Description

The Stop User Enumeration WordPress plugin before version 1.7.3 blocks REST API /wp-json/wp/v2/users/ requests for non-authorized users. However, this can be bypassed by URL-encoding the API path.

PUBLISHED Reserved 2025-05-05 | Published 2025-07-17 | Updated 2025-07-17 | Assigner WPScan

Problem types

CWE-203 Observable Discrepancy

Product status

Default status: unaffected

Any version before 1.7.3: affected

Credits

Stan, Chin Siang Leow (finder)

WPScan (coordinator)

References

wpscan.com/...erability/19f67d6e-4ffe-4126-ac42-fb23c5017a3e (exploit, vdb-entry, technical-description)

cve.org (CVE-2025-4302)

nvd.nist.gov (CVE-2025-4302)
