This vulnerability allows an attacker to reveal user names in various services. With the help of permissive settings in web applications and a properly targeted brute-force, the attacker can discover the username of the administration panel. Exposing this sensitive information is a serious loophole because, if the admin panel is not otherwise protected, the attacker can run a second brute-force attack against the password parameter, thus completing the puzzle needed to penetrate the site's administration area.
WordPress Website Security Facts – Username Enumeration
WordPress systems have a default behaviour which, with the help of the author parameter, reveals the names of the site's users. This is possible because WordPress assigns each editor/author a numeric ID; ID 1 is always the user with the highest permissions. If this behaviour is not blocked ahead of time, an attacker can brute-force numbers on the author parameter, and the server response will contain a Location header that reveals the username associated with that ID.

During the resilience test, the Nmap tool was used with the script http-wordpress-users. This script brute-forces numbers while passing the author parameter to the site. The scan revealed the main user of the site, root, which is associated with ID number 1.
Manual testing can be done by accessing the address http://18.104.22.168:31120/?author=1 and checking the Location header returned by the server.

Pictures for illustration and the course of the test:
[Figure: running the script and finding the user]
[Figure: the Location header after passing the parameter author=1]
Recommendations for repair
The option that allows the names of the users to be revealed must be blocked immediately: the site must not accept the author parameter with numeric values that indicate the IDs of the users on the site.

This can be blocked in 2 ways:
Modify the functions.php code in the site's theme.
Block at the server level by editing the .htaccess file and using mod_rewrite to set the rule.
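The first option, as an added example that is not part of the original report: a snippet for the theme's functions.php that answers any author-archive request with a 404 before WordPress builds the canonical redirect, so no Location header carrying the login name is ever sent. The hook, priority and WordPress functions used are real WordPress APIs; treating every author archive as not found is this example's assumption.

```php
<?php
// Added example (not from the original report): place in the active
// theme's functions.php. Blocks user enumeration via ?author=N.
//
// WordPress turns ?author=N into an author archive query and then, in
// redirect_canonical() (hooked on template_redirect at priority 10),
// sends a 301 whose Location header ends in /author/<login>/.
// Running at priority 1 lets us answer before that redirect is built.
add_action( 'template_redirect', function () {
    // is_author() is true both for ?author=N and for pretty permalinks
    // such as /author/<login>/. WordPress reads public query vars from
    // both $_GET and $_POST, so checking the parsed query (rather than
    // only the query string) also covers a POSTed author=N.
    if ( ! is_author() ) {
        return;
    }

    // Assumption of this example: author archives are not needed on
    // this site, so every author request is treated as not found.
    // Emit a 404 with no Location header instead of a redirect.
    status_header( 404 );
    nocache_headers();

    $template = get_404_template(); // '' if the theme has no 404.php
    if ( $template ) {
        include $template;
    }
    exit;
}, 1 );
```

For the second option, the Apache equivalent (which only sees GET query strings, not POST bodies) is `RewriteCond %{QUERY_STRING} (^|&)author=\d+` followed by `RewriteRule ^ - [F,L]`, placed in .htaccess after `RewriteEngine On` and before the standard WordPress rules.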