HackerOne report H1:1663363 by hammodmt
Aug 08, 2022 - 11:11 p.m.

Top Echelon Software: Wordpress Users Disclosure (/wp-json/wp/v2/users/)

2022-08-08 23:11:05
hammodmt
hackerone.com

Tags: rest api, wordpress, user information, bruteforce attacks, bug bounty

Hello Team @top_echelon_software
Information:
Using the REST API, we can see all the WordPress users/authors with some of their information.

Steps To Reproduce:
You can get user info by entering the below URL in your browser:
https://www.topechelon.com/wp-json/wp/v2/users/
███████

Impact

Authors: LTR, LTREditor. A scenario of brute-force attacks against these users can be created.

A malicious counterpart could collect the disclosed usernames (and the admin user) and focus a brute-force attack on them (as the usernames are now known).
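For reference, one server-side mitigation for the issue described above. This is an added example written for this page; it is not code from the report, from Top Echelon Software, or from WordPress core. It assumes the site is a stock WordPress install (as the report states) and uses the core `rest_endpoints` filter and the route keys that WP_REST_Users_Controller registers, so that unauthenticated requests to /wp-json/wp/v2/users/ receive a `rest_no_route` 404 while logged-in users keep the routes:

```php
<?php
/**
 * Plugin Name: Hide REST user listing from anonymous requests
 * Description: Removes the /wp/v2/users routes for unauthenticated REST requests.
 *
 * Added example, not part of the report or the site's own code.
 * Drop this file into wp-content/mu-plugins/ so it loads on every request.
 */

add_filter('rest_endpoints', function (array $endpoints): array {
    // Authenticated users (editors picking an author in the block editor, etc.)
    // keep the routes; anonymous requests lose them.
    if (is_user_logged_in()) {
        return $endpoints;
    }

    // Route keys exactly as WordPress core registers them in WP_REST_Users_Controller.
    $user_routes = [
        '/wp/v2/users',
        '/wp/v2/users/(?P<id>[\d]+)',
        '/wp/v2/users/me',
    ];

    foreach ($user_routes as $route) {
        unset($endpoints[$route]);
    }

    return $endpoints;
});
```

After installing, an anonymous GET to /wp-json/wp/v2/users/ returns `{"code":"rest_no_route",...}` with HTTP 404 instead of the user list, which is the check to run to confirm the fix. Note that this only closes the REST route; author archive URLs and the `?author=N` redirect still reveal author slugs unless they are handled separately, so username-based brute-force protection (login rate limiting, strong password policy, MFA) remains the durable control.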