H3-2022-0080
WordPress Unauthenticated User Enumeration
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 3.0 |
Description
WordPress users can be enumerated without authentication using the REST API or author archives.
Impact
An unauthenticated attacker can query the Wordpress instance and compile a list of known usernames. These usernames can be used to conduct credential attacks such as password spray and credential stuffing.