CVE-2025-4302
BaseFortify

Publication date: 2025-07-17

Last updated on: 2026-01-02

Assigner: WPScan

Description
The Stop User Enumeration WordPress plugin before version 1.7.3 blocks REST API /wp-json/wp/v2/users/ requests for non-authorized users. However, this can be bypassed by URL-encoding the API path.
Meta Information
Published: 2025-07-17
Last Modified: 2026-01-02
Generated: 2026-05-27
AI Q&A: 2025-07-17
EPSS Evaluated: 2026-05-25
Affected Vendors & Products
Vendor: fullworks
Product: stop_user_enumeration
Version / Range: up to 1.7.3 (exclusive)
CWE ID: NVD-CWE-noinfo
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability in the Stop User Enumeration WordPress plugin before version 1.7.3 allows an attacker to bypass the plugin's protection by URL-encoding the REST API path /wp-json/wp/v2/users/. This means that although the plugin blocks user enumeration requests for non-authorized users, an attacker can still access user information by encoding the URL, effectively circumventing the intended access restrictions.


How can this vulnerability impact me?

This vulnerability can allow unauthorized users to enumerate WordPress users via the REST API, potentially exposing usernames and other user-related information. This can facilitate further attacks such as brute force login attempts, social engineering, or privilege escalation.
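
For defenders reviewing access logs on sites that ran a version before 1.7.3, the following added example (not code from the plugin or from this page) flags requests that reach the users route only after percent-decoding. It assumes combined-format access logs; the function names, the sample log lines and their status codes are constructed for illustration and do not describe which encoding the plugin actually accepted.

```python
import re
from urllib.parse import unquote

USERS_ROUTE = "/wp-json/wp/v2/users"
# Combined-log-format prefix: client IP, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def normalize_path(target, max_rounds=3):
    """Drop the query string, percent-decode (bounded, to catch double
    encoding), collapse repeated slashes and lowercase."""
    path = target.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return re.sub(r"/+", "/", path).lower()

def hits_users_route(path):
    return path == USERS_ROUTE or path.startswith(USERS_ROUTE + "/")

def classify(target):
    """'encoded' = reaches the users route only after decoding."""
    if not hits_users_route(normalize_path(target)):
        return "other"
    raw = target.split("?", 1)[0].lower()
    return "plain" if hits_users_route(raw) else "encoded"

def find_encoded_requests(lines):
    """Return (ip, target, status) for every encoded users-route request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and classify(m["target"]) == "encoded":
            hits.append((m["ip"], m["target"], int(m["status"])))
    return hits

# Constructed sample log lines (documentation IP ranges, made-up statuses).
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Jul/2025:10:00:01 +0000] "GET /wp-json/wp/v2/users/ HTTP/1.1" 401 120',
    '198.51.100.7 - - [17/Jul/2025:10:00:05 +0000] "GET /wp-json/wp/v2/%75sers/ HTTP/1.1" 200 2310',
    '198.51.100.7 - - [17/Jul/2025:10:00:09 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [17/Jul/2025:10:01:12 +0000] "GET /wp-json/wp%2Fv2%2Fusers HTTP/1.1" 403 98',
]

if __name__ == "__main__":
    for ip, target, status in find_encoded_requests(SAMPLE_LOG):
        print(f"{ip} {status} {target}")
```

An encoded request answered with a success status is the case to investigate first; the same normalize-then-match order applies to any path-based block rule placed in front of the REST API.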

