WordPress 6.4.3 Username Disclosure Vulnerability Last updated: March 17th, 2024 08:54 pm

In hacking, ethical or not, information gathering is step one, and user enumeration is a sub-process of that step. The attacker's goal is to enumerate users and gather information about a particular host or victim. While most hackers operate on the dark web, some online tools and CMSs make this critical stage very easy. Say you plan to attack a certain WordPress site: how do you find out which user or users it has? This is a zero-day, but it is very useful for acquiring key information about a site. By the time you read this it may have been fixed, but since most users do not auto-update their sites, the vulnerability may still be present. We will also leave our own site vulnerable to this for your tests.

Alongside our penetration testing work, we discovered this vulnerability in WordPress. WordPress is a powerful tool that many people use to build websites. Version 6.4.3 includes a username disclosure vulnerability. One of the first steps an attacker takes is to find out who the users of your site are, and this disclosure makes that simple.

WordPress includes a powerful REST API that handles the different request types, GET and POST. To a REST application programmer, interchanging them still works as long as the request type is not enforced strictly. In this case we perform a POST request with the string "users" in the body and trick the REST API into treating it as a GET request. The outcome discloses the users of the system and additionally gives you the avatar, or profile picture, of each user.
How to:
1. Get any WordPress install running version 6.4.3 (or updated to this version)
2. Type https://wordpresssite.com/wp-json/?rest_route=/wp/v2/users/ into the address bar
3. Hit Go

The WordPress API will return a JSON value.

All management usernames are returned in the slug field.

An example, using k***.co.ke: type https://www.k***.co.ke/wp-json/?rest_route=/wp/v2/users/

This will return:

[
  {
    "id": 1,
    "name": "admin",
    "url": "https:\/\/k***.co.ke",
    "description": "",
    "link": "https:\/\/k***.co.ke\/?author=1",
    "slug": "admin_1l",
    "avatar_urls": {
      "24": "https:\/\/secure.gravatar.com\/avatar\/f796ffd8af7172647b2f54ce8104919e?s=24&d=mm&r=g",
      "48": "https:\/\/secure.gravatar.com\/avatar\/f796ffd8af7172647b2f54ce8104919e?s=48&d=mm&r=g",
      "96": "https:\/\/secure.gravatar.com\/avatar\/f796ffd8af7172647b2f54ce8104919e?s=96&d=mm&r=g"
    },
    "meta": [],
    "_links": {
      "self": [ { "href": "https:\/\/k***.co.ke\/index.php?rest_route=\/wp\/v2\/users\/1" } ],
      "collection": [ { "href": "https:\/\/k***.co.ke\/index.php?rest_route=\/wp\/v2\/users" } ]
    }
  }
]

The user of the site above is admin, and the username can be read from the slug field.

How simple is that?

Try it on any WordPress site you come across. We will not name sites, but every one we tested was affected.

The worst part is that even sites protected by security plugins still show the same output, and WordPress has not yet released a patch for it.


A simple fix is to add the following filter to the theme's functions.php; it removes the users route from the REST API. It is not an ultimate solution, as the URL can be exploited further. We are watching for developments from the WordPress team.

add_filter( 'rest_endpoints', function ( $endpoints ) {
    // Drop the users collection route so the request returns a 404 instead of the user list.
    if ( isset( $endpoints['/wp/v2/users'] ) ) {
        unset( $endpoints['/wp/v2/users'] );
    }
    return $endpoints;
} );
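A fuller version of the same fix, added here as an example and not the post's own code: it also removes the per-user route that the "_links" in the output above point at, and keeps both routes for logged-in users who hold the list_users capability so the dashboard and block editor keep working. It assumes it is placed in the active theme's functions.php or an mu-plugin.

```php
<?php
// Added example, not the post's own fix: hide both users routes from callers
// who may not list users. Assumes functions.php or an mu-plugin as the home.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    // Authenticated callers with list_users (administrators by default)
    // still get the routes; anonymous callers do not.
    if ( current_user_can( 'list_users' ) ) {
        return $endpoints;
    }

    // Route keys exactly as WP_REST_Users_Controller registers them:
    // the collection and the single-user route (/wp/v2/users/1 above).
    $user_routes = array(
        '/wp/v2/users',
        '/wp/v2/users/(?P<id>[\d]+)',
    );

    foreach ( $user_routes as $route ) {
        if ( isset( $endpoints[ $route ] ) ) {
            unset( $endpoints[ $route ] );
        }
    }

    return $endpoints;
} );
```

Anonymous requests to either route then receive WordPress's standard rest_no_route 404; the filter changes nothing else on the site that publishes author names.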

J Mathenge - Cyber Security Enthusiast and Programmer
