Urgent Security Alert: Username Enumeration Vulnerability Found

I am pretty sure this is some party doing some fishing on my WordPress site. An email from “Cyber Fort”:

Severity: Medium-High
Bug Name: Username Enumeration

Website: https://cog.dog
Affected POC: https://cog.dog/wp-json/wp/v2/users/

Description:
During our comprehensive security assessment, we identified a Username Enumeration vulnerability on your site. This flaw allows attackers to discern valid usernames by analyzing different system responses during login, password reset, or registration processes. Such information significantly aids threat actors in launching targeted brute-force or social engineering attacks, potentially leading to unauthorized account access, data leakage, or account takeover.

I have only one user on this site, it’s my admin account, and the login name is NOT admin, that is merely the “nicename”, so I do not see any vulnerability in what the WordPress API returns for:

https://cog.dog/wp-json/wp/v2/users/

as this does not reveal in any way my admin login name.

amirite?

Hi,

As this is just the default REST API, it isn’t exposing anything that isn’t already publicly accessible. You could disable this by disabling the API itself, which comes with its own set of issues, but as long as you are using a strong password it isn’t an issue (and as you mentioned, it does not seem to be displaying the actual login name anyways). Many of these companies simply scan sites to send vulnerabilities and then ask for bug bounties or payments in return when that really isn’t necessary for something like this.

If you did want to disable the REST API, you do it via .htaccess or via a plugin, but I would recommend leaving it as is and just making sure you are using a secure password. Let me know if you have any questions!

Best,
Noah Dorsett
Security Administrator
Reclaim Hosting

Thanks Noah, I was 99% sure there was not an issue to worry about. And heck no, I use the API often!
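The question in this thread is whether the `slug` returned by `/wp-json/wp/v2/users/` gives away the real login name. The script below is an added self-audit example (not code from the thread or from WordPress): it parses a saved copy of that endpoint's JSON, flags any field outside the public `context=view` schema, and checks whether a user's public slug equals the default nicename WordPress derives from a login (`sanitize_title(user_login)`, approximated here), which is the case unless the nicename was changed as the poster did. The sample responses and the login `Example_Login` are constructed placeholders.

```python
import json
import re
import unicodedata

# Fields WordPress exposes on /wp-json/wp/v2/users/ to an unauthenticated
# request (context=view). "username" (the login), "email", "roles" etc. are
# only returned for authenticated context=edit requests.
PUBLIC_USER_FIELDS = {"id", "name", "url", "description", "link", "slug",
                      "avatar_urls", "meta", "_links"}


def nicename_from_login(login: str) -> str:
    """Approximate WordPress's default user_nicename, sanitize_title(user_login):
    ASCII-fold, lowercase, keep only [a-z0-9 _-], whitespace -> '-'."""
    s = unicodedata.normalize("NFKD", login).encode("ascii", "ignore").decode().lower()
    s = re.sub(r"[^a-z0-9 _-]", "", s)
    s = re.sub(r"\s+", "-", s)
    return re.sub(r"-+", "-", s).strip("-")


def audit_users_response(body: str, known_logins: list[str]) -> list[dict]:
    """One finding per user in a /wp/v2/users JSON body. known_logins are the
    site's real login names (only the admin has them); a public slug leaks a
    login when it equals that login's default nicename."""
    by_slug = {nicename_from_login(login): login for login in known_logins}
    findings = []
    for user in json.loads(body):
        slug = user.get("slug", "")
        findings.append({
            "id": user.get("id"),
            "slug": slug,
            "slug_reveals_login": slug in by_slug,
            # Anything outside the public schema means the endpoint answered as
            # if the caller were authenticated, which is worth investigating.
            "unexpected_fields": sorted(set(user) - PUBLIC_USER_FIELDS),
        })
    return findings


# Constructed sample responses (not captures from any real site).
SAMPLE_RENAMED = json.dumps([{"id": 1, "name": "Site Owner", "slug": "admin",
    "link": "https://example.com/author/admin/", "avatar_urls": {}, "_links": {}}])
SAMPLE_DEFAULT = json.dumps([{"id": 1, "name": "Site Owner", "slug": "example_login",
    "link": "https://example.com/author/example_login/", "avatar_urls": {},
    "_links": {}, "email": "owner@example.com"}])

if __name__ == "__main__":
    # Thread's case: slug "admin" is only the nicename, the login differs.
    print(audit_users_response(SAMPLE_RENAMED, ["Example_Login"]))
    # Default install: nicename derived from the login, so the slug leaks it.
    print(audit_users_response(SAMPLE_DEFAULT, ["Example_Login"]))
```

Replace the constructed bodies with the JSON saved from your own site's endpoint and the placeholder with your actual login names to run the check for real.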