WordPress REST API User Enumeration Abuse

WordPress is a popular, open source, blogging tool and content management system based on PHP and MySQL. According to the latest BuiltWith statistics, a total of 18,619,652 live websites use WordPress! That figure is 5% of the total internet websites!

About three months ago with the advent of WordPress 4.7, support for REpresentational State Transfer (REST) API was released. This API provides anonymous, public as well as private data access to the website data using JSON (JavaScript Object Notation). This API is enabled by default on WordPress 4.7 and above versions. One of the easiest ways to detect this capability by looking for the following text in the Link header field of a WordPress website:

Link: <http://example.com/wp-json/>; rel="https://api.w.org/">

Graphically, this looks like:

WordPress REST API Link Header
WordPress REST API Link Header

With this information over us, it is now easier to understand a user enumeration vulnerability that plagued WordPress 4.7 versions prior to 4.7.1.

This user enumeration vulnerability existed in the wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php source file, which did not restrict access to sensitive user information. On a vulnerable machine, a simple request to the /wp-json/wp/v2/users/ URI would expose information about all users that have atleast one published post. This information includes a userid, username, gravatar hash and website URL. Vulnerable systems display the following behaviour:

Vulnerable to WordPress REST API
Vulnerable to WordPress REST API user enumeration attacks

WordPress fixed this by ‘enforcing’ authorization via the “show_in_rest” directive. If this is enabled, user enumeration is no longer possible and we see a display similar to this:

Response from a patched target.
Response from a patched target.

and we get a HTTP 401 Unauthorized response from the web server:

HTTP 401 - Unauthorized
HTTP 401 – Unauthorized

QualysGuard QID 11772 – WordPress REST API User Enumeration Vulnerability will alert you of any affected WordPress installations in your network.

Leave a Reply

Your email address will not be published. Required fields are marked *