CVE-2017-5487 in WordPressinfo

Summary

by MITRE

wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress 4.7 before 4.7.1 does not properly restrict listings of post authors, which allows remote attackers to obtain sensitive information via a wp-json/wp/v2/users request.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 05/13/2026

The vulnerability identified as CVE-2017-5487 resides within the WordPress REST API implementation, specifically in the wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php file. This flaw affects WordPress versions 4.7 and earlier, before the release of version 4.7.1, creating a significant security gap that could be exploited by remote attackers to gain unauthorized access to sensitive user information. The vulnerability manifests through the REST API's user endpoint handling, where the system fails to properly enforce authorization controls when processing requests for user listings.

The technical nature of this vulnerability stems from inadequate access control mechanisms within the WordPress REST API framework. When attackers send a wp-json/wp/v2/users request to a vulnerable WordPress installation, the system responds with detailed user information including usernames, display names, and other potentially sensitive metadata about registered users. This occurs because the REST API endpoint does not properly verify whether the requesting user has sufficient privileges to view the complete user listings, allowing any authenticated user or even unauthenticated attackers to enumerate user accounts and gather intelligence about the site's user base.

This vulnerability directly relates to CWE-284, which describes improper access control issues, and can be mapped to ATT&CK technique T1087.001 for account discovery through enumeration of user accounts. The operational impact of this flaw extends beyond simple information disclosure, as it provides attackers with valuable reconnaissance data that can be used for subsequent attacks. Attackers can use the gathered user information to target specific individuals for social engineering attacks, perform credential stuffing attacks against known usernames, or plan more sophisticated exploitation attempts. The vulnerability essentially undermines the principle of least privilege by allowing unauthorized access to user enumeration data that should be restricted to administrators or authorized personnel only.

The implications of this vulnerability are particularly concerning for WordPress installations that host sensitive content or serve as platforms for organizations with security-conscious requirements. The flaw enables attackers to build comprehensive user profiles without requiring elevated privileges, which can significantly aid in planning targeted attacks. Organizations using WordPress versions prior to 4.7.1 should consider this vulnerability as a critical security concern that could lead to broader compromise if combined with other attack vectors. The vulnerability demonstrates the importance of proper API access controls and the need for thorough security testing of web application interfaces, particularly those that expose user data through RESTful endpoints. Mitigation efforts should focus on immediate patching to WordPress version 4.7.1 or later, while also implementing additional monitoring to detect unusual API access patterns that might indicate exploitation attempts.

The security community has identified this as a critical flaw that highlights the importance of maintaining up-to-date software versions and proper access control implementation. Organizations should conduct thorough security assessments of their WordPress installations to identify similar vulnerabilities in other API endpoints and ensure that all user enumeration features properly enforce authorization checks. This vulnerability serves as a reminder that even seemingly innocuous API endpoints can provide significant attack surface when access controls are not properly implemented.

Reservation

01/14/2017

Disclosure

01/14/2017

Moderation

accepted

Entry

VDB-95347

CPE

ready

Exploit

Download

EPSS

0.87095

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!