Wordpress has never been safer!

Nitrax · April 11, 2017, 9:39am

Hi fellas,

Today, I wanted to spend some time explaining you why Wordpress is, and will still be, the best CMS of all time !
Indeed, since its release on May 27, 2003, no flaw has been found and its founders are kept hard work to maintain and enhance this fabulous solution that help thousand users to put online a secure and flawless website.

To convince the most sceptics, here are a few examples, illustrating the magnificence of this product.

Well …. Troll apart, this short article aims to describe a new and odd way, that I found during a pentesting, to enumerate users. It is important to note that this method has not been implemented by well-known Wordpress application scanners such as WPScan, Droopescan, etc.

Indeed, since two or three version release in the past, the Wordpress team implemented a REST API whose aim is to simplify the information gathering within the application e.g categories, articles, products, etc.

This API is accessible through the URL below

https://yourWordpressApp.com/?rest_route=/

Following a careful analysis of the various endpoints provided by this API, I can assume that no privilege escalation attack is possible on the last release of the CMS. However, a specific route caught my attention !

In fact, when accessing the endpoint /wp/v2/users, the application returns any users registered alongside the website, showing their ID, name, slug, etc.

But that’s not all ! Indeed, this functionality is available natively and, only the installation of plugin can restrict the access to authenticated users ! Consequently, any fresh install present over the internet are vulnerable to this kind of user enumeration, making easier the next phase, the brute force attack !

REST API is not the only way to enumerate Wordpress users, however, plenty of hardening articles explain how to prevent such attack by disabling the author path (?author=ID) or using a generic message error when a connexion attempt fails !

To continue with, I forked the WPScan repository and added this enumeration vector. I’m currently waiting for a Ruby expert to review my piece of code before submitting my pull request cause this tool is so huge that I’m afraid to break the design pattern implemented So, if someone is motivated to do a code review, feel free to access my repo on github !

I hope you enjoyed this article !

Best,
Nitrax

anon79434934 · April 11, 2017, 9:50am

WordPress is the Flash Player of the CMS world.

VVid0w · April 11, 2017, 9:56pm

Lmfao, nice post! I’m not versed in ruby at all, but I do hope that wpsscan does integrate your code as it seems to be very useful.

pry0cc · April 11, 2017, 10:23pm

I love this. @Nitrax has found a vulnerability in a very popular CMS. That is insanely cool.

Good job man, I’m gonna take a look at the code now

Nitrax · April 11, 2017, 10:37pm

Cheers guys ! Do you think that this finding deserves a CVE ? ahah

pry0cc · April 11, 2017, 10:40pm

Ahahaha, go for it

IoTh1nkN0t · April 13, 2017, 1:07pm

Fun fact: WP-SCAN won’t allow you to scan wordpress.blogspot or whatever sites. Fix is easy!

Go to where wp-scan libs are (Prob /usr or /opt
(/opt/wpscan/lib/wpscan/wp_target.rb) for me.

change the lines:

def wordpress_hosted?
 @uri.to_s =~ /.*\.wordpress.blogspot.com/i

TO

def wordpress_hosted?
 @uri.to_s =~ /\.qqqqqqqqqqqqqqqqqq\.com/i

Afterwards wp-scan will work just fine on blogspot sites.

pry0cc · April 15, 2017, 6:19am

That’s really weird… Does it just quit? Or does it pretend it’s scanning?

ricksanchez · April 18, 2017, 7:51pm

Nice article mate. Interesting find!

Nitrax · April 19, 2017, 7:33am

Cheers mate ! However, my PR was refused … Indeed, they implemented this feature in the beta version of WPScan. Nevertheless, it was fun to discover such odd vulnerability

pry0cc · April 20, 2017, 8:04pm

Take solace in the fact you found it

Finding vulnerabilities is no easy task, it’s like trying to find a needle in a haystack, and the needle might not even exist.

Good job man.

_k_h · April 21, 2017, 11:52am

Really is that possible?

I know is is very close to it, but they does exit even in linux kernel.

pry0cc · April 21, 2017, 2:46pm

Well. The needle might not look how you think it will look.

IoTh1nkN0t · April 23, 2017, 5:09pm

Sometimes the needle IS the haystack

Nitrax · April 24, 2017, 8:44am

I couldn’t agree more with your statement. Thanks mate !

Ghostnerd · February 15, 2018, 10:56am

Please how can I reach you?..I’m a curious mind with questions.

fxbg · February 15, 2018, 10:23pm

This is functionality implemented by default, https://developer.wordpress.org/rest-api/using-the-rest-api/discovery/

When I tried on a quick install of the latest wordpress version it returned REST information but didn’t return any usernames registered to the newly installed wordpress blog or anything sensitive, it did return a bunch of information about the site.

Nitrax · February 16, 2018, 3:10pm

Things evolve mate and editors deploy patches

0xff7 · March 12, 2018, 7:02am

Lmao I was bout to get on your helmet when I read the “no flaw has ever been found” and the no CVE part