Security vulnerabilities

  • Status Closed
  • Assigned To
  • Private
Attached to Project: Security vulnerabilities
Opened by nilesh - 12.02.2024
Last edited by cbay - 13.02.2024

FS#28 - Summary: A username disclosure vulnerability has been identified on the

Details: Upon accessing the URL endpoint, the website returns a JSON response containing information about registered users, including usernames. This exposes user account details to anyone who accesses the endpoint, without requiring authentication.

Impact: The username disclosure vulnerability poses a significant risk to the security and privacy of users on the website. Attackers can use the exposed usernames to attempt unauthorized access to user accounts, conduct targeted phishing attacks, or perform further reconnaissance to exploit additional vulnerabilities.


  Immediate Mitigation: Disable public access to the /wp-json/wp/v2/users/ endpoint to prevent unauthorized users from obtaining a list of user accounts.
  Patch Deployment: Implement a security patch or update provided by the website’s developers to address the username disclosure vulnerability.
  User Notification: Inform registered users of the vulnerability and advise them to change their passwords as a precautionary measure.
  Security Audit: Conduct a comprehensive security audit of the website to identify and remediate any additional vulnerabilities that may exist.

Additional Information: This report aims to assist in promptly addressing the username disclosure vulnerability on the website to safeguard user data and mitigate potential security risks. Urgent action is recommended to prevent exploitation and protect the website’s users from unauthorized access to their accounts.

Please feel free to reach out if further assistance or clarification is needed.

Sincerely, Nilesh

Closed by  cbay
13.02.2024 09:23
Reason for closing:  Invalid
cbay commented on 12.02.2024 10:32

Hello, runs on the latest version of WordPress. The "vulnerability" you're describing is standard WordPress behaviour, so if you think that's a security issue, you should report it to them.

Kind regards,


Available keyboard shortcuts


Task Details

Task Editing