WordPress – User Disclosure

Description

During the scan, Kayran managed to find the WordPress – User Disclosure vulnerability. It has found that the site displays usernames that should be concealed in order to prevent User Disclosure.

An attacker can abuse the WordPress – User Disclosure by observing the responses to failed login attempts, which allows them to enumerate valid usernames and use them in further attacks such as phishing attempts, brute-force attacks, etc.

Web applications usually use an authentication mechanism to prevent unauthorized or anonymous users from accessing the application’s protected resources and functionality. Attackers will try to find flaws in the authentication mechanism to get into those protected resources and functionality. Username enumeration is one of the most common attacks performed against authentication mechanisms; its goal is to identify the valid usernames on the system.

Recommendation

To prevent this vulnerability from happening:

  • Use policies to enforce strong WordPress passwords.
  • Enable 2FA with a WordPress two-factor authentication plugin.
  • Add HTTP authentication for the WordPress login page.
  • Restrict access to the login page (/wp-admin/) so that only authorized IP addresses can reach it.

Also make sure to rename the admin account to something else, to reduce the chance of a successful brute-force attack.
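As an added example (not code from Kayran or WordPress), the following must-use plugin removes the disclosure described above by making every failed login return one identical error, so the response no longer reveals whether the submitted username exists. The file name, the plugin name and the error wording are assumptions; the hook names and error codes are WordPress core's own.

```php
<?php
/**
 * Plugin Name: Generic Login Errors (example)
 * Description: Collapses every failed login into one identical error so the
 *              response does not reveal whether the submitted username exists.
 * Install as wp-content/mu-plugins/generic-login-errors.php (assumed path).
 */

// 1. Collapse the distinct error codes WordPress core produces for a failed
//    login ('invalid_username', 'incorrect_password', 'invalid_email', ...)
//    into a single code. Priority 99 runs after core's own 'authenticate'
//    callbacks, so $user is already the outcome of the credential check.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( is_wp_error( $user ) && ! empty( $username ) ) {
        return new WP_Error(
            'invalid_credentials',
            __( 'The username or password you entered is incorrect.' )
        );
    }
    return $user; // WP_User on success, or null when no credentials were sent
}, 99, 3 );

// 2. Whatever error text reaches wp-login.php, render the same string, so
//    neither the wording nor the length of the message differs per username.
add_filter( 'login_errors', function ( $message ) {
    return __( 'The username or password you entered is incorrect.' );
} );
```

This only stops the login form from confirming which usernames exist; it does not stop password guessing itself, so the 2FA, password-policy and IP-restriction recommendations above still apply.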
