Wordpress has never been safer!

Hi fellas,

Today, I wanted to spend some time explaining to you why Wordpress is, and will remain, the best CMS of all time!
Indeed, since its release on May 27, 2003, no flaw has been found and its founders have kept working hard to maintain and enhance this fabulous solution that helps thousands of users put a secure and flawless website online.

To convince the most sceptical, here are a few examples illustrating the magnificence of this product.

Well… Trolling aside, this short article aims to describe a new and odd way, which I found during a pentest, to enumerate users. It is important to note that this method has not been implemented by well-known Wordpress application scanners such as WPScan, droopescan, etc.

Indeed, two or three releases ago, the Wordpress team implemented a REST API whose aim is to simplify information gathering within the application, e.g. categories, articles, products, etc.

This API is accessible through the URL below:

https://yourWordpressApp.com/?rest_route=/

Following a careful analysis of the various endpoints provided by this API, I can assume that no privilege escalation attack is possible on the latest release of the CMS. However, a specific route caught my attention!

In fact, when accessing the endpoint /wp/v2/users, the application returns all the users registered on the website, showing their ID, name, slug, etc.

But that’s not all! Indeed, this functionality is available natively, and only the installation of a plugin can restrict access to authenticated users! Consequently, any fresh install exposed on the internet is vulnerable to this kind of user enumeration, making the next phase, the brute-force attack, easier!

The REST API is not the only way to enumerate Wordpress users; however, plenty of hardening articles explain how to prevent such attacks by disabling the author path (?author=ID) or using a generic error message when a login attempt fails!

To follow up, I forked the WPScan repository and added this enumeration vector. I’m currently waiting for a Ruby expert to review my piece of code before submitting my pull request, because this tool is so huge that I’m afraid of breaking the design pattern implemented :sweat_smile: So, if someone is motivated to do a code review, feel free to access my repo on GitHub!

I hope you enjoyed this article!

Best,
Nitrax

21 Likes
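The post above says only a plugin can restrict /wp/v2/users to authenticated users. The following mu-plugin is an added example written for this thread; it is not code from the post, from WordPress core, or from the WPScan project. It assumes WordPress 4.7 or later (REST API in core), that the file is placed in wp-content/mu-plugins/, and that WP-CLI is available for the self-check; the hooks and helpers it calls (rest_endpoints, template_redirect, wp_remote_get, trailingslashit, wp_safe_redirect) are real core functions, while the function name rest_users_endpoint_status is my own. It also closes the ?author=ID redirect the post mentions and includes the kind of anonymous check a later reply performs by hand against a fresh install.

```php
<?php
/**
 * Plugin Name: Restrict REST user enumeration (added example)
 *
 * Added example for this thread, not code from the post, WordPress core or
 * WPScan. Drop this file into wp-content/mu-plugins/ so it loads on every
 * request. Assumes WordPress 4.7+ and WP-CLI for the self-check.
 */

// 1. Hide every /wp/v2/users route from anonymous requests. The routes are
//    removed from the route table before dispatch, so an unauthenticated
//    GET to ?rest_route=/wp/v2/users gets a 404 "No route was found"
//    instead of the id/name/slug list. Logged-in users (the editor, the
//    block editor's author picker) keep full access.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );

// 2. Close the older ?author=ID vector: core's redirect_canonical() turns
//    /?author=1 into /author/<login-slug>/, which reveals the username.
//    Priority 1 runs before redirect_canonical (priority 10) and sends
//    anonymous visitors to the homepage instead.
add_action( 'template_redirect', function () {
    if ( is_author() && ! is_user_logged_in() ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}, 1 );

// 3. Self-check. Requests the public endpoint as an anonymous client
//    (wp_remote_get sends no login cookies) and classifies the answer, so a
//    site owner can confirm the hardening from WP-CLI:
//      wp eval 'echo rest_users_endpoint_status( home_url() ), PHP_EOL;'
//    Returns 'exposed', 'restricted' or 'unreachable'.
function rest_users_endpoint_status( string $site_url ): string {
    $url      = trailingslashit( $site_url ) . '?rest_route=/wp/v2/users';
    $response = wp_remote_get( $url, array( 'timeout' => 10 ) );

    if ( is_wp_error( $response ) ) {
        return 'unreachable';
    }
    if ( 200 !== (int) wp_remote_retrieve_response_code( $response ) ) {
        // 401/403/404: the route is hidden or rejects anonymous callers.
        return 'restricted';
    }
    $body = json_decode( wp_remote_retrieve_body( $response ), true );

    // A leak is a JSON array of user objects, each carrying id, name, slug.
    // An empty array (no author has published anything yet) is not a leak.
    if ( is_array( $body ) && isset( $body[0] ) && is_array( $body[0] )
         && isset( $body[0]['slug'] ) ) {
        return 'exposed';
    }
    return 'restricted';
}
```

Run the self-check once before and once after dropping the file in place; on a site that exposes the list it should move from exposed to restricted. Note that the public list in current core only includes users who have authored published content, so a fresh install with no posts returns an empty array even without hardening, which is why the check treats an empty array as restricted rather than exposed.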

WordPress is the Flash Player of the CMS world.

12 Likes

Lmfao, nice post! I’m not versed in Ruby at all, but I do hope that WPScan does integrate your code as it seems to be very useful.

1 Like

I love this. @Nitrax has found a vulnerability in a very popular CMS. That is insanely cool.

Good job man, I’m gonna take a look at the code now :wink:

2 Likes

Cheers guys! Do you think that this finding deserves a CVE? Ahah

1 Like

Ahahaha, go for it :stuck_out_tongue:

2 Likes

Fun fact: WPScan won’t allow you to scan wordpress.blogspot or whatever sites. The fix is easy!

Go to where the WPScan libs are (probably /usr or /opt; /opt/wpscan/lib/wpscan/wp_target.rb for me).

Change the lines:

def wordpress_hosted?
  # original check: any host under wordpress.blogspot.com is refused
  @uri.to_s =~ /.*\.wordpress.blogspot.com/i
end

TO

def wordpress_hosted?
  # dummy pattern that never matches a real host, so the check is disabled
  @uri.to_s =~ /\.qqqqqqqqqqqqqqqqqq\.com/i
end

Afterwards WPScan will work just fine on blogspot sites.

8 Likes

That’s really weird… Does it just quit? Or does it pretend it’s scanning?

Nice article mate. Interesting find!

1 Like

Cheers mate! However, my PR was refused… Indeed, they implemented this feature in the beta version of WPScan. Nevertheless, it was fun to discover such an odd vulnerability :slight_smile:

3 Likes

Take solace in the fact you found it :slight_smile:

Finding vulnerabilities is no easy task, it’s like trying to find a needle in a haystack, and the needle might not even exist.

Good job man.

2 Likes

Really, is that possible?

I know it is very close to it, but they do exist even in the Linux kernel.

Well. The needle might not look how you think it will look.

Sometimes the needle IS the haystack

2 Likes

I couldn’t agree more with your statement. Thanks mate!

Please, how can I reach you? I’m a curious mind with questions.

This is functionality implemented by default: https://developer.wordpress.org/rest-api/using-the-rest-api/discovery/

When I tried it on a quick install of the latest WordPress version, it returned REST information but didn’t return any usernames registered to the newly installed WordPress blog or anything sensitive; it did return a bunch of information about the site.

Things evolve mate and editors deploy patches :wink:

1 Like

Lmao, I was about to get on your helmet when I read the “no flaw has ever been found” and the no-CVE part