• Username Form:

    https://www.xxxx.com/xxxx

    POST request processing:
    POST /wp-admin/admin-ajax.php HTTP/1.1
    action=uabb-lf-form-submit&username=aa&password=aaa&rememberme=1&nonce=4ae8ac03b2
    Error: The Username you have entered is Invalid

    Lost Password:

    https://xxxxx.com/wp-login.php?action=lostpassword&wpe-login=true
    POST /wp-login.php?action=lostpassword&wpe-login=true HTTP/1.1
    Host: xxxx.com

    user_login=aaa&redirect_to=&wp-submit=%E6%96%B0%E3%81%97%E3%81%84%E3%83%91%E3%82%B9%E3%83%AF%E3%83%BC%E3%83%89%E3%82%92%E5%8F%96%E5%BE%97
    Error: There is no account with that username or email address.

    Hi there,

    I am trying to prevent username enumeration in the following scenarios:
    /wp-admin/admin-ajax.php and lost password.
    OWASP has mentioned that this is a vulnerability.

    • This topic was modified 2 years, 11 months ago by flamec.
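One way to close both leaks described in the post on the server side, added here as an example and not code from the thread, from WordPress core or from the UABB plugin. It is a must-use plugin that (1) normalises the `WP_Error` coming out of the `authenticate` filter, which covers wp-login.php and any plugin form that calls `wp_signon()`, on the assumption that the `uabb-lf-form-submit` handler does so and derives its "Username ... is Invalid" text from core's `invalid_username` error code; (2) on `lostpassword_post`, answers an unknown login or email with the same `checkemail=confirm` redirect a real account receives (the `$user_data` argument of that action exists from WordPress 5.4, taken here as the minimum version); and (3) replaces whatever error HTML still reaches `login_header()` on the login and lost-password screens. The constant name and the message wording are arbitrary choices for this example.

```php
<?php
/**
 * Plugin Name: Uniform login and lost-password errors
 * Description: Example (not from the forum thread, WordPress core or UABB):
 *              collapse the distinct "unknown username" / "wrong password" /
 *              "no such account" responses into one generic response so that
 *              neither wp-login.php nor a plugin form that calls wp_signon()
 *              can be used to enumerate usernames. Place in wp-content/mu-plugins/.
 */

// Arbitrary wording for this example; any fixed, non-revealing text works.
const ULE_GENERIC_LOGIN_MSG = 'Invalid username/email or password.';

/*
 * 1. Login: wp_signon() -> wp_authenticate() -> 'authenticate' filter.
 *    Core's username/password and email/password checks run at priority 20,
 *    so a callback at priority 100 sees their WP_Error and can replace it.
 *    Any caller of wp_signon() (assumed to include the uabb-lf-form-submit
 *    AJAX handler) then only ever receives the generic code and message.
 */
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( ! is_wp_error( $user ) ) {
        return $user; // Successful login, or no handler has decided yet.
    }
    // Codes whose messages say whether the account exists or only the password is wrong.
    $revealing = array( 'invalid_username', 'invalid_email', 'incorrect_password' );
    if ( in_array( $user->get_error_code(), $revealing, true ) ) {
        return new WP_Error( 'invalid_credentials', ULE_GENERIC_LOGIN_MSG );
    }
    return $user; // e.g. empty_username / empty_password: nothing leaked.
}, 100, 3 );

/*
 * 2. Lost password: retrieve_password() attaches "There is no account with
 *    that username or email address." when the lookup fails. The
 *    'lostpassword_post' action fires before that message is added, so for an
 *    unknown account we send the caller to the same "check your email"
 *    confirmation a real account gets and stop processing.
 *    $user_data is passed to this action on WordPress 5.4+ (assumed here).
 */
add_action( 'lostpassword_post', function ( $errors, $user_data ) {
    // "Please enter a username or email address" reveals nothing; let it through.
    if ( $errors->get_error_code() === 'empty_username' ) {
        return;
    }
    if ( ! $user_data ) {
        // Unknown login or email: respond exactly as for a known account.
        wp_safe_redirect( add_query_arg( 'checkemail', 'confirm', wp_login_url() ) );
        exit;
    }
}, 10, 2 );

/*
 * 3. Display on wp-login.php: login_header() passes the assembled error HTML
 *    through 'login_errors'. Replacing it on the login and lost-password
 *    screens catches wording the two hooks above did not (for example a
 *    third plugin adding its own message). Other screens (password reset,
 *    registration) keep their specific errors.
 */
add_filter( 'login_errors', function ( $html ) {
    $action = isset( $_REQUEST['action'] ) ? (string) $_REQUEST['action'] : 'login';
    if ( in_array( $action, array( 'login', 'lostpassword', 'retrievepassword' ), true ) ) {
        return esc_html( ULE_GENERIC_LOGIN_MSG );
    }
    return $html;
} );
```

To check the result, replay the two lost-password POSTs from the report (one with an existing `user_login`, one with a bogus one) with curl and compare the status code, the `Location` header and the body; they should now be identical. Response time remains the one difference, because `wp_mail()` runs only for a real account, so rate limiting on `wp-login.php` and `admin-ajax.php` is still needed alongside this.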
Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Prevent /wp-admin/admin-ajax.php and lost password enumeration’ is closed to new replies.