WordPress is a popular open source blogging tool and content management system based on PHP and MySQL. According to the latest BuiltWith statistics, a total of 18,619,652 live websites use WordPress! That figure is 5% of all websites on the internet!
Link: <http://example.com/wp-json/>; rel="https://api.w.org/"
Graphically, this looks like:
With this background in place, it is now easier to understand a user enumeration vulnerability that plagued WordPress 4.7 versions prior to 4.7.1.
This user enumeration vulnerability existed in the wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php source file, which did not restrict access to sensitive user information. On a vulnerable machine, a single unauthenticated request to the /wp-json/wp/v2/users/ URI would expose information about every user that has at least one published post. This information includes the user ID, username, Gravatar hash and website URL. Vulnerable systems display the following behaviour:
WordPress fixed this by ‘enforcing’ authorization via the “show_in_rest” directive. If this is enabled, user enumeration is no longer possible and we see a display similar to this:
and we get an HTTP 401 Unauthorized response from the web server:
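As an added example that is not part of the original article, here is a small Python check a site owner can run over their own web server access log to see whether requests for the users endpoint are being served with a 200 (user data exposed, as on the vulnerable install above) or refused with a 401 (as on the patched install). The log lines are constructed samples in Apache combined format; the check also recognises the ?rest_route= query form that WordPress accepts when pretty permalinks are disabled.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2017:10:01:02 +0000] "GET /wp-json/wp/v2/users/ HTTP/1.1" 200 1873 "-" "curl/7.47.0"
203.0.113.5 - - [10/Jan/2017:10:01:03 +0000] "GET /wp-json/wp/v2/users?per_page=100&page=2 HTTP/1.1" 200 2410 "-" "curl/7.47.0"
198.51.100.7 - - [10/Jan/2017:10:02:11 +0000] "GET /?rest_route=/wp/v2/users HTTP/1.1" 401 97 "-" "python-requests/2.12"
198.51.100.7 - - [10/Jan/2017:10:02:15 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2017:10:03:00 +0000] "GET /wp-json/wp/v2/users/1 HTTP/1.1" 200 412 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, request target and response status are all we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# The collection endpoint discussed in the article, plus the per-user form /wp/v2/users/<id>.
USERS_ROUTE = re.compile(r'^/wp/v2/users(/\d+)?/?$')


def rest_route(target):
    """Return the REST route a request target addresses, or None if it is not a REST call.

    Handles both the pretty /wp-json/<route> prefix and the /?rest_route=<route> fallback."""
    parts = urlsplit(target)
    if parts.path.startswith('/wp-json/'):
        return '/' + parts.path[len('/wp-json/'):]
    params = parse_qs(parts.query)
    if 'rest_route' in params:
        return params['rest_route'][0]
    return None


def find_user_enumeration(log_text):
    """Split users-endpoint requests into those served (HTTP 200) and those refused (any other status).

    Each entry is (client_ip, route, status)."""
    served, refused = [], []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as combined-format entries
        route = rest_route(m['target'])
        if route is None or not USERS_ROUTE.match(route):
            continue
        hit = (m['ip'], route, int(m['status']))
        (served if hit[2] == 200 else refused).append(hit)
    return served, refused


if __name__ == '__main__':
    served, refused = find_user_enumeration(SAMPLE_LOG)
    print('served (data exposed):', Counter(ip for ip, _, _ in served))
    print('refused:', Counter(ip for ip, _, _ in refused))
```

Any entry in the served list on a site that should be patched is worth a closer look; on a fixed install the collection requests should land in the refused list with a 401, as shown in the article.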
QualysGuard QID 11772 – WordPress REST API User Enumeration Vulnerability will alert you to any affected WordPress installations in your network.