
I've just started working for a small company that has a Wordpress website with user accounts. Each user account has a login name, display name, actual name, email, password and the rest.

I dug down and found a page which had a list of all registered users (showing just display names, but no personal information), as well as a total number of registered users.

This raises a big stinking red flag with me, firstly because the company doesn't need it, but it also feels wrong to expose this large amount of data. Yet I can't see any way for it to be manipulated.

Can anyone tell me if this data can be used to carry out an attack on the website or a specific user?

Thanks

Tom
    We have lots of questions here about the risks of username enumeration, you might want to have a look. [This question](https://security.stackexchange.com/questions/42872/user-name-enumeration) addresses username enumeration in general and you might also find [this one](https://security.stackexchange.com/questions/150913/should-i-be-concerned-about-the-wordpress-rest-apis-user-enumeration-vulnerabil) about Wordpress interesting. – Arminius Mar 02 '17 at 17:54

1 Answer


If login names can be guessed or inferred by the display names, then it may allow password guessing attacks to take place.

It is low risk, but if it's not needed for any purpose then it should be removed.

SilverlightFox
    Further to your point in some cases, the admin user is easily enumerated by navigating to website.com/?author=1 so a strong password for admin users is critical. Ideally you don't want your users to be available for the world to see, but a strong password (or 2FA) should be implemented. – DKNUCKLES Mar 02 '17 at 18:12
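To make the answer and the comment concrete, here is an added example (not code from the original question, answer, or comments) showing the two leaks they describe: how a public list of display names turns into candidate login names for a password-guessing attack, and how the `/?author=N` author archive hands over the login slug directly. The display names, the HTTP responses and the `sample_probe` function are constructed sample data; the WordPress behaviour assumed is the well-known 301 redirect of `/?author=N` to `/author/<user_nicename>/`, where `user_nicename` defaults to the login name, and a 404 for IDs that do not exist.

```python
"""Username enumeration from a public user list and from /?author=N.

Added example, not code from the page. Sample data below is constructed.
Assumes the standard WordPress behaviour: a valid author ID redirects
(301) to /author/<slug>/ and the slug defaults to the login name.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

Response = Tuple[int, Dict[str, str]]  # (HTTP status, response headers)


def candidate_logins(display_name: str) -> List[str]:
    """Derive plausible login names from a display name.

    Covers the usual corporate patterns (first, first.last, flast, ...).
    Returns a de-duplicated, lowercase list in the order an attacker
    would typically try them.
    """
    parts = [p for p in re.split(r"[\s._-]+", display_name.strip().lower()) if p]
    if not parts:
        return []
    if len(parts) == 1:
        return [parts[0]]
    first, last = parts[0], parts[-1]
    candidates = [
        first,
        f"{first}.{last}",
        f"{first}{last}",
        f"{first[0]}{last}",
        f"{first}_{last}",
        f"{first}-{last}",
        f"{last}{first[0]}",
        last,
    ]
    seen, ordered = set(), []
    for name in candidates:
        if name not in seen:
            seen.add(name)
            ordered.append(name)
    return ordered


def slug_from_author_redirect(status: int, headers: Dict[str, str]) -> Optional[str]:
    """Extract the user slug from the response to a /?author=N probe.

    A redirect to /author/<slug>/ reveals the slug; anything else (for
    example a 404 for a non-existent ID, or a site that has disabled
    author archives) reveals nothing and returns None.
    """
    if status not in (301, 302):
        return None
    location = headers.get("Location") or headers.get("location")
    if not location:
        return None
    path = location.split("://", 1)[-1]
    path = path[path.find("/"):] if "/" in path else "/"
    match = re.match(r"^/author/([^/?#]+)/?$", path)
    return match.group(1) if match else None


def enumerate_authors(
    probe: Callable[[int], Response], max_id: int = 50, stop_after_misses: int = 5
) -> Dict[int, str]:
    """Walk author IDs 1..max_id and collect the slugs that leak.

    Stops early after a run of consecutive misses, which is how a real
    enumeration script avoids hammering a site with sparse user IDs.
    """
    found: Dict[int, str] = {}
    misses = 0
    for author_id in range(1, max_id + 1):
        status, headers = probe(author_id)
        slug = slug_from_author_redirect(status, headers)
        if slug:
            found[author_id] = slug
            misses = 0
        else:
            misses += 1
            if misses >= stop_after_misses:
                break
    return found


# Constructed sample responses standing in for a live site (assumption,
# not captured traffic): IDs 1, 2 and 4 exist, ID 3 was deleted.
SAMPLE_RESPONSES: Dict[int, Response] = {
    1: (301, {"Location": "https://example.com/author/admin/"}),
    2: (301, {"Location": "https://example.com/author/jsmith/"}),
    3: (404, {}),
    4: (301, {"Location": "https://example.com/author/tom/"}),
}


def sample_probe(author_id: int) -> Response:
    """Offline stand-in for an HTTP GET of /?author=<author_id>."""
    return SAMPLE_RESPONSES.get(author_id, (404, {}))


if __name__ == "__main__":
    print("From display name 'John Smith':", candidate_logins("John Smith"))
    print("From /?author=N probes:", enumerate_authors(sample_probe))
```

The first function is the inference step the answer describes: a display name such as "John Smith" alone gives an attacker a short, high-probability list of logins to feed into a password spray. The second pair shows why the `/?author=1` comment matters more: it needs no guessing at all, because the redirect target is the slug itself. On the defensive side, the same `slug_from_author_redirect` check is a quick test for a site: if `/?author=1` answers with a 404 (or a redirect to something other than `/author/<slug>/`), the archive is not leaking; if it answers with the redirect, then the strong-password or 2FA advice in the comment is the remaining line of defence for that account.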