Hi fellas,

Today, I wanted to spend some time explaining you why Wordpress is, and will still be, the best CMS of all time !

Indeed, since its release on May 27, 2003, no flaw has been found and its founders are kept hard work to maintain and enhance this fabulous solution that help thousand users to put online a secure and flawless website.

To convince the most sceptics, here are a few examples, illustrating the magnificence of this product.

Well …. Troll apart, this short article aims to describe a new and odd way, that I found during a pentesting, to enumerate users. It is important to note that this method has not been implemented by well-known Wordpress application scanners such as WPScan, Droopescan, etc.

Indeed, since two or three version release in the past, the Wordpress team implemented a REST API whose aim is to simplify the information gathering within the application e.g categories, articles, products, etc.

This API is accessible through the URL below

https://yourWordpressApp.com/?rest_route=/

Following a careful analysis of the various endpoints provided by this API, I can assume that no privilege escalation attack is possible on the last release of the CMS. However, a specific route caught my attention !

In fact, when accessing the endpoint /wp/v2/users, the application returns any users registered alongside the website, showing their ID, name, slug, etc.

But that’s not all ! Indeed, this functionality is available natively and, only the installation of plugin can restrict the access to authenticated users ! Consequently, any fresh install present over the internet are vulnerable to this kind of user enumeration, making easier the next phase, the brute force attack !

REST API is not the only way to enumerate Wordpress users, however, plenty of hardening articles explain how to prevent such attack by disabling the author path (?author=ID) or using a generic message error when a connexion attempt fails !

To continue with, I forked the WPScan repository and added this enumeration vector. I’m currently waiting for a Ruby expert to review my piece of code before submitting my pull request cause this tool is so huge that I’m afraid to break the design pattern implemented So, if someone is motivated to do a code review, feel free to access my repo on github !

I hope you enjoyed this article !

Best,

Nitrax