## Summary: Hello, I know that isn't in the Scope But this The Only Way I can Report With And It Belongs to the Main Domain. ==At first please see all those references given below:== ##References: https://hackerone.com/reports/768151 https://hackerone.com/reports/1167869 https://hackerone.com/reports/1170185 ##Details: It's possible to get information about the users registered (such as id, name, login name, etc.) without authentication in WordPress via API. ## Steps To Reproduce: + Intercept this URL https://sifchain.finance/wp-json/ to Burp + Then add `Origin: http://bing.com` in request & forward the request + In response, you will able to see `Access-Control-Allow-Origin: http://bing.com` > Simple Exploit given below: ```

``` ==For better understanding please watch the POC Video.== #POC Video: {F1293211} #Remediation: There are 2 ways that it's possible to fix this problem. ==FIX 1== - It's possible to remove this access for anyone by changing the source code where when someone requests the Rest API and the server sends a 404 (Not Found) message for the user who made the request. Reference: https://github.com/WP-API/WP-API/issues/2338 ==FIX 2== - It's also possible to create a rewrite rule on .htaccess (if the webserver it's Apache) to redirect any request that contains restricted (eg.: "^.restroute=/wp/") to a Not Found (404) or a Default Page. Regards, @emptymahbob ## Impact It's possible to get all the users registered on the system and create a brute force directed to these users. Cross Misconfiguration -Leakage Sensitive Information.

Sifchain: CORS Misconfiguration Leads to Sensitive Exposure on Sifchain main domain