H3-2022-0080

WordPress Unauthenticated User Enumeration

Category SECURITY_MISCONFIGURATION
Base Score 3.0

Description

WordPress users can be enumerated without authentication using the REST API or author archives.

Impact

An unauthenticated attacker can query the WordPress instance and compile a list of valid usernames. These usernames can then be used in credential attacks such as password spraying and credential stuffing.
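The following is an added hardening example, not part of this advisory and not WordPress core or any plugin's own code. It is a single-file must-use plugin (assumed to be dropped into `wp-content/mu-plugins/`) that closes the two exposure paths named in the description, the REST API user routes and author archives, using only documented WordPress hooks. The `/wp/v2/users` route keys assume WordPress 4.7 or later; the sitemap provider filter assumes 5.5 or later, and it is included because the users sitemap also lists author archive URLs.

```php
<?php
/**
 * Plugin Name: Restrict unauthenticated user enumeration (example hardening)
 * Description: Hypothetical mu-plugin illustrating mitigations for H3-2022-0080.
 */

// 1. REST API: drop the user-listing and single-user routes for requests that
//    carry no valid WordPress authentication. Logged-in editors keep them.
//    Removed routes answer with a 404 "rest_no_route" error.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    unset( $endpoints['/wp/v2/users'] );
    unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
} );

// 2. Author archives: send any author-archive request (pretty permalink or
//    ?author=N) to the home page. Priority 1 runs before redirect_canonical(),
//    which WordPress hooks at the default priority 10 and which would
//    otherwise redirect ?author=N to /author/<login-slug>/ and leak the name.
add_action( 'template_redirect', function () {
    if ( is_author() ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}, 1 );

// 3. Sitemaps: the "users" provider publishes author archive URLs in
//    wp-sitemap-users-1.xml, so disable that provider as well.
add_filter( 'wp_sitemaps_add_provider', function ( $provider, string $name ) {
    return 'users' === $name ? false : $provider;
}, 10, 2 );
```

After deploying, verify from an unauthenticated client that `/wp-json/wp/v2/users` returns a 404 `rest_no_route` response, that `/?author=1` no longer redirects to an `/author/<name>/` URL, and that `/wp-sitemap.xml` no longer references a users sitemap. Authenticated requests (for example from the block editor, which needs the user routes for author selection) are deliberately left untouched.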

References