Skip to content

Information Disclosure: WordPress REST API Users Exposed

Identifier: wordpress_rest_api_users_exposed

Scanner(s) Support

GraphQL Scanner REST Scanner WebApp Scanner

Description

The issue occurs when the WordPress REST API exposes user details through an unauthenticated request to /wp/users. This can allow attackers to enumerate users, aiding in reconnaissance and potentially targeting specific individuals for attacks.

Configuration

Example

Example configuration:

---
security_tests:
  wordpress_rest_api_users_exposed:
    assets_allowed:
    - REST
    - GRAPHQL
    - WEBAPP
    skip: false

Reference

assets_allowed

Type : List[AssetType]*

List of assets that this check will cover.

skip

Type : boolean

Skip the test if true.