d11a15b12cbd8. --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2024-03-26 13:33:04 +05:30			`classification:`
			`cpe: cpe:2.3:a:wordpress:wordpress::::::::`
Update CVE-2017-5487.yaml 2022-05-27 09:14:47 +05:30			`metadata:`
boolean format update 2023-06-04 13:43:42 +05:30			`verified: true`
updated other CVEs 2023-09-06 18:52:34 +05:30			`max-request: 2`
CVE Enrichment :tada: 2023-07-12 01:19:27 +05:30			`vendor: wordpress`
			`product: wordpress`
TemplateMan Update [Fri Jun 7 10:04:28 UTC 2024] :robot: 2024-06-07 10:04:29 +00:00			`shodan-query:`
Revert "chore: update TemplateMan 🤖" This reverts commit c31d574176f2b9e6f8d4fe573a24e7192f808e84. 2025-05-27 10:39:47 +08:00			`- http.component:"WordPress"`
TemplateMan Update [Fri Jun 7 10:04:28 UTC 2024] :robot: 2024-06-07 10:04:29 +00:00			`- http.component:"wordpress"`
			`- cpe:"cpe:2.3:a:wordpress:wordpress"`
auto tagging via templateman 2024-01-14 14:51:50 +05:30			`tags: cve2017,cve,wordpress,wp,edb`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 13:38:41 +03:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 09:58:59 +05:30			`http:`
Template rename / update 2021-06-10 21:57:07 +05:30			`- method: GET`
			`path:`
			`- "{{BaseURL}}/wp-json/wp/v2/users/"`
			`- "{{BaseURL}}/?rest_route=/wp/v2/users/"`
Update CVE-2017-5487.yaml 2022-05-27 09:14:47 +05:30
Update CVE-2017-5487.yaml 2021-09-02 06:59:23 +07:00			`stop-at-first-match: true`
CVE Enrichment :tada: 2023-07-12 01:19:27 +05:30
Template rename / update 2021-06-10 21:57:07 +05:30			`matchers-condition: and`
			`matchers:`
			`- type: word`
Update CVE-2017-5487.yaml 2022-05-27 09:14:47 +05:30			`part: body`
Template rename / update 2021-06-10 21:57:07 +05:30			`words:`
			`- '"id":'`
			`- '"name":'`
Fix FN wp-user-enum.yaml 2025-01-31 19:14:07 +05:30			`- '"slug":'`
Update CVE-2017-5487.yaml Fixes #1985 2021-07-13 18:58:52 +00:00			`condition: and`
Update CVE-2017-5487.yaml 2022-05-27 09:14:47 +05:30
			`- type: word`
			`part: header`
			`words:`
			`- "application/json"`

			`- type: status`
			`status:`
			`- 200`

update to CVE-2017-5487, added extractor 2021-08-02 01:08:39 -04:00			`extractors:`
more strict matchers (#3987) 2022-03-26 16:45:50 +05:30			`- type: json`
Update CVE-2017-5487.yaml 2022-05-27 09:14:47 +05:30			`name: "usernames"`
Added extractor for wordpress login names Added an additional extractor to extract login names (slugs) from the output and split the extraction output to "Full Names" and "Login Names" which can be helpful for automation or recon of a bug bounty or pentest/red team target. 2022-05-26 23:23:47 +00:00			`json:`
			`- '.[] \| .slug'`
Update CVE-2017-5487.yaml 2022-05-27 09:18:34 +05:30			`- '.[].name'`
CVE Enrichment :tada: 2023-07-12 01:19:27 +05:30			`part: body`
chore: sign templates 🤖 2025-02-03 09:31:04 +00:00			`# digest: 4b0a00483046022100cf56dabee587a0239f9c2f1b11d4b26f99ef6e5e19d7022a8892207f43cd8fc1022100e80ad268652c3d8d952f04a8834e790160ba92cfcfe8ffa2f8bc525f9fdfdd30:922c64590222798bb761d5b6d8e72950`