- Status: Closed
- Assigned To: cbay
- Private
- Opened by nilesh - 12.02.2024
- Last edited by cbay - 13.02.2024
FS#28 - Summary: A username disclosure vulnerability has been identified on https://blog.alwaysdata.com
Details: Upon accessing the URL endpoint https://blog.alwaysdata.com/wp-json/wp/v2/users/, the website returns a JSON response containing information about registered users, including usernames. This exposes user account details to anyone who accesses the endpoint, without requiring authentication.
Impact: The username disclosure vulnerability poses a significant risk to the security and privacy of users on the https://blog.alwaysdata.com website. Attackers can use the exposed usernames to attempt unauthorized access to user accounts, conduct targeted phishing attacks, or perform further reconnaissance to exploit additional vulnerabilities.
Recommendations:
Immediate Mitigation: Disable public access to the /wp-json/wp/v2/users/ endpoint to prevent unauthorized users from obtaining a list of user accounts.
Patch Deployment: Implement a security patch or update provided by the website’s developers to address the username disclosure vulnerability.
User Notification: Inform registered users of the vulnerability and advise them to change their passwords as a precautionary measure.
Security Audit: Conduct a comprehensive security audit of the website to identify and remediate any additional vulnerabilities that may exist.
Additional Information: This report aims to assist in promptly addressing the username disclosure vulnerability on the https://blog.alwaysdata.com website to safeguard user data and mitigate potential security risks. Urgent action is recommended to prevent exploitation and protect the website’s users from unauthorized access to their accounts.
Please feel free to reach out if further assistance or clarification is needed.
Sincerely, Nilesh
nilesh56466@gmail.com
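The "disable public access" mitigation the report recommends, as an added example that is not part of this tracker thread and not code from alwaysdata: a hypothetical WordPress must-use plugin that removes the `/wp/v2/users` routes for unauthenticated REST requests while leaving them available to logged-in editors. It assumes a standard WordPress install with the core REST API and that the file is placed in `wp-content/mu-plugins/`.

```php
<?php
/**
 * Hypothetical mu-plugin (added example, not from the thread or alwaysdata).
 *
 * Hides the REST user listing from anonymous visitors. Unauthenticated calls
 * to /wp-json/wp/v2/users/ and /wp-json/wp/v2/users/<id> then get the core
 * 404 "rest_no_route" response instead of a JSON list of accounts, while
 * authenticated editors (nonce or application password) keep the routes.
 *
 * Assumption: WordPress 4.7 or later, where the REST API lives in core and
 * the 'rest_endpoints' filter is applied when the route table is built.
 */

add_filter( 'rest_endpoints', function ( array $endpoints ) {
    // Cookie auth in the REST API requires a nonce, so a plain browser
    // session without one is treated as anonymous here as well.
    if ( is_user_logged_in() ) {
        return $endpoints;
    }

    // Core registers a collection route and a single-user route; both
    // expose slugs/usernames and must be removed together.
    $user_routes = array(
        '/wp/v2/users',
        '/wp/v2/users/(?P<id>[\d]+)',
    );

    foreach ( $user_routes as $route ) {
        unset( $endpoints[ $route ] );
    }

    return $endpoints;
} );
```

To confirm the change, request the endpoint anonymously and expect HTTP 404 with code `rest_no_route`, then repeat with an authenticated request and expect 200; the anonymous 404s are also easy to count in the web server access log if you want to track enumeration attempts.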
Hello,
https://blog.alwaysdata.com/ runs on the latest version of WordPress. The "vulnerability" you're describing is standard WordPress behaviour, so if you think that's a security issue, you should report it to them.
Kind regards,
Cyril