Details ================ Software: Stop User Enumeration Version: 1.3.8 Homepage: https://wordpress.org/plugins/stop-user-enumeration/ Advisory report: https://security.dxw.com/advisories/stop-user-enumeration-rest-api/ CVE: Awaiting assignment CVSS: 5 (Medium; AV:N/AC:L/Au:N/C:P/I:N/A:N) Description ================ Stop User Enumeration allows user enumeration via the REST API Vulnerability ================ Stop User Enumeration optionally allows stopping user enumeration via the WordPress REST API. When that option is enabled, requests toA /wp-json/wp/v2/users are blocked and return an error like this: {\"code\":\"rest_cannot_access\",\"message\":\"Only authenticated users can access the User endpoint REST API.\",\"data\":{\"status\":401}} It also successfully blocks requests such asA /?rest_route=/wp/v2/users. The blocking relies upon the following comparison: if( preg_match(\'/users/\', $_SERVER[\'REQUEST_URI\']) !== 0 ) { On the surface this looks like it should work.A And itA seems like we canat get around the restriction by sending a POST request with the parameter rest_route=/wp/v2/users, because WordPress thinks we want to create a user and responds with an error. However, the REST API allows simulating differentA request types. As such, we can perform a POST request with the ausersa string in the body of the request, and tell the REST APIA to act like itas received a GET request. Proof of concept ================ curl http://localhost/?_method=GET -d rest_route=/wp/v2/users Mitigations ================ Upgrade to versionA 1.3.9 or later. Disclosure policy ================ dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/ Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf. This vulnerability will be published if we do not receive a response to this report with 14 days. Timeline ================ 2017-05-16: Discovered 2017-07-18: Reported to vendor viaA info@fullworks.net 2017-07-18: First response from vendor 2017-07-19: Vendor reports issue fixed in version 1.3.9 2017-07-25: Published Discovered by dxw: ================ Tom Adams Please visit security.dxw.com for more information. # Iranian Exploit DataBase = http://IeDb.Ir [2017-08-06]