Stop User Enumeration allows user enumeration via the REST API

Score            Vector    Complexity  Authentication  Confidentiality  Integrity  Availability
                 Network   Low         None            Partial          None       None

You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Stop User Enumeration has an option to block user enumeration via the WordPress REST API. When that option is enabled, requests to /wp-json/wp/v2/users are blocked and return an error like this:

{"code":"rest_cannot_access","message":"Only authenticated users can access the User endpoint REST API.","data":{"status":401}}

It also successfully blocks requests such as /?rest_route=/wp/v2/users.

The blocking relies upon the following comparison, which inspects only the request URI and never the request body:

if( preg_match('/users/', $_SERVER['REQUEST_URI']) !== 0 ) {

On the surface this looks like it should work. And it seems like we can’t get around the restriction by sending a POST request with the parameter rest_route=/wp/v2/users, because WordPress thinks we want to create a user and responds with an error.

However, the REST API allows simulating different request types. As such, we can perform a POST request with the “users” string in the body of the request, and tell the REST API to act like it’s received a GET request.

Proof of concept

curl http://localhost/?_method=GET -d rest_route=/wp/v2/users

Mitigation/further actions

Upgrade to version 1.3.9 or later.
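For sites that cannot upgrade immediately, the check below is an added example of how the block can be made to resist the `_method` bypass described above. It is not code from the Stop User Enumeration plugin and is not a description of what version 1.3.9 does; it assumes WordPress core's `rest_pre_dispatch` filter, `WP_REST_Request::get_route()` and `WP_Error`, and the function name `example_block_user_enumeration` is made up. The key difference from the vulnerable comparison is that it inspects the route the REST server actually resolved (from `rest_route` in the query string or POST body, or from the `/wp-json/` path) rather than `$_SERVER['REQUEST_URI']`, so moving the route into the request body no longer hides it.

```php
<?php
/**
 * Added example (not the plugin's code): a must-use plugin that refuses
 * unauthenticated access to the users endpoint based on the resolved REST
 * route instead of the raw request URI.
 *
 * Assumed: rest_pre_dispatch filter and WP_REST_Request::get_route() from
 * WordPress core; the function name below is made up for this example.
 */

add_filter( 'rest_pre_dispatch', 'example_block_user_enumeration', 10, 3 );

/**
 * @param mixed           $result  Result set by an earlier filter, or null.
 * @param WP_REST_Server  $server  The REST server instance.
 * @param WP_REST_Request $request The request being dispatched.
 * @return mixed Unchanged $result, or a WP_Error that aborts dispatch.
 */
function example_block_user_enumeration( $result, $server, $request ) {
    // An earlier filter already decided this request; do not override it.
    if ( null !== $result ) {
        return $result;
    }

    // Authenticated users keep their normal access to the endpoint.
    if ( is_user_logged_in() ) {
        return $result;
    }

    // get_route() is what the server resolved from ?rest_route=, from
    // rest_route in the POST body, or from the /wp-json/ path. That is why a
    // route placed only in the request body is still seen here, unlike a
    // substring test on $_SERVER['REQUEST_URI'].
    $route = $request->get_route();

    // Match /wp/v2/users and /wp/v2/users/<id> only, not unrelated routes
    // that happen to contain the word "users".
    if ( ! preg_match( '#^/wp/v2/users(?:/|$)#', $route ) ) {
        return $result;
    }

    // No method check is needed: blocking by route covers GET, POST, and a
    // POST that uses ?_method=GET or X-HTTP-Method-Override to simulate GET.
    return new WP_Error(
        'rest_cannot_access',
        'Only authenticated users can access the User endpoint REST API.',
        array( 'status' => 401 )
    );
}
```

Dropped into wp-content/mu-plugins/, this returns the same 401 error body for `curl http://localhost/?_method=GET -d rest_route=/wp/v2/users` as for a plain GET of /wp-json/wp/v2/users, because both resolve to the route `/wp/v2/users` before `rest_pre_dispatch` runs. Upgrading the plugin remains the supported fix.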