Username Harvesting WP 4.7


December 12, 2016
Web Admin

We received a security alert this morning from our Web Application Firewall provider about a vulnerability in WordPress that, if exploited, will reveal the usernames on the system, including administrator usernames.

SUMMARY:

With the release of WordPress 4.7 a vulnerability now exists that all users should take immediate action to remediate.  While the update to 4.7 is a good thing and fixes several existing security issues, it also adds the REST API functionality to WordPress.  Again, this is a good thing, but it also gives a hacker the ability to do the following:

http://example.com/wp-json/wp/v2/users

This will list all users that have published a post, including each user’s user ID, username, gravatar hash and website URL.  This functionality either needs to be turned off completely or, as we recommend, the firewall should be configured to prevent anonymous access while preserving the desired functionality of the REST API.  Obviously this isn’t information that you want a hacker to have access to, since a list of valid usernames is half the battle in gaining unauthorized access.
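The two remediation options described above (remove the endpoint entirely, or keep it but refuse anonymous requests) can both be implemented inside WordPress itself, independent of a firewall. The following must-use plugin is an added example written for this post, not code from the original article or from the WordPress project. It relies on the real core filters `rest_endpoints` and `rest_authentication_errors`; the `CD_USERS_ENDPOINT_MODE` constant and the `cd_` function names are assumed names introduced here for illustration.

```php
<?php
/**
 * Plugin Name: Restrict REST API user listing
 * Description: Hardens the /wp/v2/users endpoints introduced with WordPress 4.7.
 *
 * Added example, not code from the original post. Drop this file into
 * wp-content/mu-plugins/ so it loads automatically. The constant below is an
 * assumed name used only to choose between the two strategies:
 *   'disable' -> remove the user endpoints entirely (they return 404)
 *   'auth'    -> keep the endpoints, but require a logged-in user
 */
if ( ! defined( 'CD_USERS_ENDPOINT_MODE' ) ) {
    define( 'CD_USERS_ENDPOINT_MODE', 'auth' );
}

/**
 * Strategy 1: drop the user routes from the registered REST endpoints so that
 * /wp-json/wp/v2/users and /wp-json/wp/v2/users/<id> no longer exist for anyone.
 */
function cd_remove_user_endpoints( array $endpoints ) {
    if ( 'disable' !== CD_USERS_ENDPOINT_MODE ) {
        return $endpoints;
    }
    // Route keys are stored as literal regex strings, so unset the exact keys.
    unset( $endpoints['/wp/v2/users'] );
    unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
}
add_filter( 'rest_endpoints', 'cd_remove_user_endpoints' );

/**
 * Strategy 2: keep the endpoints (so the admin UI and plugins that need them
 * keep working for logged-in users) but reject anonymous requests with a 401.
 */
function cd_require_auth_for_user_endpoints( $result ) {
    if ( 'auth' !== CD_USERS_ENDPOINT_MODE ) {
        return $result;
    }
    // Another filter has already decided the outcome; do not override it.
    if ( ! empty( $result ) ) {
        return $result;
    }
    // rest_route is populated for both /wp-json/... and ?rest_route=... URLs.
    $route = isset( $GLOBALS['wp']->query_vars['rest_route'] )
        ? $GLOBALS['wp']->query_vars['rest_route']
        : '';
    // Only guard the user routes; every other endpoint keeps its default behaviour.
    if ( 0 !== strpos( $route, '/wp/v2/users' ) ) {
        return $result;
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            __( 'You must be logged in to list users.' ),
            // 401 for anonymous visitors, 403 for logged-in users lacking rights.
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return $result;
}
add_filter( 'rest_authentication_errors', 'cd_require_auth_for_user_endpoints' );
```

With the default `'auth'` mode, an anonymous request to `/wp-json/wp/v2/users` receives a JSON error with HTTP status 401 while logged-in users see the normal listing; switching the constant to `'disable'` removes the routes altogether, which matches the "turn it off completely" option but also breaks any theme or plugin that legitimately calls them.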

REMEDIAL ACTIONS:

Our security team is recommending that all users upgrade to 4.7 and have the premium version of our WAF installed and configured immediately.  This will prevent hackers from using this functionality to gain unauthorized access to your systems.

TO BE CLEAR:  All WordPress websites that are updated to the current version are vulnerable to this attack unless steps are taken.  Please contact us for a solution that will protect your site and increase your overall security profile.

Scott Barbour – Covered Data Founder/CEO
