• Resolved blandyuk

    (@blandyuk)


    Hi all,

    Noticed in our web server logs this URL is hit:

    /wp-json/wp/v2/users/

I think this feed only shows users who have posted on WordPress, but it clearly shows usernames, ID numbers, etc. I worry it shows all users in the [wp_users] table.

    I have noticed that once a hacker has hit this page, a wordlist-based login attack starts on the login page as well as the /xmlrpc.php page. They have the usernames, so only the passwords are required. Not good at all!

    WordPress needs to ditch it, but it would be good for All-in-One WP Security & Firewall to provide an option to block access to this URL: /wp-json/wp/v2/users/

    I have currently blocked via IIS Content Blocking in URL tab.

    I have tested this on numerous online WP sites and can confirm it is openly available.


Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Contributor mbrsolution

    (@mbrsolution)

    Thank you for reaching out to us.

Our plugin does have the following feature, Disallow Unauthorized REST Requests, which you can enable. This is located in Miscellaneous -> WP REST API.

    Kind regards

    • This reply was modified 4 years, 2 months ago by mbrsolution.
    Thread Starter blandyuk

    (@blandyuk)

    Perfect thanks. I blocked the User Enumeration initially as this does something similar via redirecting from /?author=1 and showing the usernames also.

Might be worth mentioning some of the REST API requests it will block so users have a better understanding, like the example I provided above.

Great work
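The two enumeration paths discussed in this thread (the /wp-json/wp/v2/users/ routes and the /?author=N redirect to /author/<slug>/) can be closed at the WordPress level without a plugin. The following is an added example written for this page; it is not code from All-in-One WP Security & Firewall and does not reproduce how that plugin's "Disallow Unauthorized REST Requests" option is implemented. It only uses core WordPress hooks (rest_endpoints, template_redirect); the file name and plugin header are assumptions.

```php
<?php
/**
 * Plugin Name: Hide User Enumeration (added example)
 *
 * Drop this file into wp-content/mu-plugins/ (file name is an assumption).
 * It does two things:
 *   1. removes the /wp/v2/users REST routes for requests that are not
 *      authenticated, so anonymous hits to /wp-json/wp/v2/users/ get a
 *      404 "rest_no_route" instead of a user list;
 *   2. answers /?author=<number> with a 404 before redirect_canonical()
 *      can turn it into /author/<user_nicename>/ and leak the login slug.
 */

// 1. Hide the users routes from anonymous REST requests.
//    The rest_endpoints filter runs after REST authentication, so
//    is_user_logged_in() reflects cookie+nonce or application-password
//    auth. Logged-in users (e.g. the block editor's author picker) are
//    unaffected; other public REST routes stay available, unlike a
//    blanket "deny all unauthenticated REST" rule.
add_filter('rest_endpoints', function (array $endpoints): array {
    if (is_user_logged_in()) {
        return $endpoints;
    }
    foreach (array_keys($endpoints) as $route) {
        // Covers '/wp/v2/users', '/wp/v2/users/(?P<id>[\d]+)' and '/wp/v2/users/me'.
        if (strpos($route, '/wp/v2/users') === 0) {
            unset($endpoints[$route]);
        }
    }
    return $endpoints;
});

// 2. Refuse numeric author queries on the front end.
//    redirect_canonical() is hooked on template_redirect at priority 10,
//    so this must run earlier (priority 1) or the redirect fires first.
add_action('template_redirect', function (): void {
    if (is_admin() || !isset($_GET['author'])) {
        return;
    }
    if (preg_match('/^\d+$/', (string) $_GET['author'])) {
        global $wp_query;
        $wp_query->set_404();
        status_header(404);
        nocache_headers();
        wp_die('Not found', '', ['response' => 404]);
    }
}, 1);
```

To verify, request /wp-json/wp/v2/users/ without cookies and expect a 404 JSON error with code rest_no_route, and request /?author=1 and expect a 404 with no Location header; a logged-in request (or one carrying a valid X-WP-Nonce) to the users route should still succeed. Compared with the plugin's site-wide "Disallow Unauthorized REST Requests" setting, this only hides the users routes, so front-end features that legitimately call other public REST routes keep working; the trade-off is that it does not cover anything outside those two paths.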

  • The topic ‘Exposure of user data via open feed’ is closed to new replies.