Security Test: WordPress oEmbed Endpoint Exposure¶
Scanner(s) Support¶
| GraphQL Scanner | REST Scanner | Frontend Scanner |
|---|---|---|
Description¶
Default Severity:
The issue arises when WordPress exposes its oEmbed endpoint at /oembed/1.0/embed, which allows unauthenticated users to request embedded content. This could potentially lead to information leakage, allowing attackers to enumerate posts or extract metadata about the site. It's essential to either restrict access to this endpoint or disable it entirely if it's not required for the site.
Configuration¶
Identifier:
information_disclosure/wordpress_oembed_endpoint_exposed
Examples¶
All configuration available:
Compliance and Standards¶
| Standard | Value |
|---|---|
| OWASP API Top 10 | API7:2023 |
| PCI DSS | 6.5.5 |
| GDPR | Article-32 |
| SOC2 | CC6 |
| PSD2 | Article-95 |
| ISO 27001 | A.14.2 |
| NIST | SP800-53 |
| CWE | 200 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C |
| CVSS Score | 5.1 |