[wp-trac] [WordPress Trac] #25428: All administrator, authors, usernames able to be discovered

WordPress Trac noreply at wordpress.org
Fri Sep 27 22:18:38 UTC 2013


#25428: All administrator, authors, usernames able to be discovered
--------------------------+-----------------------------
 Reporter:  taipo         |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Users         |    Version:  3.6.1
 Severity:  normal        |   Keywords:  needs-patch
--------------------------+-----------------------------
 By appending ?author=2, ?author=3, or whatever user ID number, an attacker is
 able to retrieve the complete list of usernames including the
 administrator usernames.

 This then gives the attacker an advantage for brute-forcing user password
 combinations.

--
Ticket URL: <http://core.trac.wordpress.org/ticket/25428>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
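
The report above describes requests that walk ?author=N across user IDs. As an added example (not part of the ticket or of WordPress itself), the following sketch flags clients in a web access log that requested several distinct numeric author IDs. The log lines, the combined log format and the threshold of 3 are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Sep/2013:22:10:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/7.30"
203.0.113.7 - - [27/Sep/2013:22:10:02 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "curl/7.30"
203.0.113.7 - - [27/Sep/2013:22:10:03 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "curl/7.30"
203.0.113.7 - - [27/Sep/2013:22:10:04 +0000] "GET /index.php?author=4 HTTP/1.1" 301 0 "-" "curl/7.30"
198.51.100.20 - - [27/Sep/2013:22:11:00 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
198.51.100.20 - - [27/Sep/2013:22:11:05 +0000] "GET /author/alice/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.55 - - [27/Sep/2013:22:12:00 +0000] "GET /?s=author%3D9 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Client address and request target from one combined-log-format line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" \d{3} ')


def author_ids_by_client(log_text):
    """Map client IP -> set of numeric ?author= IDs it requested."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, target = m.groups()
        # Parse the real query string so "author=" inside another
        # parameter's value (e.g. a search term) is not counted.
        query = parse_qs(urlsplit(target).query)
        for value in query.get("author", []):
            if value.isdecimal():
                seen[ip].add(int(value))
    return dict(seen)


def flag_enumeration(log_text, min_distinct=3):
    """Return clients that requested at least min_distinct different author IDs."""
    return {ip: sorted(ids)
            for ip, ids in author_ids_by_client(log_text).items()
            if len(ids) >= min_distinct}


if __name__ == "__main__":
    for ip, ids in flag_enumeration(SAMPLE_LOG).items():
        print(f"{ip} requested author IDs {ids}")
```

A single ?author=N request is normal traffic (theme links can use it), which is why the check counts distinct IDs per client rather than alerting on any one hit.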

