
Information Disclosure: WordPress oEmbed Endpoint Exposure

Identifier: wordpress_oembed_endpoint_exposed

Scanner(s) Support

GraphQL Scanner, REST Scanner, WebApp Scanner

Description

WordPress registers an oEmbed provider in its REST API at the route /oembed/1.0/embed (with the default REST prefix this is reachable at /wp-json/oembed/1.0/embed). The route takes a url parameter naming any public post and answers without authentication with the post title, the author's display name, the author archive URL and the embed HTML. Because the author archive URL ends in the author's user slug (user_nicename, which defaults to the login name), an unauthenticated caller can enumerate posts and harvest usernames that are then useful for credential attacks against /wp-login.php or xmlrpc.php. If the site does not need to be embeddable elsewhere, disable the endpoint (for example by removing the wp_oembed_register_route action from rest_api_init) or restrict access to it at the web server or WAF layer; only accept the exposure where embedding is an actual requirement.
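The following is an added example, not the scanner's own implementation: it builds the probe URL this check issues and classifies the response the way the description above reasons about it, separating a hardened site (route unregistered, REST error rest_no_route) from an exposed one (an oEmbed document, or the oembed_invalid_url error that proves the route is registered even when the probed URL is not a post). The sample response bodies are constructed to match WordPress's actual JSON shapes; the function and class names are this example's own.

```python
"""Offline classifier for the WordPress oEmbed endpoint exposure check (added example)."""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from urllib.parse import urlencode, urlparse

# Default REST prefix (/wp-json) plus the oEmbed provider route WordPress registers.
OEMBED_ROUTE = "/wp-json/oembed/1.0/embed"


def build_probe_url(site: str, post_url: str | None = None) -> str:
    """Return the URL a scanner would request; defaults to probing the post with ID 1."""
    site = site.rstrip("/")
    target = post_url or f"{site}/?p=1"
    return f"{site}{OEMBED_ROUTE}?" + urlencode({"url": target, "format": "json"})


@dataclass
class OembedFinding:
    """Result of analysing one oEmbed response (names are this example's assumptions)."""
    exposed: bool
    title: str = ""
    author_name: str = ""
    author_slug: str = ""  # last path segment of author_url: user_nicename, defaults to the login name
    evidence: list[str] = field(default_factory=list)


def analyse_response(status: int, body: str) -> OembedFinding:
    """Classify an HTTP status/body pair returned by the oEmbed route."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return OembedFinding(False, evidence=[f"HTTP {status}: non-JSON body"])
    if not isinstance(data, dict):
        return OembedFinding(False, evidence=[f"HTTP {status}: unexpected JSON shape"])

    code = data.get("code")
    # Route removed from rest_api_init: WordPress answers with the generic REST 404 envelope.
    if code == "rest_no_route":
        return OembedFinding(False, evidence=[f"HTTP {status} {code}: oEmbed route not registered"])
    # Route is registered but the probed URL did not resolve to a post: still exposed.
    if code == "oembed_invalid_url":
        return OembedFinding(True, evidence=[f"HTTP {status} {code}: route registered, URL is not a post"])
    # A real oEmbed document: pull out what an unauthenticated caller learns.
    if status == 200 and data.get("version") == "1.0" and "html" in data:
        author_url = data.get("author_url", "")
        slug = urlparse(author_url).path.rstrip("/").rsplit("/", 1)[-1] if author_url else ""
        return OembedFinding(
            True,
            title=data.get("title", ""),
            author_name=data.get("author_name", ""),
            author_slug=slug,
            evidence=[f"HTTP 200 oEmbed document from {data.get('provider_url', '')}"],
        )
    return OembedFinding(False, evidence=[f"HTTP {status}: unrecognised response"])


# Constructed sample bodies mirroring the shapes WordPress produces (not captured traffic).
EXPOSED_BODY = json.dumps({
    "version": "1.0", "provider_name": "Example Blog", "provider_url": "https://example.com",
    "author_name": "J. Doe", "author_url": "https://example.com/author/jdoe/",
    "title": "Hello world!", "type": "rich", "width": 600, "height": 338,
    "html": "<blockquote class=\"wp-embedded-content\">Hello world!</blockquote>",
})
HARDENED_BODY = json.dumps({
    "code": "rest_no_route",
    "message": "No route was found matching the URL and request method.",
    "data": {"status": 404},
})
INVALID_URL_BODY = json.dumps({"code": "oembed_invalid_url", "message": "Not Found", "data": {"status": 404}})


if __name__ == "__main__":
    print(build_probe_url("https://example.com"))
    for label, status, body in (("exposed", 200, EXPOSED_BODY),
                                ("hardened", 404, HARDENED_BODY),
                                ("invalid url", 404, INVALID_URL_BODY)):
        print(label, analyse_response(status, body))
```

Treat a 404 as "not exposed" only when the REST error code is rest_no_route; an oembed_invalid_url 404 means the route exists and a better post URL (one taken from the site's own links) will return the full document.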

Configuration

Example

Example configuration:

---
security_tests:
  wordpress_oembed_endpoint_exposed:
    assets_allowed:
    - REST
    - GRAPHQL
    - WEBAPP
    skip: false

Reference

assets_allowed

Type : List[AssetType]*

List of assets that this check will cover.

skip

Type : boolean

Skip the test if true.