Wordpress has never been safer!

hacking
tool
webhacking
websec

#1

Hi fellas,

Today, I wanted to spend some time explaining to you why WordPress is, and will remain, the best CMS of all time!
Indeed, since its release on May 27, 2003, no flaw has been found, and its founders have kept working hard to maintain and enhance this fabulous solution that helps thousands of users put a secure and flawless website online.

To convince the most sceptical, here are a few examples illustrating the magnificence of this product.

Well… trolling apart, this short article aims to describe a new and odd way, which I found during a pentest, to enumerate users. It is important to note that this method has not been implemented by well-known WordPress application scanners such as WPScan, Droopescan, etc.

Indeed, two or three releases ago, the WordPress team implemented a REST API whose aim is to simplify information gathering within the application, e.g. categories, articles, products, etc.

This API is accessible through the URL below:

https://yourWordpressApp.com/?rest_route=/

Following a careful analysis of the various endpoints provided by this API, I assume that no privilege escalation attack is possible on the latest release of the CMS. However, a specific route caught my attention!

In fact, when accessing the endpoint /wp/v2/users, the application returns every user registered on the website, showing their ID, name, slug, etc.

But that's not all! Indeed, this functionality is available natively, and only the installation of a plugin can restrict access to authenticated users! Consequently, any fresh install exposed on the internet is vulnerable to this kind of user enumeration, making the next phase, the brute-force attack, easier!

The REST API is not the only way to enumerate WordPress users; however, plenty of hardening articles explain how to prevent such attacks by disabling the author path (?author=ID) or using a generic error message when a login attempt fails!

To continue, I forked the WPScan repository and added this enumeration vector. I'm currently waiting for a Ruby expert to review my piece of code before submitting my pull request, because this tool is so huge that I'm afraid of breaking the design pattern implemented :sweat_smile: So, if someone is motivated to do a code review, feel free to access my repo on GitHub!

I hope you enjoyed this article!

Best,
Nitrax

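As an added example (not code from the post above, nor from WPScan or WordPress), the Ruby module below walks the /wp/v2/users route the way a scanner would: it builds the request URL for either the ?rest_route= form used in the post or the /wp-json/ form a site with pretty permalinks serves, follows the X-WP-TotalPages header across pages (WordPress caps per_page at 100), and recognises the 401 rest_user_cannot_view answer a site that restricts the route returns. The HTTP layer is injected as a callable and the responses it runs against here are constructed samples, so the script runs offline; the hostname example.test and the sample user records are assumptions.

```ruby
require 'json'
require 'uri'

module WpUserEnum
  PER_PAGE = 100 # WordPress rejects per_page values above 100

  # Build the users route. With plain permalinks only the ?rest_route= query
  # form is guaranteed to work; with pretty permalinks the API also lives
  # under /wp-json/. Both carry the same per_page/page pagination parameters.
  def self.users_url(base, page, pretty: false)
    u = URI(base)
    u.path = '/' if u.path.empty?
    if pretty
      u.path = "#{u.path.chomp('/')}/wp-json/wp/v2/users"
      u.query = URI.encode_www_form(per_page: PER_PAGE, page: page)
    else
      u.query = URI.encode_www_form(rest_route: '/wp/v2/users',
                                    per_page: PER_PAGE, page: page)
    end
    u.to_s
  end

  # fetch is any callable taking a URL and returning [status, headers, body].
  # Returns { users: [{id:, name:, slug:}, ...], restricted: bool, code: String|nil }.
  def self.enumerate(base, fetch, pretty: false)
    users = []
    page = 1
    loop do
      status, headers, body = fetch.call(users_url(base, page, pretty: pretty))
      if [401, 403].include?(status)
        # A restricted site answers with a WP_Error JSON object
        # (code "rest_user_cannot_view" or "rest_forbidden") instead of a list.
        code = begin
          JSON.parse(body)['code']
        rescue JSON::ParserError
          nil
        end
        return { users: users, restricted: true, code: code }
      end
      raise "unexpected HTTP #{status} for page #{page}" unless status == 200

      page_users = JSON.parse(body).map do |u|
        { id: u['id'], name: u['name'], slug: u['slug'] }
      end
      users.concat(page_users)

      # Header names are case-insensitive on the wire; Net::HTTP lowercases them.
      total_pages = (headers.find { |k, _| k.to_s.casecmp?('x-wp-totalpages') }&.last || '1').to_i
      break if page >= total_pages || page_users.empty?
      page += 1
    end
    { users: users, restricted: false, code: nil }
  end
end

# Constructed sample responses (not captured from a real site): two pages of
# users for an open site, and the error body a restricted site returns.
SAMPLE_PAGES = {
  1 => '[{"id":1,"name":"admin","slug":"admin","link":"https://example.test/author/admin/"},' \
       '{"id":3,"name":"Jane Doe","slug":"jdoe"}]',
  2 => '[{"id":7,"name":"editor","slug":"editor"}]'
}.freeze

def sample_fetch(url)
  page = URI(url).query[/(?:^|&)page=(\d+)/, 1].to_i
  [200, { 'X-WP-Total' => '3', 'X-WP-TotalPages' => '2' }, SAMPLE_PAGES.fetch(page, '[]')]
end

def restricted_fetch(_url)
  [401, {}, '{"code":"rest_user_cannot_view","message":"Sorry, you are not allowed to list users.","data":{"status":401}}']
end

if __FILE__ == $PROGRAM_NAME
  result = WpUserEnum.enumerate('https://example.test', method(:sample_fetch))
  result[:users].each { |u| puts "#{u[:id]}\t#{u[:slug]}\t#{u[:name]}" }
end
```

Against a live target, pass a lambda that wraps Net::HTTP and returns the status, headers and body. One caveat worth keeping in mind when reading the results: on current WordPress versions an unauthenticated request only lists accounts that have authored published content exposed through the REST API, so an empty list does not by itself mean the route has been restricted, which is why the code reports the 401 case separately from a site that simply has no such authors.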

(Community & PR manager) #2

WordPress is the Flash Player of the CMS world.


#3

Lmfao, nice post! I'm not versed in Ruby at all, but I do hope that WPScan does integrate your code, as it seems to be very useful.


(Security Architect & Founder) #4

I love this. @Nitrax has found a vulnerability in a very popular CMS. That is insanely cool.

Good job man, I'm going to take a look at the code now :wink:


#5

Cheers guys! Do you think that this finding deserves a CVE? ahah


(Security Architect & Founder) #6

Ahahaha, go for it :stuck_out_tongue:


#7

Fun fact: WPScan won't allow you to scan wordpress.blogspot or similar sites. The fix is easy!

Go to where the WPScan libs are (probably /usr or /opt; /opt/wpscan/lib/wpscan/wp_target.rb for me).

Change the lines:

def wordpress_hosted?
  @uri.to_s =~ /.*\.wordpress.blogspot.com/i
end

TO

def wordpress_hosted?
  @uri.to_s =~ /\.qqqqqqqqqqqqqqqqqq\.com/i
end

Afterwards WPScan will work just fine on blogspot sites.


(Security Architect & Founder) #8

That’s really weird… Does it just quit? Or does it pretend it’s scanning?


#9

Nice article mate. Interesting find!


#10

Cheers mate! However, my PR was refused… Indeed, they implemented this feature in the beta version of WPScan. Nevertheless, it was fun to discover such an odd vulnerability :slight_smile:


(Security Architect & Founder) #11

Take solace in the fact you found it :slight_smile:

Finding vulnerabilities is no easy task; it's like trying to find a needle in a haystack, and the needle might not even exist.

Good job man.


(X2tf) #13

Really is that possible?

I know it is very close to it, but they do exist, even in the Linux kernel.


(Security Architect & Founder) #14

Well. The needle might not look how you think it will look.


#15

Sometimes the needle IS the haystack


#16

I couldn't agree more with your statement. Thanks mate!


(Nerd) #17

Please, how can I reach you? I'm a curious mind with questions.


(fxbg) #18

This is functionality implemented by default, https://developer.wordpress.org/rest-api/using-the-rest-api/discovery/

When I tried on a quick install of the latest WordPress version, it returned REST information but didn't return any usernames registered to the newly installed WordPress blog or anything sensitive; it did return a bunch of information about the site.


#21

Things evolve mate and editors deploy patches :wink:


(Tim) #22

Lmao, I was about to get on your helmet when I read the "no flaw has ever been found" and the no-CVE part.

