Wordfence <= 7.1.12 - Username Enumeration Prevention Bypass



Proof of Concept
Wordfence blocks:

http://www.example.com/?author=1

But allows:

http://www.example.com/?author[]=1
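
A log check covering both request forms shown above, added here as an example; it is not part of the original advisory and is not Wordfence's code. It treats `author`, `author[]` and the percent-encoded `author%5B%5D` as the same parameter and groups the requested numeric IDs per client. The log lines, IP addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# "author" alone or followed by PHP-style array brackets: author, author[], author[0]
AUTHOR_KEY = re.compile(r"author(\[[^\]]*\])*")
# Request line inside a common/combined-format access log entry
REQUEST = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[0-9.]+"')

# Constructed sample access-log lines (not taken from the advisory)
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Oct/2018:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 403 512',
    '203.0.113.5 - - [02/Oct/2018:10:00:02 +0000] "GET /?author[]=1 HTTP/1.1" 200 4096',
    '203.0.113.5 - - [02/Oct/2018:10:00:03 +0000] "GET /?author%5B%5D=2 HTTP/1.1" 200 4096',
    '198.51.100.7 - - [02/Oct/2018:10:05:00 +0000] "GET /?s=author HTTP/1.1" 200 4096',
    '198.51.100.7 - - [02/Oct/2018:10:05:09 +0000] "GET /?coauthor[]=1 HTTP/1.1" 200 4096',
]

def author_params(target):
    """Yield (form, author_id) for each numeric author parameter in a request target."""
    query = target.partition("?")[2]
    # parse_qsl percent-decodes keys, so author%5B%5D becomes author[]
    for key, value in parse_qsl(query, keep_blank_values=True):
        if not AUTHOR_KEY.fullmatch(key):
            continue
        value = value.strip()
        if value.isascii() and value.isdigit():
            yield ("array" if "[" in key else "scalar", int(value))

def scan(lines):
    """Map client IP -> {'ids': set of author IDs, 'array_form': bool}."""
    hits = {}
    for line in lines:
        match = REQUEST.search(line)
        if not match:
            continue
        ip = line.split(" ", 1)[0]
        for form, author_id in author_params(match.group(1)):
            entry = hits.setdefault(ip, {"ids": set(), "array_form": False})
            entry["ids"].add(author_id)
            entry["array_form"] |= form == "array"
    return hits

if __name__ == "__main__":
    for ip, info in scan(SAMPLE_LOG).items():
        print(ip, sorted(info["ids"]), "array form seen:", info["array_form"])
```

A client that requests several distinct IDs, or uses the array form at all, is worth a closer look; a single `?author=N` hit can be a legitimate author-archive link on sites without pretty permalinks.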

Affects Plugin

fixed in version 7.1.14

References

PACKETSTORM 149845
URL http://www.waraxe.us/advisory-109.html

Classification

Type BYPASS

Miscellaneous

Original Researcher Janek Vind "waraxe"
Submitter Ryan Dewhurst
Submitter Website https://dewhurstsecurity.com/
Submitter Twitter ethicalhack3r
Verified Yes
WPVDB ID 9135

Timeline

Publicly Published 2018-10-02
Added 2018-10-18
Last Updated 2018-10-18